In the face of current cybersecurity challenges, PCI DSS compliance is more important for merchants than ever. The Payment Card Industry Data Security Standard was established in 2006 to help merchants protect payment data. Compliance with the PCI DSS is an industry requirement for any company that accepts major credit cards and can help them develop their own robust security program.
Have an Upcoming PCI Audit Deadline?Request a Quote Here
Some organizations may feel overwhelmed by or frustrated with PCI compliance. It can be helpful to remember that the Payment Card Industry Data Security Standard was created to help businesses. The majority of SMBs that experience a data breach will go out of business and even large corporations struggle to stay open after the financial and social impact of a data breach.
After experiencing a security breach in his first business, Brad Caldwell (CEO) founded SecurityMetrics in 2000. We understand the challenges that SMBs face when trying to stay PCI compliant and the importance of PCI compliance in keeping organizations safe. One of Brad’s core objectives when founding SecurityMetrics was to provide tools and services that are accessible to small-to-medium businesses (SMBs).
That’s why we created the seventh edition of our free PCI guide. Every year, SecurityMetrics’ teams collaborate to update and release the Guide to PCI DSS Compliance in accordance with this goal.
The SecurityMetrics Guide to PCI DSS Compliance
The PCI Guide includes interactive and printable IT checklists for every requirement, stories and tips from our security analysts (QSAs), and forensic data breach research data, as well as the latest updates on PCI DSS compliance. It is meant to be a tool in the arsenal of a CISO, IT manager, security officer, or anyone involved in security and compliance.
Audit Director, Matt Halbleib (CISSP, CISA, QSA), said "We publish our guide to give businesses of all sizes a tool to understand and organize their PCI compliance efforts. Maintaining PCI compliance in an environment-specific way helps businesses protect their data, detect breaches, and keep cybercriminals off their network."
The 2022 PCI DSS Guide has been updated to include:
Insight into what to expect for PCI DSS 4.0
2022 forensic data breach predictions
Tips for applying the PCI DSS in a cloud environment
Information on e-commerce attacks including iFrame hacks
How to set up a PCI-compliant remote workforce setup
Interactive IT checklists for each requirement
Brand new PCI compliance trends and customer data
Tips and experiences from PCI Auditors (QSAs)
"Businesses who utilize the Guide to PCI DSS Compliance can better organize their compliance efforts and understand the way PCI compliance requirements affect cybersecurity. On top of that, the PCI Guide is a great training tool when assigning new resources to your PCI compliance effort,” said SecurityMetrics VP of Assessments Gary Glover (CISSP, CISA, QSA).
Since 2010, SecurityMetrics PANscan® has discovered over 3 billion unencrypted primary account numbers (PAN) on business networks. Storage of unencrypted payment card data increases your organization's risk and liability in the event of a data breach. This infographic examines user results of PANscan from 2021 and compares it to previous years.
208,444 GBs scanned
77% store unencrypted PAN data
5% store track data (data inside magnetic stripe)
Over 105 thousand cards found
Shopping Cart Inspect Data:
88.89% of Shopping Cart Inspect reviews identified malicious, suspicious, and/or concerning issues on researched ecommerce sites.
25.3% of inspected ecommerce sites had malicious issues.
63.86% of inspected ecommerce sites had suspicious issues.
33.73% of inspected ecommerce sites had concerning issues.
1.88 issues: Average number of issues identified in a Shopping Cart Inspect review.
18.42% of issues discovered were malicious; 61.19% of issues discovered were suspicious; 20.39% of issues discovered were concerning.
PCI Compliance Data:
2021 SECURITYMETRICS CUSTOMER TRENDS
93.6% of SecurityMetrics customers that started their SAQ have achieved a passing status
20.33 days: Average time to reach PCI DSS compliance
0.98 times: Average number of support incidents before customers became compliant
77.67% percent of SecurityMetrics customers that passed their first scan
8.5 days: Average time from finished first scan to first passing scan
1.57 scans: Average number of times scanned until merchants pass their PCI scan
Top10 Failing SAQ Sections
We reviewed our merchant database in search of the top 10 areas where organizations struggle to become compliant. Starting with the least adopted requirement, these are the results:
Requirement 12.1: Establish, publish, maintain, and disseminate a security policy.
Requirement 12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Requirement 12.6.a: Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
Requirement 12.1.1: Review the security policy at least annually and update the policy when the environment changes.
Requirement 12.4: Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
Requirement 12.10.1: Create an incident response plan to be implemented in the event of system breach.
Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Requirement 9.9.2: Periodically inspect device surfaces to detect tampering (e.g., addition of card skimmers to devices), or substitution (e.g., by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Requirement 12.3.1: Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.
Requirement 12.3.3: Verify that the usage policies define all critical devices and personnel authorized to use the devices.
Top 5 Failed Vulnerabilities
1. TLS VERSION 1.0 PROTOCOL DETECTION
Exists if the remote service accepts connections using TLS 1.0 encryption
2. SSL SELF-SIGNED CERTIFICATE
Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
3. SSL CERTIFICATE WITH WRONG HOSTNAME
Happens when an SSL certificate for the tested service is for a different host
4. SSL 64-BIT BLOCK SIZE CIPHER SUITES SUPPORTED (SWEET32)
Exists if a remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites
5. SSL MEDIUM STRENGTH CIPHER SUITES SUPPORTED (SWEET32)
Occurs when a remote host supports the use of SSL ciphers that offer medium strength encryption
PCI DSS Compliance as a framework for organizational security
The PCI DSS is a security standard that can provide an organized and comprehensive framework for any environment. It includes specific SAQs, based on variables like the way companies take payment information. These SAQs cover which specific places businesses need to look to start their data security programs and can save companies time and money.
Download a copy of the SecurityMetrics Guide to PCI DSS Compliance here to get started.
See what PCI Guide users have to say
“I needed quick and straightforward guidance on how the PCI DSS requirements apply to software development. I was able to quickly find what I needed written in a way that was both quickly digestible and highly understandable. This resolved the concerns we had and reinforced the importance of the standardization of process controls we are putting in place.”
“This is a fantastic guide for merchants on any level to work towards becoming PCI compliant, it also serves as a great resource to train future hires!”
“Excellent guide to PCI compliance which provides a manageable template to develop internal policies and procedures.”
“The Security Metrics Guide was very comprehensive and definitely extremely useful. I especially benefited from the IT checklist guide.”
“...SecurityMetrics Guide to PCI DSS Compliance is a one-stop guide to ensuring your organization is PCI DSS compliant. This is the best comprehensive guide I've found.”
“Made us aware of a lot of details concerning our security... also our service provider responsibilities, which we were not aware of. Provided us with valuable tips for firewalls and explained a lot of terminology that was unknown before PCI DSS.”