• Trustwave

    PCI 101

  • A Guide to Understanding PCI Compliance

    Whether you have a large corporation that spans the globe or a small company that serves your local community, maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a must for all merchants who accept credit cards.

    Cyber criminals are targeting payment card information because it's a high value target, so the PCI DSS was put in place to help reduce risk to your business and protect the customers you serve. Just as you lock the doors of your business each night to protect your physical assets, you need to lock the doors to your company's network to protect your digital assets.


What is the PCI DSS?

  • Businesses that accept credit cards as a form of payment as part of day-to-day operations must comply with the Payment Card Industry Data Security Standard, or PCI DSS. Developed as a collaborative effort among Visa, MasterCard, American Express, JCB and Discover, the PCI DSS requires all merchants to demonstrate that sufficient systems and processes are in place to adequately secure customer credit card information.

    The PCI DSS was designed to help you assess your business, find the flaws or weaknesses that could leave you exposed to threats, and make sure you are securing sensitive cardholder data in all forms and in every location where it exists.

    While the type of validation varies based on the number of card transactions you process each year, all merchants are required to comply with the PCI Data Security Standard. Regardless of the size of your business, you have a responsibility to protect cardholder data. You must validate your compliance with the PCI DSS on a regular basis and demonstrate that the security measures you have taken are effective.


What does the PCI DSS help you protect?

  • In order to protect cardholder data, it's important to understand what it is and where it can be found. The PCI DSS applies wherever account data (such as a primary account number from a credit card) is stored, processed or transmitted.

    Account data consists of Cardholder Data plus Sensitive Authentication Data:

    Cardholder Data includes:
    • Primary Account Number (PAN)
    • Cardholder Name
    • Expiration Date
    • Service Code

    Sensitive Authentication Data includes:
    • Full track data (magnetic stripe data or the equivalent on a chip)
    • CAV2 / CVC2 / CVV2 / CID
    • PINs / PIN blocks

    The purpose of the PCI DSS is to help you protect cardholder data. Why? Because it is a very valuable target for hackers - by obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder's identity.

    Sensitive cardholder data can be stolen from many places, including:

    • Compromised card reader
    • Paper stored in a filing cabinet
    • Data in a payment system database
    • Hidden camera recording entry of authentication data
    • Secret tap into your store's wireless or wired network

    It's important to know what kind of data you have, where the data is stored and how data moves in your organization. Make sure you have protection in place for:

    • Point-of-sale systems and card readers
    • The business network - both wired and wireless
    • Electronic payment card data storage and transmission
    • Physical payment card data that is stored (like paper receipts)


Why is PCI compliance important to your business?

  • Protecting Cardholder Data is Good For Your Business

    PCI compliance may seem like a nuisance, or another confusing job to add to your endless list of tasks as a business owner. But in fact, becoming compliant with the PCI DSS can secure your business and help you avoid very serious consequences that could impact your business and your revenue.

    By complying with the PCI DSS you can:

    • Minimize the risk of a security breach and lost profits
    • Avoid losing the ability to process payment cards
    • Avoid heavy fines and fees
    • Protect brand integrity and reputation
    • Provide peace-of-mind that you are protecting your business and customers

    Who Wants You to be Compliant?

    Your acquirer (also known as merchant bank, ISO, credit card processor) is ultimately responsible for ensuring that you're aware of PCI compliance and they also enforce the policies that track the compliance of all their merchants.

    The payment card brands define merchant and service provider levels, set validation requirements and compliance deadlines, and levy any penalties and fees (which acquirers usually pass on to the merchant). In the case of an actual or suspected breach, the brands also run the compromise response process, which normally requires an independent forensic investigation of the merchant's environment.

What are the requirements of the PCI DSS?

Merchant and Validation Levels

  • Merchant Levels
    Merchant levels are defined by the volume of payment card transactions that you store, process or transmit over a 12-month period. In addition to the validation requirements of your acquirer/credit card processor for PCI compliance, each card brand may have additional documentation required based on your merchant level.

    Level 1
    Any merchant processing over 6,000,000 Visa or MasterCard transactions per year (all channels of acceptance).
    Any merchant processing over 2,500,000 American Express transactions per year (all channels of acceptance).
    Any merchant that Visa or MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system.
    Level 2
    Any merchant processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year (all channels of acceptance).
    Any merchant processing between 50,000 and 2,500,000 American Express transactions per year (all channels of acceptance).
    Level 3
    Any merchant processing 20,000 to 1,000,000 Visa or MasterCard e-commerce transactions per year.
    Any merchant processing less than 50,000 American Express transactions per year (all channels of acceptance).
    Level 4
    All other merchants.

    Validation Levels
    A company's validation level is essential to know and is determined by how financial information is stored, processed and handled. The validation level determines which Self-Assessment Questionnaire (SAQ) you must fill out to document compliance. Currently, there are five SAQ Validation levels. The table below provides a brief description of each.

    SAQ Description
    A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
    B Imprint-only merchants with no electronic cardholder data storage, or standalone, dialout terminal merchants with no electronic cardholder data storage.
    C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage.
    D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

Where to start: Steps to PCI DSS compliance

  • While many believe that achieving compliance is a one-time event, validating compliance is just the first step in an ongoing process that every merchant must maintain. To remain compliant, you need to continuously assess your operations, fix vulnerabilities that are identified, and make the required reports to the acquiring bank and card brands you do business with.

    Here are six key steps to establishing and maintaining compliance.

    1. Step 1: Know Your Business Environment and Potential Risks

      Credit card thieves count on business owners who do not know their own environment. To build a plan that makes you both compliant and secure, you must understand and map out your business environment. Key steps include:

      • Assess your business environment: Identify all technology and process vulnerabilities that could pose a risk to the security of cardholder data being transmitted, processed or stored.
      • Determine the flow of payment card data: Determine how payment card data flows from beginning to end of the transaction process – including POS machines, terminals, PCs and laptops.
    2. Step 2: Stay Educated and Aware

      Much of the standard consists of policies that protect your environment. Creating an Information Security Policy (ISP) is the first step toward a proactive security posture. The policy defines the procedures, guidelines and practices for handling and using sensitive information, but it only works when it is communicated, accepted and enforced throughout the whole company.

    3. Step 3: Implement Proper Security Measures

      Although compliance is mandatory, it is best approached as a means of strengthening security rather than as a box-ticking exercise; done that way you get both, and a comprehensive solution such as Trustwave's can help with both. Key security steps include:

      • Install and maintain a firewall with proper configurations
      • Use a PA-DSS compliant Payment Application
      • Ensure regular system and anti-virus updates are installed
      • Change passwords often
      • Use unique user IDs for all employees
      • If you provide Wi-Fi hotspot access for your customers, ensure it is properly configured
      • If you need remote access, use two-factor authentication
    4. Step 4: Test and Monitor Systems

      Continually monitoring and updating security is essential for every organization. This helps to identify and remediate any threats and vulnerabilities found to ensure your network is protected and keep your business compliant. Key processes for monitoring and testing your systems include:

      • Perform quarterly Approved Scanning Vendor (ASV) vulnerability scans
      • Complete an Annual Penetration Test
      • Aggregate and review device and system log reports
      • Implement File Integrity Monitoring
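      As an added example (not TrustKeeper's or Trustwave's code), here is a minimal file-integrity monitoring pass in Python of the kind the last bullet refers to: it takes a SHA-256 baseline of a directory tree, records size and permission mode alongside the digest, and reports files that were added, removed or changed. The paths and the tampering in the demo are constructed. In practice the baseline must be stored where an attacker on the monitored host cannot rewrite it, the comparison should run on a schedule (PCI DSS expects at least weekly), and every difference should raise an alert that somebody reviews.

```python
import hashlib
import json
import os
import stat

# Added example (not Trustwave's or TrustKeeper's code): a minimal
# file-integrity baseline-and-compare pass. Mode and size are recorded with
# the digest so a chmod (e.g. a payment script made world-writable) is
# reported even when the contents did not change.


def hash_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map each regular file under root (relative path) to digest, size and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Compare two baselines; return sorted added / removed / modified path lists."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: str) -> None:
    """Persist a baseline as JSON (keep this file off the monitored host)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import tempfile

    # Constructed demo: take a baseline, tamper with a file, add one, compare.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        conf = os.path.join(root, "etc", "pos.conf")
        with open(conf, "w") as f:
            f.write("gateway=https://payments.example.invalid\n")
        before = hash_tree(root)
        with open(conf, "a") as f:
            f.write("gateway=https://attacker.example.invalid\n")  # tampering
        with open(os.path.join(root, "etc", "dump.bin"), "wb") as f:
            f.write(b"\x00")  # unexpected new file
        print(json.dumps(diff_baselines(before, hash_tree(root)), indent=2))
```

      Run it once to save a baseline, then on each scheduled run compare a fresh `hash_tree` against the saved copy; the modified list in the demo shows the edited config, and the added list shows the unexpected file.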
    5. Step 5: Remediate Any Problems

      Once the environment has been scanned, any vulnerabilities the scan reports must be fixed; the PCI DSS requires it. Only after the vulnerabilities have been fixed can the network be rescanned to obtain a passing scan (the ASV program treats any finding with a CVSS base score of 4.0 or higher as a failing result).

      Remediation can be one of the most difficult stages for merchants, since many do not know how to address the issues a scan identifies. With Trustwave services, engineers condense the scan results into a summary of the action steps that need to be completed. If the vulnerability is in a service Trustwave manages, remediation is handled for you and a rescan is run automatically.

    6. Step 6: Validate Compliance

      Once you have completed the steps above, you need to document your compliance. Merchants in Levels 2, 3 or 4 typically validate by providing their acquirer/credit card processor with the required validation forms; Level 1 merchants undergo an annual on-site assessment and submit a Report on Compliance (ROC). Validation forms include:

      • Quarterly vulnerability scans: these external network scans must be performed by an Approved Scanning Vendor (ASV) to be considered valid.

      • Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC): developed by the PCI Security Standards Council, the SAQ is the tool merchants use to review and validate compliance with the PCI DSS. Every organization that is not required to undergo an on-site assessment must complete the SAQ that matches its validation level, together with the AOC.

Frequently Asked Questions

  • What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for?

    The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International), to help facilitate the global adoption of consistent data security measures. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to proactively protect customer account data.

    The card brands each have their own programs that enforce compliance with the PCI DSS. The PCI Security Standards Council was founded in 2006 to maintain the standard itself, but each card brand issues fines and fees and sets deadlines through its own enforcement program:

    Visa's Cardholder Information Security Program (CISP)

    MasterCard's Site Data Protection (SDP) program

    Discover's Discover Information Security and Compliance (DISC) program

    American Express Data Security Operating Policy (DSOP)

    PCI Security Standards Council

    Are all Businesses and Service Providers required to comply with the PCI DSS?

    Yes. All entities (businesses or service providers) that store, process, or transmit cardholder data must comply with the PCI DSS. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce. Validation requirements vary depending on Service Provider or Merchant level.


    Is it a one time requirement?

    No. Validation actions vary depending on your service provider or merchant level, but the card brands require all businesses accepting card-based payments to comply with the PCI DSS at all times. For most merchants there are two main components of validation:

    1. Completing the PCI Self-Assessment Questionnaire (SAQ) annually
    2. Undergoing external vulnerability scans performed by an Approved Scanning Vendor quarterly

    What are the requirements for PCI DSS?

    There are 12 requirements that fall into six categories:

    1. Build and Maintain a Secure Network: Install and maintain a firewall, and never keep vendor-supplied defaults for passwords or other security parameters; use unique, strong passwords instead.
    2. Protect Cardholder Data: Store cardholder data only when there is a business need, and never store sensitive authentication data after authorization. Encrypt cardholder data whenever it crosses open, public networks, including traffic to your shopping-cart and web-hosting providers.
    3. Maintain a Vulnerability Management Program: Use anti-virus software and keep it up to date. Develop and maintain secure systems and payment applications, and keep them patched. Ensure the payment applications you use are validated (see www.visa.com/pabp).
    4. Implement Strong Access Control Measures: Restrict access to cardholder data, both electronic and physical, to a need-to-know basis. Give every person with access a unique ID and credential, and never share logins.
    5. Regularly Monitor and Test Networks: Track and monitor all access to networks and cardholder data. Test security systems and processes on a regular schedule: firewalls, patch levels, anti-virus, vulnerability scans and penetration tests.
    6. Maintain an Information Security Policy: Your organization needs a written policy that states how data security is handled. Make sure the policy is disseminated to all staff and reviewed and updated regularly.

    What is the Visa deadline for compliance for newly-boarded businesses?

    To promote payment application security awareness and increase adoption of secure payment applications, Visa instituted a number of payment application security mandates in October of 2007. Effective October 1, 2008, newly boarded Level 3 and Level 4 merchants must be PCI DSS compliant or must use PA-DSS compliant applications.


    How is "cardholder data" defined?

    Cardholder data is, at a minimum, the full Primary Account Number (PAN), and also includes any of the following when they are stored, processed or transmitted together with the PAN:

    • Cardholder Name
    • Expiration Date
    • Service Code

    Full magnetic stripe (track) data, card verification codes and PINs are not cardholder data but sensitive authentication data, which is subject to stricter rules (see the next question). The PCI DSS applies to any business that stores, processes, transmits or otherwise has access to cardholder data.

    Can I store magnetic stripe data? How about the CVV2 and CVC?

    No. It is never acceptable to store full magnetic stripe (track) data after the transaction has been authorized. The same applies to the card verification code, CVV2/CVC2 (the three-digit code printed on the signature panel) or CID (the four-digit code on the front of American Express cards), and to PINs and PIN blocks: none of them may be retained after authorization, even in encrypted form, and that prohibition covers logs, databases, crash dumps and backups as well as the payment application itself.
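    As an added example (not Trustwave's code and not part of the PCI DSS), the following Python script applies the account data definitions from the "What does the PCI DSS help you protect?" section and the storage rule above: it scans log or data lines for Luhn-valid PANs, track 1 and track 2 data and CVV-style fields, masks every PAN to first six / last four for reporting, and withholds the CVV value itself. The field names, regular expressions and sample lines are constructed for illustration, and the card numbers are published industry test numbers. A discovery pass like this is how you confirm that swiped data and verification codes are not being written to logs, databases or crash dumps after authorization.

```python
import re

# Added example (not Trustwave's code): a small cardholder-data discovery pass
# over log/data lines. Finds Luhn-valid PANs, track 1/2 data and CVV fields,
# and masks PANs to first six / last four before anything is reported.

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<name>^<YYMM><service code>...?  (name field is 2-26 chars)
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")
# Card verification value stored as a named field (never allowed after auth).
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|csc)\b\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """Return Luhn-valid PANs found in a line, digits only (separators removed)."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_text(text: str) -> list:
    """Scan each line; return findings with PANs masked and CVV values withheld."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1.finditer(line):
            findings.append({"line": n, "type": "track1", "value": mask_pan(m.group(1))})
        for m in TRACK2.finditer(line):
            findings.append({"line": n, "type": "track2", "value": mask_pan(m.group(1))})
        for m in CVV_FIELD.finditer(line):
            # report the field name only; the code itself must not be copied anywhere
            findings.append({"line": n, "type": "cvv", "value": m.group(1).lower()})
        for pan in find_pans(line):
            findings.append({"line": n, "type": "pan", "value": mask_pan(pan)})
    return findings


# Constructed sample lines (industry test card numbers; nothing real).
# Line 1 holds a 16-digit order id that fails Luhn; line 5 a PAN-shaped number
# that fails Luhn. Neither should be reported.
SAMPLE = """\
2014-06-01 12:00:03 order_id=1234567890123456 status=approved
2014-06-01 12:00:04 pan=4111-1111-1111-1111 exp=2512 cvv2=123
2014-06-01 12:00:05 swipe=%B5555555555554444^DOE/JANE^2512101?
2014-06-01 12:00:06 swipe=;378282246310005=2512101?
2014-06-01 12:00:07 pan=4111111111111112 status=declined
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

    On a real log directory the Luhn filter still lets through order or account numbers that happen to pass the checksum, so treat hits as candidates to confirm by hand, and never paste the unmasked values into a ticket or e-mail while doing so.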

    What is the PCI Self-Assessment Questionnaire?

    The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI DSS. In February 2008 the PCI Security Standards Council released four versions of the questionnaire to account for different business environments (SAQ C-VT, listed in the validation level table above, was added later, and further types have followed):

    1. SAQ A: Addresses requirements applicable to businesses that have outsourced all cardholder data storage, processing and transmission.
    2. SAQ B: Addresses requirements pertinent to businesses that process cardholder data via imprint machines or standalone dial-out terminals only.
    3. SAQ C: Focuses on requirements applicable to businesses whose payment application systems are connected to the Internet.
    4. SAQ D: Addresses requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ, and to merchants who do not fall under the types addressed by SAQ A, B or C.

    What is a Network Vulnerability Scan?

    A network vulnerability scan is an automated, non-intrusive scan that assesses your network and web applications from the Internet, against your external-facing IP addresses. The scan identifies vulnerabilities or gaps that could allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data. Trustwave's scans do not require you to install any software on your systems, and no denial-of-service attacks are performed.

    What if I fail the scan?

    A failed network vulnerability scan in TrustKeeper means the scan found vulnerabilities serious enough to fail under the ASV program (any finding with a CVSS base score of 4.0 or higher, or certain automatic failures such as an exposed cardholder data environment). TrustKeeper guides you through remediating a failed scan. First, log in to TrustKeeper and review the scan results; the report describes each identified issue and points to resources for fixing it. Address each problem, then schedule a directed scan to confirm that your remediation meets the PCI DSS.

    What is a Directed Scan?

    Many times a vulnerability scan will discover vulnerabilities that need to be resolved in order to maintain compliance. Once you resolve these vulnerabilities, a directed scan can be run upon your request to verify that you have resolved any compliance issues. You may also run a directed scan after you have made changes to your network to ensure that the changes have not affected your compliance status. These are additional scans above and beyond the regular quarterly scans.


    What are the penalties and fines associated with a security breach?

    Per the card associations, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, fraudulent purchases, and the cost of re-issuing cards. Please note that you may also lose your credit card acceptance privileges.


    Do I have to use a QSA? Where do I find one?

    Only if your merchant or service provider level, your acquirer or a card brand requires an on-site assessment and a Report on Compliance (ROC); this typically applies to Level 1 merchants and to larger service providers. Smaller merchants validate with a Self-Assessment Questionnaire that internal staff may complete, although the quarterly external scans must still come from an Approved Scanning Vendor. Where an assessor is required, it must be a Qualified Security Assessor (QSA) company approved by the PCI Security Standards Council (PCI SSC); the list of approved QSA companies is on the PCI SSC's website at www.pcisecuritystandards.org. Trustwave is both a certified QSA and an Approved Scanning Vendor (ASV).

    Is there a deadline to be compliant?

    Yes. All businesses are supposed to be compliant with the PCI DSS. However, the deadlines vary depending on your PCI DSS level. Your PCI DSS level is determined by the number and type of payment card transactions you process in a year. Acquirers may also set their own deadlines for compliance. Please note that compliance is not a one-time requirement. You should achieve and maintain compliance on an ongoing basis.


    What if my business does not go through this compliance procedure?

    If you do not comply with the security requirements of the card associations, you put your organization at risk of payment card compromise. Your acquirer may also pass fines levied by the card associations for non-compliance on to you.


    Do I get anything to prove I am compliant, if so, will it be automatically sent to Visa or MasterCard?

    Once you have successfully completed the compliance program, Trustwave issues you a Certificate of Compliance, and TrustKeeper facilitates any reporting to your acquirer. Note that the PCI Security Standards Council does not recognize vendor certificates; the documents your acquirer and the card brands rely on are your SAQ (or ROC), the passing ASV scan reports and the signed Attestation of Compliance, so keep those on file. It is the acquirer's responsibility to report your status to the card brands.

    Can our internal staff validate our compliance?

    No. The card associations require that you use an Approved Scanning Vendor to perform the quarterly vulnerability scans. However, your internal staff can complete the Annual PCI Self-Assessment questionnaire.


    We don't have time for this. How long will this take?

    The length of the process varies with the size and complexity of your environment and, above all, with how quickly you can resolve the non-compliance issues that the assessment and scans identify.
