The Ultimate Guide to PCI Compliance

What does Payment Card Industry (PCI) compliance have to do with flying passengers? Just like an airline needs to comply with harsh safety standards, to get a license to fly passengers, it must comply with PCI security standards to get a permit to use and process credit and debit cards[...]
By Daniella Balaban
image April 27, 2022 image 10 MIN READ

What does Payment Card Industry (PCI) compliance have to do with flying passengers? Just like an airline needs to comply with harsh safety standards, to get a license to fly passengers, it must comply with PCI security standards to get a permit to use and process credit and debit cards.

Every use of a payment card (credit or debit) involves sensitive data creation, transmitting, storage, and processing, while each step of the way is prone to cyber-attacks. Payment card data breaches come with a cost: IBM’s 2021 Cost of a Data Breach report found that the average cost is $4.24 million per incident and rising. That is why credit card giants started imposing security standards during the 1990s and eventually, from 2004 onward, created the PCI DSS (Payment Card Industry Data Security Standard).

Any enterprise wishing to use payment cards must be fully compliant with the PCI DSS requirements (12 main requirements and over 300 sub-requirements). Non-compliance can result in huge fines and compensations (dozens and sometimes hundreds of millions of dollars) and, in the worst-case scenario, losing the privilege to process payment cards.

As PCI compliance applies to any company processing payment card information, this guide is essential for CISOs, InfoSec professionals, corporate security execs, security operation managers, cyber security professionals, and compliance officers.

In this guide to PCI Compliance, you’ll learn: 

What is PCI compliance?

PCI compliance means constantly complying with the 12 requirements (and their sub-requirements) stipulated in the most recent version of the PCI DSS. The 12 requirements (grouped under 6 control objectives) are:

Control objectives one: Build and Maintain a Secure Network 1. Use and maintain a firewall to protect cardholder’s sensitive data.

2. Change and modify default security parameters such as vendor-supplied passwords.

Control objectives two: Protect Cardholder Data 3. Use encryption, hashing, masking, truncation, and erasing data when needed.

4. Data must be encrypted when stored or transferred, using strong encryption standards, especially when using public networks.

Control objectives three: Maintain a Vulnerability Management Program  5. Install antivirus applications on all systems and constantly update them.

6. Immediately update any application with the latest security patches.

Control objectives four: Implement Strong Access Control Measures 7. Restrict access to cardholder’s data to authorized personnel on a need-to-know basis.

8. Assign a unique ID to each person having access to the system and its components.

9. Restrict physical access to systems containing sensitive cardholder data.

Control objectives five: Regularly Monitor and Test Networks 10. Continuously track all access to cardholder data and network resources.

11. Regularly test/ check every security system, application, and process to reveal vulnerabilities proactively.

Control objectives six: Maintain an Information Security Policy 12. All personnel, such as employees, vendors, contractors, etc., must be managed under a security policy including, regular background checks, routine security briefings, etc.

The consequences of PCI non-compliance

As mentioned above, PCI compliance is relevant to all organizations that use and process payment card data (that virtually means everyone). Non-compliance that ends in data breaches can bring direct financial damage (up to $500,000 per incident, fines, legal fees, and compensation) and future financial costs coming from losing clients, reputation damage, and the right to use and process payment cards.

However, as PCI compliance is continuously monitored and audited, failing to be compliant can cause damage in the shape of fines and penalties, even if it hasn’t led to data breaches. According to the PCI SCC (Payment Card Industry Security Standards Council), payment brands may, at their discretion, impose fines of $5,000 to $100,000 per month for PCI compliance violations.

Moreover, compliance audit procedures are dependent on the level of compliance needed (there are four levels of compliance according to the number of transactions made annually, as discussed in detail below). Failure to comply means that the requirements will become harsher in subsequent quarterly and yearly audits, i.e., you’ll need to spend more time and money on compliance audits.

The consequences of PCI non-compliance

How to build a successful PCI compliance strategy

After reviewing the basics, we’ll now discuss building a successful PCI compliance strategy. One of the best ways would be to begin with, Sun Tzu’s quote from the timeless book “The Art of War”: “Know thyself, know thy enemy. A thousand battles, a thousand victories.

Understand what you’re protecting:
Locate, map, and classify all your data and data flows

The first step of “Knowing thyself” in achieving PCI compliance is to understand what exactly you’re protecting: what kind of data, where that data is located and processed, and how it gets there (i.e., data flow). All this can be done by using automated AI-based tools:

Understand your current system vulnerabilities:
Conduct risk assessments and make sure you constantly address them

The second step in “Knowing thyself” is learning your vulnerabilities, i.e., where and what your system’s weak points are. Vulnerabilities are divided into two categories:

Addressing technical compliance is relatively easy. It consists of very straightforward actions and processes (as stipulated by the PCI DSS) that can be automatically resolved, such as installing and constantly updating firewalls and antivirus application encryption protocols, security patches, etc. 

Handling human-linked vulnerabilities can be more difficult and require briefing, monitoring, and training. The more knowledgeable and practiced your employees are in handling weak points and in how to comply with security standards, the better they will handle these weaknesses and be sure to maintain compliance constantly.

Continuously check for weaknesses:
Regularly search for old and new weak points and remediate them

Knowing where your weak points are is not a one-time static action but rather an ongoing process. As your systems and applications regularly change and evolve, old hazards that were dealt with might rise again, and new ones may come to life. All relevant security systems, system components, networks, applications, and processes must be continually monitored and tested. To save much of this labor-intensive work and reduce human error, it is advisable to automate this process as much as possible.

The human-derived weaknesses must also be subjected to the same approach. All practices and protocols (and their adherence) must be regularly tested and constantly monitored.

As a rule, the preemptive approach is always the most efficient and effective one. Instead of dealing with ongoing breaches and containing their consequences, it is wiser to prevent them from occurring through ongoing frequent training of all employees.

Know thy enemy:
Conduct threat assessments and confirm countermeasures compliance

After mapping all the data that needs to be protected (what data, how it’s created, where its located, and how it flows), conducting risk and vulnerability assessments, addressing and monitoring for weak points (technical and human), it’s now time to address the “enemy.”

Risk and vulnerability assessments examine how strong (or weak) your security protection measures are, i.e., how good your defenses are and how likely they are to prevent attacks from succeeding. Threat assessments deal with the “offensive,” i.e., the type, scope, and strength of offensive threats and their likelihood to occur. That means studying and assessing old and new malware (such as Ransomware, Viruses, Worms, Trojans, Rootkits, etc.) and their countermeasures. 

IBM’s 2021 Cost of a Data Breach Report found that almost half of all data breaches originated from internal threats like phishing, use of unauthorized devices, and apps, theft of company devices, etc. This is another example of why employees should be educated, briefed, and trained regarding the need for strict compliance with security protocols and procedures, the type and scope of potential threats, and how to best avoid (if possible), identify, and respond to them whenever they occur.

Always be prepared:
Create and update compliance policies and make sure you are up to date with new requirements

Now that you “Know thyself” and “thy enemy,” it’s time to make sure you are prepared for the current state of compliance and future changes.

As technology evolves, new risks appear, and the tools and practices used by attackers improve. The number of attacks also continues to grow: A 2021 report by the intelligence firm IDC  found that 98% of the companies surveyed had experienced at least one cloud data breach in the prior 18 months. According to the Theft Resource Center (ITRC), during Q3 of 2021, 160 million people were victims of data compromise, caused mainly due to unsecured cloud databases. This number is higher than Q1 and Q2 2021 combined. To counter these issues, PCI DSS is constantly changed and updated. 

To ensure you are always in compliance, you have to create PCI compliance policies and ensure they’re always implemented and updated. Once again, this is not a one-time effort, but an ongoing process and employees should be at the focal point of that effort. Coping with new attack technologies is relatively straightforward: using faster security and compliance automatic tools. Training employees to be prepared for new threats and compliance demands is more challenging but crucial.

Resources for PCI compliance

Resources for PCI compliance

We’ve talked about PCI compliance, why/to whom it matters, and how to build a successful PCI compliance strategy. We will now explore some resources for PCI compliance that will give you the knowledge and tools needed to apply this strategy.

How to Train Employees for PCI Compliance

As shown above, training employees is essential. Here are some key points addressing this issue:

The 2022 Guide to PCI Compliance Levels

Depending on the volume of transactions processed by an enterprise, the PCI DSS specifies four levels of compliance:

 

Level

Definition (num. of transactions processed annually by the enterprise) Annual requirements

Quarterly requirements

1 More than 6 million transactions of Visa or MasterCard, more than 2.5 million for American Express, or had a data breach in the past. Submit:

– An annual Report on Compliance (ROC) is done by a Qualified Security Assessor (QSA) or by an internal auditor if signed by an officer of the company.
– An Attestation of Compliance (AOC) Form.

Conduct a network scan by an Approved Scan Vendor (ASV).
2 1 – 6 million payment card transactions on all channels. Submit:

– A ROC or Self Assessment Questionnaire (SAQ) by a Qualified Security Assessor (QSA) or an internal assessor if signed by a company officer.

– An Attestation of Compliance (AOC).

Conduct a quarterly network scan by an Approved Scan Vendor (ASV)
3 20,000 – 1 million payment card transactions on all channels. – Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.

– Submit an Attestation of Compliance (AOC) Form.

Conduct a Network scan by an Approved Scan Vendor (ASV).
4 Fewer than 20,000 payment card transactions on all channels. – Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.

– Submit an Attestation of Compliance (AOC) Form.

Conduct a Network scan by an Approved Scan Vendor (ASV).

The Complete Requirements List to PCI DSS 3.2.1 Update

As of 2022, the PCI SSC issued several updates, the most recent one was version 4.0, published on March 31. Version 3.2.1 (published in May 2018) will continue to remain active until it is retired on March 31, 2024 ( to provide organizations with the required time to understand the changes in version 4.0 and implement any updates needed).

Version 3.2.1 is an update of previous version 3.2 published in February 2018 and mainly includes clarifications intended to clear any misunderstanding regarding the effective dates for PCI DSS 3.2:

The compensating control example included in the PCI DSS Appendix B of v3.2.1 has been updated since PCI DSS requirement 8.3.1 had become mandatory.

The Ultimate Guide to PCI Compliance

Launch your PCI compliance program

In this guide, you learned about PCI compliance (the basics, why it matters, etc.) and how to achieve compliance by building a compliance strategy, using automated tools, and training employees. When launching your PCI compliance program, make sure you follow these essentials:

Adopting these essentials will help you and your employees achieve the most optimal PCI compliance possible.

Request a demo or take a self-guided virtual tour

Your employees’ readiness is your greatest security and compliance asset!

See how a fully automated compliance tool like AuditReady can help your team prepare for cybersecurity training audits. Take a self-guided tour through BLAST phishing simulations, continuous awareness bites (CAB) security awareness training, and reporting and data management. These tools create a fully automated platform that will help you drive a cultural change via fun and engaging practices to enhance employees’ cyber security awareness and PCI compliance.

4a34e52d-562b-4e1e-8b71-5c005a7559a9