Compliance with the Payment Card Industry Data Security Standard (PCI DSS) means meeting 12 specific compliance requirements. If your organization processes credit- or debit card payments, you must comply with them.
What are the 12 PCI DSS compliance requirements?
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access to prevent unauthorized access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
In detail below, we’ll explore these requirements and how to comply with each. But first, let’s determine whether your entity needs to comply with PCI DSS and to what extent. If you’re preparing for a PCI DSS compliance audit and want to ensure success, download our free audit guide.
What is PCI DSS?
Visa, MasterCard, Discover Financial Services, JCB International, and American Express came together to develop the Payment Card Industry Data Security Standard (PCI DSS), a set of security guidelines, in 2004.
The Payment Card Industry Security Standards Council (PCI SSC) oversees the compliance program, which protects credit and debit card transactions from fraud and data theft.
It is a requirement for every company that conducts credit or debit card transactions, even if the PCI SSC has the legal ability to enforce compliance. The finest method for protecting sensitive data and information is also seen to be PCI certification, which aids companies in establishing enduring and reliable partnerships with their clients.
PCI DSS: Who Needs to Comply?
You may wonder who needs PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework intended to help merchants and service providers protect credit and debit card transactions from data breaches.
PCI DSS is not a law or regulation but an industry mandate. Your enterprise must be PCI-compliant if it accepts credit card payments or handles payment card data.
PCI DSS Compliance: Where to Begin
Twelve requirements don’t seem like a lot. But each PCI DSS requirement has directives and sub-requirements for 281. Only some of these directives pertain to some organizations, however.
To save time, money, and hassle, you’ll want to begin your PCI DSS compliance journey with scoping, in which you determine which requirements and directives are relevant to your enterprise.
Scoping begins with understanding which PCI DSS level your organization belongs to. The higher the level, the more requirements you’ll need to follow.
The Four PCI DSS Compliance Levels
The PCI Security Standards Council (PCI SSC), comprising major credit-card companies and other financial organizations, has established four PCI compliance levels.
Your organization’s status depends on how many payment-card transactions you process yearly and which cards you accept. Generally, the stories are as follows:
- PCI Compliance Level 1: More than six million Visa, Mastercard, or Discover or more than 2.5 million American Express transactions per year
- PCI Compliance Level 2: More than 1 million to 6 million Visa or Mastercard or more than 50,000 American Express transactions per year
- PCI Compliance Level 3: 20,000 to 1 million Visa or Mastercard transactions, or fewer than 50,000 American Express transactions per year
- PCI Compliance Level 4: Fewer than 20,000 Visa or Mastercard eCommerce transactions per year and fewer than 1 million total Visa or Mastercard credit card transactions, and no data breach or attack that compromised card or cardholder data
Those falling in merchant levels 2, 3, or 4 must complete the PCI DSS Self-Assessment Questionnaire (SAQ) annually and assess their network security every quarter.
Level 1 merchants must do much more:
- File an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor
- Submit the results of quarterly network vulnerability scans by an Approved Scan Vendor (ASV)
- Complete the PCI SSC Attestation of Compliance (AOC) form
What are the Benefits of PCI DSS Compliance?
It is accurate to claim that eCommerce has remained the leading market during the past few years. However, growing worries regarding the security of client information regarding online financial transactions go hand in hand with this trend.
PCI Compliance becomes relevant at this point.
Being PCI compliant has various advantages for e-commerce businesses.
Cut down on data leaks. For example, we secure the data of our client’s credit cards from online attacks.
- You can avoid paying fines for security flaws or data breaches. You are securing client data as securely as possible if you are PCI compliant.
- Customers’ brand reputation and trust may be enhanced when they purchase on your website.
- Protect your clients and your company while advancing global payment card security solutions
- You will be better equipped to comply with other PCI DSS standards like SOX and HIPAA as you progress toward PCI Compliance.
PCI compliance is mandated by courts even if it is not required by legislation. You must safeguard clients’ private financial information when you take card payments.
PCI DSS Compliance Checklist
The PCI DSS requirements fall into six categories. Here we list the categories, followed by the requirements that fall under them, and a brief explanation of what compliance with each entails.
Finally, check out our ultimate guide, PCI DSS Compliance Explained, for detailed information on every aspect of PCI DSS, including compliance levels, scoping, and the 12 requirements.
Build and Maintain a Secure Network
- Install and maintain a firewall to protect cardholder data: Review firewall configurations every six months, at minimum. Your firewalls should:
- Test changes and identify system connections that might affect cardholder data
- Deny traffic from “untrusted” networks and hosts
- Block public access to the cardholder data environment
- Be installed on every mobile or employee-owned computer that connects to your network.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- When adding a system, change its defaults before installing it-including defaults on wireless devices.
- Ensure your software settings address known security vulnerabilities and meet industry requirements.
- Encrypt everything.
- Make sure that hosting providers are protecting your information and your cardholders’ sensitive data.
Protect Cardholder Data
Cardholder data includes credit card data and debit card data: any information printed, processed, transmitted, or stored in any form on a payment card.
- Protect Stored Cardholder Data
- Do not store authentication information, even if it is encrypted.
- Do not display the Primary Account Numbers (PAN).
- Mask PANs wherever they are held, and minimize the places where you store them.
- Protect cryptographic keys.
- Document all the ways you use encryption and protect cryptographic keys.
- Encrypt Transmission of Cardholder Data Across Open, Public Networks
- Use Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption when transmitting data. Follow industry best practices, and don’t use outmoded Wired Equivalent Privacy (WEP) with your wireless system.
- Always encrypt PANs before transmission.
Maintain a Vulnerability Management Program
- Use and Regularly Update Antivirus Software
- Continually update antivirus software and install patches promptly.
- Install antivirus software and anti-malware on all systems, particularly personal ones, that could be attacked by malicious software.
- Ensure that antivirus software and programs are up-to-date, actively used, and generate logs for your auditors.
- Develop and Maintain Secure Systems and Applications
- Install vendor-supplied security updates within one month after their release.
- Use an alert system to identify new vulnerabilities.
- Use PCI DSS best practices end-to-end when developing a new system.
- Follow your policies and procedures when making a control change.
- Meet coding guidelines when developing web-based applications so that you can identify vulnerabilities.
- If you have a general, web-facing application, protect against known attacks by reviewing the code and installing the needed firewall.
Implement Strong Access Control Measures
- Restrict Access to Cardholder Data by Business Need-to-Know
- Limit access to system components to only those who need them.
- For systems components with multiple users, provide each person only with what they need to perform their job.
- Control user access to cardholder data.
- Assign a Unique ID to Each Person with Computer Access
- Limit access to systems and data based on the minimum information necessary for the job.
- Use at least one type of authentication, but preferably more.
- Provide remote workers with two-factor authentication or, even more preferable, multi-factor.
- Encrypt password information.
- Make sure that every non-consumer has proper authentication and password management.
- Restrict Physical Access to Cardholder Data
- Place appropriate controls and monitoring on access to physical information.
- Create procedures that clearly state who is allowed in each material area. This includes employees and visitors.
- Authorize visitors with a physical token that expires upon leaving the facility or on a specific date.
- Keep a visitor log.
- Make sure all media backups are off-site and protected.
- Lock up the paper and electronic media containing cardholder data.
- Control the use of media containing cardholder data.
- Provide management with information on and approval of the location and movement of data.
- Strictly control storage and access to media.
- Destroy data once you no longer need it using established protocols.
Regularly Monitor and Test Networks
- Track and Monitor All Access to Network Resources and Cardholder Data
- Provide users with individual access rights and document and monitor their access, especially users with administrative privileges.
- Develop automated audit trails to track entry to your information environment in case there’s a security breach.
- Synchronize all clocks.
- Lockdown audit trails to prevent tampering.
- Review logs daily.
- Retain audit documentation for at least one year and immediate history for at least three months.
- Regularly Test Security Systems and Processes
- Use wireless Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) to identify wireless devices connected to your design at least every quarter so you know all wireless access points.
- Scan for internal and external vulnerabilities quarterly or after a significant network change.
- Perform external and internal penetration testing at least once a year or after considerable infrastructure or application upgrades.
- Monitor traffic into and out of your cardholder data environment. Keep IDS/IPS engines up to date.
- Deploy alerts to your Information Technology (IT) department about unauthorized modification of system files, configuration files, or content files.
Maintain an Information Security Policy
- Maintain a Policy that Addresses Information Security
- Create an information security policy and distribute it to all users of your system and network; verify that all have read it. Please review the policy annually to ensure it protects your current Cardholder Data Environment (CDE).
- Assign daily security duties that meet PCI requirements.
- Write procedures for employee and contractor access to company technology and information, and share the policies with affected users.
- Clearly define the rights and responsibilities of employees and contractors.
Let ZenGRC Help You Maintain PCI DSS Compliance.
The penalties for PCI DSS non-compliance can be severe and crippling to any organization. If you fail to meet the requirements, the PCI SSC council could revoke your rights to process payment cards. The commission is serious about protecting cardholder data and insists you be.
Following the rules is the best way to keep those card-processing rights intact. And the best way to follow the PCI DSS rules is to use software to automate your compliance, alert you when you stray, and document your efforts to help you pass those dreaded certification audits effortlessly.
ZenGRC all these tasks and more. Our software:
- Probes your system and networks to determine where you comply with more than a dozen regulatory and industry frameworks and where you fall short
- Displays findings on an easy-to-read dashboard with checklists telling you precisely what to do to fill compliance gaps
- Tracks workflows so that you always know where your compliance efforts stand
- It helps you generate vendor questionnaires and compiles responses.
- Alerts you in real-time to compliance gaps
- Conducts unlimited self-audits with a few clicks
- Documents all your compliance activities in our patented “Single Source of Truth” repository for a complete audit trail
Compliance with PCI DSS needn’t be a hassle or a dream. The modern, worry-free path is just a click away. So contact us now to schedule a demo and embark on the journey to PCI DSS compliance, the Zen way.