What does Payment Card Industry (PCI) compliance have to do with flying passengers? Just like an airline needs to comply with harsh safety standards, to get a license to fly passengers, it must comply with PCI security standards to get a permit to use and process credit and debit cards.
Every use of a payment card (credit or debit) involves sensitive data creation, transmitting, storage, and processing, while each step of the way is prone to cyber-attacks. Payment card data breaches come with a cost: IBM’s 2021 Cost of a Data Breach report found that the average cost is $4.24 million per incident and rising. That is why credit card giants started imposing security standards during the 1990s and eventually, from 2004 onward, created the PCI DSS (Payment Card Industry Data Security Standard).
Any enterprise wishing to use payment cards must be fully compliant with the PCI DSS requirements (12 main requirements and over 300 sub-requirements). Non-compliance can result in huge fines and compensations (dozens and sometimes hundreds of millions of dollars) and, in the worst-case scenario, losing the privilege to process payment cards.
As PCI compliance applies to any company processing payment card information, this guide is essential for CISOs, InfoSec professionals, corporate security execs, security operation managers, cyber security professionals, and compliance officers.
In this guide to PCI Compliance, you’ll learn:
- What is PCI compliance (the 12 requirements that stand at the heart of PCI DSS)?
- What are the consequences of PCI non-compliance?
- How to build a successful PCI compliance strategy.
- How to train employees for PCI compliance.
- What are the four levels of PCI DSS compliance?
- The complete requirements list to the PCI DSS 3.2.1 update.
- What are the essentials needed to launch your PCI compliance program?
What is PCI compliance?
PCI compliance means constantly complying with the 12 requirements (and their sub-requirements) stipulated in the most recent version of the PCI DSS. The 12 requirements (grouped under 6 control objectives) are:
| Control objectives one: Build and Maintain a Secure Network | 1. Use and maintain a firewall to protect cardholder’s sensitive data.
2. Change and modify default security parameters such as vendor-supplied passwords. |
| Control objectives two: Protect Cardholder Data | 3. Use encryption, hashing, masking, truncation, and erasing data when needed.
4. Data must be encrypted when stored or transferred, using strong encryption standards, especially when using public networks. |
| Control objectives three: Maintain a Vulnerability Management Program | 5. Install antivirus applications on all systems and constantly update them.
6. Immediately update any application with the latest security patches. |
| Control objectives four: Implement Strong Access Control Measures | 7. Restrict access to cardholder’s data to authorized personnel on a need-to-know basis.
8. Assign a unique ID to each person having access to the system and its components. 9. Restrict physical access to systems containing sensitive cardholder data. |
| Control objectives five: Regularly Monitor and Test Networks | 10. Continuously track all access to cardholder data and network resources.
11. Regularly test/ check every security system, application, and process to reveal vulnerabilities proactively. |
| Control objectives six: Maintain an Information Security Policy | 12. All personnel, such as employees, vendors, contractors, etc., must be managed under a security policy including, regular background checks, routine security briefings, etc. |
The consequences of PCI non-compliance
As mentioned above, PCI compliance is relevant to all organizations that use and process payment card data (that virtually means everyone). Non-compliance that ends in data breaches can bring direct financial damage (up to $500,000 per incident, fines, legal fees, and compensation) and future financial costs coming from losing clients, reputation damage, and the right to use and process payment cards.
However, as PCI compliance is continuously monitored and audited, failing to be compliant can cause damage in the shape of fines and penalties, even if it hasn’t led to data breaches. According to the PCI SCC (Payment Card Industry Security Standards Council), payment brands may, at their discretion, impose fines of $5,000 to $100,000 per month for PCI compliance violations.
Moreover, compliance audit procedures are dependent on the level of compliance needed (there are four levels of compliance according to the number of transactions made annually, as discussed in detail below). Failure to comply means that the requirements will become harsher in subsequent quarterly and yearly audits, i.e., you’ll need to spend more time and money on compliance audits.
How to build a successful PCI compliance strategy
After reviewing the basics, we’ll now discuss building a successful PCI compliance strategy. One of the best ways would be to begin with, Sun Tzu’s quote from the timeless book “The Art of War”: “Know thyself, know thy enemy. A thousand battles, a thousand victories.”
Understand what you’re protecting:
Locate, map, and classify all your data and data flows
The first step of “Knowing thyself” in achieving PCI compliance is to understand what exactly you’re protecting: what kind of data, where that data is located and processed, and how it gets there (i.e., data flow). All this can be done by using automated AI-based tools:
- Make sure you locate and check all systems, applications, networks, and processes in the organization that interact with credit card data (on-site payment terminals, online shopping sites, networks, local and cloud databases, phone call logs, ERP, and CRM platforms, sales emails, etc.).
- Map data creation and location: understand how and where the data is created and where it is located and stored.
- Map data processes and flow: understand how the data flows across your system and how and where it’s processed.
- Label all data for classification purposes.
Understand your current system vulnerabilities:
Conduct risk assessments and make sure you constantly address them
The second step in “Knowing thyself” is learning your vulnerabilities, i.e., where and what your system’s weak points are. Vulnerabilities are divided into two categories:
- Technical vulnerabilities (such as multiple on-site payment terminals spread out over various locations and many sites on different servers using different technologies).
- Vulnerabilities derived from the human factor: the weakest link is usually the human operator; therefore, it is advisable to apply particular emphasis on systems where data is created manually, like emails and phone call logs.
Addressing technical compliance is relatively easy. It consists of very straightforward actions and processes (as stipulated by the PCI DSS) that can be automatically resolved, such as installing and constantly updating firewalls and antivirus application encryption protocols, security patches, etc.
Handling human-linked vulnerabilities can be more difficult and require briefing, monitoring, and training. The more knowledgeable and practiced your employees are in handling weak points and in how to comply with security standards, the better they will handle these weaknesses and be sure to maintain compliance constantly.
Continuously check for weaknesses:
Regularly search for old and new weak points and remediate them
Knowing where your weak points are is not a one-time static action but rather an ongoing process. As your systems and applications regularly change and evolve, old hazards that were dealt with might rise again, and new ones may come to life. All relevant security systems, system components, networks, applications, and processes must be continually monitored and tested. To save much of this labor-intensive work and reduce human error, it is advisable to automate this process as much as possible.
The human-derived weaknesses must also be subjected to the same approach. All practices and protocols (and their adherence) must be regularly tested and constantly monitored.
As a rule, the preemptive approach is always the most efficient and effective one. Instead of dealing with ongoing breaches and containing their consequences, it is wiser to prevent them from occurring through ongoing frequent training of all employees.
Know thy enemy:
Conduct threat assessments and confirm countermeasures compliance
After mapping all the data that needs to be protected (what data, how it’s created, where its located, and how it flows), conducting risk and vulnerability assessments, addressing and monitoring for weak points (technical and human), it’s now time to address the “enemy.”
Risk and vulnerability assessments examine how strong (or weak) your security protection measures are, i.e., how good your defenses are and how likely they are to prevent attacks from succeeding. Threat assessments deal with the “offensive,” i.e., the type, scope, and strength of offensive threats and their likelihood to occur. That means studying and assessing old and new malware (such as Ransomware, Viruses, Worms, Trojans, Rootkits, etc.) and their countermeasures.
IBM’s 2021 Cost of a Data Breach Report found that almost half of all data breaches originated from internal threats like phishing, use of unauthorized devices, and apps, theft of company devices, etc. This is another example of why employees should be educated, briefed, and trained regarding the need for strict compliance with security protocols and procedures, the type and scope of potential threats, and how to best avoid (if possible), identify, and respond to them whenever they occur.
Always be prepared:
Create and update compliance policies and make sure you are up to date with new requirements
Now that you “Know thyself” and “thy enemy,” it’s time to make sure you are prepared for the current state of compliance and future changes.
As technology evolves, new risks appear, and the tools and practices used by attackers improve. The number of attacks also continues to grow: A 2021 report by the intelligence firm IDC found that 98% of the companies surveyed had experienced at least one cloud data breach in the prior 18 months. According to the Theft Resource Center (ITRC), during Q3 of 2021, 160 million people were victims of data compromise, caused mainly due to unsecured cloud databases. This number is higher than Q1 and Q2 2021 combined. To counter these issues, PCI DSS is constantly changed and updated.
To ensure you are always in compliance, you have to create PCI compliance policies and ensure they’re always implemented and updated. Once again, this is not a one-time effort, but an ongoing process and employees should be at the focal point of that effort. Coping with new attack technologies is relatively straightforward: using faster security and compliance automatic tools. Training employees to be prepared for new threats and compliance demands is more challenging but crucial.
Resources for PCI compliance
We’ve talked about PCI compliance, why/to whom it matters, and how to build a successful PCI compliance strategy. We will now explore some resources for PCI compliance that will give you the knowledge and tools needed to apply this strategy.
How to Train Employees for PCI Compliance
As shown above, training employees is essential. Here are some key points addressing this issue:
- Create a comprehensive PCI compliance policy: this should include all aspects of compliance (technical and human) for all your employees, vendors, and customers.
- Ensure employees understand security risks, threats, and consequences: employees should be regularly educated and updated regarding technical vulnerabilities, malware, and social engineering (like phishing), including the technical and financial damage they can cause.
- Ensure employees understand non-compliance risks and their consequences: as discussed above, you don’t have to suffer from actual data breaches to suffer financial damage.
- Confirm that all employees are knowledgeable about up-to-date compliance requirements and the company’s PCI compliance policies.
- Make security and PCI compliance training a mandatory ongoing procedure: having established the importance of PCI compliance training, it must become a mandatory company policy.
- Make training engaging: imaginative tools and simulations can make cyber and compliance awareness training extremely engaging and effective.
- Keep training materials up to date.
The 2022 Guide to PCI Compliance Levels
Depending on the volume of transactions processed by an enterprise, the PCI DSS specifies four levels of compliance:
|
Level |
Definition (num. of transactions processed annually by the enterprise) | Annual requirements |
Quarterly requirements |
| 1 | More than 6 million transactions of Visa or MasterCard, more than 2.5 million for American Express, or had a data breach in the past. | Submit:
– An annual Report on Compliance (ROC) is done by a Qualified Security Assessor (QSA) or by an internal auditor if signed by an officer of the company. |
Conduct a network scan by an Approved Scan Vendor (ASV). |
| 2 | 1 – 6 million payment card transactions on all channels. | Submit:
– A ROC or Self Assessment Questionnaire (SAQ) by a Qualified Security Assessor (QSA) or an internal assessor if signed by a company officer. – An Attestation of Compliance (AOC). |
Conduct a quarterly network scan by an Approved Scan Vendor (ASV) |
| 3 | 20,000 – 1 million payment card transactions on all channels. | – Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.
– Submit an Attestation of Compliance (AOC) Form. |
Conduct a Network scan by an Approved Scan Vendor (ASV). |
| 4 | Fewer than 20,000 payment card transactions on all channels. | – Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.
– Submit an Attestation of Compliance (AOC) Form. |
Conduct a Network scan by an Approved Scan Vendor (ASV). |
The Complete Requirements List to PCI DSS 3.2.1 Update
As of 2022, the PCI SSC issued several updates, the most recent one was version 4.0, published on March 31. Version 3.2.1 (published in May 2018) will continue to remain active until it is retired on March 31, 2024 ( to provide organizations with the required time to understand the changes in version 4.0 and implement any updates needed).
Version 3.2.1 is an update of previous version 3.2 published in February 2018 and mainly includes clarifications intended to clear any misunderstanding regarding the effective dates for PCI DSS 3.2:
- In v3.2, published on February 1, 2018, PCI Requirements 3.5.1, 6.4.6, 8.3.1, 10.8, 10.8.1, 11.3.4.1, 12.4.1, 12.11, and 12.11.1 went from being “best practices” to mandatory requirements. Hence the note in PCI DSS v3.2 addressing the effective date of these requirements was removed.
- PCI DSS v3.2.1 addresses an error: a reference was changed from PCI Requirement 3.5.1 to 3.5.2.
- In v3.2. Appendix A2 was updated. Therefore requirements A2.1-A2.3 were also updated.
The compensating control example included in the PCI DSS Appendix B of v3.2.1 has been updated since PCI DSS requirement 8.3.1 had become mandatory.
Launch your PCI compliance program
In this guide, you learned about PCI compliance (the basics, why it matters, etc.) and how to achieve compliance by building a compliance strategy, using automated tools, and training employees. When launching your PCI compliance program, make sure you follow these essentials:
- Focus on the human element, even when dealing with the most technical compliance issues. Remember, your organization’s compliance is only as strong as your employees’ compliance.
- Educate, brief, and constantly train your employees on:
- The most up-to-date PCI requirements are relevant to your business and its systems, their rationale, and the consequences and risks arising from non-compliance.
- Old and new security risks and threats and their costs.
- Create a compliance strategy by mapping and classifying all your data and data flows, assessing risks and weaknesses, and investigating threats.
- Build and maintain updated comprehensive PCI compliance policies, plans, and procedures, including mandatory ongoing compliance training.
- Invest in effecting staff awareness training by using machine-learning-based methods and engaging tools. Use these to train employees on how to:
- Identify, respond and prevent security risks and threats.
- Handle PCI compliance (know the basics, follow updates, avoid non-compliance, understand audit procedures, etc.)
- Employ holistic state-of-the-art automated compliance tools whenever possible.
Adopting these essentials will help you and your employees achieve the most optimal PCI compliance possible.
Request a demo or take a self-guided virtual tour
Your employees’ readiness is your greatest security and compliance asset!
See how a fully automated compliance tool like AuditReady can help your team prepare for cybersecurity training audits. Take a self-guided tour through BLAST phishing simulations, continuous awareness bites (CAB) security awareness training, and reporting and data management. These tools create a fully automated platform that will help you drive a cultural change via fun and engaging practices to enhance employees’ cyber security awareness and PCI compliance.
