Subscribe
< Back to Blog
What is PCI-DSS Compliance and How Does It Affect Your Third-Party Vendors?
Glossary

What is PCI-DSS Compliance and How Does It Affect Your Third-Party Vendors?

By Editorial Team Dec 13, 20205 min read

PCI-DSS regulations aren’t law; they are a set of security regulations credit card companies voluntarily agree to uphold. As a result, any merchant that stores, processes, and/or transmits cardholder data  through the major credit card networks must also agree to uphold these security standards. Third-party vendors may or may not be required to comply, depending on the function they provide for your organization.

The Payment Card Industry Security Standards Council (PCI SSC) created the PCI-DSS regulations as a set of security standards for the major credit cards: American Express, Visa, Mastercard, Discover, and JCB International. These standards are designed to keep payment accounts secure while reducing fraud.

All five major credit card companies have agreed to comply with the PCI-DSS standards and bear the responsibility of enforcing compliance with every payment transaction. This means that all merchants must agree to comply with  PCI-DSS regulations in order to be approved for payment processing. For example, when a grocery store wants to accept Visa card payments, that merchant must sign a contractual agreement with Visa binding them to PCI-DSS compliance.

When a merchant is found to be non-compliant, a card network such as Visa has the right to ban that merchant from accepting payments through their network.

What does PCI-DSS require?

PCI-DSS regulations differ based on the volume of payments processed by any given merchant as well as how much access an organization has to credit card information. 

At a basic level, PCI-DSS regulations prohibit the storing, processing and/or transmission of certain aspects of cardholder data and require strict protection for account numbers.

Specifically, PCI-DSS has six main objectives that are to be achieved under 12 requirements. These goals include:

  1. Build and maintain a secure network and systems.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks. 
  6. Maintain an information security policy.

These six goals are achieved in specific ways, as outlined in the PCI security standards documents:

  1. Build and maintain a secure network and systems.

    Under this section, an entity must install and maintain a firewall that protects all cardholder data. Entities are not allowed to use default or vendor-supplied system passwords or other security settings. In other words, every entity must change all default security settings for software used to process payments. Default passwords are one of the easiest ways hackers gain unauthorized access to a network.
  1. Protect cardholder data.

    Cardholder data must be encrypted in transit across all unsecured, public networks. Open networks are common since many businesses offer free Wi-Fi to guests. However, entities processing card payments should have a separate, secured and encrypted network for payments.
  1. Maintain a vulnerability management program.

    Having a vulnerability management program protects against malware and other viruses. This also includes regularly scanning for viruses with anti-virus software and ensuring all systems and applications are secured.
  1. Implement strong access control measures.

    An entity is required to permit access to cardholder data on an as-needed basis. This means implementing a tight security system that grants levels of access to network users based on their credentials and need for the information. For example, customer service agents may only need access to the last four digits of a cardholder’s card number to verify a caller’s identity.

    Physical access to cardholder data also needs to be restricted. This can include locking rooms with stored paperwork and securing on-premises server rooms.
  1. Regularly monitor and test networks.

    Under this requirement, entities must track and monitor every instance when either network resources or cardholder data is accessed. Testing to ensure security is required on an ongoing basis. Most of this testing is performed automatically.
  1. Maintain an information security policy.

    Organizations that are PCI-DSS compliant must maintain an information security policy. The policy addresses organizational policies, procedures and other relevant information for all personnel who have access to a network containing cardholder data.

Who is regulated by PCI-DSS?

Generally speaking, any entity that enters into a contract agreeing to comply with PCI-DSS is bound by PCI-DSS regulations. This can include issuers, acquirers, processors, merchants and banks.

Third-party service providers

If your third party service providers store, process and/or transmit cardholder data, they would need to comply with PCI-DSS regulations and provide an AOC (Attestation of Compliance) to prove compliance . 

Even if they are not involved in any of these data processes above, the services they provided must be in accordance with the terms delineated in the vendor agreement throughout the vendor’s business relationship with your organization.

What are the penalties for PCI-DSS violations?

PCI-DSS is not a law, but there are consequences for non-compliance. The consequences will vary depending on the PCI DSS compliance level. However, in general, the consequences of non-compliance include:

  • Fines that range from thousands to hundreds of thousands of dollars.
  • Recurring charges that can cost an entity up to hundreds of dollars each month.
  • A higher fee for certain types of business insurance because non-compliance puts cardholder data at risk in case of a data breach. In some instances, non-compliance with PCI-DSS regulations can prevent a business from cashing in on a claim.
  • Lawsuits are always a potential consequence. 

How Panorays can help you comply with PCI-DSS 

When you’re bound by PCI-DSS or any regulation, you can’t make assumptions about your vendors’ compliance. However, Panorays can help you quickly and efficiently understand who is compliant, who is not but needs to be and how to streamline the process of ensuring vendor compliance. With customizable security questionnaires, your vendors can meet the expectations of regulatory measures as well as your own internal company policies. In addition, Panorays continuously monitors and evaluates the vendor, and sends live alerts about any security changes that may affect your vendors’ regulatory compliance. 

Want to learn more about how Panorays can help you keep your third-party vendors PCI-DSS compliant? Sign up for a free Panorays demo to learn how we can help.

humbnail
Editorial Team

You may also like...
What is a Third-Party Vendor and Why is Third-Party Security Important?
Oct 21, 2021 What is a Third-Party Vendor and Why is Third-Party Security… Editorial Team
What is MAS-TRM?
Jun 28, 2021 What is MAS-TRM? Editorial Team
What Is CRISC Certification and How Can It Improve Third-Party Security?
Jun 09, 2021 What Is CRISC Certification and How Can It Improve Third-Party… Editorial Team

Popular Posts

Nov 14, 2018 7 min read

10 Tips for Secure Online Shopping on Cyber Monday

Cyber Monday is just around the corner, but—let’s face it—shopping online is a lot riskier than it used to be. (more…)
By Elad Shapira
Security Best Practices & Advice
Nov 26, 2019 3 min read

3 Key Points About CCPA

What is CCPA?   The California Consumer Privacy Act (AB 375), which will go into effect on January 1, 2020, is expected to significantly strengthen data collection and privacy in the USA. Similar to the way the General Data Protection Regulation (GDPR) defined data privacy in Europe, the CCPA regulation is expected to set the standard for data privacy in...
By Dov Goldman
Standards & Regulations
May 08, 2019 3 min read

3 Reasons Why Enterprises Hate Security Questionnaires

It’s not hard to understand why security questionnaires are necessary. Because regulations like GDPR and NYDFS are holding businesses accountable for their third parties’ cybersecurity, it’s important for enterprises to assess and continuously monitor all vendors, suppliers and business partners. And the initial vetting of any third parties typically begins with a comprehensive security questionnaire to evaluate cyber posture. (more…)
By Noam Maman
Security Best Practices & Advice

Building Trust Between Companies Worldwide

Get Started

Featured Authors

humbnail
Yaffa Klugerman Director of Content Marketing at Panorays
humbnail
Elad Shapira Head of Research at Panorays.
humbnail
Moshe Ferber Cyber and Cloud Computing, entrepreneur, investor, board member and lecturer.

We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.

Get our latest posts straight to your inbox Subscribe