Data breaches only happen to the giants. Businesses like Sony, Home Depot, and Target have had their challenges with cardholder data theft, but smaller businesses aren’t worth a hacker’s trouble… right?
Not exactly.
In this blog post, you'll learn how small and medium-sized enterprises (SMEs) are just as vulnerable to data breaches, how PCI compliance can help, and how to find your current level of PCI compliance.
We will also discuss the changes in PCI DSS 4.0, so you have a full understanding of how it impacts your business and your security processes.
The Four PCI Compliance Levels (And Why Compliance Matters)
The PCI DSS council was founded by major credit card companies. Each card brand has its own compliance levels: Visa, Mastercard, Discover, American Express, and JCB.
While Visa, MasterCard, and Discover have their own table of merchant levels, if you compare them, you will note that Visa, MasterCard, and Discover have gotten together and decided to use the same criteria for determining merchant levels. So, if the only credit cards you accept as a merchant are Visa, MasterCard, and/or Discover, you only need to reference the Visa tables as their merchant-level criteria are all the same.
But for those merchants that accept American Express and/or JCB in addition to the other card brands, do not fret. The card brands have made things easy for you as well. If you are a given merchant level for any other card brand, you are at that merchant level for every card brand.
The following are the 4 levels of PCI compliance:
- Level 1: Merchants processing over 6 million card transactions per year.
- Level 2: Merchants processing 1 to 6 million transactions per year.
- Level 3: Merchants handling 20,000 to 1 million transactions per year.
- Level 4: Merchants handling fewer than 20,000 transactions per year.
Cardholder Data Threats
Before you declare there's nothing to fret about and that you're not putting your customers' payment card data at risk because you're a small business, consider the following statistics:
- Forbes states that researchers at Barracuda Networks found that, small businesses are three times more likely to be targeted by cybercriminals. Also, on average, small businesses with fewer than 100 employees will experience 350% more social engineering attacks than larger enterprises, allowing cybercriminals to compromise the infrastructure successfully.
- The latest report by Verizon on PCI compliance highlights PwC research findings of an alarming increase in data breach cases, estimated at an average of 66 percent per year since 2009.
- IBM reveals that data breaches each cost an average of 9.44 million dollars in the United States this year.
Judging from these figures, you might conclude that SMEs are scrambling in a panic over the thought of data breaches. If fraudsters can fool the big guy, surely small businesses are more likely to be vulnerable, right?
It turns out this hasn’t historically been the case. In 2014, the same year data breaches were happening left and right, a survey revealed that SMEs underestimated the threat of cyber attacks. A whopping 82 percent of SMEs declared they weren't worried about the attacks because they didn't have anything worth stealing.
You can avoid joining the thousands of SMEs who underestimate cyber attacks on cardholder data by following PCI compliance requirements, and preparing your organization to defend against threats using self-assessment questionnaires. We will cover all of this information in this article.
PCI Compliance Requirements
The Payment Card Industry Data Security Standard (PCI DSS) was drafted to address the growing threat of data breaches among payment cards.
According to the PCI Security Standards Council, PCI DSS is a set of universally accepted standards that help protect the safety of customer data. PCI DSS sets the operational and technical requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of the applications and devices used in those transactions.
Put simply, any business entity involved in accepting, processing, and storing payment card information must comply with PCI DSS.
PCI DSS Version 4.0 was issued in March of 2022. Businesses have until March 31, 2024 to transition to the new requirements.
Currently, there are twelve requirements for businesses to meet in their PCI compliance journey, ranging from securing firewall configurations to utilizing a robust file-monitoring integrity system. These requirements not only ensure organizations are compliant for a certain period of time but that they are also continuously tracking and monitoring critical changes.
PCI DSS 4.0 Requirements
Your organization must meet the twelve requirements required by PCI-DSS 4.0. These are split into six categories, which we’ll discuss in more detail below. Changes from 3.2.1 to 4.0 are categorized by the PCI SSC as a change type.
Change types are defined as:
- Evolving requirement: Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.
- Clarification or guidance: Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
- Structure or format: Reorganization of content, including combining, separating, and renumbering of requirements to align content.
Source: Summary of Changes from PCIDSS Version 3.2.1 to 4.0
Let’s now look at the six categories and the twelve requirements laid out by PCI-DSS 4.0:
Build and Maintain a Secure Network and Systems
- Install and Maintain Network Security Controls
- Apply Secure Configurations to All System Components
Protect Account Data
- Protect Stored Account Data
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Maintain a Vulnerability Management Program
- Protect All Systems and Networks from Malicious Software
- Develop and Maintain Secure Systems and Software
Implement Strong Access Control Measures
- Restrict Access to System Components and Cardholder Data by Business Need to Know
- Identify Users and Authenticate Access to System Components
- Restrict Physical Access to Cardholder Data
Regularly Monitor and Test Networks
- Log and Monitor All Access to System Components and Cardholder Data
- Test Security of Systems and Networks Regularly
Maintain an Information Security Policy
- Support Information Security with Organizational Policies and Programs
Maintaining PCI Compliance by Level
Noncompliance with PCI-DSS may result in a fine of $5,000 to $500,000 for the acquiring bank, who in turn passes along the fines to the offending merchant. For those who are already PCI compliant, data breaches could translate to another set of fines, including suspension of credit card acceptance. It's important to note that the council won't penalize you for non-compliance. However, your bank may hold you accountable for non-compliance.
PCI compliance requirements are separated by compliance level. Let’s take a look at the specific requirements by level:
- Level 1: Over six million annual card transactions
-
- Complete an annual Report on Compliance
- Complete quarterly network scans
- Complete an Attestation of Compliance form
- Level 2: One to six million annual card transactions
-
- Complete an annual Self-Assessment Questionnaire
- Complete quarterly network scans
- Complete an attestation of Compliance form
- Level 3: Twenty thousand to one million annual card transactions
-
- Complete an annual Self-Assessment Questionnaire
- Complete quarterly network scans
- Complete an attestation of Compliance form
- Level 4: Fewer than twenty thousand annual card transactions
- Complete an annual Self-Assessment Questionnaire
- Complete quarterly network scans
- Complete an attestation of Compliance form
Self Assessment Questionnaires
Two myths persistently follow PCI Compliance:
- The first is that meeting requirements is an unnecessary headache. In actuality, the requirements are beneficial and make good business sense.
- The second is those small businesses that handle just a few credit card transactions a year don't have to comply with PCI-DSS.
PCI compliance exempts no one. And meeting all 12 requirements doesn't have to feel like you're on an expedition to climb Mt. Everest.
Now that it's clear how PCI compliance is critical not just to protect your customers' data but to also project the trustworthiness of your business, figuring out your merchant compliance level is your first step to PCI compliance.
Who Will Validate Your PCI Compliance Level?
Depending on your level, validating compliance is either accomplished through a Self-Assessment Questionnaire (SAQ) or annual audits by qualified security assessors who will come up with their findings through a ROC (Report on Compliance).
Take note that card brands and/or your acquiring bank may impose additional requirements before they can declare that your organization is a level 1, 2, 3, or 4.
Banks bear the brunt of noncompliance fines from card brands before it gets to you. Picture acquiring banks as the middleman. Thus, it's only fitting for them to assess where you are exactly on the compliance map.
How CimTrak Lightens Your PCI Compliance Load
Given that data breaches still occur in organizations that are already compliant with PCI DSS, continuous monitoring is critical.
As an advanced integrity and PCI compliance tool, CimTrak's job is to detect and notify you of suspicious changes. It also has the ability to instantaneously revert these changes. Think of CimTrak as your PCI compliance cop who's on call 24-7.
Whether you're at Level 1 or Level 4 with PCI compliance, our resident PCI geeks are adept at answering all your PCI compliance questions. Contact us today!
