PCI DSS audit standards and requirements

Handling sensitive credit card data requires a merchant to follow specific standards. The Payment Card Industry Data Security Standard is the set of rules for any business that wants to accept electronic card payments. This Maxpay article covers the PCI DSS, its requirements for eCommerce, and the compliance audit.

What is the PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of mandatory rules whose purpose is to protect sensitive cardholder data while it is processed, stored, or transmitted. Compliance with the PCI DSS is required of every business that handles payment card data, regardless of size or revenue.

The name combines two parts: the Payment Card Industry and the Data Security Standard. The Payment Card Industry is responsible for establishing, updating, and distributing international security standards for cards issued by all the major card brands. The Data Security Standard provides the rules for data security across all card operations. The Payment Card Industry Data Security Standard is the sum of those rules, applied worldwide.

The Payment Card Industry Data Security Standard was established in 2004 by the main card associations: Visa, MasterCard, Discover Financial, American Express, and JCB International. Since then, the PCI DSS has set out technical and operational requirements designed specifically to protect card data from fraud, attacks, and misuse.

Ecommerce PCI compliance requirements

PCI DSS compliance is organized around six goals that must be met to process, store, and transmit cardholder data securely and lawfully.

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Although the rules apply to every business in the same way, the reporting requirements differ depending on annual income. In the PCI DSS structure, every merchant falls into one of four levels.

Card transactions transmitted or processed through the merchant's online shopping platform and its retail point-of-sale systems are added together to give the transaction volume. That volume determines the merchant's compliance level.

PCI DSS merchant levels

  • Level 1. Merchants that process over 6 million card transactions annually, or any merchant that has suffered a breach recorded as an Account Data Compromise event.
  • Level 2. Merchants that process from 1 to 6 million transactions annually.
  • Level 3. Merchants that process from 20,000 to 1 million transactions annually.
  • Level 4. Merchants that process fewer than 20,000 transactions annually.

Level 1 merchants must complete an annual PCI DSS Assessment that concludes with a Report on Compliance (ROC). The assessment is a detailed review carried out by a PCI SSC Qualified Security Assessor (QSA) or a PCI SSC Internal Security Assessor (ISA). It demonstrates to the acquirer that the business is handling cardholder data in compliance with the PCI Data Security Standard.

Level 2, 3, and 4 merchants submit an annual Self-Assessment Questionnaire instead. The Self-Assessment Questionnaire is the validation tool for eligible businesses that self-assess their PCI DSS compliance and are not required to undergo a PCI DSS assessment ending in a Report on Compliance.

In addition, merchants at every level must have an external vulnerability scan performed. The scan is carried out by a PCI SSC Approved Scanning Vendor (ASV) against all internet-facing system components that are part of, or provide a path to, the cardholder data environment.

Requirements for open source platforms

When a merchant relies on third-party or open-source platforms, including SaaS or cloud-based eCommerce tools, much of the PCI DSS compliance burden is taken on by the provider.

Even so, when a business handles cardholder data on open-source platforms or over public networks, the data must be strongly protected and the whole environment must be secure by design. These measures keep the data from being exposed through, for example, misconfigured wireless networks that an attacker could target. PCI DSS requires merchants to close such gaps on open-source platforms and public networks by encrypting the data, transmitting it over secure protocols, and enforcing identity authentication.

Completing the Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire, or SAQ, is a self-validation tool for evaluating how cardholder data is protected during processing, storage, and transmission. It is aimed mainly at small and medium businesses and takes the form of a straightforward series of yes/no questions covering each PCI DSS requirement. For every "no" answer, the merchant may receive a request from PCI to demonstrate visible progress toward meeting that requirement.

The SAQ has two components. The first is the set of questions on the PCI DSS requirements, written for merchants and service providers. The second is the Attestation of Compliance, in which the business certifies that it is eligible to self-assess and has completed the appropriate Self-Assessment.

Beyond those two components, there are nine SAQ types for the PCI DSS audit. The right form is selected according to the merchant level and the way the merchant accepts credit and debit card payments.

Questionnaire types and how the merchant accepts card payments:

  • SAQ A. Card-not-present businesses (eCommerce, mail order, or telephone order) that have completely outsourced all cardholder data functions to PCI DSS compliant third-party providers. No cardholder data is stored, processed, or transmitted electronically within the business environment. Not applicable to face-to-face businesses.
  • SAQ A-EP. eCommerce businesses that outsource payment processing to PCI DSS compliant third parties but have web pages that, while not directly collecting cardholder data, can still affect the security of the transaction. No cardholder data is stored, processed, or transmitted electronically within the business environment. Applicable only to eCommerce businesses.
  • SAQ B. Businesses using only imprint machines and/or standalone dial-out terminals, with no electronic storage of cardholder data. Not applicable to eCommerce businesses.
  • SAQ B-IP. Businesses using only standalone payment terminals with an IP connection to the payment processor, with no electronic storage of cardholder data. Not applicable to eCommerce businesses.
  • SAQ C-VT. Businesses that manually key in one transaction at a time into an internet-based virtual terminal provided and hosted by a PCI DSS compliant third-party service provider, with no electronic storage of cardholder data. Not applicable to eCommerce businesses.
  • SAQ C. Businesses with payment application systems connected to the internet, with no electronic storage of cardholder data. Not applicable to eCommerce businesses.
  • SAQ P2PE-HW. Businesses using only hardware payment terminals included in and managed through a validated, PCI SSC-listed P2PE solution, with no electronic storage of cardholder data. Not applicable to eCommerce businesses.
  • SAQ D (merchants). All businesses not covered by the descriptions above.
  • SAQ D (service providers). All service providers defined by a card association as eligible to complete a Self-Assessment Questionnaire.

PCI compliance checklist

There are 12 PCI DSS audit requirements that any business processing credit and debit cards must follow. Failing to comply with the PCI DSS brings financial penalties and strained relations with the banks that then have to be repaired.

Banks pass these penalties on, along with increased transaction fees or even termination of the acquiring agreement. The penalties can range from $5,000 to $100,000 per month until the business achieves PCI compliance.

12 PCI DSS audit requirements

  1. Install and maintain a firewall configuration to protect cardholder data and the traffic that carries it.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data at rest.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software within the environment.
  6. Develop and maintain secure systems and applications, applying security patches regularly.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access to the environment.
  9. Restrict physical access to the workplace and to cardholder data.
  10. Track and monitor all access to the environment and to cardholder data, and keep the logs.
  11. Regularly perform vulnerability scans and penetration tests.
  12. Maintain an information security policy that addresses data protection for all employees.

PCI breakdown: time and costs to reach compliance

To implement the PCI security standards in the business, a merchant has two options: carry out the compliance work alone or partner with a specialist organization. The first option suits small businesses. It normally takes 3-4 weeks for research, analysis, examination, and completion; the cost depends on what the business needs to implement.

Medium and large businesses benefit far more from outside help with the PCI DSS audit. In that case the procedure takes 3-4 business days and costs from $15,000 to $70,000.

How your ecommerce platform affects your PCI compliance

eCommerce software can be obtained in several ways. The first is to buy the software and run it on on-premise hardware. Commercial software is the most expensive choice, but it includes support and maintenance, and the business can be given assurance about its PCI DSS compliance.

The second way is to use open-source software on on-premise hardware. The main cost is the hardware, since the open-source software itself is inexpensive. Still, open-source software requires IT expertise, and there is no guarantee of its PCI DSS compliance.

The last way is to subscribe to hosted software delivered as SaaS. This is the least expensive option: a monthly fee with no hardware to buy. Support is usually included in the price, along with PCI DSS compliance.

Maxpay is a PCI DSS compliant payment gateway service provider. We offer businesses payment gateways, a fraud prevention system, chargeback alerts and chargeback analysis, help with merchant account opening, and full client support. To discover more benefits, contact the sales department.