An Overview of the 12 requirements of the PCI DSS specification

All merchants need to be aware of and abide by best practices when storing cardholder data and sensitive authentication data alike. Consequences of failing to follow best practices can include civil lawsuits, financial loss, and a failure to uphold an important ethical responsibility. Various standards have been outlined by the Payment Card Industry Security Council, which comprises the major credit card companies such as Visa and MasterCard.

Below is a brief summary of the 12 requirements of the PCI DSS specification.

1st and 2nd PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

These requirements were put in place to make sure that initial preventative measures are used to ensure that cardholder data does not inadvertently fall into the hands of an unlawful third party. Some precautions include maintaining firewall protection on any computer that accesses or stores cardholder information.

3rd and 4th PCI DSS Requirements

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

All cardholder data must be encrypted when transmitted across public networks, and steps should be taken to protect sensitive information on private networks as well. One very important aspect of storing and processing cardholder data is being aware of what data can be stored and what cannot.

With proper security measures in place it can be acceptable to store certain cardholder data such as the primary account number, expiration date, and cardholder name, but the cost of bringing your systems into compliance increases sharply with each piece of data that you store. Therefore a primary initial focus of achieving PCI compliance should always be to determine the fewest pieces of data that your business must store in order to conduct its daily operations.

We should mention here that it is never acceptable to store certain sensitive authentication data, including full magnetic stripe data, CVV codes, and PINs. In the event a database with cardholder information is compromised, the absence of stripe data, CVV codes, and PINs limits the damage that can be done with the stolen cardholder data.

5th and 6th PCI DSS Requirements

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Attackers continually develop new ways to gain illicit access to information, so merchants must take these precautions to protect cardholder data. Merchants need to use only securely developed and maintained systems and applications, and must regularly update all antivirus software.

Merchant systems will be submitted to scanning and penetration testing before they can be verified as PCI Compliant.

7th, 8th, and 9th PCI DSS Requirements

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Merchants must take measures to restrict access to cardholder information based upon who in the organization actually needs access to what data. Not every employee has the same need for access to data in your systems. Some reasonable and necessary precautions include assigning a unique ID and password to each person with computer access.

Other restrictions are “common sense precautions”; for instance, never keep cardholder data in a notebook or in a simple spreadsheet file. These methods are wide open to anyone and could leave your business financially hurting for many years to come.

10th and 11th PCI DSS Requirements

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

PCI compliance requires logging of all system activity. These logs must be centralized and regularly reviewed by an appropriate authority for the organization.

Regular security scans of existing systems are required, and a penetration test is required at least annually.

12th PCI DSS Requirement

12. Maintain a policy that addresses information security for all personnel

Merchants must create a written security policy, and put it into practice, that addresses system security for all personnel and employees. Regular training procedures should be in place to ensure that all staff know how to keep cardholder data safe and what to do in the event of a data breach. Having a knowledgeable staff can save you much time and money.

Importance of a PCI DSS cardholder data policy

Being knowledgeable about these best practice guidelines protects everyone. Merchants who have inadvertently been the victim of a data breach end up paying tremendous fees of around $250 per lost record. If a business loses just 1,000 customer records it would quickly be responsible for fees starting at $250,000 and more. And the loss of consumer confidence in your business can sting your profits for many years after the fact.

What Merchants Need To Know About CVV Codes

Many people know what a CVV code is even if they do not immediately recognize the term. A CVV code is a three-digit code found on the back of major credit cards. Mostly, a CVV code is used in a virtual transaction as a further step to ensure that the person completing the transaction physically has the card to which the transaction will be charged. CVV codes are meant to protect consumers and merchants from monetary losses and to limit the damage in the event that a database containing cardholder information is compromised.

Can merchants store CVV codes?

Merchants are not authorized to store the following sensitive authentication data per the PCI DSS standard: full magnetic stripe data or its equivalent on a chip, CVV codes, and PINs. CVV codes are not necessary to complete a transaction. Merchants are allowed to store cardholder data including the primary account number, cardholder name, and expiration date, which can be used to complete a transaction, but storing this data is not recommended for most merchants as it vastly increases the scope of PCI compliance and consequently drastically increases the cost to achieve and maintain it.
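The storage rules just described (and in the 3rd and 4th requirements section above) can be enforced in code before a record is ever written to a database. The following is an added example, not code from the original article: it drops sensitive authentication data fields, refuses any record in which magnetic stripe data has leaked into a free-text field, and produces a masked PAN for display. The field names, the sample record and the track-data patterns are assumptions made for this example.

```python
import re

# Sensitive authentication data (SAD) must never be persisted after authorisation.
# Field names are assumptions for this example, not a standard schema.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Track 1 looks like "%B<PAN>^<NAME>^<YYMM>..." and Track 2 like ";<PAN>=<YYMM>...".
# These patterns catch stripe data that ends up in notes or log fields by mistake.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")


class SensitiveDataError(ValueError):
    """Raised when a record contains data that must never be stored."""


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Drop SAD fields and refuse the record if stripe data hides in any value."""
    cleaned = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue  # discard CVV, PIN and track data instead of storing them
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            raise SensitiveDataError(f"magnetic stripe data found in field '{key}'")
        cleaned[key] = value
    if "pan" in cleaned:
        # The full PAN is kept only on the assumption that the storage layer
        # encrypts it; the masked form is what screens and receipts should show.
        cleaned["pan_masked"] = mask_pan(cleaned["pan"])
    return cleaned


# Constructed sample record: the kind of payload a checkout form might submit.
SAMPLE = {"pan": "4111 1111 1111 1111", "name": "J DOE", "exp": "1227",
          "cvv": "123", "pin": "4321", "memo": "gift order"}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE))
```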

Why do merchants use CVV codes?

CVV codes offer further assurance that it is, in fact, the authorized cardholder who is attempting to complete a transaction. According to the Card Acceptance Guidelines for Visa Merchants, merchants should treat virtual credit card transactions like a transaction in a store. In short, the payment must first be processed and the necessary precautions taken to ensure that the card is being charged lawfully before the customer receives any merchandise.

Collecting payments virtually, whether by phone or online, presents new challenges for merchants. Merchants should take further measures to verify cardholder identity and should properly handle both cardholder information and sensitive authentication data. Some measures that can substitute for a physical card, a signature, and an official form of identification include asking for the cardholder’s billing address and CVV code. However, CVV codes can present a problem when completing a transaction: they may be illegible, or the cardholder may not be able to locate the code. Additionally, since CVV codes are not required to complete transactions, and since collecting them increases the scope of PCI compliance, many merchants opt not to collect them at the point of transaction.

Why can’t merchants store CVV codes?

Every day thousands of merchants are attacked, and a great number are successfully compromised. If merchants were allowed to store CVV data, attackers would gain access to it as well, and it would no longer serve its intended purpose of showing that the card is physically in the possession of the party to the transaction. Therefore merchants are not allowed to record CVV codes, which limits the damage incurred if a large quantity of cardholder information gets into the wrong hands. It is common for attackers to sell cardholder information to third parties. While illicit purchases can still be made using the illegally obtained information, the absence of CVV codes is a preventative measure that minimizes the damage suffered by unsuspecting merchants and banks.

Most banks will drop fees and illicit charges against consumers for the charges associated with stolen card numbers if the cardholder signs an affidavit explaining the situation. The same is not true, however, for merchants who have been compromised due to a lack of full PCI compliance. For merchants, the costs are extremely steep. Typically fees average around $20,000 for each compromised credit card account. You can imagine the cost if just 1,000 credit card accounts were illegally obtained from your non-compliant systems.

Learn more about merchant requirements

Much of the information available to merchants about achieving PCI compliance and securing their business against massive fines just isn’t clear or accessible to the average merchant who simply wants to do what is necessary to protect their business and their customers.

If you’re a merchant who is looking into PCI Compliance – good for you! Most businesses will eventually be hacked if they are not fully protected. The trafficking of stolen credit card data is extremely big business, and the small merchant ends up as the victim in this case.

If you’re just getting started and need some help learning about what you will need to do to protect your business, please contact us for a free consultation on securing your business and achieving PCI Compliance. We’re happy to talk with you about your existing systems and seek the most economical solution for you to obtain full PCI Compliance.