PCI DSS Compliance Requirements
Last updated on October 28th, 2019
PCI DSS Compliance Requirements Guide & Checklist
All ecommerce websites must follow the requirements outlined by the Payment Card Industry Data Security Standards (PCI-DSS). These requirements are governed by the major credit card companies to ensure the secure transmission, storage, and handling of cardholder information.
This is not legal advice. There are additional laws, regulations, and guidelines that may not be related to ecommerce websites.
Customers of your online store depend on you to protect their data. This guide will explain the goals and requirements of PCI compliance, best practices for securing ecommerce websites, and tactics to combat threats against online stores.
What is PCI Compliance?
The PCI Data Security Standard (PCI DSS) includes general practices, such as restricting access to cardholder information and requiring safe, non-default passwords, as well as more in-depth practices like encryption and the use of a firewall.
The PCI Security Standards Council is a global organization formed by major credit card companies, including Visa, Mastercard, Discover, and American Express.
If you operate an ecommerce site, PCI compliance is mandatory. It is not dictated by the volume of transactions or restricted solely to storage, transmission, and processing; it applies to any business that allows credit card payments.
With PCI, everything is about reducing the attack surface. For an ecommerce site, this specifically involves the Card Data Environment (CDE) – the manner in which you handle credit cards on your site. Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements as set forth by PCI DSS.
Small merchants are not excluded from these requirements. Unprotected ecommerce websites are prime targets for data thieves.
If sensitive customer data or cardholder information is stolen from a website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.
Why is PCI Compliance Important?
Trust is the key to your online business. If a security incident occurs, it can wreak havoc on traffic, revenue, and brand reputation. Online shopping is growing in popularity, and ecommerce websites are targets for cybercriminals looking to steal sensitive customer data and credit card information.
How big of a target is your ecommerce website? With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access. Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.
Ecommerce websites are susceptible to a number of risks and threats:
- Credit card stealers put your customers at risk of identity theft or credit card fraud.
- Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
- Injected website content can spread spam, malware, and malvertising.
- Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
- Hacked sites can be blocked by search engines, antivirus programs, and browsers.
Because there will always be some level of risk, security is a continuous process. A proper ecommerce security strategy requires frequent assessment and diligence.
What Happens If You’re Not PCI Compliant?
If a merchant is found to be non-compliant with the PCI DSS, there can be a variety of penalties and consequences, ranging from fines to lost time and reputational damage.
1. PCI Non-Compliance Fines
Non-PCI-compliant websites can suffer hefty penalties from payment industry regulators if customers experience fraudulent transactions. The average cost of a data breach for a small business is $86,500, with enterprise organizations paying 4 million dollars.
Under GDPR, any business that experiences the breach of EU residents’ personal information has 72 hours to notify supervisory authorities or risk facing heavy fines. This regulation joins a number of US federal and state laws which hold organizations accountable for the security of customer data.
3. Suspension of Credit Cards
Perhaps worse than fines, the ability to accept credit card payments may be revoked. The PCI standards are created by the major credit card companies, and this is their defense against irresponsible merchants. If a data breach occurs for your ecommerce store, the PCI council can revoke the privilege of using their payment cards.
4. Mandatory Forensic Examination
Merchants suspected of a data breach are required by the PCI-DSS to undergo a mandatory forensic examination, which requires hiring professionals and conducting a time-consuming investigation. A small business examination may cost between $20K to $50K.
5. Notification and Credit Monitoring
If a compromise of financial information is suspected, a number of states require the merchant to notify customers and inform them of the breach. Merchants may also need to provide up to a year's worth of credit monitoring or counseling services to affected customers.
6. Liability for Fraud Charges
Lawsuits may claim liability on merchants for security breaches. It is important to emphasize that protecting your customer’s sensitive information is your responsibility as a business owner. That is why having a secure website is vital.
7. Credit Card Replacement Costs
Card issuers may require merchants to pay the cost of reissuing credit cards, which includes shipping, activation, and communication to the customer. These fees can range from $3 to $10 per card.
8. Reassessment for PCI Compliance
In order for a website to accept credit card transactions again, a complete PCI reassessment by an external Qualified Security Assessor (QSA) must be performed.
PCI Compliance Checklist
The latest version of PCI DSS is version 3.2.1, released May 2018.
The requirements are divided into multiple sub requirements and hundreds of actions. At first glance, meeting all of these requirements can feel like a daunting task for a small website owner.
We explain each PCI requirement in practical terms for small-to-medium businesses with limited infrastructure (i.e., small number of servers, leveraging cloud-based servers, and external providers for payment processing).
Requirement 1: Build and Maintain a Secure Network
This first requirement directly relates to securing and documenting your network. Depending on your skill level, you can do it yourself or find an affordable service provider who can help.
If you are going through the PCI assessment process, we recommend that you follow these steps:
- Identify your Card Data Environment (CDE). If you’re hosting your website in-house and handling cardholder data, your local network is likely part of the CDE.
- Write a “Firewall Process” document that lists all of your servers, their purpose, who has access to them, what is externally accessible, and what services are running there.
- Based on your new document, create a firewall rule that blocks everything and only allows what’s needed for required business functions. This should be applied to both inbound and outbound traffic.
- Write these rules into your new “Firewall Process” document and apply the rules and restrictions to all of your servers.
Completing these steps will help you meet the requirements for knowing your web assets, as well as restrict and separate access between environments through a firewall.
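The four steps above amount to turning an inventory into a default-deny policy. The added example below (not from the original page or from Sucuri) keeps the "Firewall Process" document as data, renders a default-deny nftables ruleset for each server (inbound and outbound), and compares what a host actually listens on against what the document says it should. The hosts, addresses and services are constructed; the only real thing is the nftables syntax.

```python
"""Compile a server inventory (the "Firewall Process" document as data)
into a default-deny nftables ruleset, and audit listeners against it.
Added example; the hosts and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Server:
    name: str
    purpose: str
    inbound: List[str]        # services reachable from outside, as "proto/port"
    admin_sources: List[str]  # CIDRs allowed to reach SSH (tcp/22)
    outbound: List[str]       # "proto/port" the server itself may open


# Constructed inventory: hypothetical CDE hosts, not a real deployment.
INVENTORY: Dict[str, Server] = {
    "web-01": Server("web-01", "storefront (CDE)", ["tcp/80", "tcp/443"],
                     ["203.0.113.0/24"], ["tcp/443", "udp/53"]),
    "db-01": Server("db-01", "order database (CDE)", [],
                    ["203.0.113.0/24"], ["udp/53"]),
}


def _split(service: str) -> Tuple[str, int]:
    proto, port = service.split("/")
    return proto, int(port)


def render_nftables(server: Server) -> str:
    """Render a ruleset whose input and output chains both default to drop;
    only the documented services, admin sources and egress ports are accepted."""
    inp = ["    type filter hook input priority 0; policy drop;",
           "    iif lo accept",
           "    ct state established,related accept",
           "    ct state invalid drop"]
    for svc in server.inbound:
        proto, port = _split(svc)
        inp.append(f"    {proto} dport {port} accept")
    for cidr in server.admin_sources:
        inp.append(f"    ip saddr {cidr} tcp dport 22 accept")
    out = ["    type filter hook output priority 0; policy drop;",
           "    oif lo accept",
           "    ct state established,related accept"]
    for svc in server.outbound:
        proto, port = _split(svc)
        out.append(f"    {proto} dport {port} accept")
    body = ["table inet cde {", "  chain input {", *inp, "  }",
            "  chain output {", *out, "  }", "}"]
    return "\n".join(body) + "\n"


def undocumented_listeners(server: Server, listening: List[str]) -> List[str]:
    """Compare the sockets a host actually listens on (e.g. collected from
    `ss -lntu`) with the documented inbound services. Anything extra is a
    finding: either the document or the host is wrong."""
    allowed = set(server.inbound)
    if server.admin_sources:
        allowed.add("tcp/22")
    return sorted(set(listening) - allowed)


if __name__ == "__main__":
    for srv in INVENTORY.values():
        print(f"# {srv.name}: {srv.purpose}")
        print(render_nftables(srv))
    # Constructed listener list with an undocumented MySQL port.
    print(undocumented_listeners(INVENTORY["web-01"], ["tcp/443", "tcp/22", "tcp/3306"]))
```

Run the generated text through `nft -c -f` before loading it; the listener check is the part worth scheduling, since a port that is not in the document is exactly the kind of drift an assessor will ask about.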
Requirement 2: Do Not Use Vendor-Supplied Defaults
PCI Requirement 2 states that you should not use vendor-supplied defaults for system passwords and other security parameters. By fulfilling requirements 1 and 2 of the PCI DSS, you are meeting the goal to build and maintain a secure network.
Here are our suggestions for fulfilling PCI Requirement 2:
- Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
- Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
- Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
- Maintain an inventory of system components that are in scope for PCI DSS.
- Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
- Shared hosting providers must protect each entity’s hosted environment and cardholder data.
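"Vendor-supplied defaults" also covers what a service does when a setting is simply absent from its configuration file. The added example below (not from the original page or from Sucuri) audits an OpenSSH server configuration against a small configuration standard: it parses `sshd_config`, fills in OpenSSH's own documented defaults for anything missing, and reports every directive that falls short, saying whether the offending value was set explicitly or inherited by default. The standard itself is the example's own and is an assumption; the sample configuration files are constructed.

```python
"""Audit sshd_config against a configuration standard, treating absent
directives as OpenSSH's own defaults. Added example; the standard and
the sample files are constructed."""
import re
from typing import Dict, List, Tuple

# What OpenSSH assumes when a directive is absent (per sshd_config(5)).
SSHD_DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# The example's own standard (hypothetical): align it with the hardening
# benchmark your organisation adopts. maxauthtries is an upper bound.
STANDARD: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "4",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global directives. As sshd does, the first occurrence of a
    directive wins, and a Match block ends the global section."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (directive, actual value, 'set'|'default', required value)
    for every directive that does not meet STANDARD."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in STANDARD.items():
        actual = conf.get(key, SSHD_DEFAULTS[key]).lower()
        if key == "maxauthtries":
            ok = actual.isdigit() and int(actual) <= int(want)
        else:
            ok = actual == want
        if not ok:
            findings.append((key, actual, "set" if key in conf else "default", want))
    return findings


# Constructed sample: a freshly installed server with the distro's file.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Constructed sample after applying the standard.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for key, actual, source, want in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key}: is '{actual}' ({source}), standard requires '{want}'")
```

The "default" tag in a finding is the useful part: password authentication is on in the first sample even though the file never mentions it, which is precisely the kind of vendor default Requirement 2 wants changed before the host joins the network.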
PCI Requirement 3: Protect Cardholder Data
Many online stores use a reputable payment gateway to help process credit card payments and transactions. While this can help you lift some PCI requirements, it doesn’t mean you’re off the hook entirely!
Requirement 3 of the PCI-DSS states that you must secure cardholder data. The best way to meet this requirement is to use a trusted payment gateway and not store credit card details. By only maintaining customer IDs and successful payment confirmations, you significantly reduce the impact of a compromise.
Another important (and sometimes overlooked) recommendation is to enact strong policies with employees and colleagues by enforcing proper security practices.
There are a number of things you can do to comply with Requirement 3:
- Don’t store any cardholder data; one second is enough time to have it stolen.
- If you must store it, retain cardholder data only for as long as needed, then securely delete it.
- Discourage taking orders over the phone, faxing, or emailing card data.
- Let customers input their own cardholder data into payment gateways.
- Never transmit cardholder data without encryption.
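Cardholder data tends to end up in places nobody intended: debug logs, support tickets, database dumps. The added example below (not from the original page or from Sucuri) is a scanner that finds primary account numbers in free text by looking for 13- to 19-digit sequences that pass the Luhn check, then redacts them to the first six and last four digits, which is the most PCI DSS 3.2.1 Requirement 3.3 permits to be displayed. The sample log is constructed and uses publicly known test card numbers; the order number on the first line is a deliberate decoy that fails Luhn.

```python
"""Find and mask primary account numbers (PANs) in free text such as logs.
Added example; the sample log is constructed and uses well-known test
card numbers rather than real cardholder data."""
import re
from typing import Iterator, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled and
    digit-summed; the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (offset, digits) for each Luhn-valid candidate in the text."""
    for m in _CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield m.start(), digits


def mask_pan(digits: str) -> str:
    """Keep first six and last four; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form,
    leaving non-card digit runs (order numbers, timestamps) untouched."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample log; the card numbers are standard test numbers.
SAMPLE_LOG = """\
2019-10-28T10:15:03Z checkout order=1234567890123456 amount=49.99
2019-10-28T10:15:04Z DEBUG card=4111 1111 1111 1111 exp=12/22
2019-10-28T10:16:11Z support note: customer read out 5500-0000-0000-0004 over the phone
"""

if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_LOG):
        print(f"PAN at offset {offset}: {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
```

Run the scanner over log directories, database exports and ticketing-system backups on a schedule; a hit means the "don't store it" rule has been broken somewhere upstream, and the fix is to stop the leak at its source rather than to keep redacting. Expect occasional false positives (roughly one in ten random digit strings passes Luhn), so treat hits as leads to verify.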
The commission taken by payment processors (e.g., PayPal) is far less than an average business would pay to ensure the ongoing security of payment details. Insecure small online shops pose a serious threat to their customers, which is why non-compliance may lead to financial consequences and legal liability.
PCI Requirement 4: Encrypt Transmission of Cardholder Data
Requirement 4 of the PCI-DSS states that you must encrypt transmission of cardholder data across open, public networks.
SSL/TLS is the technology used for securing and encrypting sensitive data as it travels between two systems. While technically different protocols, the term “SSL” is commonly used to refer to any encrypted HTTP connection, including TLS. When using an SSL certificate, the website can be accessed over HTTPS rather than HTTP.
For a website that accepts payments, using TLS v1.1 and higher is mandatory for PCI compliance.
Encrypting sensitive data like credit card numbers, cardholder information, and passwords protects your customers and prevents fraudulent transactions and data breaches.
The use of TLS prevents man-in-the-middle attacks (MITM), which occur when bad actors secretly intercept and possibly modify sensitive user data and credentials via insecure networks.
SSL certificates are also good for establishing and maintaining trust. This allows the green padlock icon to be visible in the browser address bar.
Using SSL can also improve your SEO rankings. Search authorities like Google have encouraged webmasters to secure their websites by ranking sites with HTTPS higher than those without certificates.
Many hosting providers offer free and paid SSL certificates. They may even help implement certificates for you. If you're a Sucuri Firewall user, we offer free Let's Encrypt SSL certificates by default.
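Having a certificate is only half of Requirement 4; the server also has to refuse the protocol versions that fall below the floor. The added example below (not from the original page or from Sucuri) shows how that floor is expressed in Python's standard `ssl` module: a server context that rejects SSLv3, TLS 1.0 and TLS 1.1 handshakes, and a check that any context can be held against. The page states a 1.1 floor; the context here goes one step further to 1.2, since RFC 8996 has deprecated both 1.0 and 1.1. The certificate paths are parameters the caller supplies.

```python
"""Build a TLS server context that enforces a minimum protocol version,
and a policy check for existing contexts. Added example; the certificate
and key paths are whatever the caller passes in."""
import ssl
from typing import Optional

# Floor stated on the page: TLS 1.1 or higher is mandatory. SSLv3 and
# TLS 1.0 fail this check.
PCI_MINIMUM = ssl.TLSVersion.TLSv1_1


def version_allowed(version: ssl.TLSVersion) -> bool:
    """True if a protocol version is at or above the mandatory floor."""
    return version >= PCI_MINIMUM


def pci_server_context(certfile: Optional[str] = None,
                       keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that refuses SSLv3, TLS 1.0 and TLS 1.1.

    The minimum is set to 1.2, stricter than the page's 1.1 floor, because
    RFC 8996 deprecates 1.0 and 1.1. Pass certfile/keyfile to load a chain;
    without them the context is still usable for policy inspection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression leaks plaintext length
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def meets_pci_minimum(ctx: ssl.SSLContext) -> bool:
    """Hold any SSLContext against the floor, e.g. one a framework built."""
    return version_allowed(ctx.minimum_version)


if __name__ == "__main__":
    ctx = pci_server_context()
    print("minimum version:", ctx.minimum_version.name,
          "| meets floor:", meets_pci_minimum(ctx))
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(f"{v.name}: {'allowed' if version_allowed(v) else 'rejected'}")
```

Use the context with `ssl.SSLContext.wrap_socket` or hand it to the web server framework you deploy; the `meets_pci_minimum` check belongs in a startup self-test so a framework upgrade that quietly resets the minimum cannot go unnoticed.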
PCI Requirement 5: Maintain a Vulnerability Management Program
Under most circumstances, bad actors don't manually hand-pick websites to attack, since this is very time consuming. The majority of attacks against websites are automated and performed by bots that look for websites with known vulnerabilities.
PCI DSS Requirement 5 states that you must protect all systems against malware and regularly update antivirus programs.
In order to comply with PCI Requirement 5, we suggest the following:
- Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
- Ensure that all antivirus mechanisms are maintained.
- Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
- Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Solutions like Sucuri can help mitigate malware threats at the site and server levels, but you’ll need to employ an antivirus on the computers of anyone who accesses the site and its data. You’ll also need to protect against attack vectors outside of the site directory, including access via SSH and FTP.
PCI Requirement 6: Develop and Maintain Secure Systems and Applications
PCI Requirement 6 states that website owners must ensure system components are protected from known vulnerabilities and that common coding vulnerabilities are addressed.
It doesn’t matter if you’re just starting out and your website is small with very little traffic. If you have a vulnerable CMS, extension, plugin, or theme on your website you will likely be identified by a malicious bot at some point in the future.
By keeping your website software and system components patched and up to date, you are not only mitigating the risk of automated attacks, but also ensuring PCI compliance.
If you are unable to update a vulnerable theme or plugin for your CMS, you can still mitigate exploitation attempts with a firewall that offers virtual patching to prevent the exploitation of known vulnerabilities.
We recommend that you take a look at our PCI compliant firewall features and how you can utilize one to secure your website, protect your CDE, and maintain compliance.
Requirements 7, 8, and 9 of the PCI DSS share a common goal: implementing strong access control measures. These measures exist to ensure that your customer data is protected against bad actors and is only accessible to authorized individuals.
PCI Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
PCI Requirement 7 states that you must restrict access to cardholder data by business need-to-know. This means configuring your systems so that they’re only accessible to authorized individuals.
In order to comply with Requirement 7 and stay PCI compliant:
- Limit access to only those individuals whose job requires such access.
- Examine written policy for access control and explain its importance.
- Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
PCI Requirement 8: Identify and Authenticate Access to System Components
Requirement 8 states that you must assign a unique ID to each person with access to system components so you can limit their access and monitor their activities.
Here are some ideas to help comply with Requirement 8:
- Create and document policies and procedures to ensure only specific individuals have access to cardholder data. This can be done by assigning unique and secure IDs.
- Implement two-factor authentication for both employees and third-party vendors.
- Do not use group, shared, or generic IDs, passwords, or other similar authentication methods.
- All access to any database containing cardholder data should be restricted.
- Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.
PCI Requirement 9: Implement Strong Access Control Measures
PCI Requirement 9 states that you must restrict physical access to cardholder data. This is especially important for vendors that have onsite personnel or staff, and physically store all of their cardholder data without a third party.
Physical access can refer to:
- systems holding payment card data;
- hard copies of payment card data and other media.
Maintaining strict controls can help identify individuals who physically access areas storing cardholder data. This is also important for protecting personally identifiable information, especially if you need to comply with the requirements of the General Data Protection Regulation (GDPR).
Here are some key restrictions to continue minimizing risk:
Network Jacks: Restricting access to network jacks will prevent bad actors from plugging into readily available inputs that may allow them into your network. Consider turning off network jacks while not in use and reactivating them only when needed. Also, be sure to create private networks for internal use and a public one for visitors to limit exposure to protected information.
Visitors & Unauthorized Personnel: Visitor controls are important for restricting access to certain areas and ensuring that visitors are identifiable as such, which makes unusual activity easier to spot. This may even include employees who have no reason to approach sensitive access points. For example, the social media manager shouldn't need access to a storage facility where cardholder data is readily available. A log that tracks information about each visitor will be useful in the event of a data breach investigation. Keeping a log can help identify which visitors have physical access to a room and who has potential access to cardholder data. Consider logs at the entry to facilities and especially at designated areas where that data resides.
Monitor Cardholder / Personal Data: If a visitor made their way through an authorized sequence of doors within your facility, cardholder data is still susceptible to unauthorized viewing, copying, or scanning if it is unprotected. It can even be accidental if authorized employees are not well informed. A startling number of businesses have cardholder data on portable media, hard drives, sticky notes, or printed hard copies on someone’s desk. This is especially problematic with orders taken by phone, fax, or email. Without proper visibility or protection, data can be stolen and used for fraudulent purposes. It’s important to ensure the data remains hidden/encrypted if not immediately needed. The development of an approved process for handling sensitive data will help in complying with Requirement 9.6: Maintain strict control over the internal or external distribution of any kind of media.
Physical Removal of Data:
- 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
- 9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
- 9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
Steps must be taken to destroy cardholder information contained on electronic devices. Dispose of hard copies via paper shredding. Failure to do so can result in a major data breach, leading to a negative reputation and expensive fines after an investigation.
One thing to consider is "dumpster diving". This is where bad actors search through trash and recycling bins for devices or documents that may contain data. If they happen to find a discarded, unencrypted USB drive that wasn't wiped prior to disposal, or a paper that wasn't shredded finely enough, the consequences can be major.
Having a process for properly destroying media with cardholder data, including proper storage prior to disposal, will help with Requirement 9.8: Destroy media when it is no longer needed for business or legal reasons.
Using strong, unique passwords on your website, restricting the privileges available to users through assigned roles, and enabling two-step or multi-factor authentication are mandatory for PCI compliance. This reduces the risk of a website compromise or data breach by a bad actor.
If you own a website and collaborate with others, the principle of least privilege is a very solid principle to adhere to. This computer science principle has applications and benefits to strengthen your website security posture.
We recommend that you take a look at our blog post on the Principle of Least Privilege.
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
PCI Requirement 10 is one of the most important requirements for PCI compliance. This requirement explicitly states that you must implement audit trails and review logs to monitor your web assets and identify a compromise or data breach.
The intent of PCI Requirement 10 is to essentially determine the “who, what, where, and when” of users accessing your data processing resources and website environments. Knowing this information is critical in the event that sensitive information (like credit card data) goes missing.
If you fail to properly log all internal and external users, you may be unable to pinpoint a breach timeline or identify who is responsible for a compromise.
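An audit trail is only useful at breach time if it can be trusted, so the records need the "who, what, where, when" fields and a way to show they have not been edited or thinned out afterwards. The added example below (not from the original page or from Sucuri) keeps each record's SHA-256 hash of its predecessor, which is one common way to make an append-only log tamper-evident: altering or deleting an earlier record breaks every hash that follows, and `verify_chain` reports the first record where the chain no longer holds. The events are constructed.

```python
"""Tamper-evident audit trail: each record carries the hash of the
previous one, so edits and deletions are detectable on review.
Added example; the events below are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # predecessor hash for the first record


def _digest(entry: Dict[str, str]) -> str:
    """Hash every field except the record's own hash, in a stable order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log of who / what / where / when / outcome records."""

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []
        self._prev = GENESIS

    def record(self, who: str, what: str, where: str, outcome: str,
               when: Optional[datetime] = None) -> Dict[str, str]:
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"when": stamp, "who": who, "what": what, "where": where,
                 "outcome": outcome, "prev": self._prev}
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        self._prev = entry["hash"]
        return entry


def verify_chain(records: List[Dict[str, str]]) -> Optional[int]:
    """Return the index of the first record whose link or hash is wrong,
    or None if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev or _digest(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return None


def actions_by(records: List[Dict[str, str]], who: str) -> List[str]:
    """The 'what and where' for one user, the question asked after a breach."""
    return [f"{r['when']} {r['what']} {r['where']} ({r['outcome']})"
            for r in records if r["who"] == who]


if __name__ == "__main__":
    trail = AuditTrail()
    trail.record("alice", "login", "admin-panel", "success")
    trail.record("alice", "export", "orders-db", "success")
    trail.record("bob", "login", "admin-panel", "failure")
    print("chain intact:", verify_chain(trail.records) is None)
    print("\n".join(actions_by(trail.records, "alice")))
```

In production the log is written to a separate, write-restricted host and the last hash is periodically copied somewhere the application cannot write, so that an attacker who owns the web server cannot simply rebuild the chain from scratch.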
Integrity monitoring systems verify the files on your website and alert you of any suspicious changes to DNS settings, SSL certificates, or modifications of core files.
PCI Requirement 11: Regularly Test Security Systems and Processes
PCI Requirement 11 states that you must regularly test security systems and processes. This includes scanning and reporting on potential vulnerabilities in your network both externally and internally.
Bad actors and researchers alike continue to uncover vulnerabilities, especially with the introduction of new software. For example, recently WordPress published a near-immediate patch after Gutenberg’s official debut.
We recommend the following to help comply with PCI Requirement 11:
- Run vulnerability scans every few months and after any big changes.
- Implement a system for website penetration testing.
- Use detection and prevention techniques to safeguard against hackers.
- Monitor any changes to system, configuration, or content files.
- Ensure that security policies and procedures are documented and followed.
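The integrity monitoring mentioned under Requirement 10 and the "monitor any changes to system, configuration, or content files" item above rest on the same mechanism: a hashed baseline of the site tree and a periodic comparison against it. The added example below (not from the original page or from Sucuri) implements that with SHA-256 over a directory, reporting added, removed and modified files. The `demo` function builds a small constructed site in a temporary directory, takes a baseline, simulates an edited checkout page and an unexpected new file under uploads, and re-scans; the file names and contents are constructed.

```python
"""File integrity monitoring: hash a directory tree into a baseline and
diff later scans against it. Added example; the demo site is constructed
in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed site tree: baseline, then simulate a compromise and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'shop');\n")
        (root / "checkout.php").write_text("<?php // checkout form\n")
        known_good = baseline(root)

        # Simulated tampering: checkout page edited, new file in uploads.
        (root / "checkout.php").write_text("<?php // checkout form\n// unexpected edit\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php // unexpected new file\n")

        return compare(known_good, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Store the baseline (and the monitor itself) outside the web root with permissions the web server user cannot write, re-baseline only as part of a known deployment, and treat any change to configuration files or to a payment page between deployments as an incident until shown otherwise.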
PCI Requirement 12: Maintain an Information Security Policy
PCI Requirement 12 is to maintain a policy that addresses security for all personnel. This policy must be reviewed annually (at least) and include a risk assessment process, incident response plan, and usage policies.
This requirement is broken into several sub-requirements:
- Establish, document, maintain, and follow an information security policy.
- Implement a risk-assessment process and assign security responsibilities.
- Develop usage policies for critical technologies and define proper use of these technologies (such as third-party scripts and libraries for your website).
- Ensure that the security policies and procedures clearly define what you expect and the responsibilities of each of your employees. Additionally, make them aware of the importance of protecting customers' data.
- Screen new hires and any third-party service providers with access to cardholder data to minimize the risk of attacks from internal sources. They should agree to protect cardholder data in writing.
- Implement an incident response plan. Be prepared to respond immediately to a system breach. It can happen to anyone.