
Payment Card Industry Data Security Standard (PCI DSS): What You Need to Know for Secure Payments


Chris Barker

Senior Director, Product Security, Semtech

The electronic payments industry has undergone a radical change over the past several years with the proliferation of convenient digital payment options such as contactless cards and smartphones/smart watches with mobile payment capabilities and apps. These contactless payment options are increasingly supported at payment terminals, vending machines, EV chargers and kiosks as well as for peer-to-peer mobile payments. These new methods bring speed and convenience to transactions and are rapidly replacing the use of cash or the swipe of a credit card in many countries. These emerging capabilities require reliable connectivity to communicate with the processors and payments networks that approve and complete transactions. And as these transactions include a wealth of sensitive data, such as customer details and financial information, security is paramount.

Cellular Connectivity is a Must for Payments

Increasingly, many across the payments value chain are opting for cellular IoT connectivity, which provides robust, reliable and secure coverage for attended or unattended connected vending “things” with embedded IoT SIMs. Cellular data is encrypted, by default, and mobile network operators are constantly investing resources to identify and resolve any security gaps that might be exploited. Sierra Wireless’ Smart Connectivity provides further enhancements including the latest encryption technologies and best practices for physical security, data network security and information security, making the payments process as secure as possible.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to enhance payment account data security worldwide by developing, and driving adoption of, data security standards and resources for safe payments. To protect the sensitive information associated with credit and debit cards, the major payment card brands have established a standard set of security requirements called the Payment Card Industry Data Security Standard (PCI DSS). All organizations that handle cardholder information, or that could affect the security of cardholder information, are required to meet these standards for every process and system that can affect the security of cardholder data.

PCI Compliance Explained

There are several levels of PCI compliance, and the level that applies to your business depends on the number of card transactions it processes each year.
  • Merchant Level 1: Processes over 6 million transactions every year
  • Merchant Level 2: Processes between 1 million and 6 million transactions every year
  • Merchant Level 3: Processes between 20,000 and 1 million transactions every year
  • Merchant Level 4: Processes fewer than 20,000 transactions every year

The PCI requirements that apply depend on which level is applicable to your business, and merchants must complete the relevant PCI DSS Self-Assessment Questionnaire (SAQ). The 12 key requirements for PCI compliance are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Being PCI compliant is not a legal requirement. However, merchants who accept card payments are strongly advised to follow the requirements set by the PCI SSC, both to reduce the risk of a cardholder data breach and to avoid substantial non-compliance fees. PCI compliance is not a one-time exercise; it must be revalidated every year.

Sierra Wireless’ Smart Connectivity and PCI

Sierra Wireless Smart Connectivity provides continuous cellular network availability and secure access for payment solutions, while monitoring the core networks to prevent disruptions and enable 99.9% uptime. Furthermore, Sierra Wireless’ Smart Connectivity service has implemented key PCI security requirements:

  • All data is fully encrypted whether in-transit or at rest.
  • Access to the infrastructure and data is restricted, logged and audited regularly.
  • Servers and network infrastructure are maintained with the latest security patches.
  • Regular internal security audits, third-party audits and telecommunications-specific security audits are performed.

As part of the commitment to security and PCI compliance, we operate a Security Operations Center that provides 24x7 monitoring of, and response to, any detected threats or discovered vulnerabilities, so that data is protected at all times. For reliability, the data centers and public cloud environments are compliant with the Tier III and Tier IV data center standards [1]. The Center for Internet Security (CIS) v8 security control framework is used to assess our compliance with the latest security best practices. CIS is a trusted resource for cyber threat prevention and protection and for globally recognized best practices for securing IT systems and data.

Semtech and PCI DSS

Sierra Wireless is a Semtech company and, like many businesses, Semtech also accepts credit card payments for several different product offerings and has conducted an in-depth review of its PCI obligations. Below is how Semtech manages its PCI Compliance Program:

  • Our Product Security team partners with Product Development and Service Delivery teams who propose new products and services or changes to existing products and services that require payments via a credit card or other electronic means not managed through bank transfer.
  • The Product Security team will evaluate the product, create detailed data flow diagrams/payment flow diagrams and provide guidance on the optimal path ahead to minimize PCI exposure.
  • The Product Security team follows the product development lifecycle and ensures the payment process is being developed and implemented as planned.
  • If necessary, the Product Security team will facilitate the relevant SAQ, conduct a gap analysis, ensure compliance with the key security requirements and bring in a third-party Qualified Security Assessor (QSA) to support the certification process.

Find out more

A recent Sierra Wireless paper, "How cellular connectivity can support your payments journey", explores in more detail how Sierra Wireless Smart Connectivity provides payment solutions with continuous availability and secure access.

Notes:

  1. Uptime Institute's Tier Standards.
  2. In March 2022, the PCI SSC released PCI DSS version 4.0. This release comes with some major changes to compliance requirements, as well as some additional flexibility in options for performing assessments. The primary concern for most organizations will be understanding the new and evolving requirements associated with version 4.0 and ensuring there are no gaps in compliance when switching over from v3.2.1 by the required date (for your first assessment after March 31, 2024).

Sierra Wireless and Semtech are registered trademarks or service marks of Semtech Corporation or its subsidiaries.
