Skip to main content

PCI DSS compliance is often overlooked when it comes to your Salesforce org. Why? Because you rely on tools like Salesforce Shield and Commerce Cloud. But just because you have these in place, doesn’t mean all your boxes are checked in terms of compliance. 

While Salesforce itself is PCI compliant, it doesn’t cover your customizations or third party integrations– and the more of these you have, the more vulnerabilities your Org poses. 

For InfoSec, IT and Business Security leaders to ensure the integrity of their Org’s compliance, they must confidently identify what’s being done with your data, where it’s being transferred and stored, who has access to it and more.

Not sure if your Org is completely PCI DSS compliant? We’ve got you covered. Read on to learn everything you need to know in terms of keeping the payment information within your Salesforce Org secure.

What is PCI DSS Compliance? 

Let’s start with the basics. PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS was created to protect cardholder data and reduce credit card fraud.

The PCI DSS is not a law, but rather a set of requirements established by major credit card companies such as Visa, Mastercard, American Express, Discover, and JCB. Compliance with PCI DSS is mandatory for any organization that handles credit card data, regardless of its size or the number of transactions it processes.

Entities That Must Comply With PCI DSS

Essentially, any entity that handles payment card data in any capacity is subject to PCI DSS compliance requirements. This includes both large multinational corporations and small businesses, as well as any third-party entities involved in the payment card ecosystem. This includes:

  • Merchants: Any business that accepts credit or debit card payments, whether it’s through e-commerce platforms, point-of-sale (POS) systems, or any other payment processing method.
  • Service providers: Third-party entities that handle payment card data on behalf of merchants or other service providers. This includes payment gateways, hosting providers, managed security service providers (MSSPs), and others.
  • Payment processors: Entities involved in the processing, authorization, clearing, or settlement of payment card transactions.
  • Issuing banks: Financial institutions that issue payment cards (credit or debit cards) to consumers.
  • Acquiring banks: Financial institutions that establish and maintain merchant accounts, allowing businesses to accept payment card transactions.
  • Independent sales organizations (ISOs) and payment facilitators: Organizations that facilitate payment card transactions on behalf of merchants, often acting as intermediaries between merchants and acquiring banks.
  • E-commerce platforms: Online retailers and e-commerce platforms that accept payment card payments through their websites or mobile applications.
  • Call centers: Organizations that accept payment card information over the phone for transactions.

Compliance is mandated by the major payment card brands (Visa, Mastercard, American Express, Discover, and JCB) and is enforced through contracts and agreements between these brands, acquiring banks, and merchants or service providers. However, depending on your volume of transactions, you may fall under a different compliance level, which will require different measures.

Verifying Your PCI Compliance Level

PCI DSS compliance levels are determined based on the volume of transactions processed by an organization annually. The compliance levels are categorized into four levels, with Level 1 being the highest and Level 4 being the lowest. The transaction volume thresholds for each level may vary slightly depending on the specific payment card brands (Visa, Mastercard, etc.), but generally, they are as follows:

1. Level 1 

Applies to merchants that process over 6 million Visa or Mastercard transactions annually across all channels or any merchant that has suffered a data breach involving cardholder data.

Level 1 merchants are subject to the most stringent requirements and are typically required to undergo an annual on-site assessment conducted by a Qualified Security Assessor (QSA).

2. Level 2

Applies to merchants that process between 1 million and 6 million Visa or Mastercard transactions annually across all channels.

Level 2 merchants are required to submit an annual self-assessment questionnaire (SAQ) and may also need to undergo periodic vulnerability scans conducted by an Approved Scanning Vendor (ASV).

3. Level 3

Applies to merchants that process between 20,000 and 1 million Visa or Mastercard e-commerce transactions annually.

Level 3 merchants are required to submit an annual self-assessment questionnaire (SAQ) and may also need to undergo periodic vulnerability scans conducted by an Approved Scanning Vendor (ASV).

4. Level 4

Applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions annually or up to 1 million transactions annually across all channels.

Level 4 merchants are also required to submit an annual self-assessment questionnaire (SAQ) and may need to undergo periodic vulnerability scans conducted by an Approved Scanning Vendor (ASV).

It’s important to note that compliance validation requirements may vary based on factors such as the payment channels used (e-commerce, point-of-sale, etc.) and the specific card brands being processed. Additionally, merchants may be required to comply with additional security standards or regulations beyond PCI DSS, depending on their industry or geographic location.

Overall, the compliance levels help tailor the requirements and validation processes to the size and complexity of the organization’s cardholder data environment, ensuring that adequate security measures are in place while minimizing unnecessary burden on smaller merchants.

Key Requirements of PCI DSS Compliance

The standard consists of twelve requirements grouped into six control objectives. These requirements encompass various security measures such as implementing firewalls, encrypting data transmissions, restricting access to cardholder data, conducting regular security assessments, and maintaining security policies and procedures.

  1. Build and maintain a secure network and systems.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

Let’s expand on the requirements under each objective each.

1. Build and maintain a secure network and systems

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

These requirements fall under the first control objective, emphasizing the importance of establishing and maintaining a secure foundation for network infrastructure and systems. Firewalls help control access to cardholder data, while avoiding default passwords ensures that systems are not vulnerable to common attacks.

2. Protect cardholder data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

This control objective focuses on safeguarding cardholder data wherever it is stored or transmitted. Encryption plays a crucial role in protecting sensitive information, both in storage and during transmission over public networks.

3. Maintain a vulnerability management program

  • Protect all systems against malware and regularly update antivirus software or programs.
  • Develop and maintain secure systems and applications.

These requirements address the need for organizations to proactively manage vulnerabilities in their systems and applications. Implementing robust antivirus measures and keeping systems up-to-date with security patches help mitigate the risk of exploitation by malicious actors.

4. Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.

Access control is fundamental to ensuring that only authorized individuals have access to cardholder data. These requirements emphasize the importance of implementing strong authentication mechanisms, limiting access based on job roles, and controlling physical access to sensitive areas where cardholder data is stored or processed.

5. Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Monitoring and testing are essential components of a robust security program. By continuously monitoring access and activity within the network and regularly testing security controls, organizations can identify and address potential security weaknesses or breaches promptly.

6. Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel.
  • Ensure the security policy is maintained and updated regularly.

A comprehensive information security policy provides guidelines and procedures for employees to follow in safeguarding cardholder data and maintaining a secure environment. Regular updates to the security policy help ensure that it remains relevant and effective in addressing evolving security threats and compliance requirements.

Consequences of Violating PCI DSS

Organizations that fail to comply with PCI DSS may face fines, penalties, and potential loss of the ability to process credit card transactions. The penalties for not being PCI compliant can vary depending on the severity of the non-compliance and the circumstances surrounding the violation. Some potential penalties include:

1. Fines

The major credit card companies, such as Visa, Mastercard, American Express, Discover, and JCB, have the authority to impose fines on organizations that fail to comply with PCI DSS requirements. Fines can range from thousands to millions of dollars, depending on the number of violations and the volume of transactions processed by the organization.

2. Suspension of payment processing privileges

Non-compliant organizations may face suspension or termination of their ability to process credit card transactions. This can severely impact the organization’s ability to conduct business, resulting in revenue loss and damage to its reputation.

3. Legal action

In some cases, non-compliance with PCI DSS may lead to legal action, including lawsuits from affected customers or regulatory agencies. Organizations may be held liable for damages resulting from data breaches or other security incidents related to non-compliance.

4. Increased compliance costs

Remediation efforts to address non-compliance issues can be costly, including investments in security technologies, hiring consultants or auditors, and implementing new policies and procedures. Failure to address compliance issues promptly can result in ongoing financial burdens for the organization.

5. Reputational damage

A data breach or security incident resulting from non-compliance can have significant reputational consequences for the organization. Loss of customer trust and negative publicity can impact customer loyalty, brand reputation, and long-term business success.

6. Loss of business opportunities

Non-compliance with PCI DSS may lead to lost business opportunities, as potential partners, vendors, or customers may choose to work with compliant organizations to mitigate their own risk exposure.

Besides the risk of facing these consequences, ensuring PCI DSS compliance is crucial for protecting both customer data and the organization’s reputation. In the context of Salesforce, ensuring PCI DSS compliance involves implementing appropriate security controls and configurations to safeguard credit card information stored within the Salesforce platform.

How Salesforce Fits Into Your Compliance Program

Being one of your most business critical systems, Salesforce plays a pivotal role in achieving PCI compliance. Organizations can leverage Salesforce’s vast out-of-the-box features to help with compliance, including encryption capabilities, access control measures, and event monitoring functionalities to ensure that sensitive information is protected both at rest and in transit. However, relying on these features alone may not be enough to mitigate all risks. Let’s explore how Salesforce, coupled with third-party tools, can help ensure your Org remains PCI compliant. 

1. Data storage and protection requirements

Salesforce provides encryption capabilities for sensitive information stored within the platform, both at rest and in transit. Organizations must ensure that any payment card data stored in Salesforce is appropriately encrypted to meet PCI DSS standards. This includes utilizing Salesforce Shield, which offers features like Platform Encryption for encrypting data at rest and Event Monitoring for tracking user activity, enhancing data security.

2. Access control measures:

Access control measures within Salesforce are paramount for maintaining PCI compliance. Organizations need to implement strict access controls to limit access to payment card data to only authorized personnel with legitimate business needs. Salesforce’s role-based access control (RBAC) features enable organizations to define granular access permissions, ensuring that users can only access the data necessary for their specific job roles. Additionally, implementing multi-factor authentication (MFA) further enhances user authentication security, reducing the risk of unauthorized access to sensitive data.

3. Documentation and data management policies

Documentation and data management policies are essential components of PCI compliance within Salesforce. Organizations must maintain comprehensive documentation outlining policies and procedures for handling payment card data within the platform. This includes data retention and disposal policies to securely manage cardholder data throughout its lifecycle. Proper documentation ensures that processes align with PCI DSS requirements and provides a framework for compliance audits and assessments.

4. Integration requirements

When integrating Salesforce with other systems or third-party applications that handle payment card data, organizations must ensure that data transmission is encrypted and that proper authentication mechanisms are in place. Conducting thorough security reviews and assessments of any integrations is crucial to ensure they comply with PCI DSS requirements. Integrations should adhere to best practices for secure data exchange and authentication to minimize the risk of unauthorized access or data breaches.

Pro Tip: Implement integration monitoring 

With Sonar’s event monitoring, you can proactively identify potential risks of data leakage, particularly regarding payment card data, in real-time. By implementing this tool, you can stay ahead of security threats and maintain compliance with PCI DSS requirements, moving away from the traditional reactive model towards a more proactive stance in safeguarding cardholder data.

5. Incident management and monitoring

Implementing robust monitoring and logging capabilities within Salesforce is essential to detect and respond to security incidents promptly. Establishing incident response procedures to address and mitigate any security breaches or unauthorized access to payment card data stored within Salesforce is vital. Regularly reviewing and analyzing security logs and audit trails can help identify potential security issues or policy violations, enabling proactive measures to strengthen security controls and prevent future incidents.

Pro tip: Always have your finger on the pulse of your Org

Utilize Sonar’s incident management capabilities to promptly address any security incidents or outages within your Salesforce org. Sonar provides instant alerts and comprehensive insights, including performance metrics, SLAs, related automations, and system stakeholders. This information equips your IT and InfoSec teams with the necessary details to resolve issues quickly and minimize disruptions to PCI-compliant operations. 

Conclusion: Have Full Visibility of Payment Data Across Your Tech Stack 

Knowing where your payment data is being accessed, stored and from who is critical to remaining compliant under PCI. With many team members having their hands in your Org, ensuring compliance must be a collaborative effort across departments from RevOps, GTM teams, and InfoSec. 

Sonar makes overseeing payment data simple. Our all-in-one Salesforce solution provides InfoSec teams:

  • Event monitoring across your GTM tech stack 
  • Simplified salesforce data classification 
  • Change logs for Salesforce audits 
  • Mitigated risk and ensured system uptime 

And more. Implement Sonar for strengthened PCI DSS compliance today. Click here to get started for free