What is PCI DSS?
The PCI DSS is the Payment Card Industry Data Security Standard. It is a mandatory compliance standard for all service providers and businesses that process credit cards.
Compliance with it authorizes the processing, transmission and storage of credit card data, i.e. sensitive shopper data that must be handled in accordance with the technical security requirements set out by the PCI Security Standards Council, a global committee formed by the world's leading credit and debit card companies (American Express, Discover, JCB International, MasterCard and Visa Inc.) for the continuous development, improvement, storage, dissemination and enforcement of security standards for the protection of account data.
In 2004, the aforementioned committee, under the acronym PCI SSC, published the first version of the PCI DSS security standard. It is currently about to publish version 4.0. However, despite being mandatory for the industry, the standard is still not a legislated regulation, so no law penalizes its violation. Despite this legal vacuum, there are numerous risks to be taken into account when processing online payments and sensitive data, which we explain below, together with all the security requirements that must be met to protect our customers' data.
What is PCI Compliance?
Being PCI Compliant is not just a matter of advertising it on your website with a seal. It means committing to comply with the security standards set forth by the PCI DSS, which involve technical actions and implementations in a company's way of working. Broadly speaking, this means adopting measures in three areas or stages of the credit card purchase process:
1. Transmitting and processing data securely.
2. Storing that data in compliance with the 12 PCI security requirements.
3. Monitoring the operation of the security controls and validating them periodically.
Starting from these three key phases of credit card processing, we can go into each of the requirements that will have to be applied at each of them.
Do I have to comply with the PCI DSS requirements?
This is the main question companies ask when they start selling online, since they process personal and sensitive buyer data. Selling through a website or e-commerce platform does not in itself mean being protected or having a secure system for processing such data. At this point it is logical to ask who is obliged to comply with the PCI regulations, how to do it, what alternatives are available, or even whether there is a way to avoid the procedure altogether.
As we have already mentioned, compliance is not mandatory by law, but it is necessary for all companies that accept online credit card payments, as they are exposed to major threats and risks. The primary account number (PAN), the expiration date and the cardholder's name are some of the sensitive data we are talking about, and they are exposed to online attacks if they are not protected by the appropriate systems.
In short, any company (whether small, medium or large) that deals with credit cards needs to be PCI Compliant, whether it makes millions of transactions or small ones. The responsibility for compliance or non-compliance ultimately rests with the company itself.
Threats and risks of not being PCI DSS compliant
As mentioned, the main reason for PCI compliance is to ensure the security of every shopper who leaves credit card details in our system.
There are many types of bank card fraud, and identity theft multiplies when payments are processed over the Internet. Although we all know it, it is sometimes forgotten that the Internet is a place with thousands of threats that put our clients' information, and our own, at risk.
Given this situation, the PCI DSS is one of the forms of defense against threats such as the following:
- Malware. Malware is malicious software designed by cybercriminals to infiltrate a computer system and steal payment data.
- Phishing. The main channel for delivering and distributing malicious software is e-mail. This phenomenon is known as "phishing" and takes the form of emails that appear authentic and trustworthy but contain malicious links or attachments that can infect our device.
- Ransomware. This is the malware threat that has grown the most in recent years. Ransomware is what we could call "data hijacking": it blocks access to a business's computer systems, files or networks and demands a ransom (usually financial) to return them.
- Website and software vulnerabilities. Running outdated computer or browser software is an invitation to cyber-attacks on our system. Criminals plant ransomware on websites and use them to attack outdated systems.
- Fines and penalties. In addition to the dangers for customers or ourselves, there are financial risks to be taken into account: failing to respect the minimum security standards for credit card data can lead to fines of between 5,000 and 500,000 dollars, as well as penalties from banks or payment providers.
How to comply with PCI certification?
Now that we know what PCI is and the dangers and risks of transacting online without a security system to protect us, we need to explain each of the requirements that every business must meet to be PCI Compliant, and the types of certification, ordered from the highest to the lowest level.
Levels of PCI DSS
The level is determined by the volume of credit card transactions a company processes.
- PCI DSS Level 1: Organizations that process more than 6 million transactions per year through Visa or Mastercard (plus 2.5 million through American Express).
- PCI DSS Level 2: Organizations that process between 1 and 6 million transactions per year.
- PCI DSS Level 3: Organizations that process between 20,000 and 1 million online transactions per year or less than 1 million in total.
- PCI DSS Level 4: Organizations that process less than 20,000 online transactions per year or up to 1 million in total.
The 12 requirements of PCI DSS
The requirements for each of the above levels vary with the size of the organization, with level 1 having the most PCI DSS requirements. For some companies, the technical complexity of obtaining certification is beyond their in-house knowledge. That is why we have summarized the security best practices proposed by PCI in its 12 requirements:
Develop and maintain secure systems and networks
- 1. Install and maintain a firewall configuration to protect cardholder data. Given how easily online theft is committed, the first necessity is a permanently running firewall that blocks unauthorized access from untrusted sources. For it to work properly, it is essential to check it frequently and ensure that every device and user connecting to the network has one.
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters. It is never advisable to keep the passwords supplied by the vendor, whether for a router, a firewall or any other installation. Likewise, the new passwords must not be weak, or they will remain a vulnerability of the system.
Protect cardholder data
- 3. Protect stored cardholder data. Storing cardholder data is necessary to complete a transaction, but it should not be kept longer than necessary. If payments are recurring and the data is stored for future payments, maximum-protection strategies such as tokenization should be followed: the PAN is replaced by a token code that is uniquely associated with the card data. In any case, data should not be stored beyond the time needed to close the transaction, and it should be purged periodically.
- 4. Encrypt the transmission of cardholder data across open, public networks. Encryption protects data from cybercriminals while it travels over public networks. Encrypting information before sending it and decrypting it on receipt is an essential security requirement.
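The following is an added example, not code from the original post or from Uelz, showing what requirement 3 looks like in practice: a PAN is validated, replaced by a random token kept in a separate vault, only shown in the masked form PCI DSS allows for display (first six and last four digits at most), and purged once it has been held longer than a retention period. The in-memory vault, the retention value and the card numbers (standard test numbers, not real cards) are assumptions made for the illustration; a real vault lives in its own hardened, encrypted store.

```python
"""Added example (not part of the original post): a minimal tokenization
vault illustrating PCI DSS requirement 3. Assumptions: tokens are random
surrogates kept in an in-memory dict; timestamps are Unix seconds; the
PANs used in tests are industry test numbers, not real cards."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps random tokens to PANs; the token itself reveals nothing about the card,
    so systems that only hold tokens drop out of scope for PAN storage."""

    def __init__(self, retention_seconds: int):
        self._store = {}            # token -> (pan, stored_at)
        self._retention = retention_seconds

    def tokenize(self, pan: str, now: int) -> str:
        """Validate the PAN, store it under a fresh 128-bit random token."""
        pan = re.sub(r"\D", "", pan)           # strip spaces/dashes from input
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        token = secrets.token_hex(16)          # unguessable, unrelated to the PAN
        self._store[token] = (pan, now)
        return token

    def detokenize(self, token: str):
        """Return the full PAN, or None if the token is unknown or purged."""
        entry = self._store.get(token)
        return entry[0] if entry else None

    def masked(self, token: str):
        """What a front-office screen may show: masked PAN, never the full number."""
        pan = self.detokenize(token)
        return mask_pan(pan) if pan else None

    def purge_expired(self, now: int) -> int:
        """Delete PANs held longer than the retention period; returns count removed."""
        expired = [t for t, (_, stored) in self._store.items()
                   if now - stored > self._retention]
        for t in expired:
            del self._store[t]
        return len(expired)


if __name__ == "__main__":
    vault = TokenVault(retention_seconds=86400)
    tok = vault.tokenize("4111 1111 1111 1111", now=1_700_000_000)
    print("token:", tok, "display:", vault.masked(tok))
```

The point to notice is that every component outside the vault only ever sees the token or the masked form; the full PAN is retrievable in exactly one place, and `purge_expired` is the "clean it from time to time" step the requirement asks for.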
Maintain a vulnerability management program
- 5. Protect all systems against malware and regularly update antivirus software. Updating the antivirus is less routine than we think, and it is a great help in protecting the system against malicious software: it prevents potential intrusions and identifies threats, so we can keep track of their status and act in time.
- 6. Develop and maintain secure systems and applications. When using internal software developed by and for a single organization, it is necessary to identify vulnerabilities and produce the right software patches to prevent malware or cybercriminals from compromising the cardholder data processed by that application.
Implement strong access control measures
- 7. Restrict access to cardholder data on a business need-to-know basis. Another essential measure is to control who accesses the information and restrict that access. This means keeping internal control over who is requesting access and why.
- 8. Identify and authenticate access to system components. To control this access, it is mandatory to implement an identification system that assigns a unique ID to each person and tracks their steps in the system. In addition, two-step authentication provides more control over who is requesting access and whether they are actually authorized.
- 9. Restrict physical access to cardholder data. Just as digital access must be fully protected, physical access must not be forgotten: protect the space where the data is stored, leave no trace of sensitive data in the environment, and restrict who can enter and ultimately reach it.
Monitor and evaluate networks on a regular basis
- 10. Track and monitor all access to network resources and cardholder data. Recording every user action and receiving alerts about them is essential to prevent, detect or minimize the risks to which the data is exposed.
- 11. Regularly test security systems and processes. Once the security requirements have been implemented, they should be tested periodically to ensure their effectiveness over time.
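The following is an added example, not code from the original post or from Uelz, of what requirement 10 (and the need-to-know rule of requirement 7) amount to once the audit trail exists: a small set of detection rules run over audit-log lines and produce alerts. The log format, the resource names (`cardholder_db`, `audit_log`), the allow-list and the failed-login threshold are all assumptions for the illustration, and the log lines are constructed, not captured from a real system.

```python
"""Added example (not part of the original post): detection rules over
constructed audit-log lines for PCI DSS requirements 7 and 10. Log format,
resource names and thresholds are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "TIMESTAMP key=value ..." (not a real log).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=alice action=READ resource=cardholder_db result=OK src=10.0.1.5
2024-03-01T09:13:40Z user=bob action=LOGIN resource=admin_portal result=FAIL src=203.0.113.7
2024-03-01T09:13:52Z user=bob action=LOGIN resource=admin_portal result=FAIL src=203.0.113.7
2024-03-01T09:14:05Z user=bob action=LOGIN resource=admin_portal result=FAIL src=203.0.113.7
2024-03-01T09:14:20Z user=bob action=LOGIN resource=admin_portal result=FAIL src=203.0.113.7
2024-03-01T09:15:11Z user=carol action=READ resource=cardholder_db result=OK src=10.0.1.9
2024-03-01T09:16:00Z user=alice action=EXPORT resource=cardholder_db result=OK src=10.0.1.5
2024-03-01T09:20:30Z user=dave action=DELETE resource=audit_log result=OK src=10.0.1.20
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, allowed_users, fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Return (kind, user, timestamp) alerts, in log order.

    Rules (assumed policy):
      UNAUTHORIZED_ACCESS  cardholder_db touched by a user outside the need-to-know list
      BULK_EXPORT          an EXPORT of cardholder_db, even by an allowed user
      BRUTE_FORCE          fail_threshold failed logins by one user inside fail_window
      AUDIT_TAMPER         deletion or modification of the audit log itself
    """
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of recent failed logins
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action = ev["user"], ev["action"]
        resource, result = ev["resource"], ev["result"]
        stamp = ev["ts"].isoformat()

        if resource == "cardholder_db" and user not in allowed_users:
            alerts.append(("UNAUTHORIZED_ACCESS", user, stamp))
        elif resource == "cardholder_db" and action == "EXPORT":
            alerts.append(("BULK_EXPORT", user, stamp))

        if action == "LOGIN" and result == "FAIL":
            recent = failures[user]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > fail_window:
                recent.popleft()         # drop failures outside the sliding window
            if len(recent) == fail_threshold:   # alert once, when the threshold is hit
                alerts.append(("BRUTE_FORCE", user, stamp))

        if resource == "audit_log" and action in {"DELETE", "MODIFY"}:
            alerts.append(("AUDIT_TAMPER", user, stamp))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), allowed_users={"alice"}):
        print(*alert)
```

The fourth rule is the one most often missed: requirement 10 is only meaningful if the audit trail itself is protected, so any write to it by an ordinary account deserves an alert of its own.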
Maintain an information security policy
- 12. Maintain a policy that addresses information security for all staff. To ensure the commitment of all members of the organization, it is necessary to share the security policy that has been developed. Making everyone involved aware of the systems and security measures that have been put in place is the final part of completing a secure, effective and lasting protocol.
Tips for offering secure payments in your business
In addition to meeting the 12 PCI requirements, there are many other ways to protect a business from malicious attacks. These are some of the tips you can easily apply in the day-to-day running of your business to avoid future mishaps; they are an extra help for security.
- Create secure passwords. Change passwords regularly and make them difficult to guess. The most secure passwords are usually longer than 7 characters and combine uppercase and lowercase letters, numbers and symbols.
- Protect card data, and if it is not necessary, do not store it. Limit the risk of hacking by storing card data only when it is essential for your company. If you do so, use encryption and tokenization systems to protect the data.
- Check payment terminals. If you process payments through hardware, keep it in sight at all times and check whether it has been tampered with. Also check who does the repairs and make sure it is always an official service.
- Rely on trustworthy partners. Keep a list of all the suppliers you may need when there are problems, such as payment system management companies or banks.
- Install patches and update your software frequently. Any software can have security holes or bugs, so it is important to install all patches and updates from the provider. Do everything in your power to avoid vulnerabilities, always relying on the resources your trusted providers offer.
- Limit internal access to sensitive data. 25% of system vulnerabilities involve internal actors. This means that a quarter of security problems have been caused by members of the company itself. Limiting access to sensitive data to only a few decision-makers is a measure that should be implemented in many companies.
- Avoid making things easy for hackers. Disable remote access, or grant it only to people you trust. Opening a security hole in your system is easier than we think, and avoiding it will save you future problems. Do not hand card information to third parties and do not trust everyone.
- Use antivirus software. Having up-to-date, properly installed antivirus software helps to detect unusual activity on systems and warns us of anything that goes unnoticed at first glance.
- Analyze your system's vulnerabilities. Regular scanning of the device with an antivirus is also a key tip.
- Use secure payment solutions. There are many payment solutions available on the market, but not all of them are equally secure. Comparing and consulting with experts can be two exercises that will save a lot of trouble in the future. PCI DSS compliance is a must for this.
- Protect your Internet connection. Protecting the Wi-Fi network, using a firewall and using the device that manages online payments for that purpose only are the keys to protecting our system on the Internet. The digital sphere is where most attacks occur, so more measures must be taken there.
- Make your data worthless. The best way to avoid risks is to make the data sought by cybercriminals worthless. This way, even if they manage to breach your system, they will not be able to do anything with the encrypted data.
What can I do to obtain a PCI DSS certification?
Once the risks, requirements and, above all, the benefits of PCI certification are known, it is time to talk about the steps to follow to become PCI Compliant.
Applying for PCI is a long, complex and costly process. To verify that the 12 PCI DSS requirements have been met to perfection, the company undergoes several phases of examination by the PCI Security Standards Council, which verifies each of the security points through rigorous testing. The annual report (ROC), quarterly scans, security assessments (QSA), the assessment questionnaire (SAQ), the attestation of compliance (AOC)... are just some of the requirements a company must demonstrate to be approved by the PCI SSC.
In short, this is an extremely technical procedure that involves a full-time dedication from the technology area of a company, so the most common practice is to hire external personnel specialized in the area to achieve it. This also implies an added cost for the company in addition to the cost of the PCI certification itself.
How can Uelz help you receive secure payments?
Technical terms and acronyms are often unfamiliar to many companies and usually remain outside most people's knowledge. Because this is a common situation, we want to support you. If your company operates online and processes online payments with credit cards, at Uelz we offer an invoice management platform that not only centralizes and digitizes your sales in one place but also complies with all PCI DSS requirements. As a payment management platform, Uelz complies with the highest PCI level, which authorizes us to process, transmit and store your customers' credit card data with maximum security.
Making your sales secure does not require a large investment in time or money. Your company will not need to be PCI certified when your transactions are made with Uelz and, at the same time, it will comply with all the security requirements demanded to receive secure online payments in the easiest way possible.
Source: PCI Security Standards Council