PCI DSS requirements


The PCI DSS has twelve major security requirements.

They can be grouped into six categories. Companies implementing the standard are required to:

Protect corporate networks. Set up firewalls and replace all default passwords set by the network equipment manufacturer.

Protect card data. Encrypt stored card data and transmit it over the network only via TLS 1.1 or higher.

Close vulnerabilities promptly. Install software updates and corporate antivirus updates for the software you use.

Control access to the data storage. Limit which employees have access to the physical storage location.

Establish information security policies. Test for compliance and think through the procedure to follow in the event of a hack.

Monitor the infrastructure, and regularly test all systems responsible for information security.


Responsibility for breach

Payment systems impose fines for non-compliance with PCI DSS requirements. The amount depends on the type of company (merchant or service provider), the volume of transactions, and the frequency of breaches. Visa will charge a $50,000 fine for the first offense and a $200,000 fine for the third one. The penalties are imposed monthly until the violation is corrected.

Failure to comply with PCI DSS requirements can also be considered a violation of personal data protection laws. Which law applies depends on the company's jurisdiction: in Europe, the GDPR applies, while in Russia, it is the 152-FZ "On Personal Data."

Therefore, it is very important for medium and small businesses to comply with all of these quality and security standards. After all, everyone cares about their customers and about overall security. In addition, small business PCI compliance (https://www.verygoodsecurity.com/blog/posts/pci-compliance-for-small-businesses) builds the business's reputation and helps promote and advertise it.


Certification Process

The certification process depends on the volume of processed transactions. If it is at most 20,000 payments per year, the audit can be performed by filling out the self-assessment questionnaire. If the number of transactions is higher, you need to engage a certified organization, which will conduct the audit in three stages:

Theoretical Part. Auditors will assess the quality and relevance of information security policies and their applicability in practice.

IT infrastructure assessment. Specialists will conduct a series of pentests, simulating attacks on the corporate network. This includes checking that firewalls, antivirus software, and other company software are functioning correctly.

Reporting. A company will receive a PCI DSS compliance certificate if it successfully passes all the tests. Otherwise, the auditors will provide a report of the violations that need to be corrected. If they find serious deviations from the standard's requirements, the entire audit process will need to be repeated even after the issues have been remediated.


Alternative Approach

PCI DSS certification may be waived if the merchant works with a payment service provider. This company acts as an intermediary between a merchant (an online store or an individual entrepreneur) and a bank, and is responsible for conducting non-cash payments via the Internet.

Payment service providers take on the issues associated with processing bank card data, and with them the PCI DSS certification. Their clients can therefore operate without undergoing an audit themselves. They must, however, make sure that the provider's PCI DSS compliance certificate is regularly renewed.
