PCI DSS is a set of security standards created in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. The compliance plan managed by PCI SSC aims to secure credit and debit card transactions against data theft and fraud.

While PCI SSC has no statutory authority to enforce compliance, it is a requirement for any business that handles credit or debit card transactions. PCI certification is also considered the best way to protect sensitive data and information, helping businesses build long-lasting and trusted relationships with their customers.

PCI DSS Certification

PCI certification ensures the security of card data in your business through a set of requirements set by PCI SSC. These include a number of widely known best practices such as:

  • Installing firewalls
  • Encryption of data transfers
  • Use of anti-virus software

Additionally, businesses should restrict access to cardholder data and monitor access to network resources.

PCI-compliant security provides a valuable asset to customers, letting them know that your business is safe to transact. Conversely, the cost of non-compliance, both monetary and reputational, should be enough to convince any business owner to take data security seriously.

A data breach that exposes sensitive customer information can have serious repercussions for a business. A breach can result in fines from payment card issuers, lawsuits, reduced sales and severe reputational damage.

After a breach occurs, a business may be forced to stop accepting credit card transactions or be forced to pay subsequent costs that are higher than the initial cost of security compliance. Investments in PCI security procedures are measures to ensure that other aspects of your business are protected from malicious online actors.

PCI DSS Compliance Levels

PCI compliance is divided into four levels based on the number of annual credit or debit card transactions in a business process. The classification level determines what a business must do to remain compliant.

Level 1: Applies to merchants who process more than six million real-world credit or debit card transactions per year. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. Additionally, they must submit to a PCI scan quarterly by an Approved Scan Vendor (ASV).

Level 2: Applies to merchants who process between one and six million real-world credit or debit card transactions annually. They must complete an assessment once a year using the Self-Assessment Questionnaire (SAQ). In addition, quarterly PCI scans may be required.

Level 3: Applies to merchants who process between 20,000 and one million e-commerce transactions per year. They must complete an annual assessment using the relevant SAQ. A quarterly PCI scan may also be necessary.

Level 4: Applicable to merchants who process less than 20,000 e-commerce transactions per year or up to one million real-world transactions. An annual assessment should be completed using the relevant SAQ and quarterly PCI screening may be required.

PCI Compliance and Web Application Firewalls

Since its inception, PCI DSS has gone through several iterations to keep up with changes in the online threat landscape. The ground rules for compliance remain constant, while new requirements are added periodically.

One of the most important of these additions was Requirement 6.6, introduced in 2008. It was created to protect data against some of the most common web application attack vectors, including SQL injections, RFI, and other malicious input.

Meeting this requirement can be achieved by application code reviews or by implementing a web application firewall (WAF).

The first option includes a manual review of the web application source code along with a vulnerability assessment for application security. While a qualified internal source or third party is required to conduct the review, final approval must be obtained from an external organization.

Alternatively, businesses can protect against application layer attacks using a WAF distributed between the application and clients. WAF examines all incoming traffic and filters malicious attacks.