If you’re going to run an e-commerce business in the Philippines, you must ensure the safety and security of your customers. After all, you deal with your customers’ money and data.
Malicious entities lurk in the dark recesses of the online world. Malware, entire companies of fraudsters, hackers that steal data, identity thieves, and so much more are just some of the hostile parties that may harm your users.
Fortunately, the brighter parts of the internet follow the Payment Card Industry Data Security Standard (PCI DSS). But what is PCI DSS, and why is it important?
The term is short for the Payment Card Industry Data Security Standard, and it protects you and your business from fraud. This article will tackle everything you need to know about the PCI DSS and how you can protect your business now.
The Basics of PCI DSS: Definition and Purposes
According to a 2020 report by PwC Philippines, a prestigious international financial services firm, one out of two business respondents reported experiencing fraud in the previous two years. Their losses ranged from $5m (280m PHP) to $50m (2bn PHP).
The PCI DSS was developed as a precaution against the horrors of data breaches. It is a set of credit card network agreements implemented to ensure the highest possible degrees of data security for everyone involved.
Major credit card companies, such as Visa, Mastercard, American Express, Discover, and JCB International, created these standards. Practically all the biggest financial networks in the world enforce them.
They do this through their agreements with merchants and payment processors — meaning that when a merchant is certified by PCI DSS, they meet the standards of the world’s highest authorities in credit card transactions.
The same applies to you. While you don’t need to get certified, following the leading security standard for credit card transaction data is still beneficial.
On the other hand, non-compliance means that your transactions are not secure.
Merchants will hesitate to partner with you, and tech-savvy customers will want to avoid you. More than that, you’re just more vulnerable to hacks, information theft, unauthorized access, and all the perils of an unsecured, valuable data network.
Benefits of PCI DSS Compliance to E-commerce Business Owners
The Philippines is rich in business opportunities. It has a highly tech-savvy populace and enjoys widespread internet penetration. Consumers have warmed up to shopping online more than in other South East Asian countries.
However, the cybersecurity infrastructure leaves a lot to be desired, meaning that your business’ protection is in your own hands.
But how do these standards actually help when it comes to safety? Let’s look at the concrete benefits of PCI DSS compliance:
- Protects cardholder data. There are millions of technologically capable hacker groups and individuals looking for businesses to target. The PCI Data Security Standard protects sensitive cardholder data to prevent it from falling into the wrong hands.
- Builds confidence with your consumers. With news of credit card fraud sprouting like mushrooms, customers are much more wary. Compliance with PCI DSS shows your commitment to data security, something many high-value customers need.
- Reduces the risk of data breaches. A data breach can cripple your business, both financially and reputationally. The PCI DSS implements strong security measures to minimize the chances of malicious hackers and fraudsters breaching your network.
- Ensures the highest security compliance. If you want to use credit card payment systems, pick a merchant that is compliant with the PCI DSS. Otherwise, regulatory bodies will be on you like a hawk and failure to comply will have drastic consequences.
- Lets you contribute to a safer internet. Complying with the PCI standards is a piece of the puzzle towards a better online world.
According to data from Statista, the Philippines experienced 1.19 million data breaches in 2022 alone. This is down from 43.19 million breaches in 2020, but it’s still a staggering number. Additionally, cybersecurity remains a small market in the country, its size ranking only 12th out of 14 in the Asia-Pacific region.
Key Objectives of PCI DSS
The main purpose of PCI DSS compliance is to ensure safe payments for your users. As an ecommerce store, you do not have much control over it directly. However, by choosing to implement payment systems that are fully compliant, you are safeguarding the payment info of your customers.
The standard is comprehensive and includes several key objectives that we discuss in greater detail in the sections below.
Scope of PCI DSS Compliance
In the first place, who is required to comply with PCI DSS standards?
As a regular e-commerce business, you are not required or even eligible to be certified. The PCI standards are for entities dealing with credit card payment information: storing it, processing it, etc.
But while a simple online business doesn’t need to be compliant, you need to choose processors who are. As an online store, you must integrate payment processors and merchants that meet this standard. Otherwise, you run all the risks mentioned above.
When merchants apply for certification, how they store, process, and transmit cardholder data is examined. They must measure up to the PCI DSS requirements and control objectives discussed below.
Importance of PCI DSS Compliance for Businesses
As previously explained, working with PCI DSS-compliant processors is crucial for the safety of your customers. It can enhance the quality of their shopping experience and improve your online store’s reputation.
Moreover, it can also reinforce client loyalty, as your customers will recognize that you value their safety and appreciate that the payments they make on your website do not expose them to risk.
Requirements and Control Objectives of PCI DSS
As an online business owner in the Philippines, you personally wouldn’t need to register for PCI DSS compliance. Nevertheless, you do still have some responsibility.
Say you partner with payment processors like PayPal or Stripe. While compliance will be on their side, your business must still ensure that you implemented the payment systems properly and that you didn’t introduce new vulnerabilities.
Plus, even if you’re not legally required, PCI DSS best practices will still elevate your security to better protect you and your customers from harm.
That said, this section will discuss the six control objectives and twelve requirements of PCI DSS compliance. Let’s dive right in.
Control Objective 1: Building and Maintaining Secure Systems
Here, the registrant must maintain secure systems, ensuring that cardholder data has all the necessary protection. But what does this actually mean?
Imagine that your business seeking PCI DSS certification is a sari-sari store, and all the important data are the wares inside it.
To protect them, you build a strong fence around the store. Maybe you install secure locks on the doors and grills on the windows. You must also regularly check your fence, grills, and locks for weaknesses, as they’ll wear out over time, and then maintain or upgrade them as necessary.
All these measures ensure that only authorized people (your family and trusted helpers) get inside, and there’s strong protection against the outside world.
This is what having robust security does against unauthorized computer access and cyberattacks.
Here are the particular requirements:
- A specific firewall configuration. This is the “fence” that’s protecting the entire store from being broken into. A strong firewall means secure network traffic, meaning it will protect cardholder data from any unsavory types wanting to take advantage.
- Change vendor-supplied defaults. Just like how you’ll customize the locks of your store to your own unique specifications, businesses looking to be certified must also create one-of-a-kind system passwords and other security parameters to prevent security vulnerabilities.
Just like robbers can easily access a physical store if left unguarded, hackers can easily steal sensitive information without good security systems. A strong firewall and customized security systems are a must.
Control Objective 2: Protecting Cardholder Data
Now, say that your sari-sari store’s customers trust you and decide to give you their phone numbers so you can update them whenever their favorite product is stocked.
You need to protect those numbers because bad people (scammers and the like) will steal those phone numbers at the earliest possible opportunities, and who will trust your store if you let their data get stolen?
This isn’t actually how credit card processors work, but the point is that you have precious information that you want to protect. How?
There are two ways to protect your customer’s precious info:
- Protect stored cardholder data you have on hand. Restrict physical access to the data only to trusted people and hide it by encrypting it.
- Encrypt transmission of any sensitive data. Whenever you pass that information (businesses that process your credit cards transmit this sensitive data to different parties), you’ll want to encrypt it.
Encryption is the keyword here. In layman’s terms, encryption is scrambling the data into a puzzle that only the intended recipient can solve. That way, should someone intercept that data, they’ll only see unintelligible gibberish because they don’t have the key.
There are high security standards for encryption, and organizations that want to comply need the best.
Control Objective 3: Maintaining a Vulnerability Management Program
A vulnerability management program is a document highlighting all the steps you and the relevant people need to follow to keep your systems in tip-top shape. If you’re a homeowner, you know exactly how important proactive steps are. You might live in your house every day, but hidden things break down without your noticing.
Thus, you make a plan to inspect the house for issues and deal with them when the time comes. You look for leaks, cracks, or exposed wires. And when you find them, you deal with them or call someone who will.
Just like anything, things also tend to break down in the virtual world – in networks and systems – and sometimes, these things can go unattended. The biggest difference is that you might suffer minor annoyances when your house has these small problems. But when your security network is similarly compromised, hackers can steal billions of pesos worth of money. Moreover, they can harm the reputation of your business forever.
Thus, you need to have a plan to actively prevent this from happening:
- Anti-virus software. A high-quality, customized anti-virus program is like an automated home inspector that will check your network for potential cracks, leaks, and even pests (viruses and other malware) and fix them as soon as possible. It’s indispensable for your security.
- Always update secure systems. The many different programs you use for your business will need updates from time to time. The manufacturer does this to defend against new viruses or repair old issues. Not updating your systems is risky, so do it regularly.
Just as maintaining your house prevents costly repairs and ensures that it remains safe, having a vulnerability management program keeps your network secure and prevents malicious entities from taking advantage of small issues.
Control Objective 4: Implementing Control Measures for Data Access
Think of a bank vault – those movie-esque gray rooms with gigantic, thick steel doors that are always round for some reason. Not any old customer can just walk up to that big door – access is strictly managed. Only authorized personnel, like bank managers, have the keys and codes to enter.
Similarly, businesses seeking PCI DSS compliance must have equally strict control of access to their virtual data vault. By having only a select few people access the vault of sensitive information, there are fewer potential weaknesses to be exploited.
There are several ways to implement this:
- Restrict access to critical data. For example, give access to cardholder data only to people who absolutely need it for their jobs, like the bank manager in our analogy.
- Unique IDs for everyone. Ensure everyone who can access sensitive info has an unreplicable, one-of-a-kind identification.
- Strong access control measures. There must be tight measures and checkpoints in your virtual and physical networks. That way, you can ensure traceability and accountability for everyone accessing sensitive data.
When seeking PCI DSS compliance, organizations must apply detailed security controls to customer data, just like banks do with their stockpiles of gold. This means restricting who accesses the vault, knowing precisely who goes near it, and monitoring every detail of their approach.
Control Objective 5: Network Maintenance and Updates
Data protection isn’t just a one-time thing; it’s progressive and incremental work. Control objective five deals with your plans to ensure you don’t become complacent.
From the sari-sari store with its various wares to the big banks with their gold reserves, every system that requires protection needs constant maintenance and upgrades.
There is always an arms race with organized crime and even individual hackers. If you don’t keep up with the latest security standards, your business is all the more vulnerable.
Businesses seeking PCI DSS compliance must, therefore, fulfill these two requirements:
- Continual access monitoring. They should look at who accesses network resources (specifically, cardholder data) and store these records for a required amount of time. This identifies potential cracks in your defense even before they cause problems.
- Regularly test security systems. Conduct frequent security tests. More than that, update your security regularly to keep up with the latest trends, standards, and requirements.
Objective 5 ensures that your network preemptively minimizes risks before they escalate into problems. Without proper implementation, issues often go unnoticed until malicious entities strike – and by then, it might already be too late.
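As an added example (not code from this article or from Next Basket), here is how a store’s own back end might implement three of the requirements discussed above at once: cardholder data encrypted at rest (Objective 2), decryption restricted to one role keyed by unique user IDs (Objective 4), and every access attempt logged (Objective 5). It uses Go’s standard-library AES-GCM; the key, user IDs, roles and card number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CardRecord is what the database keeps: the PAN only as AES-GCM ciphertext plus its nonce.
type CardRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds the encryption key, each unique user ID's role, and the access log.
type Vault struct {
	aead  cipher.AEAD
	Roles map[string]string
	Log   []string
}

// NewVault takes a 32-byte key (AES-256) and the user-ID-to-role table.
func NewVault(key []byte, roles map[string]string) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, Roles: roles}, err
}

// Store encrypts the PAN under a fresh random nonce, so a stolen database copy is unreadable.
func (v *Vault) Store(pan string) (CardRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Nonce: nonce, Ciphertext: v.aead.Seal(nil, nonce, []byte(pan), nil)}, nil
}

// Reveal decrypts only for the "payments" role and logs every attempt, allowed or denied.
func (v *Vault) Reveal(userID string, rec CardRecord) (string, error) {
	allowed := v.Roles[userID] == "payments"
	v.Log = append(v.Log, fmt.Sprintf("user=%s action=reveal allowed=%t", userID, allowed))
	if !allowed {
		return "", errors.New("access denied for " + userID)
	}
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return "", err // wrong key or tampered record: GCM refuses to decrypt
	}
	return string(pt), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed key; use a key manager in production
	v, _ := NewVault(key, map[string]string{"u-001": "payments", "u-002": "marketing"})
	rec, _ := v.Store("4111111111111111") // constructed sample PAN
	_, denied := v.Reveal("u-002", rec)
	pan, _ := v.Reveal("u-001", rec)
	fmt.Println(denied, pan, v.Log)
}
```

The log lines are what an assessor would expect to see retained for the required period; the denied attempt is recorded just like the allowed one.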
Control Objective 6: Maintain an Information Security Policy
Lastly, this objective ensures that your business has a set policy in place for all of the areas just discussed. Its primary purpose is to document and communicate the security measures being taken or planned across the organization.
It only has one PCI DSS requirement: to develop and maintain a comprehensive security policy. However, it has three distinct aspects.
- Draft a security policy document. Create an entire ring binder’s worth of paper containing your policy, security protocols, and procedures. Both physical and electronic forms must be created so you can distribute it to everyone through all organizational channels.
- Communicate the policy. Ensure that everyone — from your highest executives to your third-party contracted floor maintenance service — is briefed about your security policy. Everyone must understand and follow the security measures to the best possible extent.
- Regularly review and update your documentation. Keep the document in tip-top shape and ensure it contains all the most recent possible scenarios, trends, etc., of the ever-evolving cybersecurity scene.
Ensuring compliance with this Control Objective creates a security-conscious culture.
A concrete policy to communicate to your organization doesn’t just improve the perception of security. It also disseminates the knowledge and best practices for everyone to use and minimize vulnerability across your entire company.
Roles and Responsibilities in PCI DSS Compliance
PCI compliance is a project in and of itself. A business must determine the right people for each of the responsibilities required or at least know who the stakeholders are. Here’s an overview of the most important roles and responsibilities in PCI DSS compliance:
- Compliance Committee. Representatives from different departments, like Finance, IT, Legal, Internal Audit, and Risk Management, oversee adherence to PCI DSS rules.
- Project Manager. Leads the team in following PCI DSS rules and keeping everything organized.
- Business Units. Each department that handles credit card data, like Finance or IT, has a task to ensure PCI DSS compliance.
- Qualified Security Assessor (QSA). An outside expert checks if a company follows PCI DSS rules and gives a certification. This is typically an independent third party, like a consultant.
- Acquiring Bank or Credit Card Processor. Companies must show their compliance to banks or processors to keep handling card payments. They are the governing authorities ensuring that your business is PCI compliant.
Collaboration among these roles is essential to meet compliance and maintain a secure payment environment.
Compliance Validation Methods
PCI DSS compliance is of primary importance for relevant businesses – but how do regulatory bodies inspect them? How do businesses actually comply?
There are a couple of options:
- Self-Assessment Questionnaire (SAQ). Businesses with lower transaction volumes just fill in a questionnaire that details their compliance actions. They then submit this, along with evidence and other documentation.
- Internal Security Assessor (ISA) Assessment. An ISA is a PCI Security Standards Council-certified employee who will complete the evaluation checklist. It’s cheaper than hiring external assessors, but it is also long-term and time-consuming.
- Qualified Security Assessor (QSA) Assessment. This is when a business hires a third party to do the compliance assessment. Large businesses usually prefer this – it’s costly but time-saving, and they get high-quality, expert insights on compliance action items.
Regardless of the validation method, the assessor will usually need to perform regular penetration testing and network scans. They will also submit a RoC (Report on Compliance) and other documentation.
Common Challenges in Achieving PCI DSS Compliance
PCI DSS compliance is a lofty goal to strive for, but it’s not something that every business can achieve. That’s why it is of such great significance.
But why is it so difficult?
There are a couple of issues. The first is that PCI DSS is strict by necessity. It has many detailed and technical requirements that are very difficult for most business owners to implement by themselves.
Because of this strictness, achieving compliance is very costly in terms of time, money, and energy. Only the biggest businesses, with the biggest stakes in data security, can afford to invest what is required.
And if that’s not enough, the specifics of compliance also change with the ever-evolving technological landscape. This adds another layer of complexity.
These challenges make it difficult for small and medium-sized businesses to achieve full PCI DSS compliance, but that doesn’t mean they should just give up. They can apply PCI DSS principles or even use a PCI DSS-compliant ecommerce platform.
PCI DSS In E-commerce: Own Website vs. Website Platforms
Compliance is often a little tricky when you’re running an ecommerce business. Mostly, what you need to do boils down to whether or not you’re on a website platform.
If you’re creating an e-commerce website from scratch, you’ll need to find a payment processing service that is PCI DSS compliant. More than that, your shared responsibility means you should at least have up-to-par security for your website. You’ll have to install and maintain a firewall, encrypt sensitive data, etc.
As you can imagine, this can quickly get complicated, especially if you’re a small to medium-sized business without dedicated IT or legal compliance departments.
On the other hand, using website platforms can be very convenient. For example, when you create your website in Next Basket, we ensure it is fully PCI DSS compliant. This takes a lot of the time, effort, and resource cost of compliance off your back while ensuring the highest protection standards possible for your customers.
Final Thoughts
PCI compliance is one of the best things you can do as a business, but it’s not easy to implement. Before undertaking this significant project to protect yourself and your customers, review this article and ensure you understand everything you must do.
Once you’ve mastered everything, you can start your journey toward better cardholder data security.
FAQs
How Can Small Businesses in the Philippines Achieve PCI DSS Compliance With Limited Resources?
Implementing scalable and budget-friendly security measures helps with compliance, even with a low budget. You probably can’t afford your own electronic cardholder data storage. Instead, focus on cheap and hassle-free solutions, such as having unique passwords, limiting data access, and more.
How Does PCI DSS Compliance Align With Data Privacy Regulations in the Philippines?
Payment processors in the Philippines also comply with the PCI DSS standard to secure payment card data. PCI DSS aligns with local data privacy regulations, such as the Data Privacy Act, since they serve the same interests.
How Does a Payment Provider or Merchant Validate Their PCI DSS Certification?
A provider must follow several compliance methods to get certified for PCI DSS. These methods are accredited and recognized by the PCI Security Standards Council: the Self-Assessment Questionnaire (SAQ), Internal Security Assessor (ISA) Assessment, and Qualified Security Assessor (QSA) Assessment.