PCI-DSS Security Standards Explained: Requirements and Compliance Programs 

Payment security risks are an important issue for every business that interacts with payment cards, whether physically or digitally. As customer data theft and payment fraud remain rampant, POS providers, payment processors, and payment hardware and software vendors alike are looking for extra ways to secure payment transactions and cardholder data processing. 

The Payment Card Industry (PCI) Data Security Standard (DSS) was introduced in late 2006. Yet, despite being around for over a decade, it’s still not unanimously adopted. A 2021 poll found that 50% of merchants are still non-compliant with PCI-DSS or failed to pass an assessment. 

The above is problematic as the majority of consumers (61%) believe the businesses that have access to their personal data are responsible for preventing fraud. PCI-DSS was designed specifically to address customer data protection. 

What is PCI DSS? 

PCI DSS is a unified security standard, conceived and introduced by global payment card providers — American Express, Discover, JCB International, Mastercard, and Visa. Jointly, these companies developed a set of governance, technology, and process guidelines for ensuring a high level of cardholder data protection. 

The two underlying components of PCI-DSS are:

  • PA-DSS (Payment Application Data Security Standard), aimed at ensuring that payment providers do not store unnecessary customer data (e.g. full magnetic stripe, CVV2, or PIN data) 
  • PTS (PIN Transaction Security) devices — approved POS systems that merchants are encouraged to use for secure in-person payments. 

Both publicly distributed payment apps and devices, as well as internal payment processing systems, are subject to PA-DSS compliance (and PCI-DSS respectively). 

The Payment Application Data Security Standard (PA-DSS) concerns software vendors who develop payment applications that store, process, or transmit cardholder data and/or other types of sensitive authentication data. The requirement comes into effect if you intend to sell, distribute, or license a payment app to any third party.

PCI PTS security requirements, however, are more applicable to point-of-sale devices or payment terminals, whether attended, i.e. manned by merchants, or unattended (UPT), e.g. automated parking payment machines.

PCI-DSS Ecosystem of Requirements

 Source: PCI-DSS Council 

PCI-DSS is Two-Fold

Broadly, PCI-DSS can be broken down into:

  • The security standard itself: a prescriptive list of 12 overarching technical requirements and 280+ sub-requirements, specifying compliant payment app architecture, coding practices, data processing standards, and QA/QC procedures
  • PCI-DSS Compliance programs — a certification you can obtain for an existing payment product. You can pass a PCI DSS RoC (Report of Compliance) assessment or a PCI DSS SAQ (Self-assessment Questionnaire). 

The PCI DSS Council has an up-to-date database of certified payment applications and PTS devices for merchants. Getting on this list is like receiving a “stamp of approval”, signifying that your products have unquestionable levels of security. Many business partners also pay attention to PCI-DSS compliance status.

PCI-DSS Compliance Benefits 

Complying with PCI Security Standards seems like a daunting task. The maze of standards and technical best practices can seem hard to handle for large organizations, let alone smaller vendors. 

Yet, becoming compliant has undeniable perks, ranging from higher levels of consumer trust to access to new revenue streams: 

  • Your systems are secure and your customers can entrust you with their sensitive payment card information. Such peace of mind leads to customer confidence and repeat business. 
  • PCI Compliance improves your reputation with banks, payment providers, and other business partners. 
  • You are better prepared to meet additional regulations, such as HIPAA and SOX, after PCI-DSS certification. 
  • Systems hardening and modernization in line with PCI-DSS requirements often result in improved IT infrastructure efficiency. 

Ultimately, PCI-DSS Compliance is your investment in extra protection against costly data breaches and payment card data theft in the present and in the future. 

Last year, the average cost of a data breach for larger organizations totaled $3.86 million, per a Ponemon study. What’s even more problematic is that businesses in the financial sector required 233 days to identify and contain a breach. With proper security measures in place, this timeline can be cut at least in half. 

PCI DSS: Interpretation of the Main Requirements 

PCI DSS emerged as a solution to fragmentation. Before 2006, each card processor relied on its own security standard for protecting cardholder data. Understandably, this resulted in interoperability issues. So the big industry players decided to consolidate their efforts and introduced the PCI DSS standard. 

The PCI DSS security requirements pertain to all payment system components that interact with the cardholder data environment. 

  • The cardholder data environment (CDE) consists of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. 
  • System components include network devices, servers, computing devices, and applications. 

To ensure homogenous and secure interactions between these two assets, PCI-DSS urges developers to adhere to the following 12 requirements: 

  1. Install firewalls to protect cardholder data
  2. Never use vendor-provided defaults for system passwords and other security parameters
  3. Protect stored customer data 
  4. Always encrypt data transmissions across public networks 
  5. Use and regularly update anti-virus software 
  6. Maintain secure access for all systems and applications 
  7. Restrict access to the minimal required information 
  8. Identify and authenticate every party seeking access 
  9. Implement physical protection of cardholder data 
  10. Log and monitor all access to network resources and customer data 
  11. Test and improve security processes 
  12. Maintain security policies for all personnel 

The above are high-level requirements. They are further broken down into 280+ extra security provisions and best practices.

PCI DSS Compliance Programs 

Passing a PCI-DSS assessment is often a contractual requirement, imposed by the founding five payment card brands on partnering merchants and acquirers. Given the rise in payment card usage and new payment methods, in retail in particular, bypassing the interactions with these brands is often not possible. 

After passing the initial certification, your company will likely need to re-confirm its compliance status once a year using either a self-assessment questionnaire or a report on compliance. 

The chart below describes why organizations have to comply with PCI-DSS and who can ask them to be PCI DSS compliant. 

Chart: Whom PCI DSS applies to

Source: Pluralsight

PCI SSF as The Next Compliance Milestone 

The digital payment landscape keeps evolving and new payment modalities come to the fore. As a response to emerging trends, the PCI DSS council decided to upgrade the initial compliance guidelines. 

PCI SSF (Payment Card Industry Software Security Framework) is a revised collection of security standards, built atop PA DSS. SSF features new requirements for demonstrating robust payment systems security levels and lays down best practices for new payment software development. PCI SSF is due to come into effect in October 2022 and will replace the PA DSS as a benchmark standard. 

Software Security Standards Timeline

Source: PCI-DSS Council

The PCI SSF (Software Security Framework) is designed to support a broader array of payment software types, architectures, and agile software development methodologies in use today. The standard is also more future-oriented, accounting for emerging payment use cases, ranging from unattended commerce solutions to IoT payments. 

PCI SSF Components

The PCI SSF framework includes four core components:

  • Secure Software Standard — puts forth security requirements for developing secure payment software. The key focus is on the protection of data confidentiality and integrity during transactions. Primarily concerns vendors who ship software that facilitates payment transactions. 
  • Secure Software Lifecycle (Secure SLC) Standard — encourages vendors to institute and adhere to security best practices at every stage of the software development lifecycle to achieve security by design.
  • Secure Software Program — a validation assessment vendors can complete to get recognized as compliant with PCI-SSF. Everyone who passes the assessment will be listed on a respective list by PCI-DSS Council. 
  • Secure SLC Program — a validation assessment vendors can complete to demonstrate their compliance with Secure SDLC requirements. Likewise, successful validation earns a placement on the PCI SSC List of Secure SLC Qualified Vendors. 

PCI Software Security Framework

Source: PCI-DSS Council 

As part of this change, PCI-DSS also aims to bring in Secure Software Framework Assessors (SSF Assessors) — designated organizations for conducting evaluations of vendors and software products. 

So what are the benefits of PCI-SSF? 

  • Extends PA-DSS applicability to a wider number of payment applications 
  • Improves the flexibility of requirements and validation options 
  • Promotes more agile approaches to application development 
  • Places secure SDLC in the limelight 
  • Accounts for emerging and future payment use cases 

At present, the PA-DSS Council has stopped accepting new PA-DSS validation submissions and is preparing for the SSF roll-out. 

To Conclude: PCI DSS Compliance Myths 

Passing a PCI DSS validation is an intricate process. Despite extensive documentation and supporting resources issued by participating organizations, there are still a number of persistent PCI myths out in the wild. 

So let’s bust some!

Myth 1: PCI DSS doesn’t apply to you if you don’t store cardholder data.

Fact: Wrong, PCI DSS kicks in when you process or transmit sensitive cardholder data (even if you choose not to store it). 

Myth 2: PCI DSS is a legal requirement for businesses

Fact: No, it’s not a legal provision, but a contractual obligation you take on if you are interacting with payment cards. Respectively, you should view PCI DSS like any other contract. 

Myth 3: Encrypted cardholder data is exempt

Fact: Not completely. The third PCI-DSS requirement says that all cardholder data has to be encrypted. Yet, encrypted cardholder data still equals cardholder data. But properly implemented key management can make encrypted data out of scope. 

Myth 4: PCI is a technical issue. There’s no need to involve the rest of the business 

Fact: Protecting cardholder data requires everyone to get on board. In fact, when the compliance initiative comes from the finance department and upper execs back it too, the projects end up being the most successful. 

Myth 5: Adopting product X or software Y will make us PCI compliant

Fact: There is no silver bullet, one-stop-shop, off-the-shelf solution for achieving PCI compliance. 

Myth 6: We outsource payment processing or payment software development. So we can do nothing.

Fact: Is your outsourcing partner compliant? If not, achieving PCI-DSS remains your obligation. Your technology partner can help you prepare for the certification, but they may not be contractually obliged to have PCI-DSS compliance status unless that is written in your paperwork.

Myth 7: Our business is good because we use compliant payment terminals 

Fact: Using an approved PTS (PIN Transaction Security) device is just one aspect of PCI compliance. There’s also PA-DSS as a standard for maintaining secure payment applications.

Myth 8: I’m too small for cybercriminals to take an interest 

Fact: Sorry, but no one is too big or small for a fraudulent attack. In fact, 21% of SMBs experienced payment fraud during the first year of operations, and another 51% within two years of opening their doors. 

Myth 9: My business is small – I don’t need to be PCI compliant 

Fact: Your business size has nothing to do with PCI compliance. Even if you only process several card payments per year, you still need to handle cardholder data in a secure and responsible manner.

Myth 10: PCI compliance only applies to credit card data. 

Fact: PCI compliance applies to any type of payment card (debit and credit), as well as contactless payments. Quick reminder: you cannot store the unencrypted card number, the CVV/CVV2 codes, or the PIN for any type of card. 

Myth 11: PCI compliance is too difficult. No one can keep up with all these requirements! 

Fact: PCI-DSS compliance prompts you to adopt good business standards for securing data. All 12 main requirements are aimed at that. If you already place security at the core of your operations, PCI compliance won’t be a difficult feat!

Level up your security with Edvantis. Contact our Payment Specialists to receive a preliminary consultation on achieving PCI-DSS compliance or developing new payment software in line with all the security best practices. 
