What is PCI DSS?

Note: This blog post was originally published on April 6, 2022, and was reviewed and republished by internal Thoropass experts on August 4, 2023.

Whether you conduct transactions online or in person, every business needs to be prepared for a security breach. You need to ensure that your customers’ credit card information is secured. In 2006, Visa, Mastercard, JCB, Discover, and American Express co-founded the Payment Card Industry (PCI) Security Standards Council to help businesses and financial institutions protect themselves and others from breaches, theft of cardholder data, and fraud.

In this piece, we will review PCI compliance, why it matters, and how using a complete compliance and audit solution like Thoropass can assist you in protecting your data every step of the way.

What is PCI compliance, and why does it matter?

PCI compliance refers to adhering to the Payment Card Industry Data Security Standards (PCI DSS). These information security standards apply to any entity that processes, stores, or transmits credit card information. The payment card brands mandate the standards. Compliance is enforced by these payment card brands and acquiring banks.

Not only is compliance with these requirements critical in keeping data secure, but they are also an industry standard. Merchants and service providers of all sizes are responsible for maintaining compliance with PCI DSS.

Maintaining PCI compliance is critical for any business that processes credit card payments. It helps keep sensitive customer payment information secure and reduces the risk of a costly data breach. Non-compliance can result in fines, higher transaction fees, and loss of the ability to process credit card payments. Being PCI compliant is not only mandatory but also essential for building trust with customers and maintaining a reputation for security.

Who needs PCI DSS compliance?

Any entity that processes, stores, or transmits credit card data must comply with PCI DSS regulations. If your organization is new to compliance, following so many regulations can be daunting, especially if you are unsure which requirements or standards your organization needs to follow. One set of requirements or standards does not fit all. Your journey to PCI DSS compliance will change depending on the entity type, the number of transactions, and your organization’s customer requirements. 

Before beginning the PCI DSS compliance process, get familiar with the compliance standards. Then, once you are familiar with the requirements and standards you need to put in place, it’s time to determine what level of compliance your organization needs to follow. The levels of PCI compliance for merchants and service providers are as follows:

• Level 1: Process over 6 million transactions a year across all channels
• Level 2: Between 1 and 6 million transactions annually across all channels
• Level 3: Between 20,000 and 1 million online transactions annually
• Level 4: Fewer than 20,000 online transactions a year, or any merchant processing up to 1 million regular transactions per year

12 PCI DSS requirements

Depending on your organization’s level, the requirements for PCI compliance can vary. However, there are 12 requirements for PCI DSS Compliance regardless of level:

1. Install and maintain network security controls

2. Protect Account Data: Apply secure configurations to all system components.

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks 

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software 

7. Restrict access to system components and cardholder data by business need to know

8. Identify users and authenticate access to system components

9. Restrict physical access to cardholder data 

10. Log and monitor all access to system components and cardholder data

11. Test security of systems and networks regularly 

12. Support information security with organizational policies and programs

While meeting and maintaining compliance with all of these can be overwhelming, Thoropass can help. As a complete compliance platform that automates workflows, infosec monitoring, and vendor due diligence in one single, collaborative space, Thoropass combines automation with self-assessment support so you can stay on top of all of these compliance standards and prepare for the due diligence process.

Define your cardholder data environment

To operationally prepare for a real-world data security breach, you need to understand the scope of your Cardholder Data Environment (CDE). Your CDE documentation forms the basis for any effective PCI compliance program. Your CDE includes POS terminals, internal or customer-facing applications, external websites, internal networks, and any components involved in processing, storing, and transmitting card transactions.

Identify gaps and evaluate solutions

Once your CDE is defined and documented, evaluate which PCI standard (SAQs, P2PE or ROC) applies to your given roadmap based on your CDE and merchant level. Your compliance architect will help, test, and identify any requirements that are noted as non-compliant. Once completed, all documentation of your CDE, requirements, and report will be delivered to you on the Thoropass platform. This enables you to trace, audit, and maintain your compliance data out of one centralized unit for easy accessibility. Refer to this road map as your central source of truth for staying within compliance.

Your road to certification

The process of your certification depends on what level your organization. If you are a Level 2, 3, or 4, a Qualified Security Assessor from Thoropass will review and test all the evidence you provided and update your Self-Assessment Questionnaire (SAQ). There are various SAQ types, and your Thoropass team can help you determine which one is appropriate for your organization. The SAQ covers the 12 PCI DSS requirements and will document your organization’s compliance posture according to the standard. Once the SAQ is complete, the next step is to have your dedicated SAQ help you complete and sign off on an Attestation of Compliance (AOC). Keep a copy of the AOC in your records to prove compliance with PCI DSS.

If your organization is a Level 1, your next step to compliance is going through a Level 1 audit by a certified QSA and getting a Report on Compliance (ROC) and AOC to demonstrate your compliance with PCI DSS.  The ROC is mandatory only for Level 1 organizations. 

The Thoropass team will walk you through these steps to ensure you are on the right path to achieving compliance.

Stay certified in evolving requirements

Certifications and security requirements evolve to keep high standards of protection. Thoropass evolves and scales with you as well, offering support on an ongoing basis. We will perform workshops with your team each quarter to ensure best practices and bidirectional awareness across a number of impending changes, such as:

• Changes in any PCI security standards
• Your CDE evolving due to your product roadmap
• Any other business operational change that may bear on your compliance with PCI

Thoropass is your partner in continuous compliance and support.

Your end-to-end PCI compliance solution

Thoropass is your complete compliance solution that acts as an extension of your team. We streamline and accelerate your certification to help you achieve stronger results that help grow and scale your business. The Thoropass team provides unmatched expertise and support for both technical and non-technical measures to ensure you get—and stay—PCI DSS compliant for years to come. 

Curious to find out how Thoropass can work for you? Reach out to try a free demo of our platform today.