The Four-Step Process to PCI DSS Compliance

If you work in a small or medium-sized business, you might have opened your mail recently and found a letter from the bank that handles your credit card processing, asking you to certify your compliance with the Payment Card Industry Data Security Standard (PCI DSS) or face substantial fines and surcharges. What does this letter mean, and how does a small business comply with PCI DSS?

The PCI DSS standard isn’t new. It’s been around since 2005, and large businesses have spent a significant amount of time and money over the past seven years ensuring that their systems comply with the standard. Now that most major retailers are PCI DSS compliant, banks are turning their attention to smaller businesses and asking them to certify compliance for the first time.

Inside the Payment Card Industry Data Security Standard

Unlike many technology compliance issues, the foundation of PCI DSS does not rest in the law. Instead, the obligation to comply with PCI DSS rests in a company’s agreement with their credit card merchant bank. Buried somewhere in the fine print is either an explicit agreement to comply with the PCI DSS or a more general agreement to follow “rules set out by payment card associations” or similar language. That language compels businesses to follow the credit card security standards in all of their card processing activities.

Most security professionals agree that the standard is a codification of many of the best practice security principles that they’ve been preaching for years. PCI DSS simply enumerates these and contains detailed specifications and testing procedures to evaluate an organization’s compliance.

The requirements are rolled up into 12 categories, often referred to as the “Digital Dozen”:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

While these high-level requirements may sound straightforward, it is important to understand that they are only a summary of the detailed requirements found in the full PCI DSS standard document. This 75-page document contains detailed implementation instructions for each of these requirements. For example, the implementation checklist for the 12th requirement is six pages long, including such details as creating a usage policy for removable electronic media and designating personnel to respond to security alerts on a 24x7 basis.

The good news for small businesses is that all 75 pages of the PCI DSS might not apply to them. Generally speaking, the less complex your technical infrastructure and the more you outsource, the fewer the requirements that apply to you. For example, businesses who fully outsource credit card processing and do not electronically store, process or transmit cardholder data need only to complete a simple two-page questionnaire. Those that run their own card processing systems are subject to the full 75-page assessment.

The PCI Security Standards Council offers a flowchart to help businesses determine their specific assessment requirements. It appears on the last page of their instructions and guidelines for the PCI DSS Self-Assessment Questionnaire.

Where to Start with PCI DSS?

If you’re trying to achieve PCI DSS compliance for the first time, you may feel like you’ve been charged with boiling the ocean. However, by breaking your compliance effort down to a four-step process, it’s possible to reduce the amount of time and money you’ll spend on PCI DSS compliance:

1. Identify card processing activities. While this might sound basic, many organizations simply don’t have a good handle on all of the ways they process credit cards. Try to draw business process diagrams showing the following elements:

• ways you receive credit card information from your customers;
• methods you use to transmit card information to your bank and other partners;
• technologies used to process credit card transactions.

2. Outsource what you can. If you can outsource portions of your card processing activities to a validated service provider, you can greatly reduce the compliance burden on your organization. Couple the use of one of these providers with point-to-point encryption and tokenization technology, and you may be able to create an environment in which your business never sees a credit card number and will have very little compliance burden.

3. Reduce your scope with segregation. The biggest challenge that most SMBs find when they tackle PCI DSS is that their card processing activities aren’t separated from their normal business computing. In this situation, the entire business must comply with PCI DSS, and that’s often an unmanageable burden. Reduce the scope of your PCI DSS environment by segregating the systems that process credit cards onto a separately firewalled network and then focusing compliance efforts on that limited network.

4. Secure what’s left. Once you’ve outsourced as much as you can and segregated the rest, turn to meeting the detailed requirements of the PCI DSS. Hopefully, you can reduce your scope enough that this will now be a manageable undertaking.

While many small businesses are intimidated the first time they receive a PCI DSS compliance letter, it’s important to remember that PCI DSS compliance can be achieved. Thousands of businesses around the world, large and small, have already done so. By following this four-step process, it’s possible to find a successful pathway to PCI DSS compliance.