PCI DSS Compliance Blog

2010 marks an important year for PA-DSS compliance.  On July 1 Visa’s fifth PA-DSS security mandate takes effect.  While the first four Visa mandates allowed various PA-DSS workarounds, the Visa Phase 5 Security Mandate clearly will not.  Up until this mandate, merchants using payment applications before the adoption of PA-DSS and who have not switched processors since its adoption were grandfathered in and not required to update to a PA-DSS compliant application.  This is no longer the case as of July 1: all merchants will be required to use only PA-DSS compliant applications.

With these fast approaching deadlines and the effort required to achieve compliance, Independent Software Vendors (ISVs) are finding themselves faced with major resource constraints.  It’s tough enough for ISVs to keep up with the competition and customer demand to build feature rich functions much less plan for compliance mandates requiring significant development time and effort.  However, ISVs that don’t take these deadlines seriously or remove their applications from the scope of compliance will lose customers that they worked hard to get and will ultimately be forced out of business. 

Most ISVs should have a PA-DSS compliance plan in place by now.  If you don’t, start by reading our post on PA-DSS implementation and get moving fast.  For those with PA-DSS plans in place, be sure that you are reaching out to merchants using your software and informing them of the upcoming July 1 deadline.  If they haven’t upgraded to a PA-DSS compliant version of your application by this date, they risk losing the ability to process credit and debit card transactions. 

In an article on Storefront Backtalk last month franchisee columnist Todd Michaud wrote that when it comes to PCI compliance, franchise-based retailers “are screwed.”  We agree that franchise parent companies have a lot to weigh out when it comes to a PCI compliance strategy.  And for the three options Michaud outlines for handling PCI compliance with their franchisees – a completely hands off approach, requiring proof of an audit, and rolling out a comprehensive PCI compliance program – we’d lean towards the last.

PCI DSS compliance can be a confusing process, particularly for smaller franchisees that may lack IT personnel.  Franchisors should become a beacon of light to ease this process: it is part of their duty of service.  Part of the PCI compliance program should be a strategic partnership with a payment processing provider who is knowledgeable in the PCI compliance space and who can play the role of trusted advisor to franchisees.  Ideally, that merchant services partner will have a PCI DSS compliance program established themselves, relieving much of the heavy lifting for the franchisor.

The franchisor will have the opportunity to negotiate better rates this way, which both franchisor and franchisee will ultimately benefit from.  Look for a payment processor that offers the most security through technology like end-to-end encryption and tokenization, something Michaud describes as “daydream adventures,” but we know of a payment processor that offers it already (wink, wink). Franchisors leveraging their size will help make these cutting-edge technologies cost-effective for their franchisees, while reducing the risk of a data security breach. 

From a branding standpoint, franchisors have a lot to lose if one of their franchisees falls victim to a breach.  Depending on the level of media attention the breach garners, one for a store in downtown Philadelphia has the potential to negatively affect the brand – and, arguably, sales— across the state, regionally or even nationally. 

A PCI compliance program for franchisees could also help make the Self-Assessment Questionnaire (PCI SAQ) process easier.  While this might not be the case for every franchise, some franchisors can elect to answer the SAQ on behalf of all of their franchisees.  This would only be the option if every franchisee used the same software, card swiper and payment processor and comes with the possible drawback that if one franchise location suffers a data breach, then every location might be impacted negatively.  

Stakeholders in franchisors will ultimately need to weigh out their options when it comes to PCI compliance, of course.  But one thing is for sure: in today’s climate where high profile breaches are making national headlines, a well-thought out strategy is a must. 

In recent years, merchants have become displeased with what they see as rising credit card processing fees (commonly referred to as credit card interchange fees).  In turn, merchants have leaned on industry lobbyists, acquirers, and credit card companies in an effort to find relief.   The result of this pressure is three separate proposed Congressional bills, most notable among them the Credit Card Interchange Fees Act of 2009. 

Though there is still no word on whether these proposed bills will proceed through Congress, that hasn’t kept merchants, processors, credit card issuers, and even some consumers from debating their merit. 

The release last month of a report on credit card interchange fees from the General Accountability Office has only added to the confusion, essentially reporting that regulating and/or limiting interchange fees would result in a sequence of nearly indeterminable feedbacks, with no clear definition of who might be the beneficiary. 

While the complaints of merchants over credit card interchange fees have been the primary driver of action on this matter, an important secondary consideration is at play as well.  Consumers, for whom the recent C.A.R.D. act was passed in Congress, are assumed to be paying higher prices for goods and services as a result of merchants raising prices to absorb what they view to be increasing interchange fees.

Essentially, then, the three proposed bills are aimed at protecting merchants and consumers, with the assumption being that merchants would lower prices for goods and services if interchange fees were lowered or eliminated.

At the heart of this growing debate, for some, is whether a lowering of interchange fees would actually result in lower prices.  Would merchants lower prices or simply grow margins?

What do you think will happen? Let us know in the comments below.  

We’ve blogged recently about the evolutionary component of PCI compliance, of how PCI compliance is an ongoing, adaptive, process rather than a simple checklist.

For more proof of this, we present MasterCard’s most recent changes to its PCI DSS requirements.  As changes are made by credit card companies, we are reminded that adaptations by card issuers, processors, and merchants are necessary. 

The first change MasterCard announced was a change to the December 31, 2010 deadline for Level 2 merchants to have an onsite QSA assessment to six months later, June 30, 2011.

Effective June 30, 2011 MasterCard PCI compliance will also subject merchants to new PCI DSS requirements.  Those changes break down, depending on merchant level, as follows:

Level 1 merchants will no longer be required to contract a Qualified Security Assessor (QSA) to submit their Reports on Compliance (ROC).  Instead, level 1 merchants, provided that their internal auditor is certified effective June 30, 2011, will be permitted to submit their own ROC.  Certification for internal auditors will be overseen by the PCI Security Standards Council (PCI SSC), with PCI SSC training for certification beginning sometime after January 15, 2010.

Similarly, level 2 merchants will no longer be required to complete an annual onsite assessment.  Instead, level 2 merchants may rely on internal resources to submit a Self Assessment Questionaire (SAQ), provided that their internal auditor is certified as of June 30, 2011.  As an alternative to submitting the SAQ, level 2 merchants may also opt to utilize a QSA for assessment purposes.  As with level 1 merchants, certification training dates will begin sometime after January 15, 2010.

In addition to the above MasterCard PCI DSS requirements changes, MasterCard PCI compliance will require that third-party payment applications be validated, by July 12, 2012, as fully compliant with the Payment Application Data Security Standards.  PA-DSS compliant payment applications will be comprehensively listed on the PCI SSC website. Visa’s PA-DSS deadline, however, is July 1, 2010 so software providers still need to be cognizant of this looming compliance deadline. 

We have integrated the above changes into our past post regarding PCI Compliance Deadlines.

Related Blog Posts:

MasterCard Toughens Stance on PCI Compliance

PCI Compliance Thought Leader Q&A
Interview with Rick Dakin, President of Coalfire

PCI DSS Compliance Blog: Tell us about Coalfire.
Rick Dakin: Coalfire is an IT audit and compliance firm.  We spun out of an application hosting company in 2001 and have remained focused on a single mission since that time - to provide cost-effective IT audits and compliance advisory services.  This focus allows us to provide an independent view of compliance to stakeholders subject to Payment Card Industry (PCI), banking, healthcare and privacy regulations and laws.

The company provides a wide range of security and IT audit and advisory services through a team of 50 professionals from offices in Colorado, Washington and New York.

What work does Coalfire do in the area of PCI compliance?
Coalfire provides a full range of PCI assessment and compliance advisory services that includes certification to perform the following activities:
•    Qualified Security Assessor (QSA) – provide level 1 Report on Compliance (ROC) reports after on-site testing, and facilitation for completion of a Self Assessment Questionnaire (SAQ).
•    Payment Application – Qualified Security Assessor (PA-QSA) – Perform application testing and validation to the Payment Application-Data Security Standard (PA-DSS).
•    Approved Scan Vendor (ASV) –perform internal and external network vulnerability scans.
•    Penetration testing services are provided to all PCI clients.

What does it take to become a certified QSA? 
A QSA must work for a QSA company.  The requirements for QSA companies include registration (with fees), $2 million of professional liability insurance, and compliance to the rules published by the PCI Security Standards Council (PCI SSC).  All QSA companies are subject to review by the council.

Once a QSA company is established, an individual QSA must first obtain a security industry certification like a CISSP or CISA certification, 3 or more years of industry experience and hands-on PCI experience supporting another certified QSA.  All QSA participants must then pass a background check and complete formal PCI training and certification testing. 

At Coalfire, we estimate that each individual QSA costs us $7,500 per year to maintain industry certification, registration fees and insurance in addition to 50+ hours per year in training or off-site testing.  In short, it is a significant commitment by both the QSA and the QSA company to provide certified services in the industry. 

Merchants and software developers are often confused by the various levels of advice available to them.  Some companies do not complete the rigorous QSA training, testing, certification or peer reviews that guide our processes and methods to determine compliance to PCI standards.  Accordingly, the advice provided by a certified QSA may differ from advice provided by an industry observer who is not subject to the QSA process.

How many assessments are you doing per year?
Coalfire will perform over 1,000 assessments this year for more than 600 clients.  Over 60% of those assessments will be performed for clients with PCI DSS or  PA-DSS requirements.  Our processes and methods to determine compliance have been developed and vetted through thousands of tests, council peer review and success in preventing compliance failure for any of our validated clients.

Are more of your customers concerned with PA-DSS (ISVs) or PCI DSS (merchants)?
Since merchants outnumber the payment application vendors in the market, we conduct more merchant and service provider level 1 and 2 ROC and SAQ testing.  However, we are seeing a dramatic increase in the amount of PA-DSS compliance validation work from payment application developers.  This trend clearly verifies that merchants are improving security infrastructure more quickly than payment applications are being updated to comply with the Payment Application Data Security Standard (PA-DSS).

As a result, processors and merchants are facing critical deadlines to verify that payment application vendors comply with PA-DSS or force merchants to switch applications to a version that is already compliant.  This change is disruptive to many merchants since the updated applications typically require changes to platforms or infrastructure.

The problem cascades through the payment ecosystem because payment application vendors are having trouble finding a PA-QSA with resource availability to complete pre-audit testing or final validation testing on a timetable that will enable merchants to fully deploy PA-DSS compliant applications prior to the July 2010 deadline.

Can you walk us through a brief step-by-step process that you go through with your clients in the area of PCI compliance?
Our process is consistent across all product areas to include ROC, SAQ and PA-DSS test and reporting.  The following example is provided to outline the payment application validation process.

1.    Prospects enroll in an online audit preparation and self assessment tool called Navis.  The Navis platform has RapidPA-DSS, RapidSAQ and RapidROC modules.
2.    Prospects enter evidence that they meet specific controls in a “Turbo Tax” styled online questionnaire and data collection portal.
3.    Once the prospect data is entered and indicates that the payment application is ready to test, Coalfire’s staff reviews the data entered into the online platform and advises the prospect on the process to complete PA-DSS validation testing.
4.    After a contract is signed, Coalfire performs PA-DSS validation testing and provides a final gap analysis report to the developer to complete program modifications required to comply with PA-DSS standards.
5.    Final testing is completed and a PA-DSS reporting is submitted to the PCI Council.
6.    To become registered on the PCI Council PA-DSS list, each payment application vendor must sign a compliance agreement and pay a registration fee to the PCI Council.

What’s the area of greatest confusion for your customers? (ISVs or merchants)
The biggest area of confusion that we typically see is the separation of compliance responsibility between the ISV and their merchant clients.  Many clients think that the payment application vendor is solely responsible for PCI compliance.

Another common misconception among some merchants is that if they use PA-DSS-compliant payment applications, the merchant itself has met its obligations for PCI validation.  Coalfire works with payment application developers to help them guide their customers through a process to meet the full PCI standard and reduce the merchants’ risk of fines and penalties for non-compliance.  At the same time, this helps mitigate the payment application developer’s risk from civil claims from merchants using their technologies. 

There is perhaps no greater concern for merchants and software vendors than the cost of PCI DSS and PA-DSS compliance. How do you see the costs of PCI compliance weighing out against the cost of non-compliance?
How does the old Carpenters’ song go? … “We’ve only just begun.”

While the amount of investment in data security is growing at a breath taking rate, so is the investment being made in the personal injury litigation market.  We are seeing a dramatic increase in the amount of litigation being pursued to recover costs associated with identity theft and data breach, including credit card compromise.

In the last 3 years, over 40 states have passed aggressive new data breach legislation that will enable even more litigation.  Most breached merchants contact us with fears that they will be fined by VISA.  This is the least of their concerns.  I see most of the losses associated with litigation, fraud recovery costs, breach notice and post-breach system remediation.

Coalfire is not a law firm, but we see the damage caused by data breach up close.  This has taught us that the cost of compliance is really the investment to defend your organization from growing claims of negligence.  In the retail sector, the PCI Data Security Standard is the reasonable standard being used to determine negligence.

The trade off that we have experienced from our support of compromised merchants is that a dollar of compliance investment will save $10 of potential breach costs. Accordingly, we see the card brands like VISA moving into a secondary role.  We see state data privacy laws and the liability attorneys driving the need to validate compliance in the future.

How aggressive do you foresee credit card companies like MasterCard and Visa being with the new fines for non-compliance? What about specifically for smaller businesses?
For level 1 and 2 merchants, fines for non-compliance have become commonplace.  For level 3 and 4 merchants, enforcement has been “spotty” due to the various levels of tracking performed by the merchant processor.  We expect this random review of merchant compliance to change in 2010 since every processor must understand the status of merchants using only validated payment applications. 

Processors are making significant investments in their ability to track compliance of their level 3 and 4 merchants as a part of the process to inventory all payment applications to the PA-DSS requirement.  Accordingly, we expect fines for level 3 and 4 merchants to grow starting later in 2010.

Again, the fines are secondary.  We see the bigger risk that software vendors are offering non-compliant payment applications to customers who use them after July 2010 as a reason for the liability attorneys to pursue claims of negligence in the case of a data breach.  The PCI Council set the standard for reasonableness and now the attorneys have a clear path to collect huge sums for negligence on the part of merchants, processors and software developers who continue to use non-validated payment applications.

With PCI standards evolving, how do you stay at the forefront of the industry?
Unfortunately, the demands for more secure payments are driving investment in evolving PCI requirements at a time when merchants want their software developers to help them provide higher quality and more focused service to consumers. 

It is clear that the PCI standards that are being used today are not yet adequate to mitigate all risks to the payment processes.  The PCI Security Standards Council is providing leadership for a number of “next-generation” controls that will likely be included in future PCI Data Security Standards at both the application and infrastructure levels.

Many larger payment application vendors are removing payment modules from other merchant application services in order to contain the cost of data security.  By removing payment modules from commerce platforms and installing a shared payment service (managed by the application or by a third party), payment application developers can release updates to other non-payment modules without the expense associated with PA-DSS testing.  For the payment modules, application developers can focus more effort on enhancing controls when the platform is shared.  As a result, we see the trend for payment application developers continuing to move towards shrinking the payment environment and continuing to remove payment modules from other commerce functions.  Over the next few years, we would expect that the number of payment modules to shrink by a significant percentage.

Where do you see this industry in five years?
The payment industry is maturing.  Merchants and payment application vendors are faced with the market demand to simplify the PCI-compliance process and to reduce the cost of compliance.

Over the next 5 years, I expect that this overwhelming market demand will be met with solutions like centralized management of payment data to dramatically reduce the amount of data that is placed at risk in a distributed commerce environment.  The industry will have to keep innovating to allow consumers to get in and out of a retail environment more quickly while receiving higher quality and inherently more secure service.

The sophistication of payment processes will also have to continue developing at a rapid pace to keep up with online, mobile, in-store and unattended commerce opportunities.  Accordingly, only a few players will be able to make the investment in these dramatically shifting payment solutions to embed more encryption and continuous monitoring.

Looking around the web this month, we see that yet another hacking operation has resulted in the arrest and indictment of four men on charges of computer fraud and aggravated identity theft.  The men are accused of stealing more than $9 Million from ATMs in a matter of only hours last November.  The breach involved more than 2,100 ATMs globally and ended when the four men were arrested overseas, where they remain detained.  The four have been indicted by a grand jury in the U.S. District Court for the Northern District of Georgia.

Of course, data breaches seem to make big news, but the reality is that there are far more data breaches than are widely reported.  Looking at A Chronology of Data Breaches (hat tip - Application Security, Inc.), we see that the number of data breaches is, in fact, staggering.  While not all of those data breaches are related to payment cards or financial information, it is still a frightening number.  Perhaps the Federal Data Breach Legislation currently making its way through Congress will help. 

As we’ve discussed here before, PCI compliance alone isn’t sufficient.  In order to do more than just raise the bar, PCI compliance, vigilance, and a willingness to adapt to new threats helps to ensure that merchants, software vendors, and payment processors are as secure as possible. Martin McKeay makes this point in his Willingness to Do Anything post (great analogy in there).

With potential payment innovations on the horizon, and others being unveiled, the future of the payment space clearly involves ongoing evolution. 

In recent months, as the PCI Security Standards Council has continued to weigh the merits of what they have deemed “emerging technologies,” two terms have been highlighted most frequently. 

The first is end to end encryption, which we’ve written at length about here and here.  The other is tokenization.  As we mentioned in a recent post, these two solutions have quickly become the favorites among all other emerging technologies.

Tokenization is an attempt to mitigate the risks inherent in storing credit card data.  In the same way that end to end encryption helps to protect data in transit, tokenization helps to protect data at rest.  With data in transit is increasingly targeted by nefarious hackers (and making big headlines), it is easy to overlook the fact that data at rest can be equally prone to theft.

As a process, tokenization replaces credit card data with a unique "token" that acts as a reference pointer to that credit card data.  Using this logic, a credit card transaction sends this reference pointer token along the payment chain.  At the processing end of the payment chain, the token is verified and the transaction processed, all without having exposed any sensitive cardholder data to the various networks along the payment chain.  And because tokens are produced for accounts, rather than for specific transactions, stored tokens can be effectively used for scheduled automatic payments as well.

Because the merchant uses a “token,” rather than real credit card data, and relies on the payment processor to assign that token (and to transmit and/or store card data), merchants relying on tokenization decrease their “scope” relative to PCI compliance, transferring the onus of the most critical aspects of PCI compliance to the payment processor.     

Tokenization eliminates the need for actual credit card data to be stored or transmitted by the merchant and, in many cases, allows for an easier PCI SAQ process.  And with some payment solutions offering both tokenization and end to end encryption, the result is an integrated solution that protects data both in transit and at rest.  

Related Posts and Pages:

End-to-End Encryrption Emerges a Winner from PCI SSC Meeting

Tokenization

Last week we wrote about how merchants become PCI compliant.  Today we want to outline the steps independent software vendors (ISVs) must take in order to become PA-DSS compliant.

Step 1 of PA-DSS implementation: Get familiar with the compliance standard that applies to you: the Payment Application Data Security Standard (or PA-DSS for short).  PA-DSS applies to software developers and integrators of applications that store, process or transmit payment cardholder data as part of authorization or settlement. It also applies to these applications that are sold, distributed or licensed to third parties.

PA-DSS requirements include:

1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CIV2, CW2) or PIN block data
2. Provide secure password features 
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Do not store cardholder data on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers and integrators

Most ISVs then have two options from here: achieve PA-DSS compliance by undergoing an audit by a Qualified Security Assessor (QSA) or go out of scope of PA-DSS. 

To stay in scope of PA-DSS, software vendors must undergo the process of validating their application or applications.  This involves a security audit from a PA-DSS Qualified Security Assessor (QSA), as well as any development changes needed to bring the application into compliance.  ISVs are required to pay $1,250 annually (per software application) to have their solution listed as a validated PA-DSS-compliant solution.

Each payment card brand has their own terms for PA-DSS compliance.  We’ve written a comprehensive article on the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements.

To go out of scope of PA-DSS, ISVs need to transfer the responsibility of handling sensitive cardholder data to a third party.  Some payment processing companies offer hosted solutions where sensitive credit and debit card data bypasses your software all together and is transmitted directly to the payment processor.

Some resources to fulfill PA-DSS requirements:

PCI SSC’s page on PA-DSS compliance

Element’s comparison of PA-DSS certification and going out of scope of PA-DSS

Element’s solution for going out of scope for PA-DSS compliance

Related Blog Posts:

Visa PA-DSS

PA-DSS Case Study

By now you have heard about PCI compliance and are vaguely familiar with how it may apply to your business. So now what?

We’ve created this two-part article to clearly outline the steps merchants and independent software vendors must complete in order to become PCI compliant (PCI DSS and PA-DSS compliant, respectively).  We hope it guides you through this process clearly.  

This week, we’ll focus on how merchants become PCI compliant:

Merchants

For starters, get familiar with the compliance standard that applies to you: the Payment Card Industry Data Security Standard (PCI DSS).  The PCI DSS requirements are broken down into six different categories:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The next step is to figure out your PCI compliance level.  Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Remember: all merchants that process credit cards—whether small or large—must be PCI compliant. 

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements for PCI compliance.  We’ve written a comprehensive article on the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements.  To give you a general idea of what you need to do as a merchant, here are Visa’s PCI requirements for merchants:

Level 1 Merchants

- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form

Level 2 and 3 Merchants

- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by ASV
- Attestation of Compliance Form

Level 4 merchants

 - Annual SAQ recommended
- Quarterly network scan by ASV if applicable
- Compliance validation requirements set by acquirer

Some resources to help you complete these requirements:

•    List of approved QSAs
•    List of approved ASVs
•    Instructions on how to complete the SAQ
•    PCI Compliance Deadline List, including links to each payment brands’ PCI compliance sites
•    Article on how businesses that should complete the SAQ D can opt for a shortened SAQ

Depending on your compliance level, complete the appropriate requirements (above).  Then for each payment card brand you accept, check the site to see what kind of reporting you have to supply each brand. 

Next week we will post an article on how ISVs become PA-DSS compliant.  Sign up for our email updates in the top right corner or to the RSS feed to be sure you don't miss it!

Related Posts and Pages:

PCI Compliance Reflects a Moment in Time

PCI Compliance for Franchisors

Are you a PCI Compliance Guru?

PCI Compliance Deadline List

Remote Credit Card Storage Facilitates PCI Compliance

PCI Compliance Costs

PCI DSS Compliance for Merchants

When it comes to PCI compliance, merchants and software vendors alike often make the mistake of viewing their compliance as a “checklist” rather than an ongoing process.  Too many people assume that PCI compliance is achieved once.  In reality, however, it is maintained, through vigilant adaptation to both PCI requirements and evolving security threats. 

A closer look at PCI DSS requirements should make it quite clear that compliance is an ongoing exercise.  For example, requirement 1 reads, “Install and maintain a firewall configuration to protect cardholder data.”  Requirement 5 mandates that you “Use and regularly update anti-virus software.”  Requirement 6 states that you “Develop and maintain secure systems and applications.”  Requirement 11 implores that you “Regularly test security systems and processes.”  And, of course, Requirement 12 states that you must “Maintain a policy that addresses information security.”

Clearly, five of the twelve PCI requirements explicitly mention either maintaining or updating, which should make it clear to all paying attention that there is no finality to PCI compliance.  

In fact, any proclamation of “PCI compliance” is best viewed as a snapshot of compliance at a specific time.  While merchants and software vendors are able to use a variety of means to test compliance at any given date, the truth remains that ongoing compliance requires both vigilance and, often, quarterly and yearly compliance assessments.   

Merchants and software vendors must ensure that their processes, or their applications as the case may be, are PCI compliant.    But how does one know if they are PCI compliant?  What is PCI compliant?  Well, the answer to those questions is slightly more complicated that it might seem.

Assuming that you have a good understanding of PCI compliance basics, and that you’ve moved beyond the “checklist” mentality, verifying your compliance involves understanding the ongoing nature of PCI compliance.  At its root, PCI compliance is about securing data and, by that process, protecting cardholders/customers.  For PCI standards to be effective, periodic re-evaluation and adaptation is imperative.

People sometimes forget that PCI compliance requirements apply to all “system components,” and that ongoing assessments, on both a quarterly and yearly basis, are mandatory for most merchants.  This means, of course, that any change in hardware or software within your network must meet PCI requirements on an ongoing basis.

PCI compliance is dynamic, requiring ongoing adaptation.  PCI compliance starts with a set of 12 basic requirements, it continues with vigilance and adaptation, and it ends with….well, it doesn’t end. 

Related Posts and Pages:

How to Become PCI Compliant

PA-DSS Implementation

PCI DSS Compliance for Merchants