PCI Compliance: A Complete Guide

by Aware

Payment card industry compliance governs the way that businesses accept, process, transmit, and store credit card payment data. The PCI Data Security Standard (PCI DSS) is governed by the PCI Security Standards Council, and compliance is essential to mitigate the risk of data leaks and theft. No matter your business size, if you handle PCI data, you must take steps to ensure PCI compliance. This post outlines PCI DSS requirements, costs, and more so you can develop robust measures to protect payment card industry data in your organization.

Who does PCI DSS apply to?

PCI DSS applies to any business that stores, processes, transmits, or impacts the security of cardholder data. This includes merchants who accept credit or debit card payments, payment processors, service providers who store or transmit PCI data, and any other vendor who handles payment card industry information. The size of the business and the number or value of transactions processed are irrelevant to the requirement to be PCI compliant.

Other key points about PCI DSS applicability:

  • It applies globally to all organizations handling payment card information.
  • Even if a company outsources payment processing to third parties, they are still responsible for ensuring PCI DSS compliance.
  • The level of compliance requirements may vary based on the annual transaction volume, with four compliance levels (1-4) defined by the standard.
  • Organizations that only receive or store encrypted cardholder data without the ability to decrypt it may have reduced scope, but PCI DSS may still apply to some extent.
  • Small merchants often have simpler environments, which can reduce their compliance effort, but they are still subject to PCI DSS.

It's important to note that while PCI DSS is not legally binding, it is widely adopted by financial institutions and payment card brands worldwide as a security standard.

How is PCI compliance enforced?

While PCI standards are set by the PCI Security Standards Council, they do not typically enforce compliance. Instead, PCI compliance is primarily enforced by the major credit card companies (Visa, MasterCard, American Express, Discover, and JCB). Compliance is part of the contractual agreement that vendors hold with these institutions. Failure to comply can result in penalties such as fines, increased transaction fees, and in serious cases, the termination of the vendor's ability to process credit card transactions.

Depending on the size of the merchant and the number of payments it processes, PCI compliance validation can be a simple self-assessment, or it may require an independent audit.


What are the 6 principles of PCI DSS?

The goal of payment card industry compliance is to protect sensitive data that, if breached, could cause significant financial loss and disruption to consumers, vendors, and processors. To achieve that goal, the PCI DSS follows six guiding principles that underpin the 12 requirements businesses must meet. These are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

What are the 12 PCI DSS requirements?

The PCI SSC outlines 12 requirements for payment processors, merchants, and other covered businesses who handle PCI data. Compliance with these requirements is essential for the safe handling and management of payment data.

  1. Install and maintain a firewall. All networks used to process credit card payments must be secured against unauthorized traffic. The firewall should be regularly tested and monitored to ensure continuous network protection.
  2. Change vendor-supplied default passwords and security settings. Only necessary services and functionality should be employed, and businesses must customize passwords and security settings to reduce the risk of a breach.
  3. Protect stored cardholder data. Businesses should carefully consider what data they keep and how they store it to ensure its security.
  4. Encrypt cardholder data when transmitting it across open, public networks. Ensure all employees are trained in the proper policies and channels to transmit PCI data securely.
  5. Use and regularly update antivirus software. Businesses should conduct network scans on a routine basis and document the results to demonstrate ongoing compliance.
  6. Develop security systems and processes. Vendors shouldn’t passively wait to detect breaches, but proactively hunt for system vulnerabilities and close gaps before an incident occurs.
  7. Restrict access to cardholder data to a need-to-know basis. Role-based access controls (RBAC) are essential for ensuring that PCI data access is strictly limited.
  8. Assign user IDs to everybody with computer access. There should also be controls in place to verify users and track activity to support audits and investigations.
  9. Restrict physical access to cardholder data. When stored in physical locations, PCI data should be held securely and monitored for unauthorized access.
  10. Track and monitor who accesses networks and cardholder data. Businesses should use audit trails and time-stamped tracking tools to ensure PCI data is not improperly accessed.
  11. Regularly test systems and processes. Routine vulnerability scans, activity reviews, and access point checks ensure that all controls are in place and working as expected.
  12. Have a policy on information security. Employees must understand their obligations to protect PCI. Training should be offered routinely, and policy documentation always made available.

Following these 12 requirements ensures that businesses think strategically about the PCI data they collect, and how they securely store the data they hold.


Self-assessment for PCI compliance

To be certified PCI compliant, merchants have to complete either a PCI DSS Self-Assessment Questionnaire (SAQ) or a more comprehensive Report on Compliance (ROC). Typically, smaller merchants with low transaction volume and straightforward data environments are required to complete an SAQ annually, while larger and more complex organizations must undergo more robust compliance vetting, typically conducted by third-party auditors.

Merchants typically fall into one of four categories, depending on the size of their business. For example, Visa’s compliance levels are:

  • Level 1: Merchants processing over 6 million Visa transactions annually across all channels.
  • Level 2: Merchants processing 1-6 million Visa transactions annually across all channels.
  • Level 3: Merchants processing 20,000-1 million e-commerce Visa transactions annually.
  • Level 4: Merchants processing under 20,000 e-commerce Visa transactions, or up to 1 million total Visa transactions annually.

Organizations should always confirm if they are eligible for self-assessment to avoid falling out of compliance. Even when self-assessing, organizations must still declare full PCI DSS compliance and have ongoing compliance responsibilities. A Qualified Security Assessor (QSA) or consultant can help validate a self-assessment to ensure that no steps have been overlooked or misinterpreted.

How Aware supports real-time PCI compliance

Aware’s real-time compliance monitoring uses industry-leading NLP technology to analyze messages from collaboration tools like Slack and Teams in real time. Using Aware, organizations can detect the unauthorized sharing of PCI and personally identifiable information (PII) as it happens, for faster mitigation and enhanced security in digital workplace tools.

  • AI-powered workflows detect violations even when employees avoid keywords or format card data to evade regular-expression patterns
  • Centralized PCI compliance for your entire collaboration stack from a single secure platform
  • Computer vision models detect PCI and PII sharing even in images
  • RBAC, audit logs and detailed analytics ensure you’re always audit-ready

The Aware platform connects seamlessly to your existing workflows with zero impact on end users for enhanced security that doesn’t drive employees to shadow IT. Request a demo to learn more about how Aware can help keep you PCI compliant in collaboration today.
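As an added example (not Aware's code, models or detection logic), here is the basic detection step the section above describes, written as a plain Luhn-validated card-number scanner over constructed chat messages: it tolerates the spaces, dashes and dots employees use to sidestep a naive pattern, and masks every hit so the alert itself never stores a full PAN (requirement 3).

```python
import re

# Digits optionally split by single spaces, dashes or dots, so that
# "4111 1111 1111 1111", "5500-0000-0000-0004" and "4 1 1 1 ..." all match.
CANDIDATE = re.compile(r"(?<![\d])(?:\d[ \-.]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every payment card PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so alerts and logs never hold a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(message: str) -> list:
    """Return masked PANs found in one chat message (13-19 digits, Luhn-valid)."""
    hits = []
    for m in CANDIDATE.finditer(message):
        digits = re.sub(r"[ \-.]", "", m.group(0))   # undo the obfuscation
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_messages(messages: list) -> list:
    """Scan a batch of messages; returns (message index, masked PAN) alerts."""
    return [(i, pan) for i, msg in enumerate(messages) for pan in find_pans(msg)]


# Constructed sample messages. The card numbers are the well-known Luhn-valid
# test PANs used in payment integration docs, not real cards.
SAMPLE_MESSAGES = [
    "can you run the refund on 4111 1111 1111 1111 exp 12/26?",
    "card is 5500-0000-0000-0004, cvv in DM",
    "ticket 1234567890123 is still open",          # 13 digits, fails Luhn: no alert
    "try 4 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 please",  # spaced out to dodge a naive regex
]

if __name__ == "__main__":
    for idx, masked in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: possible PAN {masked}")
```

A production detector would add BIN-range checks, image OCR and context scoring on top of this, but the normalize-then-Luhn step is what separates a card number from an order or ticket number.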


Topics: Compliance Adherence