Every business that processes card transactions across the five major card brands must be PCI DSS Compliant. Learn more about how to become and sustain PCI compliance to protect your customers’ sensitive data and your brand from a data breach or violation.
Introduction to PCI Compliance
Business. Customers. Trust. Success. Security. These are the building blocks of a growing business. If you remove security, you might just find yourself without customers and a business.
Business success is built on trust – if you are B2B, customers trust that your team is going to deliver on time and fulfill your contractual obligations. If you’re business-to-consumer (B2C), your guests demand a highly personalized experience from start to finish while treating their personal and sensitive information with the utmost security. If your organization experiences a data breach that compromises cardholder data, you might find out just how important information security and maintaining PCI compliance is to your business’ ability to thrive in today’s market.
New advances in eCommerce and payment technology required new standards and regulations to protect business and consumers. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and data breaches.
Understanding and navigating PCI DSS compliance can feel overwhelming for business owners. In this guide, we cover everything you need to know about PCI DSS compliance and walk you through best practices to safeguard your business and customers.
History of PCI Compliance
The internet gold rush of the late 1990s and early 2000s created adventurous merchants who wanted to leverage the internet for eCommerce. As acceptance of online payments gained ground, so too came the risks. Online payments caught the eye of malicious individuals. Soon cybercriminals began compromising card processing systems, e-retailers, and payment networks to extract cardholders’ information and use it to purchase prepaid cards, gift cards and goods online, or for resale. With major credit card companies facing skyrocketing rates of fraud and backlash from consumers, Visa, MasterCard, American Express, Discover, and JCB came together to create a comprehensive standard for all merchants in the payment cycle; on December 15, 2001, PCI DSS Version 1.0 was released.
As the internet era matured and online payments gained mainstream adoption, more businesses brought their payment processing systems online; many companies began connecting virtual and physical terminals wirelessly and interconnecting multiple locations to establish centralized databases. Today, businesses collect vast quantities of personal information to create more connected and personalized experiences for customers.
These new commerce opportunities exposed businesses as well as consumers to more risk, and gave scammers the opportunity to take card details from compromised networks.
To help with managing compliance standards, the payment brand names also established the PCI Security Standards Council as an independent body, with a set mission to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.” The PCI Security Standards Council is led by a policy-setting Executive Committee, composed of representatives from the five founding global payment brands and Strategic Members. A Board of Advisors, drawn from Participating Organizations, provides input to the organization and feedback on the evolution of the PCI Standards.
It’s key to note that while the PCI Security Standards Council is responsible for setting the standards and requirements that sellers must adhere to (such as self-assessment questionnaires, security checklists, and PCI-compliant applications), it’s the responsibility of the card brands to enforce PCI DSS compliance criteria among sellers and organizations that accept credit cards.
What Is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major credit card companies American Express, Discover, JCB, Master Card and VISA to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally to mitigate risks involved through online purchases or transactions while preventing data loss and security breaches. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
While PCI DSS has no legal authority to compel compliance, it is a requirement of any business that wishes to facilitate transactions from any of the major card associations.
Who does PCI Compliance Apply to?
PCI Compliance applies to any business that accepts credit or debit card transactions from any of the five major card associations (brands), including American Express, Discover, JCB, MasterCard or Visa.
PCI DSS Compliance also applies to service providers (discussed below): any business entity that is not a payment brand (e.g. Visa) and is directly involved in the processing, storage or transmission of cardholder data. For example, a managed IT service provider that provides managed firewalls or security solutions to a merchant or business accepting card payments is considered a ‘service provider’ and is co-responsible for maintaining PCI compliance.
PCI Compliance Requirements
PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
The PCI Data Security Standard (PCI DSS) is the global security standard for all merchants and retailers. This standard is based on 12 requirements from 6 goal categories and all must be met in order to achieve compliance. These requirements are as follows:
| Goals | PCI DSS Compliance Requirements |
| --- | --- |
| Build and Maintain a Secure Network and Systems | |
| Protect Cardholder Data | |
| Maintain a Vulnerability Management Program | |
| Implement Strong Access Control Measures | |
| Regularly Monitor and Test Networks | |
| Maintain an Information Security Policy | |
How Does The PCI Security Standards Council Define Account Data?
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, and to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are defined as follows:
| Cardholder Data | Sensitive Authentication Data |
| --- | --- |
| | THIS DATA CANNOT BE STORED PER PCI DSS 3.2 |
The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.
PCI Compliance Levels
If you accept card payments (card present, card not present or online) with any one of the five PCI DSS card brands (American Express, Discover, JCB International, MasterCard, and Visa), then your company is required to be PCI DSS compliant. Each merchant is categorized in one of four levels (Level 1 – Level 4) based on the number of transactions processed across all channels and whether or not your company has experienced a cyberattack that compromised cardholder account data.
Merchants with higher volumes of transactions are held to more stringent compliance standards than their lower volume counterparts because of the inherent risks. For example, Level 1 merchants processing 6 million or more transactions are required to work with Internal Security Assessors (ISAs), Qualified Security Assessors (QSAs), and PCI Council Approved Scan Vendors (ASVs) to maintain their PCI DSS compliance status.
Every seller falls into one of the four categories depending on their transaction volume during a 12-month period. While each credit card brand has its own slightly different criteria, generally the PCI-compliance levels are as follows:
Level 1 Merchants
Level 1 is the highest level of PCI compliance of the four merchant levels. Merchants that process over 6 million transactions per year whether card present, card not present, online or in-store, are considered a Level 1 Merchant. In addition, any merchant that has had a data breach or successful cyberattack (internal or external) that resulted in compromised payment card information is automatically elevated to Level 1. It’s important to note that card associations can enhance the compliance level of a merchant at their discretion. Here are the requirements for Level 1 merchants to sustain PCI compliance:
- File an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Auditor if signed by an officer of the company. It’s highly recommended by the PCI Council for the Internal Auditor to obtain a PCI SSC Internal Security Assessor (“ISA”) certification.
- Submit an Attestation of Compliance (AOC) form
- Conduct quarterly network scans by an Approved Scan Vendor (ASV)
Level 2 Merchants
Merchants that process one to six million transactions across all channels annually are designated as Level 2 merchants. Level 2 merchants are required to complete the following to maintain PCI compliance:
- Complete a Self-Assessment Questionnaire (SAQ) annually (PCI DSS SAQ version 3.2)
- Submit an Attestation of Compliance (AOC) form each year
- Complete and obtain evidence of passing a vulnerability scan with an Approved Scanning Vendor (ASV)
- Conduct a quarterly network scan by an ASV
Level 3 Merchants
Any merchant with more than 20,000 combined transactions annually but less than or equal to one million total transactions across all channels is considered a Level 3 merchant. Level 3 merchants are required to:
- Complete a Self-Assessment Questionnaire (SAQ)
- Submit an Attestation of Compliance (AOC) form each year
- Complete and obtain evidence of passing a vulnerability scan with an Approved Scanning Vendor (ASV)
- Conduct a quarterly network scan by an ASV
Level 4 Merchants
Level 4 merchants include any seller that processes less than 20,000 payment transactions across all channels. Level 4 merchants are required to:
- Complete the Annual Self-Assessment Questionnaire (SAQ)
- Submit an Attestation of Compliance (AOC) form each year
- Conduct a quarterly network scan by an Approved Scan Vendor (ASV)
Service Providers and PCI DSS Compliance
A Service Provider is a business entity directly involved in processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or impact the security of cardholder data (e.g. IT Support Guys). Service providers include companies that provide managed IT services, managed firewalls, intrusion detection software or services, and in general security or infrastructure support for organizations that accept card payments.
Level 1 Service Provider
Level 1 Service Providers are service providers that store, process, or transmit more than 300,000 credit card transactions annually.
PCI Requirements:
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Penetration Test
- Internal Scan
- Bi-annual network segmentation tests
- Attestation of Compliance (AOC) Form
Level 2 Service Provider
These are service providers that store, process, or transmit less than 300,000 credit card transactions annually.
PCI Requirements:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by an ASV
- Penetration Test
- Internal Scan
- Bi-annual network segmentation tests
- AOC Form
How To Become PCI Compliant
The first step a business must take to become PCI compliant is to shift its belief that obtaining and sustaining PCI DSS compliance is difficult to achieve. Many business owners become intimidated after their initial research or perceive that achieving PCI DSS compliance is more expensive and difficult than it actually is. While, yes, the process can be complex – it’s imperative that businesses don’t procrastinate or slack on shoring up PCI DSS compliance policies, payment data management procedures, and/or avoid taking a proactive approach to cybersecurity.
Secondly, business executives and stakeholders need to stop thinking about PCI Compliance solely in terms of ‘meeting compliance’ and instead translate ‘meeting compliance’ to ‘implementing and maintaining a strong physical, data and cybersecurity posture’. The vast majority of PCI compliance penalties are levied as the result of a data breach that occurred because the organization refused to implement foundational security best practices or did not have active threat monitoring, detection, and remediation strategies.
Being PCI compliant involves implementing security controls outlined in the PCI DSS, signing a contract agreeing to a payment brand or merchant acquirer’s terms for PCI compliance, and completing an annual self-assessment.
These are the five (simplified) steps a business will need to take to become PCI compliant:
- Analyze Your Merchant Compliance Level
The first step once you’re ready to begin the journey of PCI compliance is to review the four merchant levels (discussed above) to identify what your PCI requirements or action items are. There are different security standards based on which banks you work with, how many transactions you handle, and whether or not your business has been a victim of a data breach that compromised cardholder data. Different companies have different standards here; for example, MasterCard’s and Visa’s criteria describe four and five levels of businesses, respectively. Analyze where you fall, and how your business is described in PCI’s general standards, so you’re ready for the next steps.
- Complete a Self-Assessment Questionnaire (SAQ)
The self-assessment questionnaire (SAQ) is a relatively painless guidebook you can use to assess your current compliance level. There are actually nine different versions of the SAQ guidebook, but don’t let that intimidate you. These versions are available for different business types, so you’ll only need the book that applies to your business. When you have it, the guidebook will walk you through about a dozen different requirements, and for each, you’ll answer “yes,” “no,” or “N/A.” This will help you identify the missing pieces of your company’s payment security. Most businesses will fall between Merchant Levels 2 – 4, and the requirements are relatively the same across these levels:
- Complete a Self-Assessment Questionnaire (SAQ)
- Submit an Attestation of Compliance (AOC) form each year
- Complete and obtain evidence of passing a vulnerability scan with an Approved Scanning Vendor (ASV)
- Conduct a quarterly network scan by an ASV
- Now That You’ve Completed Your ASV – It Might Be Time to Remediate
You’ve completed your Self-Assessment Questionnaire (SAQ) and done your due diligence in researching PCI standards. Your business is now ready to obtain and provide evidence of passing a vulnerability scan by an Approved Scanning Vendor. If this is your first time completing an ASV scan, you might find that you have a few items to remediate. Work with your IT team to correct any security vulnerabilities, hardware upgrades, or documentation required to bring your business into full compliance. We’ve created a 9-Step Approach to Creating an Effective PCI Compliance Remediation Plan below to help you get started. Once you’ve made the necessary changes, it’s time to have the ASV rescan and document proof that your organization passed. If remediation was required, take a moment and review your SAQ for accuracy and update as needed.
- Complete a formal attestation of compliance.
Once you’ve made any changes necessary and have updated your SAQ, you can fill out a formal attestation of compliance (AOC). This is a formality that claims your business is fully compliant with all relevant PCI standards—and again, there are nine different types based on the nature and size of your business. Once you’re done with that, you can have a qualified security assessor review your work and create a report on your compliance to validate your own findings.
- File the paperwork.
Congratulations – the long hours of research, determination (and possibly some dread), and money spent have paid off. Your business is ready to package up all the paperwork and deliver it to the card associations or banks you process payments with. You’ll need to submit your SAQ, AOC, proof that you passed your ASV scan, and any other documentation requested.
How Much Does It Cost a Business to Become Compliant?
As soon as they realize that their business is required to be PCI compliant, most business owners immediately think: how much is this going to cost my company?
It’s a simple question but a difficult one to answer, because the cost depends on factors such as:
- How is your network currently set up? How large or complex is the design of your network?
- Do you have a dedicated IT professional in-house or do you work with a managed IT service provider?
- Have you identified all the system components that are located within or connected to the cardholder data environment?
- How many devices are connected to the cardholder data environment?
- What is your business’s PCI scope?
- Does your business utilize File Integrity Monitoring (FIM) software to detect unauthorized access to, and unauthorized modification (including changes, additions, and deletions) of, critical system files, configuration files or content files?
- Is your business currently using tokenization services, credit card vaulting, point-to-point encryption (P2PE) and/or end-to-end encryption (E2EE) to significantly limit your PCI scope?
- Has your team established, and does it adhere to, basic security best practices?
- Does your business have a formal patch management strategy to patch and resolve time-sensitive vulnerabilities quickly?
- Is your IT environment well documented with a complete inventory of all the connections between your cardholder data environment, other networks, and devices?
How Long Does It Take to Bring a Business Into Full PCI DSS Compliance?
In our experience, most networks that were configured correctly from the start will only require a day’s work to bring the business into compliance. Of course, there’s training that must be done with relevant personnel so that everyone understands PCI compliance and your now well-optimized strategy to sustain PCI DSS compliance. However, from a technological perspective, minimal work is usually required if your IT environment is up to par.
By properly configuring your network and operating using IT best practices, you can avoid time-consuming PCI compliance remediation effort down the line.
16 Best Practices to Create Sustainable PCI DSS Compliance
To help you not only obtain 100% PCI compliance but sustain it, we’ve created 10 best practices your team can follow to create a sustainable compliance culture within your organization:
- Perform scans as early as possible. Companies required to submit quarterly scans must use an Approved Scanning Vendor. Your organization will be required to submit a scan without any failing vulnerabilities and the scan will be attested by both parties involved. Completing your scans early in the quarter allows you to catch any new vulnerabilities or issues and will provide your team with enough time to remediate and rescan before the end of the quarter. We highly recommend taking a proactive approach, so your team does not become bottlenecked or is forced to delay other revenue-generating initiatives while they remediate.
- Encrypt stored cardholder data. Requirement 3 of the PCI DSS lays out the guidelines for protecting stored cardholder data and the requirements for encryption. At a minimum, all PAN data must be rendered unreadable anywhere it is stored, including digital media, backup media, logs, and physical media such as paper. PCI requires protecting cardholder data wherever payment information is captured and transmitted; this includes shopping carts, point of sale systems, card readers, paper records with card data, store networks and wireless routers, as well as online payment applications.
- Use network segmentation and test it annually for merchants and bi-annually for service providers. Network segmentation is done by physically or virtually separating systems that store, process, or transmit card data from those that don’t. Utilizing network segmentation can reduce your organization’s PCI scope, thereby reducing the cost, time and effort to achieve compliance. PCI DSS Requirement 11.3.4 requires all organizations to perform segmentation testing at least annually if segmentation controls are utilized to isolate the cardholder data environment (CDE) from other network segments. Additionally, PCI DSS Requirement 11.3.4.1 was added to PCI DSS v3.2 as a new requirement, mandating that Service Providers perform segmentation testing of all applicable segmentation controls used to segment the CDE at least every 6 months, as opposed to annually.
- Maintain the security of cardholder data while in transit. PCI DSS requirement 4 requires that businesses secure data in transit using keys/certificates, secure transport protocols, and strong encryption (recommended minimum AES-128 bit). Encryption is key, especially for authentication and transmission over wireless networks that transmit cardholder data or that are connected to the CDE, to prevent malicious eavesdroppers from scraping sensitive data in transit. Encryption makes the data unreadable and unusable by cyber intruders who do not have the appropriate encryption keys. Collaboration technologies that your business uses may not be suitable to transmit sensitive data. The PCI SSC (Security Standards Council) explicitly states that PANs must never be sent unprotected over commercial technologies such as email or chat applications and must be rendered unreadable via encryption. Microsoft Office 365 enables organizations to communicate securely if configured correctly. If customers need to share sensitive data over email with anyone inside or outside the organization, customers can apply encryption and rights protection with Office 365 Message Encryption so that only authorized parties can read the protected message. While outside the scope of this guide, we recommend working with a certified Microsoft partner with PCI DSS compliance experience like IT Support Guys.
- Be proactive, not reactive. Business is busy, and every person has a job to do, deadlines to hit, and deliverables or products to ship. Many business owners take a reactive approach when it comes to compliance, this often creates more stress and hidden costs by forcing employees to divert their attention away from revenue-generating projects to jump on a compliance fire that needs to be put out. By taking a proactive approach to compliance and security, your organization will improve your security posture, reduce financial risks, and more effectively monitor interactions across all communication channels to see emerging trends, detect potential vulnerabilities, and remediate before a data breach can occur. It’s important to note that PCI compliance is not a one-time event. It’s an ongoing process to ensure that your business remains compliant even as data flows and customer touchpoints evolve. Managing PCI compliance requires a team effort, cross-departmental support and collaboration. If you don’t have a dedicated team internally to address and maintain compliance, it may be time to create one.
- Train employees to be security conscious. Achieving PCI DSS compliance requires synergy between people, technology, and process. Humans are fallible. In fact, Gartner reports that “99 percent of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.” Verizon’s 2019 Data Breach Investigations Report says that 34% of all breaches in 2018 were caused by insiders. Organizations invest in technology controls and solutions like multi-factor authentication, firewalls, encryption, data backups, monitoring and logging, endpoint protection, and web application firewalls, to name a small list. What’s often missed by most small and midsized businesses is ongoing, regular security and compliance training. Your card data environment’s security is only as strong as its weakest link, and in most cases that weak link is your employees. We recommend instituting mandatory (not boring) PCI DSS compliance training programs for new employees that handle sensitive data and at least quarterly reviews. Focus not only on PCI compliance but ensure every staff member understands your company’s security policies as well as data security essentials and best practices.
- Adequately prepare for your QSA assessments. The first step in securing anything valuable is to understand exactly where the information is stored and transmitted. That means understanding every segment, facet, adjacent or networked process that is part of the card data environment. A comprehensive network diagram is not only required but a beneficial exercise for your team to fully understand where card data resides and does not need to reside. Call or contact centers contain disproportionate amounts of sensitive customer information, these departments should be thoroughly examined before a QSA assessment. Additionally, always look for ways to reduce the PCI scope of your environment where possible. For example, removing PANs means you dramatically reduce the scope of your cardholder data environment (CDE) and reduce the amount of work you need to do to comply with the Payment Card Industry Data Security Standard (PCI DSS).
- Work only with payment providers that maintain the highest PCI compliance standards. We recommend using PCI Level 1 service providers because they are held to a higher standard in terms of proving their PCI compliance. Level 1 service providers are required to complete bi-annual penetration tests on top of the annual Report on Compliance, internal scans and quarterly network scans by an ASV. These more stringent requirements offer peace-of-mind that you are working with a reputable, secure, and compliant service provider.
- Restrict Access Rights and Reduce PCI Scope Creep – Under requirement 7 of PCI DSS, access to data must be restricted to authorized employees only. Companies must evaluate which of their employees need access to card data to fulfill their job responsibilities and then use the proper tools and processes to limit access based on business needs. In our experience, some companies will allow the marketing department to have access or third-party organizations that may not need cardholder data to function. This simply expands the scope of an organization’s PCI DSS compliance program to the whole company and creates more risk or liabilities from third-parties. Improperly scoped card data environments often lead to wasted resources, including time and money.
To achieve this, organizations must implement unique ID credentials for every employee to track which users take actions on credit card information and to prevent concurrent logins (two users sharing the same login). Access rights can then be set according to an employee’s job scope using appropriate Access Rights Management (ARM) software. Thankfully Microsoft provides a great solution using Azure Rights Management (Azure RMS). This cloud-based protection service uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries.
- Be cautious of open source eCommerce platforms. WooCommerce is an amazing platform for WordPress because it’s open-source, flexible, and offers greater control over SEO compared to some other platforms, like Shopify. However, WooCommerce is not completely PCI DSS compliant out of the box if you accept payments directly instead of using a third-party payment gateway like PayPal or Stripe. That being said – it can be configured to meet the stringent security control requirement in order to pass vulnerability scans. If you accept online payments using WooCommerce, you will need to configure it to enforce the SSL requirement on all checkout pages. The next step is to ensure that your WordPress users have only enough access to complete their job. If your content team does not need to access WooCommerce or payment details, prevent users who ‘don’t need to know’ from being able to access sensitive information.
- Implement a credible Web Application Firewall (WAF). Without a website application firewall, a malicious bot could infect your site and steal your customers’ sensitive data. Website application firewalls rest in front of public-facing web applications to monitor, detect, and prevent web-based attacks. Even though these solutions can’t perform the many functions of an all-purpose network firewall, (e.g., network segmentation), they specialize in one specific area: monitoring and blocking web-based traffic. As per PCI DSS requirement 6.6, your WAF must be up to date, generate audit logs, and either block cyberattacks or generate a cybersecurity alert if an imminent attack is suspected. Reputable WAFs like Barracuda’s Web Application Firewall or Sucuri could mean the difference between remaining PCI compliant or hefty fines.
- Develop an Effective Patch Management Strategy – One aspect of maintaining an effective security posture is patch management. Patch Management is the process by which businesses/IT procure, test, and install patches (changes in code or data) intended to upgrade, optimize, or secure existing software, computers, servers, and technology systems to maintain operational efficacy or mitigate security vulnerabilities. While simple in nature, most growing businesses struggle to identify critical patch updates, test and install patch releases to fix problems as they occur. In fact, the average time to patch is 102 days according to Ponemon – this means on average, a business could be leaving the door wide open for hackers to exploit a hardware or software security vulnerability for more than three months. Not sure where to start? We’ve created a guide to help your team establish a formal patch management strategy according to best practices.
- Define Performance Metrics to Measure Success – An effective metrics program can offer useful data for guiding the allocation of resources to minimize risk and for measuring the business consequences of security events. The company should carefully define the scope of its information-security measurement based on specific needs, goals and objectives, operating environments, risk priorities, and compliance program maturity. For security objectives associated with PCI DSS requirements, we need to consider more than whether the business passed or failed its annual Report on Compliance by a QSA. Good security hygiene requires disciplined consistency and IT operational maturity that is created through experience and highly skilled expertise. All of this requires tracking the efficiency of your IT department as a frontline in your organization’s security. Here are a few KPIs that indicate the health of your IT environment:
- System Availability: Divide the number of minutes that all your systems were available to everyone by the number of minutes they should have been available. If your systems’ uptime begins to decrease, this may indicate that there are data accessibility issues that need remediation.
Example: (43680 minutes of availability / 43800 minutes in a month) = 99.73% uptime for a month with a total of two hours of downtime across all systems
- Planned Maintenance Percentage: Planned maintenance percentage (PMP) is a percentage that describes the amount of maintenance time used towards planned maintenance tasks, which is measured against the total amount of maintenance hours in a given time period (weeks, months, years). If you notice a downward trend over time, it may be time to consider upgrading aging systems or hardware which is the most common reason for a consistent decrease in PMP.
Example: (200 planned maintenance hours / 325 total maintenance hours) = 61.54%
- Percentage of Critical Systems without Up-to-date Patches: Divide the number of critical systems without recent updates to the total number of critical systems and devices.
Example: (7 critical systems that have not been patched in the last 30 days / 50 critical systems ) = 14%
- Average Time to Patch: This one is a little more difficult to track unless your team uses a patch management software solution, but it is nevertheless extremely valuable. If you don’t have patch management software, we recommend using a spreadsheet to track critical patch updates and the vulnerabilities recorded in CVE databases. Within your spreadsheet, track the system type (POS terminal, firewall, etc.), device name, patch name, CVE ID, severity level (critical, high, medium, low), the date the patch was released and, finally, the date the vulnerability was patched. To calculate the Average Time to Patch, first create a column in Excel titled “Days to Patch” and use this formula: =DATEDIF(A2,B2,"D") where “A2” is the cell holding the date the patch became available and “B2” contains the date the vulnerability was patched. In the last row at the bottom of your spreadsheet, you can then use the Average option under Excel’s AutoSum button (or the AVERAGE function) to identify your current average time to patch. The best Average Time to Patch is obviously zero, i.e., the same day. By identifying how many days on average your team takes to patch your mission-critical infrastructure, you’ll be able to optimize processes and your patch management strategy to continuously reduce how long it takes to push out patches.
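The four KPIs above, computed in one place as an added example (this is not the article’s own code or tooling). The figures, the patch-tracking rows and the fleet of critical systems are constructed sample data, and the CVE IDs are placeholders; the days-to-patch column is the same arithmetic as the spreadsheet’s DATEDIF formula, with still-open vulnerabilities kept out of the average rather than silently counted as zero.

```python
"""IT-health KPIs: availability, PMP, unpatched critical systems, time to patch.
Added example with constructed sample data; CVE IDs below are placeholders."""
from datetime import date
from typing import Dict, Iterable, List, Optional


def percentage(part: float, whole: float) -> float:
    """part / whole as a percentage rounded to two decimals (0.0 if whole is 0)."""
    if whole <= 0:
        return 0.0
    return round(100.0 * part / whole, 2)


def system_availability(available_minutes: float, scheduled_minutes: float) -> float:
    """Uptime KPI: minutes systems were available / minutes they should have been."""
    return percentage(available_minutes, scheduled_minutes)


def planned_maintenance_percentage(planned_hours: float, total_hours: float) -> float:
    """PMP KPI: planned maintenance hours / all maintenance hours in the period."""
    return percentage(planned_hours, total_hours)


def unpatched_critical_percentage(last_patched: Dict[str, Optional[date]],
                                  as_of: date, window_days: int = 30) -> float:
    """Share of critical systems with no patch in the last window_days days.
    A system that was never patched (None) counts as out of date."""
    stale = sum(1 for d in last_patched.values()
                if d is None or (as_of - d).days > window_days)
    return percentage(stale, len(last_patched))


def days_to_patch(released: date, patched: date) -> int:
    """Same result as the spreadsheet column =DATEDIF(released, patched, "D")."""
    if patched < released:
        raise ValueError("patch date precedes release date")
    return (patched - released).days


def average_time_to_patch(rows: Iterable[dict],
                          severities: Optional[set] = None) -> Optional[float]:
    """Mean days-to-patch over rows already patched, optionally filtered by severity.
    Open vulnerabilities (patched is None) are excluded; track them separately."""
    days = [days_to_patch(r["released"], r["patched"]) for r in rows
            if r["patched"] is not None
            and (severities is None or r["severity"] in severities)]
    if not days:
        return None
    return round(sum(days) / len(days), 2)


# Constructed patch-tracking sheet, one row per vulnerability (placeholder CVE IDs).
PATCH_LOG: List[dict] = [
    {"system_type": "POS terminal", "device": "pos-01", "patch": "vendor-2019-09", "cve": "CVE-XXXX-0001",
     "severity": "critical", "released": date(2019, 9, 1), "patched": date(2019, 9, 4)},
    {"system_type": "firewall", "device": "fw-edge", "patch": "fw-os-7.2.1", "cve": "CVE-XXXX-0002",
     "severity": "high", "released": date(2019, 8, 20), "patched": date(2019, 9, 10)},
    {"system_type": "server", "device": "db-card", "patch": "db-patchset-14", "cve": "CVE-XXXX-0003",
     "severity": "critical", "released": date(2019, 9, 10), "patched": date(2019, 9, 10)},
    {"system_type": "server", "device": "app-web", "patch": "web-2019-09b", "cve": "CVE-XXXX-0004",
     "severity": "critical", "released": date(2019, 9, 5), "patched": None},  # still open
    {"system_type": "workstation", "device": "ws-07", "patch": "os-cumulative", "cve": "CVE-XXXX-0005",
     "severity": "medium", "released": date(2019, 7, 15), "patched": date(2019, 8, 30)},
]

# Constructed last-patch dates for the critical fleet (None = never patched).
LAST_PATCHED: Dict[str, Optional[date]] = {
    "pos-01": date(2019, 9, 25), "pos-02": date(2019, 8, 15),
    "fw-edge": date(2019, 9, 30), "db-card": date(2019, 7, 1),
    "app-web": date(2019, 9, 2), "kiosk-03": None,
}
AS_OF = date(2019, 10, 1)  # reporting date for the sample

if __name__ == "__main__":
    print("availability %:", system_availability(43680, 43800))   # 99.73
    print("PMP %:", planned_maintenance_percentage(200, 325))     # 61.54
    print("critical unpatched %:", unpatched_critical_percentage(LAST_PATCHED, AS_OF))
    print("avg days to patch (all):", average_time_to_patch(PATCH_LOG))
    print("avg days to patch (critical):", average_time_to_patch(PATCH_LOG, {"critical"}))
```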
- Monitor Third-Party Service Providers – Virtually every business relies on third-party service providers. Any third-party organization that directly processes, stores or transmits sensitive authentication data (SAD) or cardholder data (CHD) is a service provider and therefore must meet PCI compliance standards. Examples of third-party providers include payment gateway providers, transaction processors, and managed IT service providers that maintain network security or managed firewalls. Organizations should develop and apply procedures to keep an eye on the compliance status of their service providers, both to minimize the risk of a data breach and to evaluate whether the partnership is worth maintaining.
- Document and Log Everything – Documentation is part of requirement 12 of PCI DSS; it underlines the need for organizations to keep records of all of their security policies and procedures, risk assessments and security incidents. Strong documentation helps CIOs and security professionals make informed decisions about future security measures and helps companies prove compliance. Logs and log monitoring fall under requirement 10 of PCI DSS and include logs of all security events, servers, and critical system components. Companies should ensure that their antivirus solution provides logs of security incidents. They can also generate logs of attempted unauthorized transfers, and of the users responsible for them, through DLP solutions.
- Evolve the Compliance Program to Address Changes – The threat landscape is constantly evolving, so a business should prioritize staying on top of cybersecurity trends and new attack vectors. Organizations need to advance their controls alongside the risk landscape, changes in organizational structure, new campaigns, and changes in service procedures and technology, to make sure these do not negatively impact the company’s security posture. Working with a Managed IT Service Provider is one of the easiest ways to ensure that your security stays up to date and that card data environments are protected using time-tested security best practices.
Challenges to Maintaining Compliance
Organizations are struggling to maintain PCI DSS compliance. According to a PCI Security Council report released in January, more than 44 percent of companies see the effectiveness of their PCI DSS controls and their overall compliance decline after a PCI assessment is completed. This correlates with the three percent compliance decline seen for the first time since Verizon started tracking PCI compliance in 2012. While the causes of declining compliance are myriad, the PCI Security Council outlines five common reasons that businesses begin dropping out of PCI compliance:
- The digital age and technology continue to evolve at breakneck speed. Pressure to adapt to ever-increasing customer demands and emerging technologies drives changes to an organization’s business goals, structure, and technology infrastructure.
- Organizational complacency, assuming what was good enough last year will be good enough in the future.
- Overconfidence in organizational practices, resulting in a lack of resources devoted to regular monitoring, detection, tracking, or an effective employee training program, can push businesses out of compliance.
- Inability to assign the right people, tools, and processes, and lack of executive leadership commitment to maintaining
- Failure to accurately scope the organization’s cardholder data environment (CDE) as business practices evolve with the introduction of new products or services.
Businesses that focus solely on annual PCI DSS assessments to validate the quality of their cardholder data security programs are missing the intent of PCI DSS to enhance cardholder data security, and likely see their PCI DSS compliance state “fall off” between assessments. In order to maintain a consistent level of security and compliance, organizations should focus on implementing an effective physical and digital security posture with integrated security monitoring, threat detection and prevention systems that work cohesively to secure the IT environment as a whole instead of solely on “meeting compliance.”
How Much Could Failing PCI Compliance Cost Your Business?
According to Verizon’s Payment Security Report, 47.5% of businesses assessed did not meet full compliance. If your business does not comply with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand reputation damage, and more.
Standard fines and penalties imposed by Payment Card Brands for card data breaches take into consideration the following:
- Number of card numbers stolen
- Circumstances surrounding the incident
- Whether track data was stored or not
- Timeliness of reporting incident
- PCI noncompliance fee: Most payment processing companies will charge a PCI non-compliance fee if your business does not fulfill all the PCI DSS requirements, for example by not submitting the annual Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ), the Attestation of Compliance (AOC), or proof that you’ve passed your vulnerability scans completed by an Approved Scanning Vendor (ASV). Non-compliance fees depend largely on your Merchant Service Provider’s terms and conditions but can range from $10 – $45 (or more) for each month out of compliance. The card brand can also levy fines, which we discuss below.
- PCI noncompliance fine: If a security breach occurs, consumer credit card data is leaked or compromised, AND your records indicate non-compliance, you might end up being fined $5,000 to $100,000 per month by the credit card associations.
- PCI fines for storing sensitive authentication data: up to $100,000 per month. Sensitive authentication data includes full track data (magnetic-stripe data or equivalent on an EMV chip), CAV2/CVC2/CVV2/CID, PINs and PIN blocks.
- PCI noncompliance & revocation: If non-compliance persists and/or credit card data is compromised due to sheer negligence or sloppy IT infrastructure, your acquiring bank may revoke your ability to accept credit cards and place you on a merchant account blacklist (the MATCH List – see below), which could effectively end your ability to do business.
- Costs levied by card associations to notify all affected cardholders and replace their credit cards
- Costs of notifying taxpayers of an incident, as directed by the Identity Theft Protection Act
- Forensic Investigation Costs
- The cost associated with discontinuing accepting cards
- Cost of an annual on-site security compliance audit estimated $20,000 every year
- Business reputational damage – probably the most significant side effect of a data breach is the loss of trust by consumers. If your customers cannot trust your business to keep their data safe, you might find that they simply switch brands or take their hard-earned money to one of your competitors. According to Verizon’s Data Breach Report, 69 percent of consumers would be less inclined to do business with a breached organization.
What is the Terminated Merchant File or MasterCard MATCH List?
Merchant accounts (read: businesses) that partake in fraudulent practices, receive excessive chargebacks or consumer complaints, or unintentionally facilitate, by any means, the unauthorized disclosure or use of account information may find themselves on the Terminated Merchant File (TMF) or MATCH (Member Alert to Control High Risk Merchants) List. MATCH is a system created and managed by Mastercard; it is essentially a ‘merchant blacklist’ database that contains information about businesses (and their owners) whose credit card processing privileges have been terminated. The MATCH list does not affect only the principal business owner – when a business is placed on the MATCH list, the business name, the principal and any business partners are recorded on this blacklist. If you end up on this blacklist, you might find it extremely difficult to obtain a new merchant account from any other bank. If you are able to find a merchant service provider that is willing to work with a business on the MATCH list, you will likely face higher interchange rates and additional fees to offset the risks associated with your lack of compliance or less-than-ideal past business practices. While the MATCH list uses codes to categorize the conditions and practices that resulted in a merchant being added, it is a system largely without any checks and balances. MasterCard’s own words clearly state that they do not verify or confirm the accuracy of the information reported; from section 11.1 of their MATCH Overview: “MasterCard does not verify, otherwise confirm, or ask for confirmation of either the basis for or accuracy of any information that is reported to or listed in MATCH. It is possible that information has been wrongfully reported or inaccurately reported.
It is also possible that facts and circumstances giving rise to a MATCH report may be subject to interpretation and dispute.” The best way to avoid finding yourself on the MATCH list is to ensure that your business is PCI compliant, adheres to cybersecurity best practices, follows your card brand’s terms of service, and avoids any risky transactions or unethical business practices. Review the table below to understand how merchants are categorized on MasterCard’s MATCH List:
| MATCH List Reason Code | Title | Explanation |
| --- | --- | --- |
| 1 | Account Data Compromise | Account data is stolen from the card-present merchant and used with other merchants |
| 2 | Common Point of Purchase | Account data is stolen from the card-present merchant and used with other merchants |
| 3 | Laundering | The merchant processed transactions that did not involve a bona fide cardholder |
| 4 | Excessive Chargebacks | The merchant breached predetermined chargeback thresholds |
| 5 | Excessive Fraud | The merchant breached predetermined fraud-to-sales dollar volume thresholds |
| 6 | MasterCard Questionable Merchant Audit Program | The merchant is labeled a “Questionable Merchant,” as determined by MasterCard guidelines |
| 7 | Bankruptcy, Liquidation, Insolvency | The merchant is unable to discharge all financial obligations |
| 8 | Violation of Standards | The merchant was in violation of one or more of the card network’s regulations |
| 9 | Merchant Collusion | The merchant participated in fraudulent collusive activities |
| 10 | PCI DSS Noncompliance | The merchant wasn’t compliant with PCI DSS requirements |
| 11 | Illegal Transactions | The merchant processed illegal transactions |
| 12 | Identity Theft | The business owner’s identity is in question |
PCI DSS Compliance Remediation
A readiness assessment from a Qualified Security Assessor (QSA) will likely uncover gaps in PCI compliance that will need to be addressed before a formal PCI review. If a QSA identifies compliance issues during the readiness assessment, you may be able to address some of those issues by reviewing and minimizing your scope of compliance, but existing issues will have to be properly remediated to comply with PCI DSS standards.
After the QSA conducts a readiness assessment, you can expect the assessor will work with your business to:
- identify and explain any existing gaps in compliance;
- develop a remediation plan, including technical fixes and policy and procedural updates; and
- recommend tools or third parties that can help complete the necessary technical and policy work.
It’s important to note that the PCI Security Standards Council has implemented controls to prevent conflicts of interest: because of strict requirements regarding “separation of duties”, a QSA cannot carry out the remediation work identified during its own readiness assessment. A QSA can, however, recommend a third party to assist in the remediation and fill the gaps the QSA identified.
Our 9-Step Approach to Creating an Effective PCI Compliance Remediation Plan
- Plan ahead. Remediation efforts can be lengthy and difficult for all parties involved; once the gaps in compliance are recognized, it is very important to outline and agree on a workable remediation strategy at the start.
- Get Organized. We recommend grouping your remediation tasks into categories; the two key categories are technological and policy/procedural. You may need to update server configurations, install a business firewall, or develop brand-new policies and procedures, etc. Creating an effective, well-organized PCI compliance remediation plan will save your team time, money, and potential frustration throughout the process.
- Assign Responsibilities. Identify the teams and stakeholders responsible for the ownership of all remediation efforts, requirements and milestones required to bring these areas of responsibility into compliance. In this step, business owners need to identify any additional tools, resources or outside providers such as a Managed Service Provider that specializes in PCI compliance.
- Review Remediation Tools and Services. The QSA that completed your readiness assessment can help you identify open-source compliance tools to avoid costs from adding up quickly. Your QSA can also help you to identify different information-security plan templates to speed up the remediation efforts, as well as offer industry-specific expertise if available. Likewise, it’s always wise to outsource security initiatives to specialists with the background and expertise to give your business a fighting chance in a rapidly changing threat landscape.
- Budget. Even though the cost of non-compliance far exceeds the initial investment to ensure your business meets PCI compliance each year, costs can quickly add up: between potentially being required to purchase new POS hardware, buying a more robust server, security software, acquiring additional user licenses to prevent concurrent access, working with an outside IT firm, and relevant third-party subscriptions, the cost of compliance can quickly get out of hand. By completing all your research before starting any remediation efforts, your team will be able to craft an accurate budget and minimize the scope creep that is far too common in projects of this nature.
- Set. Remediate! Set a time frame for remediation efforts. Tighten up your network’s defenses, lock down sensitive data, complete your security documentation, and get ready for your QSA review.
- Test and Verify. Your team can see the end of the tunnel; now test each in-scope component to verify that every system and your updated processes/procedures meet PCI compliance.
- Contact the QSA for a Formal PCI Review. If your team has resolved each recommendation from the readiness assessment, this should be a fairly straightforward process to confirm that you’re now PCI compliant.
- Stay PCI compliant. Congratulations! You’re now officially PCI compliant, but the work doesn’t stop here. Business security and compliance is a fluid objective – moving forward, be sure to assign responsibilities and follow through with your up-to-date compliance strategies. Don’t forget to inspect and test your systems regularly according to your continuing compliance plan.
PCI Compliance and Hospitality – Are You Part of the 38.5% That Made Full Compliance?
The hospitality industry needs personal data to be successful – but that comes with a price. According to the HTFP Journal, it was the most affected vertical in recent years, accounting for a full 40% of all data breaches that happen worldwide.
Hotels, spas, and high-end resorts seek to provide 5-star interconnected hyper-personalized experiences to delight customers, hopefully creating lifetime loyal patrons. Underlying this need for more personal information, hotels and resorts have specific needs for booking or payment purposes, like cardholder data, passport numbers, and driver’s license information. Yet, the reality is that the hospitality industry is struggling with securing personal data and PCI compliance.
In fact, Verizon reports that only 38.5 percent of hospitality organizations demonstrated full PCI compliance, the lowest compliance sustainability of all industries measured.
The Marriott/Starwood data breach is thought to be the third-largest data breach in recorded history, with an estimated 500 million guest records (Yahoo! captured first and second place by total number of accounts compromised). Marriott’s compromised data includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood Preferred Guest loyalty program account information, arrival and departure times, and reservation dates. What’s most concerning is that Marriott is the top hotel provider for American government and military personnel.
In recent news: in the middle of October, vpnMentor’s cybersecurity team alerted AutoClerk to an open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials. AutoClerk is a reservations management service owned by the Best Western Hotels and Resorts group. AutoClerk is used by resorts to manage online bookings, guest profiles, payment processing, loyalty programs, and revenue. According to vpnMentor, hundreds of thousands of booking reservations were available online in an open Elasticsearch database, with data ranging from full names, dates of birth, phone numbers, and masked credit card numbers to travel costs, check-in times and room numbers. All of this data was available online without any security barriers or encryption.
Just these two incidents, taken together, highlight exactly why penetrable security or a lack of foundational security best practices in the hospitality sector threatens consumer privacy, shareholder value, and even national security.
If two international multibillion-dollar organizations can be hacked and lack the operational maturity to secure their IT infrastructure, how vulnerable are small and midsized operations without the security resources, budget, and specialized personnel?
Verizon’s 2019 Data Breach Investigations Report states that 43% of cyberattacks target small businesses, and that this share will continue to increase as cybercriminals turn to easier targets to steal sensitive customer data. According to the third Hiscox Cyber Readiness Report, the number of businesses reporting cyber incidents has gone up from 45% last year to 61% in 2019.
Facing a changing regulatory landscape designed to heighten responsibility by threatening fines, many hospitality companies are reconsidering their cybersecurity infrastructure. However, industry-specific challenges like high employee turnover, vendor risks from connected third-party systems, franchise and chain compromises, and the vast array of systems and software available continue to expose this sector as a lucrative target for hackers.
IT Support Guys works with everyone from high-end luxury beachside resorts and local historic bed and breakfasts to major hotel operators serving thousands of rooms across multiple locations. We provide the hospitality industry with the peace of mind and security stakeholders need, so that your team can capture and protect the personal data required in today’s market to deliver an amazing experience that creates loyal lifetime customers.
Helpful Links and Resources:
- PCI Security Standards Council Website
- PCI Security Standards searchable database of Approved Scanning Vendors
- You can download the latest version of the PCI Councils Self-Assessment Questionnaire with this link.
PCI Compliance Key Terms and Definitions You Need to Know:
Account Data – In terms of PCI DSS, this refers to any and all cardholder data and/or sensitive authentication data.
Approved Scanning Vendor – A company approved by the PCI SSC to conduct external vulnerability scanning services.
Attestation of Compliance (AOC) – An annual form for merchants and service providers that is used to attest to the results of a PCI DSS assessment. This is necessary per the PCI DSS Self-Assessment Questionnaire or Report on Compliance. It may involve some or all of the following: delivering a self-assessment questionnaire, a regular network or site scan by an Approved Scanning Vendor, a compliance report by a Qualified Security Assessor, and the actual Attestation of Compliance form itself.
Cardholder Data Environment (CDE) – Processes, technology and people that transmit, process or store cardholder data or sensitive authentication data.
Merchant – defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC – American Express, Discover, JCB, MasterCard or Visa – as payment for goods and/or services.
PCI DSS – Payment Card Industry Data Security Standard, a proprietary information security standard for organizations that handle branded credit cards from major card companies.
PCI SSC – Payment Card Industry Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination and implementation of PCI DSS for account data protection.
Qualified Security Assessor – A party qualified by the PCI SSC to perform on-site PCI DSS assessments.
Self-Assessment Questionnaire – A PCI DSS reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Service Provider – A business entity that is not a payment brand, but directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. For example, service providers may include companies providing services that control or could impact the security of cardholder data. Managed IT service providers would be considered service providers under PCI DSS if they provide such services as managed firewalls, IDS and other support. Service providers may also be considered merchants if the sold services result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.