Think data breaches only target the giants? While businesses like Sony, Home Depot, and Target have had their challenges with cardholder data theft, believing smaller businesses are safe from hackers could be a costly mistake. 

Discover why small and medium-sized enterprises (SMEs) are just as vulnerable to data breaches, how PCI compliance can help, and how to measure your current protection level — all in under 5 minutes.

We will also discuss the changes in PCI DSS 4.0 so you can fully understand how it impacts your business and your security processes.

The Four PCI Compliance Levels (And Why Compliance Matters)

The Payment Card Industry Security Standards Council was established by the world's leading credit card companies, with Visa, Mastercard, Discover, American Express, and JCB each setting their own specific compliance requirements.

While Visa, MasterCard, and Discover each publish their own table of merchant levels, comparing them shows that the three brands agreed to use the same criteria for determining merchant levels. So, if the only credit cards you accept as a merchant are Visa, MasterCard, and/or Discover, you only need to reference the Visa table, as the merchant-level criteria are identical.

But for those merchants that accept American Express and/or JCB in addition to the other card brands, do not fret. The card brands have made things easy for you as well: if you are assigned a given merchant level by any one card brand, you are at that merchant level for every card brand.

The following are the four levels of PCI compliance:

  • Level 1: Merchants processing over 6 million card transactions per year.
  • Level 2: Merchants processing 1 to 6 million transactions per year.
  • Level 3: Merchants handling 20,000 to 1 million transactions per year.
  • Level 4: Merchants handling fewer than 20,000 transactions per year.

Cardholder Data Threats

Before you declare there's nothing to fret about and that you're not putting your customers' payment card data at risk because you're a small business, consider the following statistics:

  • Forbes states that researchers at Barracuda Networks found that cybercriminals are three times more likely to target small businesses. On average, small businesses with fewer than 100 employees experience 350% more social engineering attacks than larger enterprises, giving cybercriminals more opportunities to compromise their infrastructure.
  • The latest Verizon report highlights that 57% of breaches involving payment card information were cases of cybercriminals siphoning data directly from e-commerce sites.
  • IBM reveals that data breaches in the United States cost an average of $4.88 million each this year.

Judging from these figures, you might conclude that SMEs are scrambling in a panic over the thought of data breaches. If fraudsters can fool the big guy, surely small businesses are more likely to be vulnerable, right?

It turns out this hasn’t historically been the case. In 2014, the same year data breaches were happening left and right, a survey revealed that SMEs underestimated the threat of cyber attacks. A whopping 82 percent of SMEs declared they weren't worried about the attacks because they didn't have anything worth stealing.

By following PCI compliance requirements and preparing your organization to defend against threats using self-assessment questionnaires, you can avoid joining the thousands of SMEs that underestimate cyber attacks on cardholder data. Let's dive into exactly what you need to protect your business—and your customers.

PCI Compliance Requirements

The Payment Card Industry Data Security Standard (PCI DSS) was drafted to address the growing threat of data breaches among payment cards.

According to the PCI Security Standards Council, PCI DSS is a set of universally accepted standards that help protect the safety of customer data. PCI DSS sets the operational and technical requirements for organizations accepting or processing payment transactions and for software developers and manufacturers of the applications and devices used in those transactions.

Put simply, any business entity that accepts, processes, and stores payment card information must comply with PCI DSS.

PCI DSS Version 4.0 was issued in March of 2022. As of March 31, 2024, businesses are now required to comply with the updated standard.

There are twelve requirements for businesses to meet on their PCI compliance journey, ranging from securing network security control (firewall) configurations to using a robust file integrity monitoring system. These requirements ensure organizations not only remain compliant over time but also continuously track and monitor critical changes.

PCI DSS 4.0 Requirements

Your organization must meet the twelve requirements set out by PCI DSS 4.0. These are split into six categories, which we’ll discuss in more detail below. Each change from 3.2.1 to 4.0 is categorized by the PCI SSC by change type.

Change types are defined as:

  • Evolving requirement: Changes to ensure that the standard is up to date with emerging threats and technologies, and changes in the payment industry. Examples include new or modified requirements or testing procedures, or the removal of a requirement.  
  • Clarification or guidance: Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic. 
  • Structure or format: Reorganization of content, including combining, separating, and renumbering of requirements to align content. 

Source: Summary of Changes from PCI DSS Version 3.2.1 to 4.0

Let’s now look at the six categories and the twelve requirements laid out by PCI DSS 4.0:

Build and Maintain a Secure Network and Systems
  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components
Protect Account Data
  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Maintain a Vulnerability Management Program
  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software
Implement Strong Access Control Measures
  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data
Regularly Monitor and Test Networks
  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly
Maintain an Information Security Policy
  12. Support Information Security with Organizational Policies and Programs

Maintaining PCI Compliance by Level

Noncompliance with PCI DSS may result in a fine of $5,000 to $500,000 for the acquiring bank, which in turn passes the fine along to the offending merchant. For those who are already PCI compliant, a data breach could still bring another set of fines, up to and including suspension of credit card acceptance. It's important to note that the council itself won't penalize you for non-compliance; your acquiring bank, however, may hold you accountable.

PCI compliance requirements are separated by compliance level. Let’s take a look at the specific requirements by level:

  • Level 1: Over six million annual card transactions
    • Complete an annual Report on Compliance
    • Complete quarterly network scans
    • Complete an Attestation of Compliance form
  • Level 2: One to six million annual card transactions
    • Complete an annual Self-Assessment Questionnaire
    • Complete quarterly network scans
    • Complete an Attestation of Compliance form
  • Level 3: Twenty thousand to one million annual card transactions
    • Complete an annual Self-Assessment Questionnaire
    • Complete quarterly network scans
    • Complete an Attestation of Compliance form
  • Level 4: Fewer than twenty thousand annual card transactions
    • Complete an annual Self-Assessment Questionnaire
    • Complete quarterly network scans
    • Complete an Attestation of Compliance form

Self-Assessment Questionnaires

Two myths persistently follow PCI Compliance:

  • The first is that meeting the requirements is an unnecessary headache. In actuality, the requirements are beneficial and make good business sense.
  • The second is that small businesses that handle just a few credit card transactions a year don't have to comply with PCI DSS.

PCI compliance exempts no one. And meeting all 12 requirements doesn't have to feel like you're on an expedition to climb Mt. Everest.

Now that it's clear that PCI compliance is critical not just for protecting your customers' data but also for projecting the trustworthiness of your business, figuring out your merchant compliance level is your first step toward PCI compliance.

Who Will Validate Your PCI Compliance Level?

Depending on your level, compliance is validated either through a Self-Assessment Questionnaire (SAQ) or through an annual audit by a Qualified Security Assessor, who documents the findings in a Report on Compliance (ROC).

Note that card brands and/or your acquiring bank may impose additional requirements before declaring that your organization is a Level 1, 2, 3, or 4 merchant.

Think of acquiring banks as your compliance gatekeepers. They act as middlemen, absorbing the initial impact of card brand penalties for noncompliance before passing them down to merchants. That's why they're responsible for evaluating your position on the compliance ladder.

How CimTrak Lightens Your PCI Compliance Load

Data breaches can occur even in PCI DSS-compliant organizations, making continuous monitoring essential for maintaining security. CimTrak serves as your advanced integrity and compliance solution, instantly detecting suspicious changes and providing automatic remediation capabilities.

With CimTrak's real-time monitoring and protection, your systems are guarded around the clock. Whether you're a Level 1 or Level 4 merchant, our security experts can help you navigate PCI compliance requirements and strengthen your defense against threats.

Post by Lauren Yacono
January 21, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.