What is PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.
Blog: Meeting PCI Compliance and Data Security with Imperva.
PCI DSS certification
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:
- Installation of firewalls
- Encryption of data transmissions
- Use of anti-virus software
In addition, businesses must restrict access to cardholder data and monitor access to network resources.
PCI-compliant security provides a valuable asset that informs customers that your business is safe to transact with. Conversely, the cost of noncompliance, both in monetary and reputational terms, should be enough to convince any business owner to take data security seriously.
A data breach that reveals sensitive customer information is likely to have severe repercussions on an enterprise. A breach may result in fines from payment card issuers, lawsuits, diminished sales and a severely damaged reputation.
After experiencing a breach, a business may have to cease accepting credit card transactions or be forced to pay higher subsequent charges than the initial cost of security compliance. The investment in PCI security procedures goes a long way toward ensuring that other aspects of your commerce are safe from malicious online actors.
Whitepaper: Lessons Learned from Analyzing 100 Data Breaches.
PCI DSS Compliance levels
PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.
- Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
- Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
- Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
- Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
PCI DSS requirements
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.
Secure network
- A firewall configuration must be installed and maintained
- System passwords must be original (not vendor-supplied)
Secure cardholder data
- Stored cardholder data must be protected
- Transmissions of cardholder data across public networks must be encrypted
Vulnerability management
- Anti-virus software must be used and regularly updated
- Secure systems and applications must be developed and maintained
Access control
- Cardholder data access must be restricted to a business need-to-know basis
- Every person with computer access must be assigned a unique ID
- Physical access to cardholder data must be restricted
Network monitoring and testing
- Access to cardholder data and network resources must be tracked and monitored
- Security systems and processes must be regularly tested
Information security
- A policy dealing with information security must be maintained
PCI compliance and web application firewalls
Since its formation, PCI DSS has gone through several iterations in order to keep up with changes to the online threat landscape. While the basic rules for compliance have remained constant, new requirements are periodically added.
One of the more significant of these additions was Requirement 6.6, introduced in 2008. It was established to secure data against some of the most common web application attack vectors, including SQL injections, RFIs and other malicious inputs. Using such methods, perpetrators can potentially gain access to a host of data—including sensitive customer information.
Satisfying this requirement can be achieved either through application code reviews or by implementing a web application firewall (WAF).
The first option includes a manual review of web application source code coupled with a vulnerability assessment of application security. It requires a qualified internal resource or third party to run the review, while final approval must come from an outside organization. Moreover, the designated reviewer is required to stay up-to-date on the latest trends in web application security to ensure that all future threats are properly addressed.
Alternately, businesses can safeguard against application layer attacks by using a WAF, deployed between the application and clients. The WAF inspects all incoming traffic and filters out malicious attacks.
Offered by Imperva, our cloud-based WAF blocks web application attacks using a number of different security methodologies, including signature recognition and IP reputation. Being fully compliant with PCI Requirement 6.6, it can be configured and ready to use within minutes.
To make compliance even easier, the Imperva cloud WAF doesn’t require any hardware installation or management overhead. This enables all organizations—from large companies to startups and small and medium enterprises, which may not have the requisite security infrastructure and staff—to remain protected and PCI DSS compliant.