PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS), is a global security standard which applies to any organization which stores, processes or transmits cardholder data.
PCI DSS is a particularly thorough security standard which requires significant overhead to manage and demonstrate the security of card data, often costing companies $100k+ per year. That’s why organizations who handle cardholder data use Evervault to de-risk and de-scope their environments.
Becoming PCI Compliant
Evervault provides a hand held approach to help organizations de-risk their environments and minimize the effort required to become PCI DSS compliant. Once you begin the process of becoming PCI compliant, We will provide you with a PCI Policy Pack, which is a downloadable collection of documents and checklists to walk you through the process of becoming PCI compliant. The process can be broken down into the following core steps:
1. Understanding your requirements
The first step to becoming PCI compliant is understanding which requirements apply to your business. You do this by understanding how card data flows through your organization and mapping out the systems supporting those flows. This becomes the basis for PCI Scope (Cardholder Data Environment - CDE). There are four levels of PCI compliance, each with different requirements depending on various factors such as the number of transactions processed annually.
Level 1
Applies To
- Service Providers processing over 300,000 transactions annually
- Merchants processing over 6 million transactions annually
Requirements
- Annual Report on Compliance (RoC) by a Qualified Security Assessor (QSA)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Internal and External Penetration testing at the Application and Network layers
- Completion of the Attestation of Compliance (AoC) form
Level 2
Applies To
- Service Providers processing less than 300,000 transactions annually
- Merchants processing between 1 million and 6 million transactions annually
Requirements
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Completion of the Attestation of Compliance (AoC) form
Level 3
Applies To
- Merchants processing between 20,000 and 1 million transactions annually
- Service Providers can not be categorized as Level 3
Requirements
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Completion of the Attestation of Compliance (AoC) form
Level 4
Applies To
- Merchants processing less than 20,000 transactions annually
- Service Providers can not be categorized as Level 4
Requirements
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scans by an Approved Scanning Vendor (ASV)
- Completion of the Attestation of Compliance (AoC) form
2. Reducing your scope
The Cardholder Data Environment (CDE) comprises people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. PCI DSS requirements apply to all system components included in or connected to the CDE. In the simplified diagram below—which describes a system handling plaintext credit card data—all components are in scope for the 300+ PCI DSS Requirements, because they directly store, process or transmit card data (or connect to systems which store card data). For developers impacted by these requirements, it becomes critical that you secure the data, infrastructure and code in your CDE.
Minimizing scope is key to reducing the burden of PCI DSS compliance. By never handling plaintext card data, the number of controls that must be satisfied is significantly cut back, in many cases reduced by more than 90%. As a result, the attack surface for card breach is minimized and the effort to initially achieve and maintain compliance is simplified.
Reducing scope with UI Components
Evervault UI Components allow you to safely collect and display cardholder data in the browser, without ever handling it in plaintext. UI Components are served within an iFrame retrieved directly from Evervault’s PCI-compliant infrastructure. All operations on card data, such as validity checks, occur within the Evervault environment.
Adopting this approach for collecting or displaying cardholder data can reduce your PCI DSS compliance scope to the simplest form (SAQ A Control Set for Merchants), once integrated correctly.
Collect and Process Card Data
For products that need to collect and encrypt card data from their users on the client before sharing it with a Payment Processor.
Get StartedRetrieve and Display Card Data
For products that need to retrieve card data from a third-party service and display it to their users in a mobile or web app.
Get StartedPCI restricted apps
If your app needs to comply with PCI, it will be designated as a PCI restricted app. This automatically applies additional security measures and features to your app, minimizing your PCI scope as much as possible.
- The Evervault Decrypt API is unavailable for PCI restricted Apps.
- Functions in PCI Restricted Apps undergo regular vulnerability scans.
- Whitelists can be set up to manage the sources and destinations of traffic within your PCI Function.
- PCI Functions have fixed IP addresses, ensuring third parties that traffic originates solely from Evervault’s secure infrastructure.
- Function response payloads are checked for any potential exfiltration of sensitive PCI data.
- Multi-Factor Authentication (MFA) is enabled by default on the Evervault Dashboard.
Additional security measures
Although using Evervault massively reduces your PCI scope, there are still some additional security measures you will need to take to ensure you are fully compliant. These include:
- Payment page web server patching and vulnerability scanning
- Secure Authentication and MFA
- Script and Code Dependency Inventory Management
- Third-Party Risk Management
- Incident Response Management
3. Attestation of Compliance
Once you have implemented the necessary controls and reduced your scope, you will need to complete the Attestation of Compliance (AoC) form. This is a document that can be shared with others as an attestation of your compliance with the PCI DSS. Depending on your level of compliance, this may need to be completed by a Qualified Security Assessor (QSA) or can be self-assessed.
4. Ongoing Compliance
PCI DSS compliance is an ongoing process. You will need to regularly review and update your security controls, conduct regular vulnerability scans, and complete the Attestation of Compliance (AoC) form annually.
Automating ongoing compliance
Some of these ongoing processes can be automated with third-party or in-house tooling to reduce the burden on your team of remaining compliant.
Examples
- Using pre-built secure Terraform templates
- Automated patching
- Automated vulnerability scanning
- Automated exception remediation
- Integrated governance management systems like Vanta