PCI compliance is not rocket science

The complexity around PCI compliance is often exaggerated, creating closed systems and walled gardens. Of course, PCI compliance is not a one-time exercise. It requires additional time and effort. But it is no rocket science either.

We intend to simplify PCI compliance from first principles. We have also open sourced our PCI certified card vault application code along with the deployment scripts which you can self-host.

PCI Compliance - Why and What?

The current payment networks are built on a chain of trust between banks, card networks, payment processors and merchants. And the result is that "everyone needs to take responsibility" for secure handling of card information. PCI compliance is not determined not enforced by any Government body. It is a set of standards created by the Payment Card Industry Security Standards Council.

Payment Card Industry Security Standards Council (PCI-SSC), was an independent body created by the card networks in 2006. The independent body publishes and manages PCI security standards. However, the enforcement of these standards falls to the card networks and payment processors

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of guidelines for global payments designed to fortify the defenses around cardholder data and uphold the integrity of payments.

In this blog, we will look at the levels of PCI compliance, key requirements and we will understand why it is kinda not that hard to obtain PCI compliance.

Demonstrating PCI compliance

Businesses subject to PCI-DSS must annually demonstrate compliance with the regulation. And PCI-DSS lays out two ways of doing so:

Self-Assessment Questionnaire (SAQ): This is an audit or assessment which can be completed by a business without a independent third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The person responsible for the payment infrastructure fills out the SAQ. This could be the stakeholder who is the closest to your payment infrastructure - your DevOps Manager, or Information Security Officer, or CTO.
Report on Compliance (ROC): An independent third-party QSA or ISA certified by the PCI-SSC will have to perform the audit and share the findings.

Companies that fall into PCI DSS Levels 2-4 are only required to complete a Self-Assessment Questionnaire (SAQ) and submit to the respective payment processor or acquirer. And that would be all !!

Level of PCI Compliance

Depending on the number of transactions your business processes, you could be subject to different levels of PCI compliance.

Parameter	PCI Level 1	PCI Level 2	PCI Level 3	PCI Level 4
Number of card transactions	Over 6 million	6 million to 1 million	1 million to 20,000	Less than 20,000
Compliance Report	Report on Compliance (ROC)	Self Assessment Questionnaire (SAQ)	Self Assessment Questionnaire (SAQ)	Self Assessment Questionnaire (SAQ)
Assessment type	Independent QSA or ISA	Self assessment	Self assessment	Self assessment
Quarterly network scan by approve QSA	Applicable	Applicable	Applicable	Applicable

Sources: Mastercard guidelines, Visa Guidelines, PCI SSC document library

What is PCI DSS? How to Show Compliance | ISMS.online

About PCI Requirements and Controls

In general PCI compliance is consolidated into 12 Requirements and 224 controls.

Requirements	Number of Controls
Requirement 1: Install and maintain a firewall configuration to protect cardholder data	20
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters	12
Requirement 3: Protect stored cardholder data	20
Requirement 4: Encrypt transmission of cardholder data across open, public networks	4
Requirement 5: Use and regularly update anti-virus software or programs	6
Requirement 6: Develop and maintain secure systems and applications	28
Requirement 7: Restrict access to cardholder data by business need to know	8
Requirement 8: Assign a unique ID to each person with computer access	22
Requirement 9: Restrict physical access to cardholder data	22
Requirement 10: Track and monitor all access to network resources and cardholder data	28
Requirement 11: Regularly test security systems and processes	16
Requirement 12: Maintain a policy that addresses information security for all personnel	38
Total	224

Simplifying your PCI compliance

Self assess your business for PCI compliance

If you are an online business processing less than 6 million card transactions a month, all that you will have to do is a self assessment of PCI compliance as per SAQ D.

Requirement 9

Lets assume all your software systems are cloud native and do not depend upon on-premise servers. In such case your staff will not be able to physically access any cardholder data and hence your business is exempted from Requirement 9.

That is one PCI Requirement less for your business and 22 controls automatically exempted.

Requirement 3

If you choose not to store card holder data on your servers, you will be exmepted from Requirement 3.

So eventually you are left with 10 PCI Requirements and 182 controls to comply with.

This is the reason behind our recommendation of installing a simple setup without the card vault, if your business processes less than 6 million card transactions

Completing the SAQ

There are multiple variants of SAQs applicable for Merchants willing to be PCI compliant. This document explains compliance to SAQ D only.
Examples of merchant environments that would use SAQ D includes but not limited to:
E-commerce merchants who accept cardholder data on their website.
Merchants with electronic storage of cardholder data
Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type

The Official SAQ D has approximately 300 questions to be answered. Most of the aspects are general infrastructure controls, access controls and organizational policies. Answering the questions will be a cake walk if you close few activities upfront. We have divided the activities into three categories

Table of Activity	Description
Organizational and People activities	A set of organization policies, trainings to be underwent by people in the organization
Infrastructure activities	Ensuring security components in your cloud environment which accept and/or stores card data
Access controls	Limiting infrastructure access to critical stakeholders

Simplifying the activities

Are you worried, this is a lot of work?

You don't have to. We have simplified the recipe to help you get this done faster

Project tracker: A spreadsheet which can be handy to project manage and get above activities completed.

Documentation templates: Easy to reuse templates for the Documentation and Process

Scripts: Automation scripts which can help you close most of the Infrastructure activities in few minutes.

You can ping us on slack to get access to the above recipe.

Final steps

Choose an PCI approved Scanning Vendor from this list and get a network scan report. This exercise will have to be done quarterly. This takes less than few hours to complete, because most ASVs have automated tools to run the scan,

Complete the SAQ D report and retain a copy of it for future reference.

You are PCI compliant now!!

You can now upload the Network scan report and the SAQ on your payment processor/ acquirer dashboard. However, most acquirers insist on sharing the compliance reports through email, hence you might have to do that on a quarterly basis.

Displaying the PCI compliant badge on your website not only enhances customer trust but also minimizes cart abandonment by assuring visitors that their payment information is handled with the highest security standards throughout the checkout process.

As you implement these PCI compliance measures, rest assured that each step not only fortifies your defenses against potential frauds but also safeguards the integrity of your transactions and the trust of your customers.