Organizations that accept, process, store, or transmit credit card data possess a wealth of sensitive and potentially valuable information. In the modern world of eCommerce and online purchasing solutions, the vast majority of companies accept credit and debit cards as payment methods. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards that requires these businesses to maintain a secure computing environment. 

Many businesses opening eCommerce sites are small companies or startups with limited information technology (IT) knowledge or resources. Regardless of their size or level of expertise, they are required to comply with PCI-DSS. Due to the extent of these requirements, complying with the rules can be a very challenging objective. 

What is PCI-DSS?

The Payment Card Industry Security Standards Council (PCI SSC) is responsible for developing, administering, and managing the PCI-DSS. The Council was formed in September of 2006 by the major payment card brands Visa, MasterCard, American Express, Discover, and JCB to improve the security of payment transactions. The payment brands are responsible for enforcing the standards, not the PCI SSC. 

Merchants are categorized into one of four tiers or levels based on the volume of transactions they process and, in some cases, their degree of risk. The categories are slightly different though very similar for each payment brand. We are looking at what constitutes compliance levels as defined by Visa:

• Level 1 - Processing over six million Visa transactions annually across all channels.

• Level 2 - Processing between one and six million Visa transactions annually across all channels.

• Level 3 - Processing between 20,000 and one million Visa eCommerce transactions annually.

• Level 4 - Processing less than 20,000 Visa eCommerce transactions annually and other merchants processing up to one million Visa transactions through any channel.

Merchants can also be categorized at Level 1 if they have experienced a data breach that compromised account data. 

Penalties for PCI compliance violations are levied by the payment brands and can range from $5,000 to $100,000 per month based on the severity of the violation and the violator's compliance level. There can be additional fines in the event of data breaches which are calculated by the number of cardholders affected. 

What are the PCI-DSS Requirements?

PCI-DSS addresses technical and operational systems and components that are involved in the processing of cardholder data. The standards are comprised of seven goals encompassing twelve requirements related to cardholder data protection. Following are the goals and associated PCI-DSS requirements with which companies need to comply.

Building and maintaining a secure network is a logical first goal. Since all systems that process and store cardholder data live on your network, it needs to be kept secure from hackers and attacks by cybercriminals. 

• Firewalls must be installed and maintained to protect the network.

• Default and vendor-supplied passwords and credentials cannot be used.

Protecting cardholder data is the overriding purpose of PCI-DSS and is accomplished through a variety of measures. These measures include regularly backing up data, keeping it away from unauthorized users, and encrypting it for additional protection.

• Stored cardholder data must be protected with encryption or other methods.

• Cardholder data transmitted over open networks needs to be encrypted.

Maintaining a vulnerability management program is essential for handling the constantly evolving cybersecurity landscape. 

• Anti-virus software must be installed and regularly updated.

• Secure systems and applications are required to be developed and maintained.

Implementing strong access control measures is necessary to maintain the security and privacy of cardholder data. It must be possible to hold individuals accountable in the event of a data breach or misuse of sensitive information.

• Access to cardholder data needs to be restricted and provided on a need-to-know basis.

• Everyone with computer access to systems storing cardholder data needs to have a unique and identifiable ID.

• Physical access to systems containing cardholder data needs to be restricted.

Monitoring and testing networks regularly are required to ensure they are operating properly and providing cardholder data with the necessary level of protection. 

• All access to networks and cardholder data must be monitored and tracked.

• Security systems and processes need to be tested regularly and modified if found to be lacking.

Maintaining an information security policy is the final component of PCI-DSS and is necessary so everyone in the organization understands their role in protecting cardholder data. 

• An information policy addressing the concerns of employees and contractors needs to be developed and maintained.

When implemented correctly, these goals and requirements protect cardholder data from loss, theft, or misuse. The trick is to implement them correctly. 

Implementing a PCI-DSS Compliant Computing Environment

The scope of the PCI-DSS requirements outlined in the previous section of this article demonstrates the challenges of complying with the regulations. Following are some of the specific challenges a small business with limited IT skills may encounter as they attempt to comply with PCI-DSS.

• Identifying and updating all vendor-supplied and default passwords can be extremely difficult. At a minimum, it requires an inventory of all hardware and software components followed by a detailed investigation of the credentials needed to access the items. It's very easy to inadvertently overlook a default that is not uncovered until the audit following data loss. This can be an expensive oversight. 

• Managing firewalls is another activity that may be beyond the capabilities of a small company's technical team. Misconfiguration of the firewall exposes the network and every system on it to malicious activity.

• Monitoring and maintaining logs of all user activity requires dedicated applications and sufficient storage space for historical archives. These logs must be readily available if requested during an audit or risk assessment. 

• Developing and maintaining a backup policy that addresses all systems involved with cardholder data can be difficult. Large companies often have dedicated backup and recovery teams to handle this activity, but most small organizations do not have that luxury.

• Ensuring that all data is encrypted during transmission and when at rest is a critical part of PCI-DSS. When multiple systems are involved with processing cardholder data, this can be a task beyond the capabilities of a small IT team.

Streamlining PCI-DSS Compliance

Many companies don't have a full-time department equipped to perform self-assessments and determine where in the computing environment there is potential for PCI-DSS violations. They may also lack the technical expertise or manpower required to implement and maintain the components of an infrastructure that complies with the standards. Small companies and those just entering the market might not even have an IT department.

The solution for businesses in this situation is to take advantage of the offerings of PCI compliant hosting providers. A reliable cloud vendor can provide a PCI-compliant infrastructure that allows customers to concentrate on their core objectives and grow their business. They have the technical resources to make sure your cardholder data has a safe place to live.

Customers still bear part of the responsibility for the data they store in the cloud. Partnering with the right PCI hosting provider is a great step toward achieving PCI-DSS compliance. By engaging an experienced and reliable cloud provider, small companies can eliminate the challenges of building a compliant infrastructure for conducting business online.

Author Bio: 

Robert Agar is a regular contributor and blogger for Atlantic.Net living in Northeastern Pennsylvania who specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.