What is PCI DSS compliance? | Requirements & how to comply

PCI DSS compliance is the process of adhering to a set of controls and standards for securing physical and online financial transactions. The term stands for payment card industry data security standard. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) to help mitigate breaches and reduce the theft of payment card and cardholder data.

The types of breaches governed by the PCI DSS include the exposure of primary account numbers (PAN), card verification value (CVV) and personal identification number (PIN). The PCI DSS requires merchants to use security technologies and business processes that safeguard cardholders’ personally identifiable information (PII) and payment data, such as names, addresses and credit card numbers.

The PCI SSC assigns liability to merchants who take card payments and levies regulatory fines on those who do not comply. The Council oversees updates, changes and additions to the PCI DSS to address the evolving needs of the payment card industry. This includes the development of new standards, security technologies and requirements to protect consumers, transactions, funds and data.

Businesses are compliant when they receive a PCI DSS certification. This means they adhere to 12 security standards:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Merchants also follow 200 additional requirements that are subordinate to the major requirements.

The PCI DSS has four levels of compliance based on the number of credit card transactions that merchants process.

• Level 1: merchants that process over six million transactions annually
• Level 2: merchants that process one to six million transactions annually
• Level 3: merchants that process from 20,000 to one million transactions annually
• Level 4: merchants that process fewer than 20,000 transactions annually

There are different processes for achieving each level of certification. All four levels require businesses to complete a self-assessment questionnaire. Level 1 and 2 merchants must also complete a Report on Compliance (RoC). In addition, Level 1 merchants must submit to a yearly compliance audit by a Qualified Security Assessor (QSA) and scan their networks quarterly using an Approved Scanning Vendor (ASV). The PCI SSC maintains a list of approved QSAs and ASVs.

PCI DSS compliance requires merchants to continuously assess their hardware, software and security technologies, and business processes that manage payment card data and transactions. When merchants discover vulnerabilities in their system, they must address those vulnerabilities to maintain the security of card data and transactions. They must keep records of these assessments and how they fixed any vulnerabilities, and regularly share reports on their PCI DSS compliance with the banks and card companies they use.

Merchants must have a robust security infrastructure to achieve and maintain PCI DSS compliance. This means continuously reducing their attack surface and addressing any vulnerabilities to the card processing systems. Some examples of this include:

• Basic security tools, like firewalls and antivirus software
• Strong access controls that restrict access to cardholder data for employees, contractors and third-party vendors and record any access events that take place
• Encryption of stored and transmitted data
• Penetration testing of systems to discover vulnerabilities
• Client-side security solutions that provide real-time visibility into the client-side supply chain attack surface to proactively identify vulnerabilities and anomalous behavior
• Granular client-side JavaScript blocking to prevent code from third-party vendors from accessing sensitive payment form fields, without disabling the entire script
• Bot management solutions that stop carding bots from making fraudulent purchases with stolen credit card data

Compliance with PCI DSS is not a one-time event, but an ongoing process. Organizations must continually assess and improve their security measures to keep up with the evolving threat landscape and ensure that their customers’ data remains safe and secure. This means monitoring all systems and transactions for abnormal activity in real time. By doing so, they can build trust with their customers and maintain a positive reputation in the marketplace.

An update to the standard, PCI DSS 4, was released in November 2020 and must be fully implemented by March 2025. Several updates, including an increased focus on customer browser protection are part of this version.

One of the most significant changes in PCI DSS 4 is the emphasis on secure browsing. Organizations that handle credit card information are now required to ensure that their customers’ browsers are secure when they are conducting transactions on their websites. There are two requirements in particular that govern this:

• Requirement 6.4.3 states that organizations must inventory, authorize, justify, and assure the integrity of all client-side payment page scripts
• Requirement 11.6.1 states that organizations must be alerted to unauthorized modification to the HTTP headers as received by the consumer browser

These requirements are essential because vulnerabilities in customers’ browsers can lead to client-side supply chain attacks that steal PII, such as Magecart, formjacking, and malicious redirects.

Overall, the emphasis on customer browser protection in PCI DSS 4.0 is an important step towards improving the security of e-commerce transactions. By ensuring that customers’ browsers are secure when they are conducting transactions on their websites, organizations can prevent fraud and other malicious activities and protect their customers’ data.

In order to be compliant with PCI DSS 4, businesses must adhere to requirements 6.4.3 and 11.6.1.This means that businesses must inventory all client-side code running on payment pages, document why each script is necessary and ensure that the code hasn’t changed since the point when it was determined to be safe.

Though these requirements may seem simple, they can be quite difficult to achieve in practice. Here’s why:

• Lack of visibility at runtime: Payment page scripts run on the client side, on users’ browsers rather than the central web server. It can be difficult to detect changes in scripts that load dynamically at runtime. This includes malicious code injections or modifications by design, such as adding a token to identify a visitor or another desired dynamic function.
• Frequent code changes: Third-party libraries are continually being changed and updated. Even if a script is reviewed when it is first added to a site, it does mean that subsequent modifications are secure. Over 50% of website owners state that the third-party scripts running on their web properties change four or more times every year, sometimes without their immediate knowledge.
• Nth-party vendors: Third-party vendors may themselves obtain code from external libraries. Partners’ dependence on other partners for JavaScript code may be undisclosed, lengthening the software supply chain and increasing business risk. It may be the nth-party script down the line that is vulnerable, and this can affect the entire JavaScript supply chain.
• Insufficient security reviews: Developers rely on third-party code to quickly bring capabilities to market. They don’t want to be slowed down by internal processes and may introduce code to an application without going through the appropriate security reviews. Even if an initial review is conducted, it does not account for future code changes.

Cybercriminals target point of sale (POS) or point of purchase (POP) systems to steal payment card numbers, PINs, CCVs and other PII from consumers. Their methods include:

• Installing malicious software designed to breach brick-and-mortar POS hardware and software and collect card data during transactions
• Modifying or injecting malicious client-side code in e-commerce sites that skims credit card data from online payment forms
• Launching malware on users’ devices to steal their PII
• Attacking the systems where cardholder data is stored

Modern web applications are especially at risk of a client-side supply chain attack that could expose cardholder data and lead to non-compliance. Developers often source scripts for common functionalities, such as chatbots, social sharing buttons and tracking pixels, from third-party vendors and open source libraries. This code runs on the client side — i.e., users’ browsers instead of the central web server — which leaves website owners blind to its behavior. Cybercriminals take advantage of this blindspot to inject malicious code that captures cardholder data. Without the right security tools, malicious client-side code can go undetected for quite some time.

Stolen cardholder data can be sold on the dark web and used in future carding attacks and transaction fraud. Fraudsters can use stolen credit, debit and gift card numbers to make fraudulent purchases on e-commerce sites. They can buy goods directly or purchase gift cards that can be redeemed for high-value goods or sold online.

Carding attacks have increased 134% YoY, and research estimates that every dollar in fraud costs merchants up to $3.60 due to chargebacks, fees and replacement of lost merchandise. It is predicted that digital card-not-present fraud will hit $130B by 2023.

Businesses benefit greatly by being PCI DSS compliant.

• Reduce risk of fraud: Businesses that are PCI DSS compliant have a much lower risk of suffering a cyberattack than those that do not comply.
• Build consumer trust: Consumers feel more secure completing financial transactions on a site that is PCI DSS compliant, so they are more likely to visit PCI DSS certified vendors.
• Avoid fines: Fines from the PCI SSC run up to $500,000 for successful breaches where merchants are not PCI DSS compliant.

It is key to remember that maintaining compliance is a continuous process, not a one-and-done activity. This means regularly testing your security systems to ensure that they are up-to-date and proactively mitigating risk.

HUMAN’s PCI DSS Compliance ​​simplifies compliance with PCI DSS 4 requirements 6.4.3 and 11.6.1. With a single line of JavaScript, the solution automatically delivers a comprehensive risk-scored script inventory and a simple method to authorize, justify, and assure the integrity of scripts. It alerts on unauthorized changes to scripts and HTTP headers, enables investigation of risky script behavior, and allows blocking risky behavior. Customers can generate on-demand audit reports to demonstrate compliance to security assessors.

What is digital skimming and how does it work?

What is Magecart? | Attack types & prevention

Supply chain attacks | What they are & how to prevent them

What is personally identifiable information (PII) harvesting?

What is formjacking and how to prevent it