Suppose your organization processes payments, handles card transactions, or stores, authenticates, or electronically transmits credit card data. In that case, you’ll be very familiar with PCI DSS (formally, the Payment Card Industry Data Security Standard). This standard sets specific compliance requirements that protect debit and credit card transactions and cardholder data from unauthorized access through data breaches, ransomware, and other security incidents.

For many organizations, achieving PCI compliance feels like an onerous, burdensome chore. Achieving compliance, however, brings valuable benefits beyond protecting your customers’ card data: it is a cybersecurity foundation. It helps your business avoid enforcement action from regulators and lawsuits from aggrieved customers or business partners, and it can inform a comprehensive information security policy. Ultimately, PCI compliance can reduce the total cost of any data breach. According to one report from IBM and the Ponemon Institute, the average cost of a data breach among companies surveyed reached $4.24 million per incident in 2021.

The Basics of PCI Compliance

Is PCI compliance required by law?

PCI compliance, represented by the Payment Card Industry Data Security Standard (PCI DSS), is not a federal law in itself. It is a set of security standards established by major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, to safeguard cardholder data. The primary intent is to prevent data breaches and enhance cardholder data security.

However, the intersection between PCI DSS and the legal landscape is multifaceted. Firstly, while not dictated by federal law, merchants often have contractual obligations to adhere to PCI DSS. This commitment stems from their agreements with credit card processors or banks. If merchants fail to maintain compliance, they could face penalties, elevated transaction fees, or even the loss of their card processing privileges.

Furthermore, individual U.S. states have incorporated references to PCI DSS within their laws or regulations. For instance, some states mandate that businesses adhere to PCI DSS guidelines as a way to ensure the protection of personal information. If businesses in these jurisdictions do not comply, they could be found in violation of state laws, leading to potential legal repercussions.

Outside of the U.S., some countries might have data protection regulations or specific laws that, while not referencing PCI DSS directly, have requirements similar in nature. In such contexts, while PCI DSS might not be a legal requirement per se, adhering to its standards could help businesses in fulfilling local data protection mandates.

Ultimately, while attestation of compliance is not a legal requirement, it is a highly respected badge of sound business practices.

Can I do PCI compliance myself?

Certainly, businesses can undertake the process of PCI compliance on their own, but the feasibility and advisability of doing so depend on several factors, including the complexity of the business’s payment environment and the technical expertise available in-house.

For many smaller merchants, the Payment Card Industry Security Standards Council (PCI SSC) provides a Self-Assessment Questionnaire (SAQ). The SAQ is a tool designed to help businesses evaluate their adherence to the PCI DSS requirements based on their specific payment processing scenario. Depending on how a business handles card data, there are different SAQ types to complete. For example, a simple brick-and-mortar store with a standalone terminal might have a vastly different assessment than an e-commerce platform that stores, processes, and transmits cardholder data.

While the SAQ provides a pathway for self-assessment, it’s crucial to have a thorough understanding of its requirements. The PCI DSS comprises 12 primary requirements that span a range of security best practices, from maintaining a secure network to regular monitoring and testing. Each of these requirements can involve nuanced technical and procedural elements, necessitating a fair degree of technical know-how. For instance, aspects like encrypting stored cardholder data or securing systems might be challenging without the proper IT background.

Furthermore, certain PCI DSS requirements mandate third-party involvement. Businesses that handle cardholder data electronically often need to undergo quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). This specific task requires an external entity, and while businesses can prepare for these scans, they can’t conduct them independently. Larger merchants or specific transaction methods might also necessitate regular third-party penetration testing.

Documentation is another pivotal component of the PCI compliance process. It’s essential to maintain detailed records of all processes, configurations, and procedures pertinent to cardholder data security. This documentation not only serves as evidence of compliance but also ensures that security protocols are consistently followed.

Lastly, it’s worth noting that PCI compliance is an ongoing commitment. It’s not sufficient to achieve compliance once; businesses must engage in continuous monitoring, updating, and potentially revising their practices in light of changes to their environment or the PCI DSS itself.

How hard is it to get PCI compliance?

The difficulty of achieving PCI compliance varies based on several factors, including the size and complexity of the business, the manner in which it processes card transactions, and the current state of its security infrastructure. Here’s a breakdown of the challenges and considerations:

1. Complexity of the Environment:

  • Businesses with a simple payment setup, like using standalone card terminals not connected to other systems, typically have a more straightforward path to compliance.
  • In contrast, businesses with intricate IT infrastructures, multiple payment channels, or custom-built payment applications usually face more complex compliance challenges.

2. Volume of Transactions:

  • Merchants are categorized based on their volume of card transactions. Those processing a higher volume may undergo more stringent assessment processes, such as an audit by a Qualified Security Assessor (QSA) instead of a Self-Assessment Questionnaire (SAQ).

3. Technical Expertise:

  • Having knowledgeable IT and security professionals on staff can greatly streamline the compliance process. They can more efficiently address technical requirements like firewall configurations, data encryption, and vulnerability management.
  • Smaller businesses without dedicated IT staff might find some technical requirements challenging.

4. Current State of Security:

  • If a business already adheres to best practices in IT security, many PCI DSS requirements might already be met, making the process smoother.
  • Conversely, if a business has historically undervalued IT security, significant changes might be needed, which can be costly and time-consuming.

5. Continuous Monitoring and Maintenance:

  • PCI compliance isn’t just about passing an assessment. Maintaining compliance requires ongoing efforts, including regular vulnerability scans, periodic reviews of security policies, and employee training.

6. External Challenges:

  • For companies that rely on third-party vendors or service providers, ensuring those parties are PCI compliant can add another layer of complexity. Vendor management becomes crucial in such scenarios.

7. Cultural and Organizational Challenges:

  • Achieving PCI compliance often requires a cultural shift. All staff, not just the IT team, need to understand the importance of data security. This might involve changes in daily routines, behavior, or even business processes, which can meet resistance.

8. Cost Implications:

  • Depending on the gaps identified during the initial assessment, there could be costs associated with purchasing new equipment, implementing new software solutions, or even restructuring parts of the IT environment.

While the path to PCI compliance might be relatively straightforward for some businesses, it can be arduous for others. Regardless of the starting point, achieving and maintaining PCI compliance is an ongoing commitment. It’s not just about checking boxes but ensuring that cardholder data is consistently protected. If a business lacks the expertise or resources to navigate this process, seeking assistance from PCI consultants or QSAs can be beneficial.

Key Steps to Becoming PCI Compliant

The latest version of the PCI standard is known as PCI DSS 4.0, released in March 2022. Retailers, merchant banks, and others handling payment card data must achieve compliance with that standard by March 2025.

To ensure that your organization meets the requirements of the current PCI DSS standard, here are five steps you can take:

  1. Determine your scope. Carefully research all PCI requirements to determine which pertain to your organization; not all requirements will. While this research does take time, it will make a big difference in the long run by saving you a significant amount of work at audit time or as you complete your Self-Assessment Questionnaire (SAQ).
  2. Minimize your scope. Your team can take several steps to minimize the risk to your payment card data and devices, including installing firewalls to limit access to your Cardholder Data Environment (CDE), encrypting all payment card data, and disposing of all cardholder data promptly and effectively. The smaller your scope, the lower your costs.
  3. Determine how well you meet applicable requirements. Always examine each item on your list of relevant PCI directives and ask, “How well does my organization comply?”
  4. Test all CDE-related controls. Your evidence must always be current. So even if you have audited relevant controls before, you must test each security control regularly.
  5. Gather your evidence. Having documentation of your compliance-level efforts and results on hand will save your auditor time, work, and enterprise money.

What are the Three Main Areas of PCI Compliance?

You’ll need to perform many steps to comply with the PCI standard; the three principal issues for PCI compliance are as follows.

Dealing With Card Data

Payment card data must be handled carefully, and a business shouldn’t handle card data unless necessary. Third-party solutions, like ZenGRC from RiskOptics, securely accept and store the data, removing a significant amount of the complexity, expense, and risk assessment related to PCI compliance. In addition, a company that avoids handling card data would only need to certify its compliance with 22 simple security rules, such as employing secure networks and passwords, because the cardholder data never touches its systems.

Securing Data Storage

An enterprise must specify the scope of its cardholder data environment (CDE) if it manages or saves credit card data. According to PCI DSS, the CDE consists of any system components connected to a system that stores, processes, or transmits credit card data. It’s therefore critical to keep your payment environment separate from the rest of the company’s IT systems. This reduces the scope of PCI validation, because all 300+ PCI DSS security controls apply to the CDE. You don’t want to enforce those controls on every computer, laptop, and device on your organization’s corporate network! Segregate and secure your payment environment to avoid that.

Annual Verification

Organizations must submit a PCI validation form every year, regardless of how card data is accepted. Many variables affect how PCI compliance is assessed. Here are three situations in which a company can be required to provide evidence of PCI compliance:

  • Payment processors may request it as part of their mandated reporting to the payment brands.
  • Business partners may demand it before engaging in commercial transactions.
  • Customers may ask for it from platform firms (those whose technology enables online transactions between various groups of users) to demonstrate to their clients that data processing is safe.

What is the cost of becoming PCI compliant?

The cost of becoming PCI (Payment Card Industry) compliant can vary significantly based on several factors, such as the size of your business, the way you process card transactions, and the service providers you choose. Below are some general considerations and costs associated with PCI compliance:

1. Business Size and PCI Validation Type:

  • Self-Assessment Questionnaire (SAQ): Smaller merchants might qualify for a self-assessment questionnaire instead of a full audit. There are various SAQ types, each with its own set of requirements.
  • Report on Compliance (ROC): Larger merchants and service providers might need an annual ROC, which requires an assessment by a Qualified Security Assessor (QSA).

2. Direct Costs:

  • External Scanning: If you store or process card data electronically, you’ll need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Costs can range from $100 to over $1,000 annually.
  • Penetration Testing: Depending on your PCI requirements, you might need annual penetration testing. Costs can range from a few thousand to tens of thousands of dollars.
  • Audit Costs: Hiring a QSA can be expensive. Small to mid-sized businesses might spend anywhere from $10,000 to $50,000 or more on a PCI audit. Larger enterprises might spend significantly more.

3. Indirect Costs:

  • Remediation: If gaps are identified in your PCI assessment, you’ll need to invest in addressing those gaps. This could mean purchasing new hardware, software, or services.
  • Operational Changes: Implementing secure processes can sometimes increase operational costs. For example, tokenizing credit card data might involve additional fees or more expensive payment processing solutions.
  • Employee Training: Ensuring your staff understands PCI requirements and how to handle card data securely might involve ongoing training costs.

4. Maintenance Costs:

  • Recurring Assessments: Even after becoming compliant, you’ll need to continue validating compliance annually.
  • Security Updates: The threat landscape evolves, and so will the tools and practices needed to stay secure. This means regularly investing in security software, hardware, and services.
  • Recurring Training: As you hire new staff or as requirements evolve, you’ll need ongoing training.

5. Potential Savings:

  • Reduced Risk: By being compliant, you reduce the risk of data breaches, which can be far more costly in terms of fines, legal fees, lost business, and reputational damage.
  • Lower Merchant Fees: Some payment processors might offer lower fees to businesses that can demonstrate PCI compliance.

6. Other Factors:

  • Service Providers: If you use third-party service providers, they also need to be PCI compliant. Their costs might be passed on to you in terms of higher fees.
  • Cloud and Third-Party Solutions: Using cloud-based or third-party solutions that offload the responsibility of handling card data can reduce some of your compliance costs but introduce other fees.

Can I become PCI compliant for free?

While it’s theoretically possible to become PCI compliant without incurring external costs, it’s essential to understand what “free” means in this context and to be aware of the potential hidden costs and risks associated with DIY (Do-It-Yourself) approaches.

Here’s a breakdown:

1. Self-Assessment Questionnaire (SAQ):

  • If your business qualifies, you can complete a Self-Assessment Questionnaire (SAQ) rather than undergoing a full audit. SAQs are available for free from the PCI Security Standards Council (PCI SSC) website. However, correctly filling out an SAQ requires a thorough understanding of its requirements and your IT environment.

2. External Scans:

  • Some vendors may offer promotional or limited free vulnerability scans, but these are not always the same as the ones by an Approved Scanning Vendor (ASV). To be PCI compliant, you usually need quarterly scans by an ASV.

3. Internal Resources:

  • If you have knowledgeable IT and security staff in-house, they might be able to handle much of the work required for PCI compliance. However, their time is not “free” – the time they spend on PCI matters is time taken away from other tasks.

4. Open Source & Free Tools:

  • There are many free and open-source security tools available. These can be used for things like vulnerability scanning, intrusion detection, and logging. However, they often require a good deal of expertise to set up and maintain, and they might not cover all the requirements for PCI compliance.

5. Potential Hidden Costs:

  • Misunderstandings & Mistakes: Without expertise in PCI DSS, there’s a risk of misunderstanding requirements, leading to potential non-compliance and associated risks.
  • Data Breaches: If trying to achieve PCI compliance “on the cheap” results in inadequate security, the potential costs of a data breach (in fines, lost business, and reputation) can be astronomically higher than the savings.

6. Potential Savings:

  • Limit Card Data Scope: The less card data you handle and store, the less you need to secure. If you can use payment solutions that keep card data away from your systems altogether (like hosted payment pages), you can reduce the scope and potentially the cost of your PCI compliance efforts.

7. Time Costs:

  • The time required to research, understand, and implement PCI DSS requirements can be significant. If you’re not well-versed in IT security, this process can be extremely time-consuming.

How to Achieve PCI DSS Compliance Using ZenGRC

PCI compliance is a considerable undertaking, with many controls to test and document and many remediation steps you need to be sure take place. Managing all that effort with spreadsheets and manual processes is folly; there’s too much work, and important issues will go overlooked. You need a dedicated tool to help.

ZenGRC is a cutting-edge governance, risk, and compliance management system that offers a precise PCI evaluation tool. To determine where you stand against the PCI DSS compliance criteria and where you and your vendors fall short, Zen regularly monitors your public networks and procedures.

Zen’s dashboards with a color-coded “single source of truth” explain how to fix compliance holes quickly and update automatically as the framework evolves. Furthermore, it performs internal audits rapidly and as often as possible while examining the controls around your Cardholder Data Environment (CDE).

Schedule a demo to learn more about how ZenGRC can help with your compliance management.