The Payment Card Industry Data Security Standard (PCI DSS) protects cardholder data and sensitive authentication data wherever merchants or service providers store, process, or transmit it. Maintained by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS is validated either through a Self-Assessment Questionnaire (SAQ) or, for larger merchants and service providers, through a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA); where the applicable SAQ or ROC requires it, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are part of that validation.
To maintain PCI DSS compliance, merchants and service providers must meet the security requirements of PCI, including firewall installation and configuration, regular vulnerability scans, access controls, and more.
The PCI Security Standards Council founding members, the card brands American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc., created the PCI Data Security Standard so that merchants and service providers would have a single set of security controls for protecting card data, rather than a separate program for each brand.
What is PCI compliance?
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS) for any business that transmits, processes, or stores payment card data in debit or credit card transactions. It includes a set of security requirements, compliance levels, and compliance programs designed to ensure that companies maintain a cybersecurity environment that protects sensitive cardholder data from hackers, malware, and data breaches.
The PCI DSS applies to any entity that stores, processes, or transmits cardholder data. The standard covers the technical and operational system components included in or connected to the cardholder data environment (CDE), such as firewalls and other network security controls, data storage, and the software that handles card data. Meeting it requires, among other things, deploying anti-malware, replacing vendor defaults with strong credentials and secure configurations, and, where the applicable validation type calls for it, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Is PCI DSS a Legal Compliance Requirement?
Adhering to the PCI Data Security Standard (PCI DSS) is not optional for any business that accepts payment cards such as Visa, Mastercard, American Express, Discover, and JCB. The payment brands require PCI DSS compliance through their operating regulations and through the agreements signed by acquiring banks, merchants, and the service providers that handle transactions and card data.
If an organization fails to maintain PCI compliance, the card brands can fine the acquiring banks, which typically pass those fines on to the merchants and payment processors. If a data breach enabling fraud occurs while the entity is non-compliant, the business also faces substantial fraud recovery, card reissuance, monitoring, and remediation costs. Card-brand fines for an entity whose Report on Compliance (ROC) or SAQ does not demonstrate compliance are reported to range from $5,000 to $500,000 per month, depending on severity and how long the non-compliance persists.
So, while PCI DSS is not a cybersecurity law per se, validation and compliance are contractually compulsory for any entity that accepts card payments or stores, processes, or transmits payment card data. Not complying with PCI DSS can inflict significant financial consequences and cybersecurity risks.
The 12 Requirements of PCI DSS Compliance
PCI DSS groups its controls into twelve requirements under six goals (secure network and systems, protect account data, vulnerability management, strong access control, monitoring and testing, and an information security policy). The requirement titles and sub-points below follow the v3.2.1 wording; v4.0 keeps the same twelve requirements but retitles several of them (for example, Requirement 1 becomes "Install and Maintain Network Security Controls" and Requirement 2 becomes "Apply Secure Configurations to All System Components").
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Establish and implement firewall and router configuration standards that identify all connections between the Cardholder Data Environment (CDE) and other networks, backed by current network and data-flow diagrams.
- Build firewall and router configurations that restrict inbound and outbound traffic to what is necessary for the CDE and deny everything else.
- Prohibit direct public access between the internet and any system component in the CDE.
- Install personal firewall software or an equivalent function on any portable device, company- or employee-owned, that connects to the internet outside the corporate network and is also used to access the CDE.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Change all vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
- Develop configuration standards for all system components that address known security vulnerabilities (one primary function per server, only necessary services and protocols enabled) and update them when new vulnerabilities are discovered.
- Encrypt all non-console administrative access using strong cryptography (for example SSH or TLS rather than telnet or cleartext HTTP).
- Maintain an inventory of all system components in scope for PCI DSS.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 3: Protect stored cardholder data
- Keep cardholder data storage to a minimum: retain it only as long as business, legal, or regulatory purposes require, and run a process at least quarterly to identify and securely delete data that exceeds the retention period.
- Never store sensitive authentication data (full track data, card verification codes such as CVV2/CVC2, and PINs or PIN blocks) after authorization, even if encrypted, and ensure it is unrecoverable.
- Mask the Primary Account Number (PAN) when displayed so that at most the first six and last four digits are visible, except to personnel with a legitimate business need to see the full PAN.
- Render PAN unreadable anywhere it is stored, including on portable digital media, backup media, and in logs, using one-way hashes of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography with associated key management.
- Document and implement procedures to protect the keys used to encrypt cardholder data against disclosure and misuse.
- Document and implement key management processes and procedures (generation, distribution, storage, rotation, retirement) for the cryptographic keys used for cardholder data.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
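The masking, truncation, hashing, and tokenization options Requirement 3 names, shown in working code. This is an added example, not code from the page or from the PCI SSC; the card numbers are well-known test numbers, the `TokenVault` and log-scrubbing helper names are this example's own, and the HMAC key is a placeholder that in production would be a managed key under Requirement 3.5/3.6.

```python
"""Added example: rendering a PAN unreadable (PCI DSS Requirement 3).

All PANs used here are constructed test numbers, not real card numbers.
"""
import hashlib
import hmac
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation. Used below to cut false positives when
    scrubbing logs: most random 13-19 digit runs (order IDs, timestamps) fail it."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking (3.3): at most the first six and last four digits visible."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation (3.4): keep only the last four digits; the rest is
    discarded, so nothing in the stored value can be reversed into a PAN."""
    return pan[-4:]


def hash_pan(pan: str, secret_key: bytes) -> str:
    """Keyed one-way hash of the entire PAN (3.4). The key must be managed like any
    other crypto key (3.5/3.6). An unkeyed SHA-256 is not enough: with a known BIN
    the remaining digits are few enough to brute-force from the hash."""
    return hmac.new(secret_key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens (3.4): a random token stands in for the PAN everywhere outside
    the CDE; only the vault, which lives inside the CDE, can map it back."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)        # random, carries no PAN information
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# 13-19 digit run not adjacent to other digits
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid 13-19 digit run before the line reaches a log,
    since 3.4 forbids readable PAN in logs."""
    def _repl(m: re.Match) -> str:
        candidate = m.group(1)
        return mask_pan(candidate) if luhn_ok(candidate) else candidate
    return PAN_RE.sub(_repl, line)


if __name__ == "__main__":
    print(mask_pan("4111111111111111"))
    print(scrub_log_line("user=alice pan=4111111111111111 order=1234567890123"))
```

Note the order ID in the scrubbed sample line is left alone because it fails the Luhn check, while the test PAN is masked. PCI DSS v4.0 tightened the hashing option (3.5.1.1): hashes of PAN must be keyed cryptographic hashes, which is why the example uses HMAC rather than a bare digest.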
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Protect cardholder data with strong cryptography and secure protocols (for example TLS 1.2 or later with only trusted certificates accepted) whenever it crosses open, public networks, including wireless networks that transmit cardholder data.
- Never send unprotected PANs through end-user messaging technologies such as email, instant messaging, SMS, or chat.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 5: Protect all systems against malware and regularly update anti-virus software
- Deploy anti-virus software on all systems commonly affected by malicious software, and periodically evaluate systems not commonly affected to confirm they still do not need it.
- Keep anti-virus mechanisms current, perform periodic scans, and generate audit logs that are retained under Requirement 10.
- Ensure anti-virus mechanisms are actively running and cannot be disabled or altered by users without management authorization.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 6: Develop and maintain secure systems and applications
- Establish a process to identify security vulnerabilities using reputable outside sources and assign each newly discovered vulnerability a risk ranking (for example high, medium, low).
- Install vendor-supplied security patches, with critical patches applied within one month of release.
- Follow change control processes and procedures for all changes to system components, including separation of development/test from production environments.
- Train developers in secure coding techniques and develop applications based on secure coding guidelines that address common vulnerability classes such as injection, buffer overflows, insecure cryptographic storage, and broken authentication.
- Protect public-facing web applications against known attacks either by reviewing them with a vulnerability assessment tool or method at least annually and after any change, or by installing an automated technical solution (such as a web application firewall) that detects and prevents web-based attacks.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 7: Restrict access to cardholder data by business need-to-know
- Limit access to system components and cardholder data to only those individuals whose job requires it, assigning privileges by job classification and function (least privilege).
- Implement an access control system that restricts access based on need to know and is set to "deny all" unless access is explicitly allowed.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 8: Identify and authenticate access to system components
- Define and implement user identification management policies and procedures across the enterprise and assign every user a unique ID before allowing access to system components or cardholder data.
- Authenticate users with at least one of something you know (password/passphrase), something you have (token device/smart card), or something you are (biometrics), and use strong cryptography to keep passwords/passphrases unreadable during transmission and storage.
- Use multi-factor authentication, combining at least two of the three factors above, for all non-console administrative access into the CDE and for all remote network access originating from outside the entity's network (v4.0 extends this to all access into the CDE).
- Develop, implement, and communicate the authentication policies and procedures to all users.
- Never use group, shared, or generic IDs, passwords, or other authentication methods.
- Assign physical security tokens, smart cards, certificates, and other authentication mechanisms to individual accounts so they cannot be shared.
- Restrict all access to databases containing cardholder data: users access data only through programmatic methods, only database administrators can directly access or query the database, and application IDs are used only by the applications, never by individual users.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 9: Restrict physical access to cardholder data
- Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
- Develop procedures to easily distinguish onsite personnel from visitors, such as ID badges.
- Limit physical access based on job function and revoke it immediately upon termination, including the return or disabling of keys, access cards, or other mechanisms.
- Track visitors with a log recording name, company, and the onsite personnel authorizing access; give visitors a badge or identification that expires and must be surrendered when they leave.
- Physically secure all media, and store media backups in a secure location, preferably off-site.
- Strictly control the internal or external distribution of any kind of media.
- Maintain strict control over the storage and accessibility of media.
- Destroy media when it is no longer needed for business or legal reasons.
- Protect devices that capture payment card data through direct physical interaction with the card (such as POS terminals) from tampering and substitution.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 10: Track and monitor all access to network resources and cardholder data
- Establish audit trails that link all access to system components to an individual user.
- Implement automated audit trails for all system components so that the following events can be reconstructed: individual user access to cardholder data; actions taken by anyone with root or administrative privileges; access to audit trails; invalid logical access attempts; use of and changes to identification and authentication mechanisms, including all changes, additions, and deletions to root or administrative accounts; initialization, stopping, or pausing of audit logs; and creation and deletion of system-level objects.
- Record for each event the user identification, type of event, date and time, success or failure indication, origination of the event, and the identity or name of the affected data, system component, or resource.
- Synchronize all critical system clocks and times using time-synchronization technology and implement controls for acquiring, distributing, and storing time.
- Secure audit trails so they cannot be altered: limit viewing to a job-related need, protect log files from unauthorized modification, back up logs promptly to a centralized log server or media that is difficult to alter, and use file-integrity monitoring or change-detection software on logs.
- Review logs and security events for all system components at least daily to identify anomalies or suspicious activity.
- Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
Requirement 11: Regularly test networks, security systems, and processes
- Implement processes to test for the presence of wireless access points and to detect and identify all authorized and unauthorized wireless access points at least quarterly.
- Maintain an inventory of authorized wireless access points with a documented business justification, and invoke incident response procedures when unauthorized wireless access points are detected.
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network; external scans must be performed by an Approved Scanning Vendor (ASV).
- Address vulnerabilities and rescan until passing scans are achieved (no "high" findings internally, no failing findings on the ASV scan).
- Develop and implement a penetration testing methodology covering external and internal testing at least annually and after any significant infrastructure or application upgrade or modification, including testing of network segmentation controls where segmentation is used to reduce scope.
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.
- Monitor all traffic at the perimeter of the CDE and at critical points inside it, and alert personnel to suspected compromises.
- Deploy a change-detection mechanism (for example file-integrity monitoring) that alerts personnel to unauthorized modification, including changes, additions, and deletions, of critical system files, configuration files, or content files, and perform critical file comparisons at least weekly.
- Implement a process to respond to any alerts generated by the change-detection solution.
- Document security policies and operational procedures, communicate them, and ensure they are in use.
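The change-detection sub-point above, reduced to its core: a baseline of file digests and a comparison that reports additions, removals, and modifications. This is an added example, not code from the page or from any FIM product; the monitored directory, file names, and the "tampering" it simulates are all constructed in a temporary directory so it runs anywhere.

```python
"""Added example: minimal file change detection (PCI DSS Requirement 11.5).

Builds a baseline of SHA-256 digests for every file under a root, then
reports files that were added, removed, or modified when re-run. The demo
paths are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):   # stream, files may be large
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map of path-relative-to-root -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Added / removed / modified paths; three empty lists means no change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a config directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("tls_min_version=1.2\n")
        with open(os.path.join(etc, "users.txt"), "w") as f:
            f.write("alice\n")

        # In a real deployment this JSON is written somewhere the monitored
        # host cannot modify (central server, signed, or read-only media).
        saved = json.dumps(build_baseline(root), sort_keys=True)

        # Simulate unauthorized changes: weaken a setting, drop a file, plant a file.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("tls_min_version=1.0\n")
        os.remove(os.path.join(etc, "users.txt"))
        with open(os.path.join(etc, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats. The baseline itself is the thing an attacker will target, so it must be stored and verified somewhere the monitored host cannot rewrite it. And a scheduled comparison only sees what is on disk at run time; "at least weekly" is a floor, and commercial FIM tools watch the filesystem continuously for exactly that reason.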
Requirement 12: Maintain a policy that addresses information security for all personnel
- Establish, publish, maintain, and disseminate a security policy that is reviewed at least annually and updated when the environment changes.
- Perform a formal risk assessment at least annually and upon significant changes to the environment that identifies critical assets, threats, and vulnerabilities and results in a documented analysis of risk.
- Establish usage policies for critical technologies that define proper use, including remote access, wireless access, removable electronic media, laptops, tablets, handheld devices, email, and internet use.
- Incorporate clearly defined information security responsibilities for all personnel and all service providers in the security policies and procedures.
- Assign information security responsibilities to a named individual or team.
- Implement a formal security awareness program that covers the cardholder data security policy and procedures, delivered upon hire and at least annually.
- Screen potential personnel prior to hire, within the constraints of local law, to minimize the risk of attacks from internal sources.
- Maintain policies and procedures to manage service providers with which cardholder data is shared or that could affect the security of cardholder data, including written agreements and monitoring of their PCI DSS compliance status at least annually.
- Service providers must provide customers with a written acknowledgment that they are responsible for the security of cardholder data they possess or otherwise store, process, or transmit on behalf of the customer.
- Implement an incident response plan that prepares the organization to respond immediately to a system breach, and test it at least annually.
- Service providers must perform and document, at least quarterly, reviews confirming personnel are following security policies and operational procedures.
What is PCI DSS v4.0?
PCI DSS v4.0 is the current major version of the Payment Card Industry Data Security Standard, released in March 2022 (a limited revision, v4.0.1, followed in June 2024 with corrections and clarifications but no new requirements). It contains new security requirements and compliance enhancements for any entity that stores, processes, or transmits cardholder data and sensitive authentication data.
Some key changes in PCI DSS 4.0 include:
- Multi-factor authentication required for all access into the cardholder data environment, not only for administrative and remote access
- Stronger software and system security, including keyed hashing of stored PAN, tighter password requirements, and continued emphasis on timely patching
- Better detection of and response to attempted compromises through expanded logging, automated log review, and change- and tamper-detection on payment pages
- A "customized approach" that lets an entity meet a requirement's objective with controls of its own design, validated by a targeted risk analysis, alongside the traditional defined approach
- Security treated as a continuous process, with roles and responsibilities assigned for every requirement and targeted risk analyses driving the frequency of several periodic controls
Overall, v4.0 aims to address emerging threats to cardholder data and harden environments against the attack methods currently used against this type of sensitive information.
What Is the Deadline for Becoming PCI DSS v4.0 Compliant?
PCI DSS v3.2.1 was retired on March 31, 2024, so every assessment undertaken after that date is performed against v4.0. Most of the new requirements introduced in v4.0 were future-dated, meaning they were treated as best practice during the transition and became mandatory on March 31, 2025.
Entities that have not completed the transition should treat v4.0 as the current bar and remediate any outstanding future-dated controls now rather than around the next assessment date, because several of them (MFA for all CDE access, keyed PAN hashing, automated log review) touch architecture and take time to roll out. The card brands encouraged early adoption of v4.0 ahead of both deadlines.
Tips For Becoming PCI Compliant
Maintaining rigorous compliance with the Payment Card Industry Data Security Standard (PCI DSS) is crucial for any business that handles credit or debit card transactions and data. Here are some key tips for effectively meeting PCI standards:
- Understand the current PCI DSS version and which requirements apply to your business. Determine your validation type (SAQ type or ROC) and use it to identify gaps.
- Work with a Qualified Security Assessor (QSA) to evaluate your compliance posture objectively. A QSA can identify weaknesses and provide guidance tailored to your operations.
- Install and correctly configure network security controls (firewalls) and anti-malware software. Keep all software patched and securely configured, with vendor defaults removed.
- Never store cardholder data unless the business genuinely requires it. If you must store it, render the PAN unreadable, protect the encryption keys, and never retain sensitive authentication data after authorization.
- Restrict access to cardholder information to those with a need to know. Enforce strong access controls with unique IDs, strong passwords or passphrases, and multi-factor authentication.
- Monitor networks and systems, log activity, and establish incident response and breach notification procedures. A quick, well-rehearsed response limits both the damage and the penalties that follow a compromise.
Maintaining Your PCI DSS Compliance with ZenGRC
Navigating the complexities of PCI DSS can be challenging for any business. A tailored compliance platform helps keep evidence, controls, and assessments organized so that gaps are found before an assessor or a card brand finds them.
ZenGRC makes achieving and maintaining PCI compliance smooth and simple. Our user-friendly software centralizes processes – from managing assessments to tracking security controls and generating reports. Pre-configured PCI templates accelerate your program, while robust features like automated workflow streamline operations.
See how ZenGRC transforms compliance. Request a demo today.