How to Be PCI DSS Compliant: An Information Guide for Your Salesforce Org

With great power comes great responsibility — as you can imagine, this is especially true for companies that handle payment card information. Given its sensitivity, it is no surprise that there are strict rules governing how cardholder information should be used. 

The Payment Card Industry Data Security Standard (PCI DSS) is the official set of rules that governs the security of payment information. Created by American Express, Visa, Mastercard, JCB, and Discover, PCI DSS was developed to address fraud and security issues related to digital payments.

What is PCI DSS?

PCI DSS includes 12 requirements, divided into four categories: policies and procedures, vulnerability management systems, access control systems, and technology security systems. PCI DSS applies to any company that accepts, stores, processes or transmits payment card information — regardless of size. 

Why do organizations need to be compliant with PCI DSS?

The primary focus of PCI DSS is to improve the safety of consumer information, but there are benefits for organizations, too. Staying compliant with PCI DSS protects organizations from the reputational damage and heavy regulatory fines that data breaches commonly cause. There has been no shortage of high-profile examples of this in recent years; according to an IBM Security report, the average cost of a data breach in 2020 was $8.64 million.

What’s more, Visa and Mastercard can actually impose additional fines on companies that don’t comply with PCI DSS.

What are the PCI DSS requirements?

The PCI DSS standards are robust, to say the least; the official documentation is over 1,800 pages long — and it outlines 300+ security controls. To make things a little easier, here are the 12 main requirements that act as a best practice guide:

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open or public networks

Maintain a Vulnerability Management Program

  • Protect all systems against malware and regularly update anti-virus software
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

Is Salesforce PCI compliant?

As of January 2021, Salesforce is PCI certified. The company keeps a list of certifications for each of their Clouds on their Trust site. 

How does my organization become PCI DSS certified?

Although Salesforce is PCI DSS certified, any organization that accepts credit cards will still own some level of PCI compliance responsibility. To make it easier for businesses to validate whether they’ve met the requirements, the PCI Council created nine Self-Assessment Questionnaires (SAQs) that can be used to evaluate PCI compliance. Organizations will need to complete the assessment and submit it to the Council, where it will then be reviewed and either approved or denied.

To make things trickier, however, the PCI Council revises its rules every three years. While some organizations can get a handle on PCI compliance themselves, others find it useful to hire a PCI Council-approved auditor to verify that each requirement has been met.

The level of compliance required from each merchant is determined by how many transactions they process each year; the theory goes that the more transactions you process, the more your information is at risk. Although Visa, Mastercard, JCB, American Express and Discover each have their own defined levels, in general, they look like this:

  • Level 1: Over 6 million card transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 4: Fewer than 20,000 transactions annually

PCI DSS: How to keep up with the standards

As we mentioned, PCI DSS can get pretty complex — and it is a joint responsibility between Salesforce and businesses to ensure that their processes and systems are compliant. To get started today, we’ve outlined a few best practices that might help ensure you’re doing your part.

  1. Do not store any sensitive cardholder data in Salesforce.
  2. Install and maintain a firewall.
  3. Use data classification to ensure sensitive information can be easily identified and secured.
  4. Encrypt the transmission of cardholder data and other sensitive information.
  5. Implement strong access control standards.
  6. Utilize Salesforce’s password settings and ensure that users’ passwords expire at set intervals.

Check out the official PCI DSS Council website for more information.