Achieving Excellence in Payment Security: A Guide to PCI Level 1 Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for protecting credit and debit card data wherever it is stored, processed, or transmitted. Achieving PCI DSS compliance shows that a company is serious about protecting cardholder information and maintaining trust in the payment card system.
In this blog post, we’ll explore PCI standards and their impact on merchants and service providers. We’ll discuss the different levels of PCI compliance, its effects, the steps to comply, and why it’s crucial for businesses. Whether you’re a small shop owner or a large service provider, understanding PCI DSS is key to securing your customers’ information.
What is PCI DSS Compliance?
PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), founded in 2006 by the major card brands: Visa, Mastercard, American Express, Discover, and JCB International. The card brands, also known as payment brands, enforce the standard through their own compliance programs, while the council publishes and maintains the standard itself. PCI DSS is not a law; it is a contractual obligation passed down through the card brands and acquiring banks. It provides a comprehensive framework that covers security management, policies, procedures, network architecture, software design, and other essential protective measures.
Adhering to PCI compliance helps prevent card data breaches by ensuring organizations follow established standards and best practices to protect credit card information. For example, PCI DSS requires specific security controls like encryption, access controls, and regular monitoring, which are vital for safeguarding credit card data. By enforcing strict access controls, PCI compliance standards limit who can access sensitive data, reducing the risk of unauthorized access. This includes user authentication, role-based access, and the principle of least privilege.
PCI DSS also requires that stored primary account numbers (PANs) be rendered unreadable, for example by strong encryption, truncation, tokenization, or hashing, forbids storing sensitive authentication data (full magnetic stripe or chip data, card verification codes, and PINs) after authorization, and requires strong cryptography such as TLS whenever cardholder data crosses open, public networks. Together these make stolen data far less useful to an attacker. Regular monitoring and testing of systems help detect and quickly respond to security incidents through logging, intrusion detection, vulnerability management, and penetration testing. Training employees to follow security policies and procedures is also emphasized, preventing accidental breaches and ensuring everyone understands their role in data protection. By mandating these security practices, PCI DSS creates a robust defense against cyberattacks and data breaches, helping organizations protect sensitive information, maintain customer trust, and reduce non-compliance risks.
The card brands, rather than PCI DSS itself, define four merchant levels of compliance based on the payment card transaction volume a merchant processes annually. The thresholds below are Visa’s; the other brands’ programs are similar but not identical. Here’s an overview of the different levels of PCI compliance:
- PCI Level 1: Businesses processing over 6 million transactions per year
- PCI Level 2: Businesses processing 1 million to 6 million transactions per year
- PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
- PCI Level 4: Businesses processing less than 20,000 transactions per year
These levels determine the specific validation requirements and assessment processes. Merchants must meet specific criteria based on the number of annual credit card transactions or other risk factors indicated below in the eligibility criteria. Here’s a breakdown of the different PCI DSS compliance levels for merchants, including the criteria and requirements for each level.
PCI Level 1 compliance eligibility criteria:
- Merchants that process over six million Visa or Mastercard transactions annually.
- Any merchant that has suffered a data breach that resulted in compromised card data.
- Any merchant that Visa or Mastercard deems Level 1, at their discretion.
Assessment requirements:
- Annual on-site assessment conducted by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) with the resulting report signed by an officer of the company.
- Quarterly network scans conducted by an Approved Scanning Vendor (ASV).
- Annual Report on Compliance (ROC)
- Attestation of Compliance form (AOC).
PCI Level 2 compliance eligibility criteria:
- Merchants that process one to six million Visa or Mastercard transactions annually.
Assessment requirements:
- Annual Self-Assessment Questionnaire (SAQ). Mastercard additionally requires that the SAQ be completed by ISA-trained staff or replaced with a QSA on-site assessment.
- Quarterly network scans conducted by an ASV.
- AOC form.
PCI Level 3 compliance eligibility criteria:
- Merchants that process twenty thousand to one million e-commerce transactions annually.
Assessment requirements:
- Annual SAQ.
- Quarterly network scans conducted by an ASV.
- AOC form.
PCI Level 4 compliance eligibility criteria:
- Merchants that process fewer than twenty thousand e-commerce transactions annually, or up to one million total Visa or Mastercard transactions annually.
Assessment requirements:
- Annual SAQ (specific requirements may vary based on the acquiring bank’s discretion).
- Quarterly network scans conducted by an ASV (if applicable).
- AOC form.
What is PCI DSS Level 1 for Service Providers?
PCI DSS for service providers sets security standards to ensure that companies handling payment card data for others do so securely. These companies, including data centers, payment processors, and cloud services, manage sensitive card information for multiple clients, making robust security measures crucial to prevent data breaches. The Cardholder Data Environment (CDE) for service providers includes all systems, networks, and processes involved in storing, processing, or transmitting cardholder data on behalf of their clients.
The compliance requirements for service providers depend on the number of transactions they handle. Larger providers processing over 300,000 transactions annually (Level 1) must undergo an on-site assessment by a Qualified Security Assessor (QSA) and perform quarterly network scans by an Approved Scanning Vendor (ASV). Smaller providers processing fewer than 300,000 transactions (Level 2) can self-assess using a Self-Assessment Questionnaire (SAQ) and also need to perform quarterly scans. All service providers must implement security measures such as firewalls, strong authentication, data encryption, and regular system updates. They must control access to cardholder data and regularly monitor and test networks to promptly address potential security issues.
Service providers must implement various security measures to protect cardholder data. These measures include:
- Network Security: Service providers should establish and maintain a secure network infrastructure, including robust firewall configurations and secure system settings to prevent unauthorized access.
- Data Encryption: Implement encryption protocols to protect stored cardholder data and ensure secure transmission over public networks, safeguarding it from interception.
- Vulnerability Management: Service providers must regularly update anti-malware software, deploy security patches promptly, and maintain secure systems and applications to protect against malware and vulnerabilities.
- Access Control: Implement stringent access controls to restrict access to cardholder data based on business needs. This involves assigning unique IDs, enforcing strong authentication mechanisms and strong passwords, and controlling physical access to sensitive areas.
- Monitoring and Testing: Regularly monitor network activities, log access to cardholder data, and conduct comprehensive testing, including vulnerability scans and annual penetration testing, to identify and address security weaknesses.
- Information Security Policy: Develop and enforce an information security policy that covers all aspects of security, including technical controls, employee training, and incident response procedures.
- Validation and Reporting: Service providers must validate their compliance with PCI DSS through regular assessments and audits. Depending on their level, this may involve conducting annual on-site assessments by a Qualified Security Assessor (QSA), completing Self-Assessment Questionnaires (SAQs), and undergoing quarterly network scans by Approved Scanning Vendors (ASVs). Compliance documentation, such as Reports on Compliance (ROCs) and Attestations of Compliance (AOCs), must be submitted to acquiring banks or payment card brands.
Validation is what ties these measures together: submitting the SAQ or ROC and the AOC to the acquiring bank or card brands is how a service provider demonstrates adherence to the standard and maintains trust within the payment ecosystem. To achieve and maintain PCI compliance, organizations must understand the requirements, implement the necessary security measures, and ensure continuous adherence between assessments.
How to Get Level 1 PCI DSS Compliance?
PCI DSS Level 1 compliance involves meeting all twelve requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS). Here they are:
1. Install and maintain a firewall configuration to protect cardholder data: Segment the cardholder data environment from untrusted networks, permit only the traffic the business actually needs, deny everything else by default, and review the rule sets regularly. (PCI DSS v4.0 broadens this to “network security controls” so that cloud and host-based controls count as well.)
2. Do not use vendor-supplied defaults for system passwords: Change default passwords and settings to prevent unauthorized access to systems and applications. Use strong, unique passwords and security parameters.
3. Protect stored cardholder data: Store as little as possible and keep it no longer than the business needs. Render any stored PAN unreadable using strong encryption with sound key management, truncation, tokenization, or hashing, limit access to the cleartext data to authorized personnel only, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization.
4. Encrypt transmission of cardholder data across open, public networks: Use strong cryptography, which in practice means TLS 1.2 or later with strong cipher suites and validated certificates, whenever cardholder data is transmitted over public networks, including the Internet. SSL and early TLS (1.0 and 1.1) are not considered strong cryptography by PCI DSS and must not be used to protect cardholder data.
5. Use and regularly update anti-malware software: Deploy and maintain anti-malware software on all systems commonly affected by malware or viruses. Ensure that anti-malware software is updated with the latest virus definitions and that regular scans are conducted.
6. Develop and maintain secure systems and applications: Implement secure coding practices and software development methodologies to prevent vulnerabilities in systems and applications. Regularly update and patch systems and applications to address known security vulnerabilities.
7. Restrict access to cardholder data by business need-to-know: Limit access to cardholder data to only those individuals who require it to perform their job duties. Implement role-based access controls and least privilege principles to minimize the risk of unauthorized access.
8. Assign a unique ID to each person with computer access: Assign a unique user ID to each individual with computer access to ensure accountability and traceability of actions taken on systems handling cardholder data. Avoid generic or shared accounts, and require multi-factor authentication for administrative and remote access into the cardholder data environment.
9. Restrict physical access to cardholder data: Implement physical security measures to prevent unauthorized access to facilities and systems storing cardholder data. Use locks, access controls, and monitoring systems to protect physical access points.
10. Track and monitor all access to network resources and cardholder data: Implement logging and monitoring mechanisms to record all access to network resources and cardholder data, protect the logs from tampering, and review them regularly for suspicious activity and anomalies. PCI DSS requires audit logs to be retained for at least one year, with the most recent three months immediately available for analysis.
11. Regularly test security systems and processes: Run internal and external vulnerability scans at least quarterly and after significant changes, with the external scans performed by an ASV, conduct penetration tests at least annually, and deploy change-detection (file integrity monitoring) on critical files. Validate the effectiveness of security controls and fix what the testing finds.
12. Maintain an information security policy for all personnel: Develop and maintain an information security policy covering all security aspects, including technical controls, operational procedures, and employee training. Ensure all personnel know their roles and responsibilities in protecting cardholder data.
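As an added example, not code from the original post or from AuditBoard, the Python module below shows two of the requirements above in working code: truncating a PAN to the first six and last four digits, which is the most a display may show under Requirement 3, and a logging filter that masks Luhn-valid card numbers before a record reaches any handler, so that a careless debug line cannot quietly turn application logs into unprotected cardholder data storage (Requirements 3 and 10). The logger name, the sample messages, and the regular expression are assumptions made for the illustration; the Luhn check is used only to reduce false positives such as order numbers and is not itself a PCI DSS control.

```python
"""PAN truncation and log scrubbing (illustrative, not from the original post).

Assumptions: the masking policy is the PCI DSS truncation rule of keeping at most
the first six and last four digits; everything else here is example code."""
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Used only to cut false positives (timestamps, order numbers) before masking."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits; separators are dropped.

    Raises ValueError for strings that are not a plausible PAN length."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid candidate PAN in text with its truncated form."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


class PanScrubFilter(logging.Filter):
    """Logging filter that masks PANs in the fully formatted message.

    It runs before any handler writes the record, so the full PAN never reaches
    a file, syslog, or a SIEM; the original args are discarded for the same reason."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def filtered_message(msg: str, *args) -> str:
    """Build a LogRecord the way the logging module would, run PanScrubFilter on
    it, and return the resulting message text (convenient for unit tests)."""
    record = logging.LogRecord("payments", logging.INFO, "app.py", 0, msg, args, None)
    PanScrubFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("payments")
    log.addFilter(PanScrubFilter())
    # Constructed sample: a debug line that would otherwise write a full test PAN.
    # The 16-digit order number fails the Luhn check and is left untouched.
    log.info("authorising card %s for order 1234567890123456", "4111 1111 1111 1111")
```

Attach the filter to the logger closest to the payment code (or to every handler, if child loggers are involved, since logger-level filters do not apply to records propagated from children). Truncation like this is acceptable for display and logs, but a truncated PAN and a hash of the same PAN stored together can let an attacker reconstruct the original, so do not keep both forms of the same card in the same environment.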
Preparing for the Next Levels of PCI Compliance
PCI DSS consists of twelve major requirements divided into six control objectives, including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. Each requirement has sub-requirements focused on ensuring the secure processing, storage, and transmission of cardholder data. Understanding these requirements is crucial for any organization handling payment card information, as non-compliance can result in severe penalties, financial losses, and reputational damage.
PCI Software Security Framework
The PCI Software Security Framework (PCI SSF), developed by the PCI Security Standards Council, secures payment software throughout its lifecycle. It includes the Secure Software Standard for design, development, deployment, and maintenance and the Secure Software Lifecycle (Secure SLC) Standard for secure management practices. Replacing the older PCI PA-DSS, this framework provides flexible and comprehensive guidelines to enhance payment software security and protect cardholder data.
Source: PCI SSF
Conducting Gap Analysis
A gap analysis is a critical step in achieving PCI DSS compliance, involving an assessment of your organization’s current security measures against PCI DSS requirements. The goal is to identify gaps where your existing controls fall short. This process includes reviewing policies, procedures, and technical implementations, often involving interviews, documentation reviews, and system scans. The outcome is a detailed report highlighting areas of non-compliance and providing a roadmap for achieving full compliance, allowing organizations to prioritize and address weaknesses systematically.
Enhancing Security Controls
Once gaps are identified, enhancing your security controls is next. This involves implementing the necessary technical, physical, and administrative measures to address deficiencies found during the gap analysis. Actions might include updating firewalls, improving encryption protocols, enhancing access control mechanisms, and deploying more effective anti-virus solutions. Regularly updating and patching systems to protect against vulnerabilities and training staff in security best practices are equally important. Ongoing monitoring and adjustment are required to adapt to new threats and regulatory changes.
Updating Policies and Procedures
Policies and procedures form the backbone of a PCI DSS compliance program, whether it is managed by hand or with compliance management software. After enhancing your security controls, updating your policies and procedures to reflect these changes is essential. This includes documenting how cardholder data is processed, stored, and transmitted. Policies should cover data retention, disposal, incident response, access controls, and network security. Procedures must be clear and enforceable, ensuring all employees understand their responsibilities. Regular reviews, updates, and training sessions help ensure that policies and procedures are effectively implemented and followed, keeping up with evolving threats and PCI DSS requirements.
Integrating the Process
Achieving and maintaining PCI DSS compliance is an ongoing process that involves understanding specific requirements, conducting gap analysis, enhancing security controls, and updating policies and procedures. These interdependent steps should be revisited regularly to ensure continuous compliance and protection of cardholder data. By systematically addressing each area, organizations can build a robust security posture that meets regulatory requirements and protects against the ever-evolving landscape of cyber threats.
Automating PCI Level 1 Compliance
From a technical perspective, various tools help achieve PCI compliance, including vulnerability management, penetration testing, SIEM, log management, file integrity monitoring, encryption, secure configuration management, compliance management, access control, anti-malware, and security awareness training. Automating these tasks allows organizations to focus on high-value activities like threat analysis and strategic planning. AuditBoard’s CrossComply solution, which automates Compliance Management, offers a flexible, accurate, and affordable way for businesses to maintain PCI DSS compliance and adapt to changing regulatory requirements.
Cindy Kuan is a Manager of Product Solutions at AuditBoard. Prior to joining AuditBoard, Cindy spent 5 years with EY Los Angeles and 1 year with The Walt Disney Company specializing in technology audits, SOX/ICFR, and SOC Reporting across Biotechnology, Technology, and Real Estate industries.