The ultimate guide to payment card industry (PCI) compliance

July 11, 2023

Achieving and maintaining PCI compliance can seem like daunting tasks, but both are very achievable with the right approach, procedures, and technology in place. The NICE Compliance Center allows you to keep your contact center PCI compliant by design. With features such as Assurance Dashboards, Policy Makers, retroactive encryption, system monitoring, and real-time notifications, the NICE Compliance Center simplifies and strengthens the process of maintaining PCI compliance. Visit our product page to learn more about the NICE Compliance Center solution.

This article is meant to serve as a guide to PCI compliance and aims to clarify what organizations need to plan for and execute in order to achieve it. For contact centers, PCI compliance is an absolute requirement, since sensitive data is exchanged, collected, and stored through numerous channels. Even for organizations that are already PCI compliant, the following information should serve as a refresher on what needs to be cared for and implemented, both systemically and organizationally.

Overview

Complying with Payment Card Industry Data Security Standard, or PCI DSS, is required for businesses to continue handling, processing, and / or accepting payments through methods such as credit and debit cards. But more importantly, in this age of resourceful hackers, PCI compliance is a measure that reduces the risk of data breaches that can expose sensitive consumer information.

Businesses that want to be successful at safeguarding customer data should embrace PCI requirements and incorporate them into their internal data security protocols. Not only will this simplify things when it’s time to report on PCI compliance, it also may save them from devastating data breaches.

What is PCI DSS?

Developed by a consortium of the leading payment card companies, PCI DSS is a multifaceted set of security standards that must be followed by businesses that accept, process, store or transmit credit card data. The standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

There are twelve specific requirements of PCI compliance that map to six objectives, all designed to ensure businesses safely handle, store, and transmit credit card information. While businesses of all sizes must comply with PCI DSS, there are four different levels of PCI compliance with varying levels of reporting requirements based on the annual number of payment card transactions. PCI requirements, objectives, and levels will be discussed in more detail in later sections of this guide.

It's important to note that PCI DSS is not a law. Rather, it’s a contractual requirement of doing business with a credit card company. Failure to meet PCI standards could result in financial penalties and / or loss of the ability to accept credit card payments, also discussed in a later section of this guide.

How did PCI DSS come about? A brief history

The PCI Security Standards Council (PCI SSC) was formed in 2006 by Visa, Mastercard, Discover, American Express, and JCB International. Concerned by the increased vulnerability of payment card information caused by surging online transactions, these credit card giants came together and developed PCI DSS. The council still administers and updates PCI standards.

Over the years, PCI DSS has undergone numerous iterations to accommodate evolving data security challenges. For example, PCI DSS 4.0, set for a phased rollout between March 31, 2024 and March 31, 2025, adds 63 new sub-requirements for businesses to comply with.

What is the importance of PCI compliance?

A business that’s in compliance with PCI DSS reduces the risk of data breaches, and therefore decreases the likelihood of its customers becoming victims of fraud and identity theft.

There are numerous points of vulnerability where the security of customer data can be compromised, including:

  • Wireless hotspots
  • Paper records
  • Contact center agents and systems
  • Online e-commerce sites

A properly scoped PCI compliance program applies more controls over all these vulnerable spots, which helps organizations avoid the costs, diminished reputations, and loss of customers and revenue caused by data breaches.

Understanding PCI compliance

Let's now dig into more of the details of PCI compliance.

Who is responsible for PCI compliance?

According to the PCI SSC website, “PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE).” If they are involved in payment account processing, “merchants, processors, acquirers, issuers, and other service providers” are required to comply with PCI DSS requirements.

As an example, merchants who accept payment by credit, debit, and / or cash cards must comply with PCI requirements regardless of their size or the channel through which the payment is received.

Cardholder data protected by PCI requirements includes information such as the primary account number and the cardholder’s name, while sensitive authentication data refers to information such as PINs and card verification codes.

What are the PCI DSS requirements?

There are 12 core PCI DSS requirements that map to six major principles of PCI compliance. These PCI requirements apply to systems (e.g., software and servers), people, and processes involved in the storage, processing, or transmission of cardholder or authentication data. Additionally, system components that have unrestricted access to other system components that store, process, or transmit payment card information are within scope, as are system components, people, and processes that can impact the security of the cardholder data environment.

The twelve PCI requirements (mapped to the six major objectives) are as follows.

PCI Objective 1: Build and maintain a secure network

PCI requirement 1: Install and maintain network security controls

Network security controls safeguard networks from unauthorized traffic. While this has traditionally been handled by firewalls, newer technologies such as virtualization/container systems and cloud access controls are other methods that can be used.

PCI requirement 2: Apply secure configurations to all system components

This requirement for PCI compliance has a heavy focus on changing default passwords assigned by vendors for different system components. These vendor-assigned passwords are readily available on the internet and represent a significant data security vulnerability. The requirement also focuses on other risk mitigating activities, such as disabling unused accounts and systems.

PCI Objective 2: Protect account data

PCI Requirement 3: Protect stored account data

This requirement emphasizes that there should be a business need for storing payment account data and that sensitive authentication data should never be stored following authentication. Additionally, stored data should be rendered unreadable through methods such as encryption.

PCI Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

Untrusted, public, and misconfigured wireless networks can be easily targeted by hackers to gain access to payment card information. To mitigate this risk, the PCI SSC advises that primary account number transmissions “can be protected by encrypting the data before it is transmitted, or by encrypting the session over which the data is transmitted, or both.”

PCI Objective 3: Maintain a vulnerability management program

PCI Requirement 5: Protect all systems and networks from malicious software

Malware such as viruses and spyware exploits weaknesses in a system or network to give hackers unauthorized access to data or the ability to harm an organization's systems or technical infrastructure. This requirement specifies that businesses must protect payment card data from malware through measures that include preventing malware attacks and being able to detect and address malicious activity. Compliance with this PCI requirement also calls for the implementation of anti-phishing mechanisms.

PCI Requirement 6: Develop and maintain secure systems and software

Requirement 6 stipulates that in-scope custom developed software needs to have security best practices included in the design. Additionally, any third-party systems within the payment card data environment must have the latest vendor-provided critical security patches installed.

PCI Objective 4: Implement strong access control measures

PCI Requirement 7: Restrict access to cardholder data by business need-to-know

Sometimes data is compromised by internal bad actors. For compliance with this PCI requirement, organizations must limit employee access to cardholder data according to job responsibilities and on a need-to-know basis. Employees should have access to the least amount of data required to do their jobs.

PCI Requirement 8: Identify users and authenticate access to system components

For PCI compliance, organizations need to assign a unique account to each employee involved in the processing, storage, or transmission of payment card data, and to have strong authentication measures in place. This requirement safeguards against unauthorized system access and makes system use traceable to an individual.

PCI Requirement 9: Restrict physical access to cardholder data

Compliance with PCI DSS requires organizations to physically safeguard their payment card data so that no one walks away with hard copies containing sensitive information, or servers and other hardware used for storing, processing, or transmitting cardholder data.

PCI Objective 5: Regularly monitor and test networks

PCI Requirement 10: Log and monitor all access to system components and cardholder data

System activity logs allow organizations to detect anomalies and conduct forensic investigations in case data is compromised. Therefore, this requirement for PCI compliance calls for organizations to implement logging mechanisms and have the ability to track user activities.
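A minimal audit trail and two log-review checks, as an added example that is not code from the original article or from NICE: each event records who, what, which record (a token rather than the PAN), when, from where, and the outcome, as Requirement 10 expects, and the review flags accounts viewing an unusual number of full PANs within an hour as well as full-PAN views by roles without a need to know (Requirement 7). The users, roles, log layout and the 20-views-per-hour threshold are constructed assumptions.

```python
"""Added example (not from the original article): a minimal cardholder-data
access audit trail in the spirit of PCI DSS Requirement 10, with two review
checks over it: accounts viewing an unusual number of full PANs, and full-PAN
views by roles without a need to know (Requirement 7). The users, roles, log
layout and the threshold of 20 views per hour are constructed assumptions."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed role table. Only roles with a business need may see the full PAN.
ROLE_OF = {"agent17": "agent", "agent22": "agent", "analyst03": "reporting", "admin01": "sysadmin"}
ROLES_ALLOWED_FULL_PAN = {"agent"}


def audit_line(ts: datetime, user: str, action: str, record: str, src: str, ok: bool) -> str:
    """One audit event as a JSON line: who, what, which record (a token, never
    the PAN itself), when, from where, and the outcome."""
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": user, "action": action,
                       "record": record, "src": src, "ok": ok}, sort_keys=True)


def build_sample_log() -> str:
    """Constructed log: normal agent lookups, one agent bulk-viewing PANs,
    one reporting analyst viewing a full PAN, one admin viewing a masked PAN."""
    t0 = datetime(2023, 7, 11, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):   # agent22: five lookups in an hour, a normal workload
        lines.append(audit_line(t0 + timedelta(minutes=10 * i), "agent22", "view_pan", f"tok_{i:03d}", "10.0.4.22", True))
    for i in range(25):  # agent17: 25 full-PAN views in under an hour
        lines.append(audit_line(t0 + timedelta(minutes=2 * i), "agent17", "view_pan", f"tok_{100 + i:03d}", "10.0.4.21", True))
    lines.append(audit_line(t0 + timedelta(minutes=30), "analyst03", "view_pan", "tok_200", "10.0.9.5", True))
    lines.append(audit_line(t0 + timedelta(minutes=31), "admin01", "view_masked_pan", "tok_200", "10.0.9.9", True))
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> list:
    """Parse JSON lines back into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_bulk_pan_views(events: list, threshold: int = 20) -> list:
    """(user, hour, count) for every account whose successful full-PAN views in
    one clock hour exceed the threshold; each is a candidate for investigation."""
    counts = Counter()
    for e in events:
        if e["action"] == "view_pan" and e["ok"]:
            counts[(e["user"], e["ts"][:13])] += 1  # "YYYY-MM-DDTHH"
    return sorted((u, h, n) for (u, h), n in counts.items() if n > threshold)


def flag_need_to_know_violations(events: list) -> list:
    """Accounts that viewed a full PAN although their role does not permit it
    (unknown accounts count as violations too)."""
    return sorted({e["user"] for e in events
                   if e["action"] == "view_pan" and ROLE_OF.get(e["user"]) not in ROLES_ALLOWED_FULL_PAN})


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print(flag_bulk_pan_views(evs))            # [('agent17', '2023-07-11T09', 25)]
    print(flag_need_to_know_violations(evs))   # ['analyst03']
```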

PCI Requirement 11: Test security of systems and networks regularly

Hackers constantly scan for system weaknesses, and so should PCI compliant businesses. Changes to technical environments, such as the implementation of new systems, can introduce new vulnerabilities. Therefore, organizations are required to regularly test the security of their systems and networks.

PCI Objective 6: Maintain an information security policy

PCI Requirement 12: Support information security with organizational policies and programs

A formal data security policy communicates what is expected of employees regarding the security of cardholder information and emphasizes the organization's commitment to keeping this data safe. Accordingly, requirement 12 holds organizations accountable for activities such as ongoing training, employee screening, and identifying what is in scope for PCI compliance.

Levels of PCI compliance

There are four different levels of PCI compliance. Merchants are divided into compliance levels based on their annual volume of credit and debit card transactions. Each level has its own reporting requirements to maintain PCI compliance.

  • Level 1: Merchants processing over 6 million card transactions per year.
  • Level 2: Merchants processing 1 to 6 million transactions per year.
  • Level 3: Merchants handling 20,000 to 1 million transactions per year.
  • Level 4: Merchants handling fewer than 20,000 transactions per year.

It's important to note that different payment brands may have their own criteria for the different levels and compliance reporting. Additionally, they may move merchants who have experienced data breaches to higher levels with more stringent assessment requirements. Merchants should understand these payment brand requirements to ensure they are compliant with them as well as PCI DSS.

Depending on their PCI level, merchants need to complete the following activities and reports on an ongoing basis:

Report on compliance (ROC)

Only merchants at PCI Level 1 are required to complete a report on compliance. The ROC is an annual assessment of a merchant’s data security controls, completed by a third-party qualified security assessor (QSA). The QSA evaluates whether the organization adheres to the twelve PCI requirements and documents any deficiencies.

Vulnerability scan

A PCI vulnerability scan is an automated test that identifies potential data security vulnerabilities in an organization's IT infrastructure. Merchants at all PCI levels must undergo a quarterly vulnerability scan conducted by an approved scanning vendor (ASV).

Attestation of compliance (AOC)

Merchants at all PCI compliance levels must complete an attestation of compliance (AOC) form, which formally certifies the results of a PCI assessment as documented in a ROC or self-assessment questionnaire. AOCs are completed annually, either by a QSA or by merchants that perform their own assessments.

Self-assessment questionnaire (SAQ)

Depending on their PCI level, businesses may be able to conduct their own annual PCI assessments and report the results on a self-assessment questionnaire. There are eight different versions of the SAQ and merchants need to choose the right one according to their business model. For example, an e-commerce company and a brick-and-mortar business would complete different versions of the SAQ.

Achieving PCI compliance

Although there are only 12 main PCI requirements, there are a multitude of sub-requirements that may apply to a business, making the achievement of PCI compliance a complex undertaking. Organizations that are seeking compliance with PCI DSS should treat it like a major initiative and follow a detailed, structured approach.

Step-by-step process for achieving PCI Compliance

The PCI Security Standards Council recommends using a process it developed for PCI compliance called the prioritized approach. The approach breaks the process of becoming PCI compliant into six risk-based security milestones:

  • Milestone 1: Do not store sensitive authentication data and limit cardholder data retention
  • Milestone 2: Protect systems and networks and be prepared to respond to a system breach
  • Milestone 3: Secure payment applications
  • Milestone 4: Monitor and control access to your systems
  • Milestone 5: Protect stored cardholder data
  • Milestone 6: Complete remaining compliance efforts, and ensure all controls are in place

The prioritized approach, which is based on lessons learned and feedback from security experts, maps the twelve PCI requirements and all sub-requirements to the six milestones. The approach is designed to mitigate risk as an organization works towards PCI compliance. In other words, the milestones and corresponding PCI compliance checklist are designed so that the most impactful data security measures are implemented early in the process.

Examples of requirements that support Milestone 1 include “An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks” and “SAD (sensitive authentication data) is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.”
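The sanitization that Requirement 3 and Milestone 1 describe, as an added example that is not code from the original article or from NICE: once authorization is complete it drops sensitive authentication data from the authorization record, truncates the PAN to its first six and last four digits, keeps only a keyed hash for linking records, and scrubs card-number-like strings from free-text agent notes. The field names, the sample record and the hash key are constructed assumptions.

```python
"""Added example (not from the original article): sanitize an authorization
record before it is stored, per PCI DSS Requirement 3 and Milestone 1: drop
SAD once authorization completes, truncate the PAN, keep only a keyed hash.
Field names, the sample record and the hash key below are constructed."""
import hashlib
import hmac
import re

# Sensitive authentication data: never stored after authorization, even if
# encrypted. The field names are an assumption for this example.
SAD_FIELDS = ("cvv", "pin", "pin_block", "track1", "track2", "magstripe")

# Constructed key for the keyed PAN hash; in production it would be managed
# under Requirement 3 key-management controls (an HSM or KMS), never in code.
PAN_HASH_KEY = b"example-key-do-not-use-in-production"

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check, which separates card-number-like strings from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows to be shown."""
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def pan_reference(digits: str) -> str:
    """Keyed hash of the PAN: lets records be linked without storing the PAN."""
    return hmac.new(PAN_HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def scrub_free_text(text: str) -> str:
    """Replace Luhn-valid card-number-like sequences in free text (agent notes,
    transcripts) with their truncated form; other numbers are left alone."""
    def repl(m: re.Match) -> str:
        try:
            return mask_pan(re.sub(r"\D", "", m.group(0)))
        except ValueError:
            return m.group(0)
    return PAN_PATTERN.sub(repl, text)

def sanitize_for_storage(auth_record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist."""
    clean = {k: v for k, v in auth_record.items() if k not in SAD_FIELDS}
    digits = re.sub(r"\D", "", clean.pop("pan"))
    clean["pan_masked"] = mask_pan(digits)  # raises if the PAN is malformed
    clean["pan_ref"] = pan_reference(digits)
    if "agent_notes" in clean:
        clean["agent_notes"] = scrub_free_text(clean["agent_notes"])
    return clean

SAMPLE_AUTH_RECORD = {  # constructed sample; the PAN is a well-known test number
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Example",
    "cvv": "123",
    "track2": "4111111111111111=29121010000000000",
    "auth_code": "A1B2C3",
    "agent_notes": "Customer repeated the card 4111-1111-1111-1111 after a bad line.",
}
```

Everything that survives in the returned record (truncated PAN, keyed reference, cardholder name, scrubbed notes) is still cardholder data and still needs Requirement 3 retention limits and encryption at rest; the point of the function is that nothing recoverable to a full PAN or to SAD is written.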

Following this step-by-step process for becoming PCI compliant gives much-needed structure to a complex project, enables “quick wins,” and provides measurable progress milestones. The 49-page prioritized approach checklist covers the latest version of the PCI DSS requirements and can be found on the PCI Security Standards Council website.

Best practices for PCI compliance

In addition to following a structured approach for PCI compliance, there are several best practices an organization can follow to ensure their efforts are successful.

  • PCI Best Practice 1 - Identify the scope of your PCI efforts. Spending sufficient time and effort identifying the people, processes, and systems that are within the scope of PCI DSS requirements will ensure that credit card data is appropriately safeguarded and help organizations avoid negative surprises during PCI assessments.
  • PCI Best Practice 2 - Limit your PCI scope. In addition to identifying the scope, organizations should also try to limit it by taking measures such as storing cardholder data in its own environment, separate from other customer and operational data. Minimizing scope reduces vulnerabilities and decreases the administrative burden associated with being PCI compliant.
  • PCI Best Practice 3 - Use role-based system access. Role-based access controls can also help organizations narrow PCI scope as well as provide an audit trail of everyone accessing or handling credit card data.
  • PCI Best Practice 4 - Ensure any applicable vendors are also PCI compliant. Your organization can have the best data security controls in place, but if a vendor who stores, processes, or transmits cardholder data on your behalf has lax security practices, your customers can still suffer the consequences of a data breach. As an example, if you outsource sales volume to a BPO contact center, make sure they’re PCI compliant.
  • PCI Best Practice 5 - Ensure employees understand their PCI compliance roles and responsibilities. Compliance with PCI DSS requirements isn't just an IT effort. Employees, such as operational staff, also need to do their part in protecting customer data. All “in scope” employees need to understand the organization’s security policies, as well as what is expected of them regarding PCI DSS requirements.

Also remember not to be stingy when it comes to purchasing security tools such as anti-virus software. Investing in top-notch security solutions has a fantastic ROI when it helps organizations avoid costly data breaches.

Maintaining PCI compliance

Achieving PCI compliance is only one side of the coin - the other side is maintaining compliance. After the initial push for PCI compliance, it can be easy to relax security standards, but organizations need to fight this tendency and continue strong data security practices in the spirit of PCI DSS requirements.

Importance of ongoing monitoring and testing

Because PCI compliance is something organizations should be concerned about throughout the year (not just when assessments are due), organizations should regularly monitor and test their data security practices. It’s not enough to perform well during annual audits - businesses need to make sure customer data is always protected by consistently employing data security best practices.

Organizations should establish automated security alerts to warn them when data security is at risk. Additionally, they need sound procedures for responding to these alerts and addressing whatever triggered them. Organizations should also periodically perform their own risk assessments to ensure those PCI standards they worked so hard to implement are still in place and being adhered to.

Common challenges faced while maintaining PCI compliance

The PCI Security Standards Council has identified the following common challenges to staying in compliance with PCI DSS requirements:

  • “Pressures to adapt to ever-increasing customer demands and emerging technologies and the resulting changes to an organization’s business goals, structure, and technology infrastructure.”
  • “Organizational complacency, assuming what was good enough last year will be good enough in future years.”
  • “Overconfidence in organizational practices, resulting in a lack of resources devoted to regular monitoring of compliance program effectiveness.”
  • “Inability to assign the right people, tools, and processes, and lack of executive leadership commitment to maintaining compliance.”
  • “Failure to accurately scope the organization’s cardholder data environment (CDE) as business practices evolve with the introduction of new products or services, or acquisitions.”

As businesses evolve and add new technologies, new lines of business, and different partners, they need to reassess and possibly update the scope of their PCI efforts. They also need to continue making PCI compliance a priority across the organization. And becoming complacent with data security is an invitation to hackers - organizations need to diligently protect cardholder data at all times.

Tips for maintaining PCI compliance

The PCI Security Standards Council has also published tips for staying in compliance with PCI DSS requirements. These tips and best practices include the following:

Consequences of non-compliance

Not complying with PCI DSS requirements can be financially burdensome. For example, credit card providers can fine businesses anywhere from $5,000 to $100,000 per month for noncompliance. Additionally, they can assess a hefty fine per cardholder record if a data breach occurs, or even take away a business’s ability to accept or process credit cards. These penalties and fines, on top of lost revenue due to a diminished reputation, can wreak havoc on a P&L statement.

Heartland Payment Systems felt this financial pain several years ago when a hacker breached their systems. Heartland, a provider of credit and debit card processing, payment and check management services, discovered malware on systems that processed approximately 100 million card transactions per month. As a result of this sizable breach, the business was forced to stop processing major credit cards for 14 months and had to pay around $145 million in compensation.

How NICE can support your PCI compliance goals

If your contact center is within the scope of your PCI program, expect some complexity around call recording. As mentioned previously, organizations can’t store sensitive authentication data, which means call recordings can't include that information. NICE’s call and screen recording solution solves this problem and enables organizations to maintain PCI compliance with features such as on-demand and automated pausing. Additionally, Sycurio, a Premier NICE DEVone partner, offers easy secure payment options for contact centers that require PCI compliance, enabling organizations to safeguard interactions in every channel while delivering an exceptional customer experience that builds trust and loyalty.