Does PCI Apply to Us? Regulated Financial Institutions Want to Know
The following article has been revised on April 12, 2022 to reflect updates to PCI DSS 4.0.
There is some uncertainty in the banking world about whether the Payment Card Industry (PCI) Data Security Standard (DSS) applies to regulated financial institutions. This is largely due to the card brands' (Visa, Mastercard, American Express, Discover, JCB) compliance programs, which focus primarily on merchants (entities that accept card payments from one of the five brands). In reality, PCI DSS applies to issuers, processors and acquirers just as much as it does to a merchant: any entity that stores, processes or transmits cardholder data is subject to PCI DSS, and that includes financial institutions.
Account data, as PCI DSS uses the term, covers cardholder data and sensitive authentication data:
- Full Payment Account Number (PAN), typically 16 digits (13 to 19 depending on the brand),
- Full PAN plus expiration date, cardholder name and/or service code, or
- Sensitive authentication data such as card validation codes/values, full track data (data from the magnetic stripe or chip equivalent), PIN, and PIN block.
Note that sensitive authentication data must not be retained after authorization, even in encrypted form; PCI DSS allows an exception only for issuers (and companies that support issuing services) with a legitimate business justification.
If your institution stores, processes or transmits cardholder data, or is otherwise involved in payment card issuing, processing or acquiring services, you may be on the hook for PCI compliance. Your compliance responsibilities could include:
- Completing an annual Self-Assessment Questionnaire (SAQ)
- Undergoing a PCI DSS assessment by a Qualified Security Assessor (QSA)
- Verifying your service providers are maintaining PCI DSS compliance
The card brands, and your contractual commitments to customers and partner organizations, dictate the PCI compliance requirements for your institution. A good starting point for understanding your responsibilities is to review your agreements with the card brands and their networks, your customers, and your service providers.
The PCI DSS includes six objectives and twelve top-level requirements, which together comprise more than 250 sub-requirements. You may be relieved to know that not every sub-requirement necessarily applies to your institution; which ones do depends largely on your role in storing, processing or transmitting cardholder data and on how you have segmented the systems that touch it.
The PCI Security Standards Council groups the twelve requirements under the six objectives as follows:
Objectives | Top Level Requirements
---|---
Build and maintain a secure network and systems | 1. Install and maintain network security controls
 | 2. Apply secure configurations to all system components
Protect account data | 3. Protect stored account data
 | 4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software
 | 6. Develop and maintain secure systems and software
Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know
 | 8. Identify users and authenticate access to system components
 | 9. Restrict physical access to cardholder data
Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data
 | 11. Test security of systems and networks regularly
Maintain an information security policy | 12. Support information security with organizational policies and programs
Weaver has broad experience helping financial institutions navigate the ever-growing world of compliance and regulation. Our experience as both a QSA Company and a CPA firm allows us to take a holistic approach that covers the business side as well as the technical IT side. To find out how Weaver can help your institution achieve and maintain PCI DSS compliance, or strengthen your compliance programs in general, we welcome you to contact us. We are here to help.
© 2021