Key Points:

• PCI DSS (Payment Card Industry Data Security Standard) compliance is crucial for merchants and service providers handling payment card transactions to safeguard customer payment data and prevent breaches.
• Compliance involves adhering to 12 PCI DSS requirements, covering areas like network security, encryption, vulnerability management, access control, monitoring, and information security policies.
• PCI compliance applies to any entity that stores, processes, or transmits cardholder data. This includes all businesses accepting card payments, except for cash-based businesses. Non-compliance can result in fines, increased transaction fees, and reputational damage.
• Metomic's data security software can help businesses achieve PCI DSS compliance by providing visibility, access controls, data location identification, and employee training on handling sensitive data in SaaS applications.

In a world where cash is no longer king, the protection of your customer payment data has become non-negotiable.

Whether you’re a merchant or a service provider, you’re required to comply with the ever evolving Payment Card Industry Data Security Standard (PCI DSS) or be subject to hefty penalties, business disruption, and reputational damage as a resulting failure to do so.

PCI DSS v4.0 was launched in March 2024, and organisations must comply with its 51 new requirements by March 2025, including updates to password rules, expanded multi-factor authentication and stronger protection of cardholder data.

In this guide, we’ll take a look at what it means to be PCI DSS compliant, and what the upcoming regulations will require.

What is meant by being PCI DSS compliant?

The PCI DSS was established in 2006 to ensure payment data is protected when transactions are made, preventing malicious entities from getting their hands on customer information.

All merchants or service providers handling payment cards are required to be compliant with PCI DSS. Although it’s not a law, the standard is regarded globally as the guideline when it comes to payment card regulations.

To comply with PCI DSS, you’ll need to follow 12 requirements as laid out by the PCI SSC (Payment Card Industry Security Standards Council), which is made up of the five big payment card providers - Mastercard, Visa, American Express, Discover, and JCB.

It’s important to comply with PCI DSS, in addition to the aforementioned risks of failure to comply, there is the added impact of significant fines, increased transaction fees, and potentially, the revocation of card processing privileges to organisations, levied by the PCI SSC.

What are PCI DSS standards?

Every payment card provider has their own individual requirements, but essentially, there are four levels of PCI standards. The level you fall into will depend on how many card transactions you process each year:

• Level 1: More than 6 million annual payment card transactions
• Level 2: Between 1 million to 6 million annual payment card transactions
• Level 3: Between 20k and 1 million annual payment card transactions
• Level 4: Fewer than 20k annual payment card transactions

What are the 12 PCI DSS requirements?

Regardless of the level you fall into, you must abide by the 12 PCI DSS requirements to ensure you’re PCI compliant.

They are split into six different categories:

1. Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect account data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

3. Maintain a vulnerability management program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

4. Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

5. Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

6. Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

Who does PCI DSS compliance typically apply to?

Any merchants or service providers who are using or accepting payments by card must comply with PCI.

The PCI guidelines state:

‍‘The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.’

You’ll only be exempt if you’re a cash-based business, and don’t take card transactions.

How do you know whether your business is PCI DSS compliant?

Once you’ve understood the level you fall into and the standards you’ll need to comply with, you should undertake a self assessment to see whether your business is adhering to PCI DSS requirements. With a self assessment in place, you’ll be able to see where your weaknesses lie and where you can improve.

The PCI Security Standards website has many useful guides to help you better understand PCI compliance and how to perform a self assessment, including a self-assessment questionnaire: https://www.pcisecuritystandards.org/merchants/.

You should also establish who in your organisation is responsible for overseeing this project, having an individual or team responsible for managing your compliance means it won’t be overlooked.

Ben van Enckevort, Chief Technology Officer at Metomic, says:

Updating the standards

New PCI DSS v4.0 regulations are set to redefine payment data security standards, with the initial changes already in effect from March 31st, 2024.

These changes are not just a by-the-numbers standard update, but instead, reflect the need for organisations to strengthen their defences against evolving threats and vulnerabilities.

These include things like:

• Software vulnerabilities in payment processing applications or systems.
• Sophisticated cyber attacks like malware, phishing, and social engineering attacks targeting payment systems.
• Insider threats posed by employees, contractors or third-parties with access to payment data.

What are the key changes in PCI DSS v4.0?

The transitions to PCI DSS v4.0 bring significant changes to data security standards, including:

• The introduction of 13 new broad requirements by March 31st, 2024.
• These 13 requirements revolve around protecting cardholder data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy.
• A further 51 new technical requirements to be implemented by April 2025.
• Updated Self-Assessment Questionnaires (SAQ) to reflect the evolving payment security landscape, with additional requirements to address emerging threats.

For a more detailed and granular breakdown of the requirements your organisation will need to follow, please check the official Payment Card Industry Data Security Standard version 4.0 guidance.

Addressing common questions

As your organisation transitions to PCI DSS v4.0, you may have questions about assessment validity, and the compliance of your service provider.

These include payment processors, hosting providers, managed service providers (MSPs) and any third party that handles payment information on your behalf.

It’s crucial to get clarity on any issues you may be facing to ensure a smooth transition.

These questions could include:

• Will assessment results under PCI DSS v3.2.1 remain valid after the retirement date?
• How should organisations handle meeting PCI DSS v4.0 requirements if their service providers haven't made the transition yet?
• Are there any other important things to consider regarding assessment validity during the transition?
• What steps can organisations take to make sure they're communicating effectively with their service providers during this transition?
• How can organisations reduce risks associated with service provider compliance during the transition?

Effective communication and collaboration with your service provider will be the key to a smooth transition process.

6 steps to becoming PCI DSS compliant

To ensure your business is compliant with PCI DSS, there are a few key steps to follow:

1. Designate responsible person(s)

Knowing who is accountable for PCI DSS compliance makes it easier to manage. It's recommended to designate one responsible person who can oversee compliance, or a team who will work together to ensure compliance is achieved, so that PCI DSS compliance isn't missed.

2. Define the scope of your environment

Understanding where your cardholder data lives is a crucial aspect of PCI DSS compliance. You should identify all of the systems and assets that contain payment card data, and determine the PCI level you will fall into. Remember to take third-party systems that handle cardholder data into account too.

3. Conduct a risk assessment

A data risk assessment will uncover any vulnerabilities to the cardholder environment, and the impact of potential data breaches or leaks.

• Are your existing security controls enough to mitigate the risks to your environment?
• Are there any other measures you can put in place?

4. Implement crucial security controls

The PCI DSS standard requires specific security controls to be put in place, such as access controls to limit unauthorised access to cardholder data, system patching to protect your environment, encryption, and monitoring.

Use the PCI Self-Assessment Questionnaire to help you cover all the necessary steps.

5. Monitor your security measures

To ensure PCI compliance, security measures need to be consistently monitored to analyse network activity, and detect unauthorised access to the cardholder environment. Vulnerability assessments and penetration testing can help identify vulnerabilities quickly, so that action can be taken immediately.

6. Maintain the necessary documentation

You will need to demonstrate compliance with PCI DSS requirements, so documentation is vital. This includes policies and security incident response procedures that you will need to show to stakeholders, and regulatory authorities.

PCI DSS compliance is an ongoing process, so regular assessments should be carried out to ensure the organisation is still able to trade. Qualified PCI assessors will be able to work with you to establish a comprehensive audit for your PCI compliance status.

What happens if you don’t comply with PCI DSS?

You could end up paying fines that range from $5k to $100k per month to the payment card providers. How much you pay will depend on the level you fall into and the circumstances behind the non-compliance.

For instance, companies that are in the Level 1 category will likely pay out a lot more than those in the Level 4 category. Fines are also dependant on the severity of breaches - if data was breached and it took a long time to fix the issue, you could end up with a heavier fine.

For example, in 2017, British Airways was fined $229 million for a data breach that affected 500,000 customers.

You’ll also lose the trust of your customers who are expecting you to protect their sensitive data. Reputational damage could hurt you long-term, even after you’ve paid the monetary penalties. If your clients find that you’ve put their data at risk, they’re likely to take their business elsewhere.

To sum it all up

The transition to PCI DSS v4.0 is a critical step for organisations that in any way deal with payment data and security, and by March 2025, your organisation needs to be ready to comply with the 51 requirements of the new standard.

Understanding the key changes, updating SAQs for compliance, and addressing any common questions will be integral to the success of this process.

By effectively implementing all of these measures, you can stay compliant with industry standards and strengthen your overall security posture around payment data and security.

How does Metomic help you comply with PCI DSS?

• The Metomic platform gives you full visibility and control over financial data held in your SaaS apps like Google Drive, Slack, and Jira.
• Helps you put access controls in place, limiting over-exposure of sensitive information
• Identify where sensitive data is stored and who has access to it
• Reinforce PCI DSS compliance by sending employee notifications to your staff when they share sensitive data within SaaS apps

Request a personalised demo today to learn more about how we can help your business comply with PCI DSS.