Credit and debit card numbers are some of the most valuable digits associated with a person. Not only are they equivalent to cash; a recent survey shows that more than 90% of Americans use a credit or debit card as their primary payment method.

If your organization accepts card payments, you may have come across the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of security standards to help protect cardholder data during transactions. It pertains to any organization that processes, stores, or transmits credit card information, regardless of its size or number of transactions. (Yes, even if you process a single credit card payment a year, PCI DSS still applies to you!)

In this article, we cover the basics of PCI DSS, its primary goals and requirements, and what you need to prove compliance.

Our latest webinar on PCI DSS walks you through how to streamline and accelerate your road to compliance.

What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all organizations that process, store, or transmit credit card information maintain a secure environment.

It was created by the Payment Card Industry Security Standards Council (PCI SSC), an independent body founded by the major payment card brands: American Express, Discover, JCB, MasterCard, and Visa.

The primary goal of PCI DSS is to protect cardholder data during payment card transactions, reducing the risk of breaches and fraud. By establishing standard policies and procedures, PCI DSS provides an actionable framework for preventing, detecting, and responding to security incidents.

PCI DSS applies to all merchants, financial institutions, service providers, and any other organization involved in the payment card ecosystem. Failure to comply can result in fines, penalties, or card processing restrictions.

It's important to note that PCI DSS is not a law. Rather, it's a global security standard that many jurisdictions have elected to incorporate into their regulations. For example, Nevada, Minnesota, and Washington have written portions of PCI DSS into their state laws. PCI DSS compliance is also a common inclusion in contractual agreements between organizations and payment brands.

Determining how PCI DSS applies to your organization can be complicated. The card brands you work with and the number of transactions you process per year determine which PCI DSS controls apply to you. The first step is to find out whether your organization is a merchant, a service provider, or both.

What is a Merchant?
The PCI SSC defines merchants as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services.”

While each of the payment brands has its own specific compliance program, merchants are classified into four general levels:

- Level 1 Merchants: More than 6 million payment card transactions annually
- Level 2 Merchants: Between 1 million and 6 million payment card transactions annually
- Level 3 Merchants: Between 20,000 and 1 million payment card transactions annually
- Level 4 Merchants: Fewer than 20,000 online transactions annually

What is a Service Provider?
Service providers are defined as “any business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.”

This includes companies that provide services that control or could impact the security of cardholder data, such as call centers, hosting providers, and network support. Unlike merchants, service providers are classified into only two levels:

- Level 1 Service Providers: More than 300,000 payment card transactions annually
- Level 2 Service Providers: Fewer than 300,000 payment card transactions annually

An organization can be both a merchant and a service provider: a merchant whose services also include storing, processing, or transmitting cardholder data on behalf of other merchants or service providers falls into both categories.

For example, an internet service provider is a merchant because it accepts payment cards for monthly billing. But it's also a service provider if it hosts other merchants as customers.

PCI DSS compliance checklist: Goals and requirements
Regardless of which level you fall under, PCI DSS outlines six goals and 12 requirements to enhance the security of payment card account data:

Build and maintain a secure network and systems

- Install and maintain network security controls
- Apply secure configurations to all system components

Protect account data

- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a vulnerability management program

- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software

Implement strong access control measures

- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data

Regularly monitor and test networks

- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly

Maintain an information security policy

- Support information security with organizational policies and programs

Who performs a PCI DSS audit?
A Qualified Security Assessor (QSA) is an individual certified by the PCI SSC to perform an onsite audit.

Some entities may also sponsor an employee to train as their Internal Security Assessor (ISA). ISAs are able to conduct internal assessments and act as a liaison with an external QSA.

During an audit, the QSA assesses whether the entity has met the PCI DSS requirements. Preparing for that assessment includes scoping (identifying all system components and workflows that are part of your cardholder data environment), completing the required documentation (more on this in the next section), and any gap analysis or remediation needed ahead of the audit.

What are the PCI DSS compliance reports?
While PCI DSS compliance looks different for every organization, the process typically involves three types of reporting documentation:

Self-Assessment Questionnaire (SAQ)
The Self-Assessment Questionnaire (SAQ) is a validation tool for entities that are not required to submit a Report on Compliance (ROC) and are eligible to perform their own assessment.

A SAQ is composed of yes-or-no questions. There are eight available SAQ forms for merchants and one for service providers, varying by the type of business activities, transaction methods, or other criteria.

Report on Compliance (ROC)
A Report on Compliance (ROC) is the most thorough documentation of compliance, detailing whether the entity meets all 12 standard requirements or whether any deficiencies were discovered during the assessment.

ROCs are completed by a QSA after performing the on-site audit, and then submitted to the acquiring bank and payment brand for verification.

Attestation of Compliance (AOC)
An Attestation of Compliance (AOC) is documented evidence of an entity's PCI DSS compliance, affirming that its security practices effectively protect cardholder data. AOCs must be signed by the entity and the QSA (if applicable) and submitted to the acquiring bank or payment brand, along with the SAQ, ROC, and any other requested documentation.

How long does PCI DSS take?
A PCI DSS assessment typically takes six to 12 weeks. The exact duration, however, varies depending on the project's size, the number of systems, and how many security measures and policies are already in place. (Note that this is only the estimated time for performing PCI SAQs.)

PCI DSS implementation also varies from company to company. Because PCI DSS applies only to the infrastructure that handles credit card data, a good way to lower implementation cost and time is to limit the storage and management of credit card data on your servers as much as possible, which keeps the assessed environment small.

PCI DSS compliance certificates are valid for one year. To maintain compliance, entities are required to complete a self-assessment questionnaire.

If there is any change in infrastructure or environment, or even a new feature release, that impacts cardholder data, then the existing PCI DSS compliance is no longer valid. The organization will need to revalidate compliance for its current state.

Furthermore, the PCI DSS requirements are updated regularly (the latest version, PCI DSS v4.0, was issued March 31, 2022), which requires entities to implement the new standards.

How often should you get a PCI DSS audit?
Certain entities are required to undergo annual audits in order to maintain PCI DSS compliance. These include:

- Level 1 Merchants that process more than 6 million payment card transactions annually
- Level 1 Service Providers that process more than 300,000 payment card transactions annually
- Any entity that recently experienced a breach or cyberattack

Beyond these cases, the exact frequency of audits depends on the payment brand you choose to work with, as PCI DSS itself does not mandate a specific frequency.

How much does PCI DSS compliance cost?
The cost of PCI DSS compliance can be divided into three main categories:

- The cost to prepare for and implement the PCI DSS standards
- The cost to certify or document your compliance status
- Annual costs to maintain PCI DSS compliance

While the exact PCI DSS compliance cost depends on the organization, it's usually driven by a few key factors:

- Organization type (merchant, service provider, or both)
- Organization size
- Number of annual transactions (as classified by PCI DSS)
- Any other requirements from the acquiring bank or payment brand
- Current security environment and compliance readiness

In most cases, the cost of PCI DSS compliance ranges from at least $20,000 (for startups and small organizations that handle fewer transactions) to upwards of $300,000 for larger enterprises. The exact amount will depend on the factors listed above and your merchant or service provider level.

Prepare for your PCI DSS compliance with OneTrust
Despite its numerous benefits, maintaining a PCI DSS compliant system can be a complicated process. OneTrust helps streamline the process with our automated scoping wizard that generates all the required PCI DSS controls, policies, and evidence tasks. Stay continuously compliant with automated evidence collection capabilities that integrate directly into your tech stack.

With OneTrust Certification Automation, you can build, scale, and automate your security compliance program, reduce your cost of compliance by up to 60%, and obtain certifications 50% faster.