The 2022 Guide to PCI Compliance Levels

By Daniella Balaban
March 22, 2022 | 6 MIN READ

If the payment card industry were a state, PCI DSS (Payment Card Industry Data Security Standard) would be the equivalent of its internal security laws and regulations.

The PCI DSS was created and is administered by the Payment Card Industry Security Standards Council (PCI SSC). It stipulates 12 main requirements (and over 300 sub-requirements) regarding the security practices surrounding the use of payment cards.

There are several levels of compliance, and any enterprise (from the smallest merchant to the largest credit card processing service) must fulfill the requirements in order to be allowed to accept credit or debit cards through any channel (online, offline, via telephone, etc.).

Fraud and identity theft can result in costly lawsuits, reputation damage, and customer loss. Anything less than strict adherence to PCI DSS can lead to loss of the right to process credit and debit cards altogether. However, the challenge of building effective, comprehensive protection and maintaining PCI DSS compliance is becoming increasingly complicated.

As Verizon’s latest Payment Security Report shows, web applications are now the main vector for retail breaches. Only 9 percent of attacks generated alerts, 53 percent of attacks succeeded without being detected, and only 33 percent of attacks were prevented by the security tools in place.

In this article, we will cover the basics of PCI DSS requirements and compliance levels. We will also discuss the key steps needed to comply with them, compliance that is essential to any business that wants to avoid being fined or losing the license to accept payment cards.

The 6 goals and 12 requirements of PCI DSS 

The PCI DSS specifies 12 requirements that are commonly grouped under six main goals:

1. Build and Maintain a Secure Network 

2. Protect Cardholder Data 

3. Maintain a Vulnerability Management Program 

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks 

6. Maintain an Information Security Policy 

The three main aspects of managing PCI DSS

In practice, managing PCI DSS compliance boils down to three main aspects (each done in accordance with the 12 PCI DSS requirements mentioned above):

  1. Guaranteeing that sensitive card data is securely gathered, transmitted, processed, and accessed (use a firewall and up-to-date antivirus applications, change default passwords, erase data when it is no longer needed, use encryption, hashing, masking, truncation, etc.).
  2. Storing sensitive data in the most secure manner (use a firewall and up-to-date antivirus applications, use encryption, restrict access to authorized personnel with a unique ID on a need-to-know basis, restrict physical access, etc.).
  3. Annual inspection and validation to ensure that all security controls are fully and properly implemented (conduct third-party audits, test or scan for vulnerabilities, conduct security surveys, etc.).

Achieving PCI DSS compliance – The four levels

As mentioned above, there are four levels of compliance (depending on the volume and type of transactions processed by the business). Here is a complete guide to PCI DSS compliance according to each level.

Level 1

Definition

Enterprises that annually process more than 6 million Visa or MasterCard transactions, or more than 2.5 million American Express transactions, or that have had a data breach in the past.

Annual requirements

Submit:

Quarterly requirements:

Conduct a network scan by an Approved Scan Vendor (ASV).

Level 2

Definition 

Enterprises that annually process between 1 million and 6 million payment card transactions across all channels.

Annual requirements

Submit:

Quarterly requirements

Conduct a quarterly network scan by an Approved Scan Vendor (ASV).

Level 3

Definition 

Enterprises that annually process between 20,000 and 1 million payment card transactions across all channels.

Annual requirements:

Quarterly requirements

Conduct a network scan by an Approved Scan Vendor (ASV).

Level 4

Definition 

Enterprises that annually process fewer than 20,000 payment card transactions across all channels.

Annual requirements:

Quarterly requirements

Conduct a network scan by an Approved Scan Vendor (ASV).

Maintaining PCI DSS compliance - A “To-Do-List”

So far, we have discussed what PCI DSS is and why it matters, its 12 main security requirements, the four levels of compliance, and what is needed to fulfill them. Now it is time to talk about the practical actions that security personnel (CISOs, InfoSec staff, corporate security executives and security operations managers, cyber security professionals, etc.) must take to achieve PCI DSS compliance.

1. Detecting and mapping data and data flows

The first step is to locate and map all of the organization’s sensitive credit card data (i.e., where it is and how it gets there).

Check and map all systems, applications, networks, and processes in the organization that interact with credit card data (on-site payment terminals, online shopping sites, networks, local and cloud databases, phone call logs, ERP and CRM platforms, sales emails, etc.).
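As an added illustration of this mapping step and of the masking and truncation controls listed earlier (this is example code, not part of the original article or of any CybeReady product), the following Python script scans constructed sample log lines for candidate card numbers, uses the Luhn check to discard timestamps and other long digit strings, and records any hits only in the masked first-six/last-four form so that the inventory itself does not become a new store of full PANs. The sample lines, the regular expression and all function names are constructed for this example.

```python
import re

# Constructed sample lines standing in for a log or export that is being
# inventoried while mapping card-data flows. The card numbers are publicly
# known test numbers, not real PANs.
SAMPLE_LINES = [
    "order=1001 card=4111111111111111 amount=19.99",
    "order=1002 card=4111-1111-1111-1112 amount=5.00",  # fails the Luhn check
    "ref=20220322123457 note=callback 5551234567",       # long numbers, no PAN
    "order=1003 card=5555 5555 5555 4444 amount=42.00",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not part of a
# longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn checksum; filters out timestamps, order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def as_pan(text):
    """Strip separators and return the digits if they form a Luhn-valid PAN."""
    digits = re.sub(r"[ -]", "", text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None

def mask_pan(digits):
    """Masked display form: at most the first six and last four digits remain."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line):
    """Return every PAN found in a line, separators removed."""
    return [p for p in (as_pan(m.group()) for m in CANDIDATE.finditer(line)) if p]

def redact_line(line):
    """Replace each detected PAN with its masked form, leaving other text intact."""
    def repl(m):
        pan = as_pan(m.group())
        return mask_pan(pan) if pan else m.group()
    return CANDIDATE.sub(repl, line)

def inventory(lines):
    """Line number -> masked PANs, so the mapping report holds no full PAN."""
    return {i: [mask_pan(p) for p in find_pans(l)]
            for i, l in enumerate(lines) if find_pans(l)}
```

Running `inventory(SAMPLE_LINES)` reports lines 0 and 3 only; the hyphenated number on line 1 fails the Luhn check and the timestamp on line 2 is rejected for the same reason, which is what keeps this kind of discovery scan from drowning in false positives.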

2. Conduct a risk assessment and check for vulnerabilities

After mapping the sensitive credit card data’s location and flow, it is time to assess the risks and vulnerabilities. 

Every system component that stores, transfers, or processes such data should be examined and analyzed. A comprehensive list should be created, detailing the potential risks facing each component and assessing its vulnerability.

Based on that list, the security team must decide how to protect each component so as to best comply with PCI DSS requirements while taking the organization’s security resources into account.

3. Test, monitor, and update

All relevant security systems, system components, networks, applications, processes, and protocols (and adherence to them) must be regularly tested and constantly monitored to find both existing and new breaches. Security tools and protocols should be continuously maintained and updated to best resist new threats.

4. Constant security compliance and awareness training

One of the most vulnerable points in any system is its human operators (from the call center operators to the CISO and their security team). The most secure data transfer protocol is useless if it is bypassed via unprotected email or text messaging. The best antivirus application will be compromised if it is not regularly updated.

Therefore, it is vital to constantly conduct security briefings regarding old and new threats and train all personnel to comply with all security requirements.

Conclusion

As discussed above, PCI DSS compliance is crucial for every vendor accepting or processing payment cards, since non-compliance means losing the right to use payment cards altogether.

The PCI DSS always starts and ends with the human factor – detect and map data flows, check for risks and vulnerabilities, test, monitor, update, and most importantly, train personnel and conduct PCI DSS audits. These are all actions that must be done regularly and proactively by CISOs, InfoSec, corporate security execs and managers, and their team.

This is exactly where CybeReady enters the scene. CybeReady’s end-to-end corporate cyber security training platform changes employees’ behavior to better cope with security breach dangers (using tools like security awareness training and phishing simulations). 

Moreover, tools like AuditReady will help your enterprise best prepare for the annual and quarterly PCI DSS audits.

Contact CybeReady to start improving the effectiveness of your security training program today.