In 2020, credit cards were used to make 27% of all payments, according to a study by the Federal Reserve Bank of San Francisco. This was the highest level it’s been since the study began in 2016. Debit cards made up 28%. Cash use made up 19% of all payments, down seven percentage points from 2019. Other payment instruments, including ACH payments, ​​bank account number payments, online banking bill pay, and prepaid cards, made up 26%. 

Accepting payment cards means that your company needs to comply with Payment Card Industry Data Security Standards (PCI DSS) to protect customer data. 

This article covers the basics of PCI DSS and compliance to help you understand the essentials of the framework and how it applies to your business.

What is PCI DSS & what does it stand for?

PCI DSS stands for the Payment Card Industry Data Security Standard. This framework is a set of security requirements for merchants and service providers that store, process, transmit, or could impact the security of cardholder data.

PCI DSS is administered and managed by the PCI Security Standards Council, an independent body that was created by major payment card brands such as Visa, MasterCard, American Express, Discovery and JCB. The payment brands are responsible for enforcing compliance. 

Is PCI DSS a law?

While PCI is not a law, it is part of a contractual relationship between an acquiring bank and the payment card companies they have a relationship with. Since the acquiring banks are on the hook for non-compliance by the card brands, they will determine how their merchants must report PCI DSS compliance and will likely pass any fines down to them. 

Additionally, in some states such as Nevada, Minnesota, and Washington, portions of the PCI DSS have been written into state law.

What is PCI DSS Compliance?

PCI DSS compliance means working with your customers or acquiring banks to determine how your service can impact cardholder data, determining exactly which PCI DSS requirements your organization is responsible for, and adhering to the applicable security controls listed within the PCI DSS framework.

These requirements cover a wide range of operational and technical controls that impact not only how cardholder data is stored, processed, or transmitted but also ensure the security of the machines and networks involved in these processes and the personnel responsible for administration of these controls.

The 12 requirements are:

1. Install and maintain network security controls: This first requirement mostly revolves around the security of your cardholder data network. Implementing network components based on a configuration standard, establishing firewall rules to allow only traffic required for the business and implementing network security controls such as internal network segmentation and requiring personal firewall software on workstations. 
2. Apply secure configurations to all system components: Requirement 2 controls are specifically regarding implementation of systems into your cardholder data environment. Networks, servers, and other resources that are implemented into the network must be configured securely prior to implementation by utilizing configuration standards such a CIS or vendor documentation. By utilizing implementation guidance, this will help ensure any default vendor ID’s or passwords are removed from systems prior to implementation into your cardholder data environment..
3. Protect stored account data: Requirement 3 is specifically related to the protection of stored cardholder data. This requirement specifies what data is allowed to be stored and the controls for storing data securely including encryption requirements, encryption key management including key custodian responsibilities and how to securely delete cardholder data when it is disposed of or past retention limits.
4. Protect cardholder data with strong cryptography during transmission over open, public networks:  Requirement 4 covers the security of cardholder data when it is transmitted. Specific requirements include ensuring strong encryption is used when cardholder data is transmitted over the internet and securely transmitting data over end user messaging technologies and wireless networks.
5. Protect all systems and networks from malicious software: Requirement 5 is related to the use of anti-virus software on all servers and workstations that are considered commonly affected by malware and how monitoring is performed for systems that are considered not commonly affected by malware. This requirement has controls related to how often scanning should be performed, the inability for users to disable the anti-virus software, and proper logging for all anti-virus software. 
6. Develop and maintain secure systems and software: Requirement 6 revolves around the security of software development processes and ensuring systems are patched in a timely manner. This requirement covers controls such as developer secure code training, ensuring web applications are protected from common security vulnerabilities, and critical security patches are being installed on systems in a defined time frame.
7. Restrict access to system components and cardholder data by business need-to-know: Requirement 7 is related to logical access control. Requirements specifically revolve around allowing access only for business related needs and establishing a default deny-all for all access not specifically defined as allowed.
8. Identify users and authenticate access to system components: Requirement 8 covers authentication controls and requirements such as access reviews, revoking access in a timely manner and password requirements. Implementing configurations such as session timeout, password complexity, and user access restrictions for shared accounts.
9. Restrict physical access to cardholder data: Requirement 9 revolves around the physical security of your CDE including office locations, data centers, and the handling of physical media. Ensure physical security controls are in place such as visitor management, access control mechanisms and proper handling of physical media containing cardholder data.
10. Log and monitor all access to system components and cardholder data: Requirement 10 covers logging and monitoring controls such as specific security metrics that should be logged, notified against and resolved by an information security team.  Timely detection and response to these security events is required and covered with controls such as requiring logging configuration for all in-scope systems, having personnel monitoring events 24/7, and having an established process for responding to events.
11. Test security of systems and networks regularly: Requirement 11 contains controls related to the establishment of a vulnerability management process. The controls include performing quarterly internal and external vulnerability scans and an annual penetration test.
12. Support information security with organizational policies and programs: Requirement 12 contains controls related to the operational security of your organization such as policy and procedure management, risk assessment methodology, and incident response protocols.

Is PCI DSS compliance mandatory?

Yes. PCI DSS compliance is required for any merchant or service provider that processes, stores, transmits, or could impact the security of cardholder data — regardless of the size and scale of your business. 

A small business that handles 100 card transactions a year must comply with PCI DSS, just like an enterprise-level business that handles 1 million transactions. 

However, PCI compliance for a small business will look a bit different from an enterprise-level organization.