Organizations that accept, store, transmit, or process cardholder data must comply with the PCI DSS. It’s essential to meet data privacy and protection regulations to manage and protect POS (point-of-sale) systems, where the hardware and software enable your business to make sales.
Why is it so important? According to the Consumer Sentinel Network Data Book 2021 of the Federal Trade Commission (February 2022), credit card fraud was the second most frequently reported type of identity theft. In fact, 49% of all FTC reports were related to fraud, with 1.4 million cases of identity theft. As such, fraud activities pose a real threat.
Being PCI Compliant is equivalent to meeting the requirements for driving a car by having a driver’s license. It’s not a benefit, but rather a necessity, especially when eCommerce websites that neglect security are often hacked. This article discusses the urgency of PCI DSS compliance in software development and advises on its main requirements.
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements that protect account data. It was launched in September 2006 to improve account security and regulate PCI security standards. Credit card brands mandate the PCI Standard, monitored by the Payment Card Industry Security Standards Council (PCI SCC), to prevent credit card fraud. Therefore, all service providers must follow strict information regarding security controls and procedures when storing, processing, or transmitting customer payment card data.
Where does PCI DSS apply?
PCI DSS is used primarily by the fintech industry in institutions, including banks, insurance companies, leading agencies, and brokerages. Also, merchants in restaurants, retailers, transportation operators, and virtually any point of sale that processes credit cards across all industries. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties comply with the standard.
The good news is that adhering to the regulations is relatively simple. If you’re using a SaaS platform such as BigCommerce or Shopify, most of the PCI Compliance is handled for you. However, if you use an open-source platform like Magento, WooCommerce, Drupal Commerce, X-Cart, or PrestaShop, you’re responsible for maintaining your website by installing security patches and taking other required measures, including using PCI-compliant eCommerce hosting.
Additionally, if you’re a service provider (including a software developer), the PCI DSS applies to you if you process, transmit, or store cardholder data or if your activities affect the security of the cardholder data during processing, transmission, or storage.
12 rules of PCI DSS compliance
According to PCI DSS, any organization that stores, processes, or transmits cardholder data must maintain a secure environment for sensitive information.
Below are the specified 12 requirements, organized into 6 controlled objectives.
#1 Build and Maintain a Secure Network
1. Protect cardholder data by installing and maintaining a firewall.
Regarding card data, it is a good idea to implement internal firewalls to ensure the servers holding the card data are also protected from internal snooping. Access to private data is blocked by firewalls when foreign or unknown entities attempt to access it. They are often the first line of defense against hackers (malicious or otherwise). It’s important to start with all the ports closed and then open the necessary ones to allow business traffic to pass through.
2. Regarding system passwords, never settle for what the vendor provides by default.
To ensure compliance in this area, you should keep a list of all devices and software requiring passwords (or other security to access). In addition to a device/password inventory, you should consider implementing basic precautions and configurations (e.g., changing the password).
#2 Protect Cardholder Data
3. Protect stored cardholder data.
To ensure compliance with PCI DSS, protecting stored cardholder data requires implementing proper security measures. This includes securely storing sensitive information, such as primary account numbers (PANs) and sensitive authentication data (SAD).
4. Encrypt transmission of cardholder data across public networks.
Strong cryptography and security protocols are fundamental if you include wireless technologies in any part of the data transfer process, transmitting cardholder data over unsecured or public networks..
#3 Maintain a Vulnerability Management Program
5. Use and update anti-virus software regularly.
You should use an up-to-date antivirus solution at every level in the system for all devices interacting with and/or storing PAN, and demand regular updates.
6. Develop and maintain secure systems and applications.
Make sure that all system components are protected from known vulnerabilities. Implement effective patch management to install all critical security patches within one month of their release.
#4 Implement Strong Access Control Measures
7. Restrict access to cardholder data.
You should limit access to cardholder data to those needing to do their jobs. Having all roles that need sensitive data well-documented and updated is crucial.
8. Unique ID assigned to each person with computer access.
When each person with access has a unique identification, they are far less likely to break the rules, knowing they can be identified and tracked. For example, there should not be a single login to the encrypted data in which many employees know the username and password.
9. Restrict physical access to cardholder data.
Restrict physical access to cardholder data, isolating the network housing the cardholder data from the more public network. Both physical (written or typed) and digital data should be locked in a secure room, drawer, or cabinet. Also, any removable media should be strictly controlled within this zone.
#5 Regularly Monitor and Test Networks
10. Ensure that all network resources and cardholder data are tracked and monitored.
All cardholder data and primary account numbers (PAN) must have log entries for compliance. It is necessary to document how data flows into your organization and the number of times access is required.
11. Regularly test security systems and processes.
Monitoring and testing network security includes tracking network events and providing audit trails of all network activity.
#6 Maintain an Information Security Policy
12. Establish a policy that addresses information security for employees and contractors.
Document the inventory of equipment, software, and employees with access.
All these rules require a depth of cybersecurity knowledge to implement the policy. As such, cybersecurity plays a significant role in PCI DSS.
Some words about PCI DSS v4.0 (2023)
PCI DSS version 4.0 was released on March 31, 2022. In v4.0, PCI DSS addresses emerging threats and technologies and enables combatting new threats with innovative methods. The updated standard is available on the PCI SSC website.
To combat new threats to customer payment information, the updated security payment standard addresses emerging threats and technologies. Based on the concept of zero-trust, PCI DSS 4.0 introduces new requirements. Here are some examples of the changes in PCI DSS v4.0:
- A broader range of technologies to meet the traditional security objectives of firewalls with updated terminology for network security controls.
- Cardholder data environment requires multifactor authentication (MFA) for all users.
- Increasing the flexibility of organizations to demonstrate how they achieve security objectives using different methods.
- By using targeted risk analyses, entities can determine how frequently they perform certain activities based on their business needs and risk exposures.
There is a two-year transition period from PCI DSS version 3.2.1, which will be retired on 31 March 2024.
Benefits of PCI DSS compliance
According to the 2018 Verizon Payment Security Report, nearly one in five (18%) organizations still need a defined compliance program with set scope and objectives. Adhering to the Payment Card Industry Data Security Standard (PCI DSS) is necessary for any business wishing to process, transmit, or store card payments. Recognizing the benefits and being PCI DSS-compliant is crucial in keeping customers’ data safe.
Here are 5 benefits of adopting PCI DSS compliance:
- Builds customer trust
- Prevent data breaches
- Helps to meet global standards
- Provides a baseline for other regulations
- Puts security first
What happens if you don’t comply?
- You can get hefty fines
- You can lose customers and revenue
- You are barred from card acceptance
Adhering to the Payment Card Industry Data Security Standard (PCI DSS) is necessary for any business to process, transmit, or store card payments. It should be seen as a global baseline. Understanding the rules and remaining PCI DSS-compliant can be complex and time-consuming, but keeping customers’ data safe is paramount.
Security standards are what every responsible CIO should be doing anyway, taking it step further for company-specific risks and operations. If you need help outsourcing a reliable team of experienced engineers who will care about your data security, please contact us. We will help you meet PCI DSS compliance in every aspect of software development.