Determining if you need to comply with PCI DSS is relatively simple. If you are a merchant or service provider that processes card transactions and handles cardholder data, PCI DSS likely applies to you. However, understanding the specific steps to achieve compliance is more complex.
PCI DSS includes 12 requirements for securely handling cardholder data, grouped into six objectives. You must fulfill all these requirements to attain compliance.
These 12 PCI DSS requirements map to six major principles of PCI compliance, which are:
If all of these conditions are met, the cardholder data environment and the services that are in scope are considered PCI compliant.
• Requirement 1: Install and maintain network security controls
• Requirement 2: Apply secure configurations to all system components
• Requirement 3: Protect stored account data
• Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
• Requirement 5: Protect all systems and networks from malicious software
• Requirement 6: Develop and maintain secure systems and software
• Requirement 7: Restrict access to system components and cardholder data by business need-to-know
• Requirement 8: Identify users and authenticate access to system components
• Requirement 9: Restrict physical access to cardholder data
• Requirement 10: Log and monitor all access to system components and cardholder data
• Requirement 11: Test security of systems and networks regularly
• Requirement 12: Support information security with organizational policies and programs
A credit card data breach can lead to significant financial losses for your company, with expenses piling up from incident response and remediation efforts, such as forensic investigations, legal fees, FTC audit costs, cardholder notifications, and customer compensation. Additionally, you may face increased rates from banks and payment processors.
These costs don't account for the damage to customer loyalty and your brand's reputation.
Moreover, any breach involving cardholder data automatically escalates your company to PCI compliance level 1, regardless of the number of transactions processed. Achieving level 1 compliance necessitates a comprehensive assessment conducted by a Qualified Security Assessor (QSA).
Network devices and equipment often come with default passwords and settings, which are commonly known and can be easily exploited by hackers.
To prevent unauthorized access, PCI DSS requires businesses to change these default passwords before installing any system on their network. This ensures that default credentials aren't left in place, reducing the risk of a security breach.
This requirement outlines specific steps businesses must take to protect stored cardholder data, whether it's printed, stored locally, or held in a database.
Cardholder data could refer to any information contained on a payment card, such as PINs, PAN data, and sensitive authentication data.
PCI DSS outlines what you can and cannot store after authorization when it comes to cardholder data.
Can store:
Cannot store:
The requirement also specifies that businesses should store only the card data necessary to meet business needs. Any data that you do store should be encrypted using industry-accepted algorithms such as AES-256.
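As an added example (not code from the page or from PCIcompliant.org), the following Python shows what "store only what you need, and render the PAN unreadable" looks like at the point where a post-authorization record is written. The field names (`cvv`, `track_data`, `pin`, `pin_block`, `pan`) and the key value are constructed assumptions. Sensitive authentication data is dropped outright, the PAN is truncated to at most the first 6 and last 4 digits, and a keyed HMAC-SHA256 token is kept so records for one card can still be correlated without storing the PAN itself.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed field names for a post-authorization record; an assumption of
# this example, not something the page defines.
# Sensitive authentication data (SAD): must never be retained after authorization.
SAD_FIELDS = {"cvv", "track_data", "pin", "pin_block"}


def _digits(pan: str) -> str:
    """Strip the spaces and dashes people type into a PAN."""
    return "".join(ch for ch in pan if ch.isdigit())


def truncate_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits; the rest is replaced by '*'."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN length out of range")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) that lets records for one card be matched
    without storing the PAN. An unkeyed hash of a PAN is brute-forceable
    because the digit space is small, so the key matters and must live in a
    separately managed key store, not beside the records."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return the subset of a post-authorization record that may be persisted.
    SAD is dropped, the PAN is replaced by a truncated form plus a keyed token,
    and every other field (cardholder name, expiry, order id) passes through."""
    stored: Dict[str, Any] = {}
    for name, value in record.items():
        if name in SAD_FIELDS:
            continue  # never written, not even in masked form
        if name == "pan":
            stored["pan_truncated"] = truncate_pan(value)
            stored["pan_token"] = pan_token(value, key)
        else:
            stored[name] = value
    return stored


if __name__ == "__main__":
    # Constructed sample record using a well-known test PAN.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29",
              "cardholder_name": "A. Example", "order_id": "ord-42"}
    print(sanitize_for_storage(sample, b"demo-key-from-key-store"))
```

Truncation covers the stored copy only; anything that must hold the full PAN (for example a settlement file) still needs strong encryption with its own key management, and the HMAC key must be rotated and protected like any other cryptographic key.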
This requirement focuses on safeguarding cardholder data when it's transmitted over open, public networks like the internet.
When sharing cardholder data across these networks, businesses must use strong encryption to protect it from unauthorized access.
PCI DSS also mandates that businesses never send unprotected Primary Account Numbers (PAN) through end-user messaging platforms such as email, instant messaging, SMS, or chat.
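The rule against sending unprotected PANs through email, SMS or chat is easiest to enforce at the point where such messages leave the environment. The Python below is an added example, not code from the page: it finds digit runs of 13 to 19 characters that pass the Luhn check (which nearly every payment card number does), redacts them, and refuses to send a message that still contains one. The function names and the placement of the check in a messaging layer are assumptions of the example.

```python
import re
from typing import List

# 13 to 19 digits, optionally separated by single spaces or dashes, with no
# trailing separator so that a replacement keeps the surrounding text intact.
_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; it filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit runs in text that look like real PANs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every PAN-looking run with a placeholder; other digit runs stay."""
    def _sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "[PAN REDACTED]" if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


def check_outbound_message(text: str) -> str:
    """Gate for email/SMS/chat senders: refuse to send if an unprotected PAN is present."""
    if find_pans(text):
        raise ValueError("message contains an unprotected PAN; use the secure channel")
    return text


if __name__ == "__main__":
    # Constructed sample message using a well-known test PAN.
    print(redact_pans("Customer says card 4111 1111 1111 1111 was declined, ticket 1234567890123"))
```

This is a coarse filter, not a substitute for encrypting the channel: a PAN split across two messages or written with unusual separators slips past it, and a long order number can occasionally pass Luhn by chance, so the redacted copy should be what gets sent, with the refusal logged for the daily review.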
Malicious software, or malware, can infiltrate a network through various channels such as email, social engineering, or installing harmful files. To safeguard cardholder data from these threats, businesses must install and regularly update anti-virus software.
Requirement 5 details the steps to protect against malware, including:
• Installing anti-virus software on all systems vulnerable to malware
• Ensuring the software performs regular scans and generates audit logs
• Preventing users from altering or disabling the anti-virus software
Requirement 6 ensures that businesses have a process to manage the software within their Cardholder Data Environment (CDE). This applies to all in-scope applications in your system.
PCI DSS also mandates timely installation of security patches to safeguard cardholder data. Additionally, it includes controls for following software development best practices to prevent potential vulnerabilities.
Access controls allow a business to determine which users are authorized to access cardholder data or systems that can impact cardholder data. As a general rule of thumb, PCI DSS prescribes that authorization should be granted on a need-to-know basis.
Requirement 7 states that a business should restrict access to cardholder data only to employees who need the information to perform their job.
PCI DSS requires businesses to assign a unique ID to each employee with access to system components. This helps track user activity and identify who accessed cardholder data or related systems in the event of a breach.
Additionally, Requirement 8 mandates the use of multi-factor authentication and password encryption to enhance the security of user accounts.
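Requirements 7 and 8 together come down to three checks at every access decision: the identity is an individual's (not a shared or generic account), the session has passed multi-factor authentication, and the permission is granted through an explicit role rather than by default. The Python below is an added example, not code from the page; the role names, permission names and the list of generic identifiers are constructed assumptions. It also includes the periodic account review a QSA would expect to see evidence of.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role model; role and permission names are assumptions of this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support_agent": {"view_truncated_pan"},
    "chargeback_analyst": {"view_truncated_pan", "view_full_pan"},
    "cde_dba": {"db_admin"},
}

# Generic or shared identifiers cannot be traced back to one person (Requirement 8).
GENERIC_IDS = {"admin", "root", "shared", "support", "guest", "operator"}


@dataclass
class User:
    user_id: str       # unique per individual
    roles: Set[str]
    mfa_enrolled: bool


def is_authorized(user: User, permission: str, mfa_verified: bool) -> bool:
    """Deny by default: a permission is granted only through an explicit role,
    only under an individual ID, and only after MFA succeeded for this session."""
    if user.user_id.lower() in GENERIC_IDS:
        return False
    if not (user.mfa_enrolled and mfa_verified):
        return False
    granted: Set[str] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    return permission in granted


def account_review(users: List[User]) -> Dict[str, List[str]]:
    """Findings for the periodic access review: generic IDs, accounts without
    MFA, and accounts carrying roles that no longer exist in the role model."""
    findings: Dict[str, List[str]] = {"generic_id": [], "no_mfa": [], "unknown_role": []}
    for u in users:
        if u.user_id.lower() in GENERIC_IDS:
            findings["generic_id"].append(u.user_id)
        if not u.mfa_enrolled:
            findings["no_mfa"].append(u.user_id)
        if u.roles - set(ROLE_PERMISSIONS):
            findings["unknown_role"].append(u.user_id)
    return findings


if __name__ == "__main__":
    # Constructed sample accounts.
    staff = [User("alice.m", {"chargeback_analyst"}, True),
             User("support", {"chargeback_analyst"}, True),
             User("carol.t", {"cde_dba"}, False)]
    print(account_review(staff))
```

Keeping the generic-ID and MFA checks inside the authorization function, rather than only in onboarding, means a shared account that slips into the directory later still gets no access to cardholder data.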
This requirement aims to restrict physical access to cardholder data and related systems to only those employees who need it for their job duties. PCI DSS also mandates businesses to clearly differentiate between on-site personnel and visitors, such as using ID badges.
Requirement 9 further details the steps for securing both paper and electronic media containing cardholder data. It includes storing media backups in a secure, off-site location and properly destroying media when it's no longer needed.
Requirement 10 emphasizes the importance of generating logs to track actions back to individual accounts, enabling businesses to quickly pinpoint the source of any malicious requests or attacks.
Organizations must implement automated audit trails that monitor specific events and notify personnel for daily reviews. Additionally, these audit trails must be secured to prevent any alterations.
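Two things Requirement 10 asks for can be shown in a few dozen lines: an audit trail that reveals any alteration, and a queue of the event types that someone has to look at daily. The Python below is an added example, not code from the page. Each entry carries an HMAC-SHA256 over the previous entry's MAC plus its own content, so editing, deleting or reordering an entry breaks the chain from that point on. The event type names and the signing key are constructed assumptions; the categories in `REVIEW_EVENTS` reflect the kinds of events PCI DSS expects to be logged (access to cardholder data, administrative actions, failed access attempts, credential changes, and access to or stopping of the audit logs).

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # "previous MAC" for the first entry

# Event types that go to the daily review queue; names are constructed here.
REVIEW_EVENTS = {"chd_access", "admin_action", "auth_failure",
                 "audit_log_access", "credential_change", "audit_log_stop"}


def _mac(key: bytes, prev: str, event: Dict[str, Any]) -> str:
    # Canonical JSON so the same event always produces the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_event(chain: List[Dict[str, Any]], event: Dict[str, Any], key: bytes) -> None:
    """Append an event, binding it to the entry before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": _mac(key, prev, event)})


def verify_chain(chain: List[Dict[str, Any]], key: bytes) -> int:
    """Return the index of the first entry that fails verification, or -1 if
    the whole trail is intact. Any edit, deletion or reordering shows up at or
    before the point where it happened."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _mac(key, prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return -1


def daily_review_queue(chain: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Events that personnel must look at during the daily review."""
    return [e["event"] for e in chain if e["event"].get("type") in REVIEW_EVENTS]


if __name__ == "__main__":
    # Constructed sample events.
    key = b"signing-key-held-by-the-log-server"
    trail: List[Dict[str, Any]] = []
    append_event(trail, {"type": "login", "user": "jdoe", "ok": True}, key)
    append_event(trail, {"type": "chd_access", "user": "jdoe", "record": "ord-42"}, key)
    append_event(trail, {"type": "auth_failure", "user": "asmith"}, key)
    print("intact:", verify_chain(trail, key) == -1)
    print("to review:", daily_review_queue(trail))
```

The key has to be held by the log collector, not by the systems that generate the entries; an administrator who can both edit the trail and read the key can simply re-chain it, which is why PCI DSS wants audit logs shipped to a system the people being monitored cannot modify.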
The purpose of Requirement 11 is to maintain the ongoing security of internal and external systems through regular testing.
These tests include quarterly network vulnerability scans and annual penetration testing. Network intrusion detection or intrusion prevention techniques must also be deployed to detect or prevent network intrusions.
The last requirement of PCI DSS mandates that businesses develop and uphold an information security policy that shapes security practices throughout the organization.
This requirement also entails that businesses:
• Establish a security awareness program
• Perform background checks on potential hires
• Implement an incident response plan
• Conduct an annual risk assessment
• Create a technology usage policy
• Define employees' information security responsibilities
• Assign specific roles for safeguarding cardholder data
Embarking on the PCI compliance journey requires a structured approach. Here are five essential steps to guide your business to successful adherence.
Determine if PCI DSS applies to your business by assessing how you handle cardholder data and transactions.
Educate your team on the importance of PCI compliance and cybersecurity best practices to ensure secure cardholder data handling.
Implement necessary technical and operational safeguards, such as firewalls, encryption, and access controls, to meet PCI DSS standards.
Assign dedicated personnel, tools, and budget to manage PCI compliance, ensuring all requirements are met efficiently.
Regularly audit and test your systems to maintain compliance, addressing any vulnerabilities and staying updated with PCI requirements.
Curated by PCIcompliant.org, this page provides publicly-sourced information on everything related to the PCI DSS Directive. Presented in a clear and concise manner for easy consumption.
Disclaimer
The information provided on this website is intended for educational and informational purposes only. The content is not intended to be a substitute for professional advice or any other legal advisory, service, etc. The site’s administrators and contributors make no representations or warranties of the information on the site. Any reliance you place on such information is therefore strictly at your own risk.
Copyright By PCIcompliant.org