Guide to PCI DSS Compliance In Canada
by TUCU Managed IT Services in Toronto
The Allianz Risk Barometer report for 2020 found that cyber incidents posed the biggest risk to businesses in 2020. The risk is only compounded for small businesses, most of whom do not have the required IT security expertise to fight a cyber attack once it has already begun. And one business area is especially prone to cyberattacks - payments. Hence the reason for risk reduction and compliance for payment processing.
A wide variety of businesses store sensitive consumer information such as credit card details, addresses, KYC data, and more in order to make payments easier and faster. Unfortunately, this type of sensitive information is often targeted by bad actors due to its value. Thankfully, there are several sets of standards, known as IT Security Frameworks, including PCI DSS - the global payments compliance framework developed to help businesses protect their data, employees, and customers.
In this article, we’ll take a comprehensive look at the IT Security Framework for online payments - PCI DSS and everything that small and medium businesses need to know about PCI DSS to effectively implement it.
What is PCI DSS?
PCI DSS, short for Payment Card Industry Data Security Standard (PCI DSS) is one of many security standards created to protect cardholder data after a joint effort by Visa, MasterCard, American Express, Discover Financial Services, and JCB International. Today, PCI DSS is used by thousands of companies that incorporate payment processing into their business.
The framework’s main aim is to ensure a secure transaction between the customer and the business and prevent data theft and breaches by bad actors. PCI DSS is not a regulation, consequently, businesses aren’t required by law to comply. That said, businesses must comply with PCI DSS if they are to use any major payment processor.
There are four compliance levels in PCI DSS, based on the number of transactions completed annually:
- PCI DSS Compliance Level 1: Over 6 million in total
- Level 2: Between 1 million and 6 million in total
- Level 3: Less than 1 million total or more than 20,000 online transactions
- Level 4: Less than 20,000 online transactions and up to 1 million in total
How to become PCI DSS compliant?
To become a PCI DSS Compliant company, PSI Security Standards Council (PSI SSC) has outlined 12 requirements. These requirements are further allocated to 6 objectives. Some changes to requirements might apply based on the merchant level, however, since this article is for small businesses, we will assume that the readers are level 4 merchants.
Requirements to become compliant with PCI DSS version 3.2.1 are:
- Building and maintaining a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protecting cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintaining a vulnerability management program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Implementing strong access control measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
Restrict physical access to cardholder data
- Regularly monitoring and testing networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintaining an Information Security Policy
- Maintain a policy that addresses information security for all personnel
This might seem like an exhaustive list of requirements but considering what’s at stake here, this is the bare minimum. Fortunately, there are different tools and solutions available to help Canadian businesses comply with PCI DSS requirements.
Tools For Assessing Compliance With PCI DSS
If you already follow information security best practices, some of PCI DSS requirements may sound familiar and chances are, you may already meet certain requirements. Even if you’re unsure, there are two ways to assess your compliance with PCI DSS:
#1 - Qualified Assessors: The PCI Security Standards Council has created two programs for assessing compliance:
- Qualified Security Assessor (QSAs)
- Approved Scanning Vendor (ASVs)
Both of these programs are approved to assess your PCI DSS compliance by the latter (ASVs) also perform vulnerability scans of internet-connected assets of the company.
#2 - The Self-Assessment Questionnaire: The SAQ is a useful tool for businesses that want to self-assess their PCI DSS compliance. It’s important to note that not every business is eligible to self-certify and there are different types of SAQs available based on your compliance level and payment method.
Three ways to become PCI DSS compliant
The aforementioned tools will help you understand which requirements you currently meet and where you are lacking. Both of those tools have various nuances. But depending on your familiarity with security frameworks, time restraints, and budget, you may choose one of three different ways to become PCI DSS compliant.
Do It Yourself
Becoming compliant using only in-house manpower will be, for most businesses, the most difficult and time-consuming approach. Implementing the IT security best practices and systems to secure transactions will require in-depth technical expertise and time for testing. That said, it is doable for technically-inclined individuals with an IT security team.
Outsource Some Work
The second option takes some burden off of the small businesses’ shoulders. While the company takes some responsibility for setting the PCI DSS up, they also contact another company to help them with setting up and testing. For instance, small businesses can receive use resources from the PCI Council, and once informed about the changes they need to make, they can hire an outside team of IT security experts.
Hire a Dedicated Agency
The final and most popular option is to simply find a dedicated IT security agency, preferably local to ensure they are aware of your local laws and payment card brands. Although the scope of the project may vary, this is generally known as an end-to-end managed service. The higher upfront cost of this approach is almost always offset by saving time and manpower, having a safer infrastructure, and long-term peace of mind.
Cost of becoming PCI DSS compliant
The cost for a Canadian small business to be PCI DSS compliant will vary based on a number of factors including compliance level, payment card brand, compliance assessment method, etc. Therefore, the numbers stated are approximations.
For small businesses, PCI DSS compliance costs will generally start around $300 CAD and increase based on your business requirements. At the lower end, businesses that are eligible for Self Assessment Questionnaire (SAQs) only need $200 to $400 CAD. For Approved Scanning Vendor or ASV, the cost will increase by around $380 CAD for every asset you own (IP address).
If you do not meet PCI DSS requirements, remediation efforts can cost anywhere between $500 CAD to over $15,000 CAD, depending on how many of the 300 sub-requirements you do not meet. And finally, training and policy development may cost an additional $100-$150 CAD per employee.
In total, the yearly cost of a PCI DSS compliance, for a small business and a level four merchant can vary from $1000 to $10,000 CAD.
Benefits PCI DSS compliance
It’s also important to understand the cost of non-compliance. Falling prey to a cyber attack that compromises your customer’s payment details will not only attract government litigation but also result in serious damage to your reputation. In fact, 66 percent of customers said they would not do business with a company where sensitive/financial information was leaked.
On the other hand, PCI DSS compliant businesses have an easier time meeting customer expectations and passing vendor screenings. Additionally, PCI DSS compliance also comes up with powerful benefits such as:
- A competitive advantage
- Following international security regulations is a great way to build your reputation, especially as a small business. If you have any competition that doesn’t follow these regulations, you are automatically ahead of them.
- A deterrent to a data breach
- Bad actors do their research and knowing you have a secure IT infrastructure makes you less appealing as a target. PCI DSS is one of the best ways to avoid a cyber attack, especially if you cannot hire full-time cybersecurity professionals.
- And if a breach does happen, sensitive information will be worthless to the attacker due to the encryption.
- Helps comply with other security standards
- PCI DSS compliance requirements might indeed seem tedious and extensive. However, being PCI DSS Compliant will help you follow other security standards, such as SOC2 and ISO 27001, more easily since many of the requirements are similar. Furthermore, the cost of following other standards becomes considerably lower.
Wrapping up...
If you’re a small business in Canada, you need to act now. Don’t wait. Invest in your PCI DSS compliance and certification today. With cyber-attacks getting stronger and more common, it is every businesses’ responsibility to do all they can to protect their customers’ data.
PCI DSS might at first seem intimidating but it is necessary if online transactions are part of your business model.
Remember, any challenges that you may come across can be easily tackled with the right IT compliance support partner - like TUCU Managed IT Services in Toronto.
