
How to Achieve PCI DSS Compliance as an E-Commerce Business

There are two important truths about PCI DSS in e-commerce environments: It’s easy to reach compliance. But it’s hard to maintain it. 

Well, in comparison, at least. Setting up a PCI DSS-compliant environment for card payments is never exactly “easy”. But many e-commerce companies find it a challenge to uphold and monitor the measures that secure cardholder data, especially as the requirements evolve over time. In different phases of business development, e-commerce companies may find themselves struggling with: 

  • Putting together a sound strategy to uphold PCI DSS compliance over time. 
  • Analyzing the effectiveness of the PCI security measures put in place. 
  • Discovering deviations from what PCI DSS requires. 
  • Educating their teams to put the specifications into ongoing practice. 

If you run an online retail business, this article may help you understand the requirements of PCI DSS, the challenges those requirements entail and the possible actions to become compliant. It will: 

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is not a law but a contractual requirement that the card brands enforce through the acquiring banks, and it applies to all organizations (merchants, banks, payment processors, payment software developers etc.) that process, transmit or store cardholder data, for debit as well as credit cards. PCI DSS presents a set of security requirements for merchants, payment service providers and platform owners on how to transmit, process and store card data during and after a payment transaction.

In 2004, the card schemes Visa, MasterCard, American Express, JCB International and Discover Financial Services aligned their individual security programs into PCI DSS 1.0. Since 2006, the Payment Card Industry Security Standards Council (PCI SSC) has administered the PCI DSS and published regular updates. In addition, the PCI SSC qualifies Qualified Security Assessors (QSAs), the organizations that conduct PCI DSS assessments. They examine a company’s security measures, document the result in a Report on Compliance (RoC) and sign the Attestation of Compliance (AoC) together with the assessed company. If a platform transmits, stores or processes cardholder data, it needs to comply with PCI DSS. 

The Four Levels of PCI DSS

Not every validation requirement applies to every e-commerce business. Depending on the number of card transactions it processes annually, a merchant falls into one of four merchant levels. The thresholds below are Visa’s; the other card brands use similar but not identical definitions, and your acquiring bank tells you which level it holds you to. The level determines how compliance is validated (an on-site assessment or a self-assessment). Which of the standard’s several hundred individual controls actually apply depends instead on how the platform handles card data: a merchant whose checkout fully redirects to, or embeds the hosted form of, a PCI DSS-validated payment provider may qualify for the short SAQ A, one whose own website influences the payment page falls under SAQ A-EP, and one that accepts card data on its own systems has to work through the full SAQ D.

  • PCI Level 1 – More than 6 million transactions per year: Businesses in this category must go through an annual on-site assessment by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), which results in a Report on Compliance (RoC) and an Attestation of Compliance (AoC). Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are mandatory as well.   
  • PCI Level 2 – 1 to 6 million transactions per year: Businesses in this category file an annual Self-Assessment Questionnaire (SAQ) and an AoC and run quarterly ASV scans; an on-site assessment is usually only demanded after a breach or at the acquirer’s request.
  • PCI Level 3 – 20 thousand to 1 million e-commerce transactions per year: The annual SAQ, the AoC and quarterly ASV scans apply here too.  
  • PCI Level 4 – Fewer than 20 thousand e-commerce transactions per year: The acquiring bank decides how compliance is validated. An annual SAQ and quarterly ASV scans (where externally facing systems are in scope) are the usual expectation, and completing them is best practice even where the acquirer does not insist. 
Independent of the level, the standard itself requires every in-scope company to run internal and external vulnerability scans at least quarterly and a penetration test at least annually and after significant changes.

Why Must E-Commerce Companies Adhere to PCI DSS? 

The overall goal of PCI DSS is to give guidelines to companies, so that they can develop and maintain a mature payment environment that effectively and continuously protects cardholder data. 

Thus, PCI DSS compliance uplifts the overall security of your e-commerce platform and helps to prevent data breaches. Being compliant also helps you build trust with customers. PCI DSS compliance sends the message that they can entrust you with their card data.  

Failing to adhere to PCI DSS while processing cardholder data can easily culminate in termination of the acquiring contract or in penalty fees, which the card schemes impose on the acquiring bank and which the acquirer passes on to the merchant.

What Are the Requirements of PCI DSS?

First off, it’s important to understand that PCI DSS is an evolving set of requirements. It sees regular updates, and the way its requirements are applied reacts to developments in digital security and payment technology. This means each audit is conducted against a specific PCI DSS version, usually the latest if it is the company’s first audit. 

Overall, however, the basic requirements of PCI DSS remain relatively constant across versions, with modifications being added as sub-requirements. The 12 main requirements below are given in the wording of PCI DSS v3.2.1; v4.0, which replaced it in 2024, keeps the same twelve but rephrases several of them (Requirement 1, for example, now speaks of “network security controls” rather than firewalls, and Requirement 5 of “malicious software” rather than anti-virus). Every company dealing with card data has to comply with all of them, and must ensure that the requirements are not only fulfilled but also thoroughly documented.    

1. Install and maintain a firewall config to protect cardholder data

Firewalls and routers are key components of data security. They block unauthorized access and manage authorized access to cardholder data. Rules must restrict inbound and outbound traffic to what the cardholder data environment actually needs, be documented with a business justification and be reviewed at least every six months. A secure infrastructure will usually need multiple layers of firewalls, for instance a DMZ in front of the systems that hold card data. 

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Default accounts, passwords, SNMP community strings, keys and similar security parameters shipped by vendors must be changed or removed before a system goes live, and every system should be hardened against a documented configuration standard. This includes integrated third-party systems, and all remaining passwords must adhere to the secure password rules of Requirement 8. 

3. Protect stored cardholder data

Store only the cardholder data you actually need, and never store sensitive authentication data (full track data, the CVV/CVC code, PINs) after authorization, not even encrypted. Wherever the primary account number (PAN) is stored, it must be rendered unreadable, for instance with strong encryption, truncation, tokenization or a keyed one-way hash, and the keys must be managed and protected separately from the data. In practice this means keeping cardholder data in a dedicated vault system that serves this one purpose: no other applications run in the same encapsulated environment, and access to it is highly restricted, monitored and documented.

4. Encrypt transmission of cardholder data across open, public networks

Card data must be protected with strong cryptography (a current TLS version with only secure cipher suites) whenever it travels across open or public networks, which includes the internet and wireless networks, and unprotected PANs must never be sent via end-user messaging technologies such as e-mail or chat. Internally and in merchant- or customer-facing applications, prefer tokens and masked card numbers: PCI DSS allows at most the first six and last four digits of a PAN to be displayed (the so-called 6×4 masking, formally part of Requirement 3), and any user who sees more needs a documented business need. 

5. Protect all systems with anti-virus software

The software in question has to perform regular system scans on schedule and keep itself updated. It must be set up in a way that users or staff members cannot disable or alter it, unless management authorizes this for a limited time on a case-by-case basis. 

6. Develop and maintain secure systems and applications

The payment software development team should be trained in secure coding practices and security awareness. It should mind the OWASP Top 10 to avoid the most common security flaws, review code before release, and keep development, test and production environments separate. Known vulnerabilities have to be tracked and fixed: PCI DSS expects critical security patches to be installed within one month of release. 

7. Restrict access to cardholder data by business “need-to-know” principles

Companies in scope have to define a clear rights and roles concept within the team, grant each role only the privileges its job requires, and deny access by default. 

8. Identify and authenticate access to system components

Every user gets a unique ID, so that any access to sensitive data can be traced to a person. Multi-factor authentication is mandatory for all remote access to the cardholder data environment and for all administrative access to it, and sessions must be limited: after 15 minutes without activity, users are automatically logged out and have to authenticate again. Accounts must also be locked after repeated failed login attempts.  
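The numbers behind these sentences are fixed by the standard: PCI DSS v3.2.1 requires an account to be locked after at most six failed attempts (v4.0 relaxes this to ten), for at least 30 minutes, and a session idle for more than 15 minutes to re-authenticate. The following added example, not code from the original article or from trimplement, enforces exactly those three controls in front of whatever credential check an application already has; the credential check itself is passed in as a boolean, and the clock is injectable so the lockout and timeout can be exercised without waiting (both are assumptions of this example).

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthPolicy:
    # PCI DSS v3.2.1 8.1.6-8.1.8 values (v4.0 8.3.4 allows up to 10 attempts).
    max_failed_attempts: int = 6
    lockout_seconds: int = 30 * 60
    idle_timeout_seconds: int = 15 * 60


class AccessController:
    """Lockout and idle-timeout enforcement for interactive logins.

    Password/MFA verification is out of scope here: the caller passes the
    result of its own check as `credentials_ok` (assumption of this example).
    State is kept in memory; a real deployment would persist it so that a
    restart, or a second application instance, cannot reset a lockout.
    """

    def __init__(self, policy: AuthPolicy | None = None, clock=time.time):
        self.policy = policy or AuthPolicy()
        self._clock = clock                                  # injectable for testing
        self._failures: dict[str, int] = {}                  # user_id -> consecutive failures
        self._locked_until: dict[str, float] = {}            # user_id -> unix time lock expires
        self._sessions: dict[str, tuple[str, float]] = {}    # session_id -> (user_id, last activity)

    def attempt_login(self, user_id: str, credentials_ok: bool) -> tuple[str, str | None]:
        """Return ("ok", session_id), ("failed", None) or ("locked", None)."""
        now = self._clock()
        if now < self._locked_until.get(user_id, 0.0):
            return "locked", None        # correct credentials are rejected too while locked
        if not credentials_ok:
            count = self._failures.get(user_id, 0) + 1
            if count >= self.policy.max_failed_attempts:
                self._failures.pop(user_id, None)
                self._locked_until[user_id] = now + self.policy.lockout_seconds
                return "locked", None
            self._failures[user_id] = count
            return "failed", None
        self._failures.pop(user_id, None)
        self._locked_until.pop(user_id, None)
        session_id = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[session_id] = (user_id, now)
        return "ok", session_id

    def session_user(self, session_id: str) -> str | None:
        """Return the session's user and refresh its activity time, or None if it has expired."""
        now = self._clock()
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, last_activity = entry
        if now - last_activity > self.policy.idle_timeout_seconds:
            del self._sessions[session_id]       # idle too long: force re-authentication
            return None
        self._sessions[session_id] = (user_id, now)
        return user_id

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)
```

The controller deliberately answers “locked” to a correct password during the lockout window; responding differently would tell an attacker which guess was right. The same “locked” answer for the sixth wrong attempt and for the attempts after it keeps the response from leaking the exact counter as well.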

9. Restrict physical access to cardholder data

Physical security also plays a crucial part in the PCI DSS rulebook. Cardholder data may only be stored on servers hosted in data centers or cloud environments whose operator has itself been validated as a PCI DSS-compliant service provider, with both physical security controls and access control implemented accordingly. Ask the provider for its Attestation of Compliance and for a responsibility matrix that states which requirements it covers and which remain yours. 

10. Track and monitor all access to network resources and cardholder data

Monitor all access to cardholder data. It is not only important to log user IDs, types of events, date and time, success or failure, origin and the affected resource; companies also have to protect the logs from alteration (restrict who can change them, forward them promptly to a central log server and put file-integrity monitoring on them) and synchronize all clocks with a trusted time source, so that events from different systems can be correlated and falsification attempts are detectable. Companies have to review logs for suspicious activity on a daily basis and retain them for at least one year, with the last three months immediately available.  
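Forwarding logs to a central server protects them against a host that is compromised later, but the reviewer also needs a way to tell that what the central server holds is what was written. The following added example, not code from the original article or from trimplement, chains audit records with HMAC-SHA256 tags held by the log server (an assumption of this example) so that editing, reordering or deleting an earlier record breaks every later tag, enforces the per-event fields Requirement 10 asks for, and runs one daily-review check, a burst of failed logins, over constructed sample events.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Details PCI DSS v3.2.1 10.3 requires for every audited event
# (user, type, date/time, success or failure, origin, affected resource).
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result", "origin", "resource")


class AuditLog:
    """Append-only audit trail whose records are chained with HMAC-SHA256 tags.

    Every tag covers the previous tag plus the canonical JSON of the record, so
    altering, reordering or deleting an earlier record invalidates all later
    tags. The key is held by the central log server, not by the hosts that
    emit events (an assumption of this example), so a compromised host cannot
    rewrite and re-tag its own history.
    """

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _tag(self, prev: str, record: dict) -> str:
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + canonical).encode(), hashlib.sha256).hexdigest()

    def append(self, **record) -> dict:
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record is missing required fields: {missing}")
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        entry = {"prev": prev, "record": record, "tag": self._tag(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """(True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, entry["record"])
            if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
                return False, i
            prev = entry["tag"]
        return True, None


def failed_login_burst(log: AuditLog, threshold: int = 5) -> dict[str, int]:
    """Daily-review helper: user IDs with at least `threshold` failed logins."""
    counts: dict[str, int] = {}
    for entry in log.entries:
        rec = entry["record"]
        if rec["event_type"] == "login" and rec["result"] == "failure":
            counts[rec["user_id"]] = counts.get(rec["user_id"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


def build_sample_log(key: bytes = b"example-log-server-key") -> AuditLog:
    """Constructed sample events (not real data), in the order they were written."""
    log = AuditLog(key)
    start = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    events = [
        ("alice", "login", "success", "10.0.0.5", "admin-console"),
        ("alice", "pan_access", "success", "10.0.0.5", "vault/order/123"),
    ] + [("mallory", "login", "failure", "203.0.113.7", "admin-console")] * 5 + [
        ("bob", "login", "failure", "10.0.0.9", "admin-console"),
    ]
    for i, (user, kind, result, origin, resource) in enumerate(events):
        log.append(user_id=user, event_type=kind, result=result, origin=origin,
                   resource=resource, timestamp=(start + timedelta(minutes=i)).isoformat())
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("failed-login bursts:", failed_login_burst(log))
```

The chain only proves integrity from the point of ingestion onward; it does not help if a host never sends an event in the first place, which is why the emitting side should forward synchronously or buffer to disk and why missing heartbeat events deserve an alert of their own.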

11. Regularly test security systems and processes

Companies must always follow predetermined test protocols. This means internal and external vulnerability scans at least quarterly (the external ones by an Approved Scanning Vendor) and after significant changes, an annual penetration test of the cardholder data environment, and tests of the segmentation controls wherever segmentation is used to reduce scope, all to ensure the confidentiality, integrity and availability of one’s data and network. Findings have to be fixed and the scans repeated until they pass.

12. Maintain a policy that addresses information security for all personnel

The companies have to establish, publish, maintain and disseminate a security policy. They also must refresh their team’s qualifications with regular security awareness training and secure coding workshops.

How Can Your Company Achieve PCI DSS Compliance

PCI DSS is nothing your e-commerce company will do on the fly. To achieve compliance you need to have experts in PCI DSS and secure coding as part of your payment team. Alternatively or in addition you could work with external professionals for payment security and regulatory compliance. Once you have the expertise on board, you are ready to implement the PCI DSS guidelines, one step at a time. 

A comprehensive PCI DSS strategy, a trained team and a well-planned payment software infrastructure will pay off in the long run, as regulations, customer demands and technologies evolve and your business has to adapt to them.

From Scratch Or From Running Operations? 

The requirements of the PCI DSS rule set remain largely the same for all e-commerce companies. However, there are serious differences in implementation efforts, depending on the maturity stage of a business. 

In any case, it is more difficult to retrofit PCI DSS into running day-to-day operations than to design for it up front. At the same time, the rule set is designed in such a way that an e-commerce company does not have to cease operations in order to work on its compliance.  

Compliance for Start-Ups

For companies that are just starting to build their payment infrastructure, PCI DSS compliance is comparatively easy to achieve, although it still takes real effort: they can make room for all PCI DSS requirements in the initial planning phase and then implement them as development goes along.

Compliance for Mature Companies

By contrast, mature companies wanting to reorganize their infrastructure to meet PCI DSS requirements could face a variety of challenges, such as legacy systems that store card numbers in cleartext, shared infrastructure that pulls unrelated systems into the audit scope, and processes that have to change without interrupting the business. 

The 7 Steps of Reaching PCI DSS Compliance

Whatever specific challenges and business models come into play with an e-commerce platform, the path to PCI DSS compliance always includes these 7 steps. 

1. Understand card data flows in your environment

Identify the cardholder data environment (CDE) on all your platforms. The CDE consists of all people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, and every system connected to it or able to affect its security is in scope as well. Analyze the applications and processes the cardholder data passes through during payment and storage. Set up documentation of the overall system architecture and of the card data flows.

2. Reduce your card data environment to the absolute minimum for PCI DSS

In PCI DSS, less is more. To reach compliance, make sure to minimize the number of components and applications that touch cardholder data. Every application that deals with cardholder data is a potential security risk and has to be included in the PCI DSS audit scope. The most effective reduction for an online shop is to let a PCI DSS-validated payment service provider capture the card number directly, via a redirect or hosted payment fields, so that the PAN never reaches your own servers, and to segment whatever remains in scope from the rest of the network. 

3. Start a “gap analysis”

Find out where your new, descoped environment has weak spots and where cardholder data might be in jeopardy in case of a security breach. Pay special attention to the protection of the sensitive data: the PAN must not be stored or displayed in cleartext anywhere within your system, and sensitive authentication data must not be stored after authorization at all. Scanning databases, log files, backups and crash dumps for card numbers is a reliable way to find data you did not know you had. 

4. Close gaps according to PCI DSS

Closing gaps in a descoped environment will mean a number of different things, from changing vendor default passwords to establishing regular monitoring routines and training your team in security awareness and secure coding techniques. 

5. Release descoped environment into production

Devise the best way to release the changes without affecting your day-to-day business. Make a rollout schedule and follow it, but make sure to test all changed environments before going live.

6. Run necessary scans and fix issues

Run the quarterly ASV scans and the internal scans against the live environment, and have a team of well-trained experts ready that fixes PCI DSS-related problems as they occur. An external ASV scan only passes when no vulnerability with a CVSS base score of 4.0 or higher remains, so rescans after remediation are part of the routine. 

7. Conduct an official audit

As a last step, have a Qualified Security Assessor (QSA) validate your infrastructure and your business processes for PCI DSS compliance or, at the lower merchant levels, complete the appropriate Self-Assessment Questionnaire. Solve the problems that are found, so that you receive a clean Attestation of Compliance (AoC), and plan for the next cycle: compliance has to be revalidated every year. 


PCI DSS? We Can Help 


At trimplement, building payment systems in accordance with PCI DSS guidelines has been our line of work for over a decade.

We have helped international businesses set up software infrastructures that keep credit card data secure, relying on our expert team of solution architects, project managers and software engineers.

How you will benefit from a partnership with us:  

  • We offer secure coding and security awareness workshops, educating your employees about the intricacies of payment security
  • Our experts can conduct technical reviews of your existing payment solution, and help you to define a PCI DSS compliant concept.
  • All custom payment products we create follow strict security standards but are flexible enough to adjust should new regulations demand changes to the system – if you plan to build a PCI DSS compliant solution from scratch or to restructure an existing system, we are the right implementation partner for your custom payment software. 

Want to know more? 

Book a free consultation session with us and we will help you with your PCI pains!

Let's Talk Your Payments Through

Christoph Laurer

Christoph Laurer is the Content Editor at trimplement, taking care of Social Media, SEO and analytics as an added bonus. With his storytelling, graphic and video editing skills, honed by working for different industries, he distils fintech and banking topics down to legible form. If you don’t find Christoph at his writing desk, you will probably meet him at the cinema.
