PCI DSS compliance is the process of adhering to a set of controls and standards for securing physical and online financial transactions. The term stands for Payment Card Industry Data Security Standard. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) to help mitigate breaches and reduce the theft of payment card and cardholder data.
The types of breaches governed by the PCI DSS include the exposure of primary account numbers (PANs), card verification values (CVVs) and personal identification numbers (PINs). The PCI DSS requires merchants to use security technologies and business processes that safeguard cardholders’ personally identifiable information (PII) and payment data, such as names, addresses and credit card numbers.
The PCI SSC assigns liability to merchants who take card payments and levies regulatory fines on those who do not comply. The Council oversees updates, changes and additions to the PCI DSS to address the evolving needs of the payment card industry. This includes the development of new standards, security technologies and requirements to protect consumers, transactions, funds and data.
Businesses are compliant when they receive a PCI DSS certification. This means they adhere to 12 security standards:
Merchants also follow 200 additional requirements that are subordinate to the major requirements.
The PCI DSS has four levels of compliance based on the number of credit card transactions that merchants process.
There are different processes for achieving each level of certification. All four levels require businesses to complete a self-assessment questionnaire. Level 1 and 2 merchants must also complete a Report on Compliance (RoC). In addition, Level 1 merchants must submit to a yearly compliance audit by a Qualified Security Assessor (QSA) and scan their networks quarterly using an Approved Scanning Vendor (ASV). The PCI SSC maintains a list of approved QSAs and ASVs.
PCI DSS compliance requires merchants to continuously assess their hardware, software and security technologies, and business processes that manage payment card data and transactions. When merchants discover vulnerabilities in their system, they must address those vulnerabilities to maintain the security of card data and transactions. They must keep records of these assessments and how they fixed any vulnerabilities, and regularly share reports on their PCI DSS compliance with the banks and card companies they use.
Merchants must have a robust security infrastructure to achieve and maintain PCI DSS compliance. This means continuously reducing their attack surface and addressing any vulnerabilities to the card processing systems. Some examples of this include:
Compliance with PCI DSS is not a one-time event, but an ongoing process. Organizations must continually assess and improve their security measures to keep up with the evolving threat landscape and ensure that their customers' data remains safe and secure. This means monitoring all systems and transactions for abnormal activity in real time. By doing so, they can build trust with their customers and maintain a positive reputation in the marketplace.
An update to the standard, PCI DSS 4.0, was released in November 2020 and must be fully implemented by March 2025. Several updates, including an increased focus on customer browser protection, are part of this version.
One of the most significant changes in PCI DSS 4.0 is the emphasis on secure browsing. Organizations that handle credit card information are now required to ensure that their customers' browsers are secure when they are conducting transactions on their websites. This is essential because many attacks on e-commerce websites occur through vulnerabilities in customers' browsers.
To comply with the customer browser requirements, PCI DSS 4.0 includes updates to existing requirements. The standard now requires organizations to maintain an inventory of all payment software and ensure that only authorized and justified software is used for payment processing. This is important because using unauthorized software can increase the risk of fraud and other security incidents.
Overall, the emphasis on customer browser protection in PCI DSS 4.0 is an important step towards improving the security of e-commerce transactions. By ensuring that customers' browsers are secure when they are conducting transactions on their websites, organizations can prevent fraud and other malicious activities and protect their customers' data.
In order to be compliant with PCI DSS 4.0, businesses must confirm the following for “[all] payment page scripts that are loaded and executed in the consumer’s browser:”
Cybercriminals target point of sale (POS) or point of purchase (POP) systems to steal payment card numbers, PINs, CVVs and other PII from consumers. Their methods include:
Modern web applications are especially at risk of a client-side supply chain attack that could expose PCI data and lead to non-compliance. Developers often source scripts for common functionality, such as chatbots, social sharing buttons and tracking pixels, from third-party vendors and open source libraries. This code runs on the client side, i.e., in users’ browsers instead of on the central web server, which leaves website owners blind to its behavior. Cybercriminals take advantage of this blind spot to inject malicious code that captures PCI data. Without the right security tools, malicious client-side code can go undetected for quite some time.
Stolen PCI data can be sold on the dark web and used in future carding attacks and transaction fraud. Fraudsters can use stolen credit, debit and gift card numbers to make fraudulent purchases on e-commerce sites. They can buy goods directly or purchase gift cards that can be redeemed for high-value goods or sold online.
Carding attacks have increased 134% YoY, and research estimates that every dollar in fraud costs merchants up to $3.60 due to chargebacks, fees and replacement of lost merchandise. It is predicted that digital card-not-present fraud will hit $130B by 2023.
Businesses benefit greatly by being PCI DSS compliant.
It is key to remember that maintaining compliance is a continuous process, not a one-and-done activity. This means regularly testing your security systems to ensure that they are up-to-date and proactively mitigating risk.
HUMAN Client-Side Defense provides real-time visibility and granular control over the client-side supply chain attack surface to prevent the theft of PCI data. The solution identifies vulnerabilities and anomalous behavior, and proactively mitigates risk using a combination of Content Security Policy (CSP) and granular JavaScript blocking. This allows website owners to prevent known malicious scripts from loading and transmitting PCI data, and to block third-party JavaScript from accessing sensitive PCI form fields without disabling the entire script. Compliance and Supply Chain Defense safeguards users’ PCI data against unauthorized exposure, supporting PCI DSS compliance.