Everything you need to know about the Payment Card Industry Data Security Standard (PCI DSS) including its goals and requirements, and how your business or organization can achieve and maintain compliance.
Whether your organization is a start-up or a global enterprise, if you accept credit card payments, you must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
In this article we’ll take a closer look at PCI DSS, including its goals and requirements, and provide guidance on how your organization can achieve and maintain PCI DSS compliance.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations of all sizes that handle credit card transactions from major credit card companies. The security standard was created to increase controls around cardholder data to reduce credit card fraud. Although mandated by the card brands themselves, PCI DSS is actually administered by the Payment Card Industry Security Standards Council, an independent body created by Visa, American Express, MasterCard, Discover, and JCB.
PCI DSS provides comprehensive standards and supporting materials as well as support resources to help organizations assure the security of cardholder information. The security standard itself is the cornerstone of the Payment Card Industry Security Standards Council and provides the necessary framework for developing a complete payment card data security process that encompasses prevention, detection, and appropriate reaction to cybersecurity incidents such as a data breach.
Some of the tools and resources available with PCI DSS include:
- Self-assessment questionnaires designed to help organizations validate their PCI DSS compliance.
- PIN Transaction Security (PTS) requirements for device vendors and manufacturers, as well as a list of approved PIN transaction devices.
- Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors and others develop secure payment applications.
- A number of public resources, including:
  - Lists of Qualified Security Assessors (QSAs)
  - Lists of Payment Application Qualified Security Assessors (PA-QSAs)
  - Lists of Approved Scanning Vendors (ASVs)
  - The Internal Security Assessor (ISA) education program
PCI DSS Standards: Goals
PCI DSS consists of 12 requirements for compliance, which are organized into six groups called “compliance objectives.” We’ll introduce the six PCI DSS goals and give a brief explanation along with the requirements for each. In the following section, we will discuss each of the 12 requirements in more depth.
You can also find complete information about each of these standards and requirements in our comprehensive guide, PCI Compliance Explained.
1. Build and Maintain a Secure Network and Systems
Before the age of digital transformation, criminals had to gain physical access to steal financial records. Today, the use of the internet, e-commerce, and online banking for the majority of financial transactions means that most PIN entry devices and computer networks are more exposed than ever before.
The first PCI DSS compliance objective, to build and maintain a secure network and systems, is primarily concerned with the need for a secure network. To achieve this goal, your organization should employ robust network security protocols and controls to prevent and deter any criminal activity. More specifically, your network security protocols should protect cardholder data from theft through any illegitimate virtual access of your payment system networks.
The requirements for this PCI DSS goal are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Cardholder data includes any information from a payment card that is printed, processed, transmitted or stored in any form. Any organizations accepting payment cards must protect cardholder data to prevent its unauthorized use, no matter where the cardholder data is stored – locally, or transmitted over an internal or public network to a remote server or service provider.
The requirements for this PCI DSS goal are:
- Protect stored cardholder data.
- Encrypt transmission of cardholder data over open public networks.
3. Maintain a Vulnerability Management Program
A robust vulnerability management program is a must for any organization, but particularly for those dealing in sensitive information. Vulnerability management is the systematic and continuous process of identifying weaknesses in your organization’s systems, and particularly in your business’s payment card system infrastructure. This includes security procedures, system design, implementation, or internal controls that could be exploited to breach your system security policy.
The requirements for this PCI DSS goal are:
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
Control measures are actions that can be taken to reduce the likelihood of a risk occurring. Access controls are designed to allow the effective management and control of sensitive data by permitting or denying access to the Primary Account Number (PAN, the card number itself) and other cardholder data. With access controls, any access must be granted only on a need-to-know basis.
Generally your organization can use two types of controls to protect itself from security incidents involving cardholder data: physical access controls and logical or technical access controls.
Physical access controls typically include all of the physical systems you use to manage, monitor, and restrict access to storage media, paper records, or system hardware. Most often, the term refers to physical security: the locks or other tangible mechanisms you use to protect sensitive information.
Logical access controls have more to do with the technology you use to protect your sensitive information. They are generally designed to limit the use of payment devices, computing devices, and wireless networks to authorized users only, as well as to control the access to any digital files which contain cardholder data.
The requirements for this PCI DSS goal are:
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
Your organization’s payment infrastructure comprises both the physical and wireless networks that connect all of your endpoints, devices, and servers. Ultimately, any weaknesses in your payment infrastructure can present the opportunity for a threat actor to gain illegitimate access to your payment cardholder data.
To prevent this type of security incident from occurring, you must regularly monitor and test your networks to find and remediate any vulnerabilities.
The requirements for this PCI DSS goal are:
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an Information Security Policy
An information security policy is a set of rules and guidelines that dictate how your organization’s information technology (IT) assets and resources should be used, managed, and protected. Generally speaking, your information security policy should apply to all of the users in your organization or its networks as well as to all digitally stored information under your control.
Simply creating an information security policy, however, is not enough. You also need to make sure that all of your employees understand the policy and the sensitive and confidential nature of cardholder data, as well as their responsibilities for protecting it. Your information security policy will set the tone for security affecting your entire organization, and will inform stakeholders and employees of their expected roles and duties related to the protection of cardholder data.
The requirement for this PCI DSS goal is:
- Maintain an information security policy.
PCI DSS Standards: Requirements
The 12 high-level requirements of PCI DSS are the bullet points listed above under each of the standard’s six goals. The requirements themselves have remained unchanged since the standard’s inception. Let’s examine each of them more closely to better understand its specific expectations.
1. Install and Maintain a Firewall Configuration to Protect Cardholder Data
A firewall works by inspecting incoming network traffic and assessing it against a pre-configured rule set, so the firewall can either allow or deny traffic to protect internal networks. To assure that your organization’s firewall is performing properly, you should assess and update your firewall configuration rules at least every six months.
To meet PCI DSS requirements, your firewall rules must be configured to restrict traffic to both servers and ports. Additionally, your servers and ports must be documented and necessary for business operations. You also must be able to justify any port or server left open as required for business needs.
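As an added illustration of the two checks just described (every open port on every server documented with a business justification, and rules reviewed at least every six months), here is a small audit script. It is example code written for this article, not part of any firewall product; the rule and justification fields are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "At least every six months" review cadence from Requirement 1.
REVIEW_INTERVAL = timedelta(days=182)


@dataclass(frozen=True)
class Rule:
    """Assumed shape of one firewall rule (not a real vendor's export format)."""
    name: str
    action: str        # "allow" or "deny"
    dest: str          # server the rule applies to
    port: int
    last_reviewed: date


@dataclass(frozen=True)
class Justification:
    """Assumed shape of one entry in the documented business-need register."""
    dest: str
    port: int
    reason: str        # empty string means the entry was never actually filled in


def audit_rules(rules, justifications, today):
    """Return (rule name, finding) pairs for allow rules that are either
    undocumented or overdue for review. Deny rules expose nothing, so they
    need no justification and are skipped."""
    documented = {(j.dest, j.port) for j in justifications if j.reason.strip()}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if (r.dest, r.port) not in documented:
            findings.append((r.name, "no documented business justification"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.name, "not reviewed in the last six months"))
    return findings


# Constructed sample rule set and register.
SAMPLE_RULES = [
    Rule("R1", "allow", "web01", 443, date(2024, 5, 2)),
    Rule("R2", "allow", "db01", 3306, date(2023, 11, 1)),   # stale review
    Rule("R3", "allow", "app01", 8080, date(2024, 5, 22)),  # no justification
    Rule("R4", "deny", "any", 0, date(2024, 5, 2)),         # catch-all deny
]
SAMPLE_JUSTIFICATIONS = [
    Justification("web01", 443, "public storefront"),
    Justification("db01", 3306, "application tier to database"),
    Justification("app01", 8080, ""),   # placeholder entry, never completed
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, SAMPLE_JUSTIFICATIONS, date(2024, 6, 1)):
        print(f"{name}: {finding}")
```

Run against a real export, the findings list is the set of rules an assessor would ask you to justify or re-review.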
2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Manufacturer-supplied passwords are often easy for malicious actors, hackers, and cybercriminals to obtain. In many cases, the failure to change or disable standard passwords and accounts can lead to the exploitation of internal networks, resulting in compromised cardholder data.
To meet PCI DSS requirements, you must change all manufacturer settings for your wireless networks as well, including passphrases, passwords, and any other login credentials. You’ll need to delete any unsecured, undocumented, or unnecessary services to make sure that they can’t be used to gain access to your internal networks.
3. Protect Stored Cardholder Data
Regardless of PCI DSS compliance, your organization should strive to eliminate the storage of cardholder data, with the exception of data that’s necessary for business, legal, or regulatory needs. Following authorization, any Sensitive Authentication Data (SAD) must never be stored. This includes data on the magnetic stripe and CVV, EMV chip, and PIN/PIN Block.
Any cardholder data that is necessary to store must be rendered unreadable via encryption. This includes information such as the PAN, cardholder name, and expiration date.
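The following is an added example (written for this article, not code from the PCI Security Standards Council or any payment vendor) of what Requirement 3 means in a transaction record after authorization: the Sensitive Authentication Data fields named above are dropped, and the PAN is never stored in the clear. The article describes encryption; to stay within the Python standard library this example instead uses a keyed one-way hash (HMAC-SHA256), which PCI DSS also accepts for rendering a stored PAN unreadable, plus the first-six/last-four masking PCI DSS allows for display. Field names, the key, and the sample transaction are constructed.

```python
import hashlib
import hmac

# Sensitive Authentication Data listed in the article: never stored after authorization.
SAD_FIELDS = ("track_data", "cvv", "emv_chip_data", "pin_block")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used here only to reject obviously malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are shown."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def render_unreadable(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (HMAC-SHA256). The key must live in a
    separate key-management system, never beside the stored records."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def post_authorization_record(txn: dict, key: bytes) -> dict:
    """Build the record that may persist after authorization: SAD removed,
    the clear PAN replaced by its masked and hashed forms. Other cardholder
    data (name, expiry) is passed through and must still be protected by the
    caller's storage encryption, which is outside this example."""
    stored = {k: v for k, v in txn.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(txn["pan"])
    stored["pan_hash"] = render_unreadable(txn["pan"], key)
    return stored


def contains_sad(record: dict) -> bool:
    """Check a record about to be written: True if any SAD field or clear PAN survived."""
    return any(f in record for f in SAD_FIELDS) or "pan" in record


# Constructed sample transaction (test PAN, fake values).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_TXN = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cardholder_name": "A. Example",
    "cvv": "123",
    "track_data": "%B4111111111111111^EXAMPLE/A^2712...?",
    "pin_block": "0123456789ABCDEF",
    "amount": "42.00",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    record = post_authorization_record(SAMPLE_TXN, SAMPLE_KEY)
    print(record, "SAD present:", contains_sad(record))
```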
4. Encrypt Transmission of Cardholder Data Over Open Public Networks
When using public networks for transmitting cardholder data, the data needs to be encrypted using strong cryptography. Whichever encryption method you select, it must feature a secure version and the appropriate level of encryption strength. Likewise, you should never use messaging applications such as chat, email or instant messaging to transmit PANs.
5. Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
To meet PCI DSS requirements, your organization must install, maintain and regularly update your antivirus software. You’ll also need to schedule periodic scans and generate appropriate audit records for all antivirus software, and restrict the ability to deactivate your antivirus software to management or authorized administrators. If you do need to disable your antivirus software, it should only be for a limited period of time.
6. Develop and Maintain Secure Systems and Applications
Any vulnerabilities identified during the vulnerability management process must be classified according to the level of risk they pose to your cardholder data environment. Vulnerabilities might include buffer overflows, cross-site request forgery, and cross-site scripting. Any public-facing web applications must also be tested, whether through application penetration testing or with application security tools and methods. Additionally, you must use a web application firewall (WAF) to be PCI DSS compliant.
7. Restrict Access to Cardholder Data by Business Need to Know
Any role-based access should operate on the “need to know” principle. This means that an individual can access only the minimum amount of data necessary to perform his or her job. (Sometimes this is also referred to as the “principle of least privilege.”) Generally speaking, all access to your systems should be covered by this principle, which can be achieved by setting the default access to “deny all” users, with the exception of those who are expressly granted authorization.
8. Identify and Authenticate Access to System Components
To assure accountability for all actions taken on a system, you’ll need to make sure that users authenticate with a unique ID and a robust password containing at least seven alphanumeric characters.
To meet this PCI DSS requirement, you also must employ multi-factor authentication (MFA) by using a secondary authentication in addition to a robust password. This can be done by sending a code to a device, using a biometric scan, or providing a key fob or smart card.
9. Restrict Physical Access to Cardholder Data
Physical access to secure areas within your cardholder data environment must be controlled and monitored by video cameras or access controls. All access records are required to be retained for 90 days, unless prohibited by law. Once the retention requirement for cardholder data is no longer valid, that data must be destroyed.
For example, paper forms with cardholder data must be shredded once the retention period has passed. Any point of interaction devices must also be listed, maintained and protected from tampering or unauthorized replacement.
10. Track and Monitor All Access to Network Resources and Cardholder Data
To connect specific actions to specific accounts and individuals, your organization must implement system logging. You are required to keep system logs for a minimum of one year, and have at least three months’ worth of logs readily available at all times. To avoid the alteration or deletion of system log information, you are required to back up your logs to a centralized server. You should also review logs daily to address any anomalies as soon as they occur.
11. Regularly Test Security Systems and Processes
You must perform penetration testing in conjunction with internal and external vulnerability scans to defend your payment cardholder environment from any network vulnerabilities. To do so, your organization is required to assure that your payment cardholder environment is routinely scanned for vulnerabilities, whether using manual or automated methods to identify any potential unauthorized access points. You should also employ file integrity monitoring and intrusion detection systems to identify and alert you to any unexpected changes in your environment.
12. Maintain an Information Security Policy
Your organization must develop and maintain an information security policy to meet this PCI DSS requirement. This policy should document the procedures and policies that relate to the security of your cardholder data, as well as a usage policy, which identifies which users can use which devices in which locations and for what purposes.
Similarly, your organization must also have an incident response plan in place. An incident response plan usually includes requirements for informing card brands, a business continuity plan, and data backup policies in case of a disruptive event. When notifying the public of a security incident, your organization should refer to the rules in your specific jurisdiction.
What Is PCI DSS Compliance?
PCI DSS compliance is a requirement for any organizations that accept, process, store or transmit credit card information. The goal of PCI DSS is to create a secure environment for such transactions to take place, starting at the point of sale. To meet PCI DSS requirements, all cardholder data must be stored on a private network that has no access or connection to the public internet.
PCI DSS compliance also requires merchants to hire a Qualified Security Assessor (QSA), whose independent “attestation of compliance” assures that the merchant is compliant. The resulting compliance report should incorporate a review of the merchant’s security controls under the 12 requirements, including vulnerability management. Some merchants use Approved Scanning Vendors (ASVs) to manage their vulnerability scans.
PCI DSS non-compliance can lead to card data theft, fines, or even a bank’s refusal to allow a merchant or service provider to accept credit card or debit card payments. Understanding PCI DSS compliance is critical for your organization, and should be a top priority regardless of size or industry.
For tips on passing your PCI DSS audit with ease, check out Preparing for a PCI-DSS Audit: Five Steps to Success and our PCI DSS Audit Checklist.
What Are the Four Levels of PCI Compliance?
PCI DSS establishes four levels of PCI compliance regarding information security. Your organization’s PCI DSS compliance level depends on the number of debit card payments and credit card transactions you process per year, which credit cards you accept, and whether your enterprise has suffered a breach or cyberattack resulting in compromise of credit card or cardholder data.
The four merchant levels are:
- Level 1: Merchants processing more than 6 million credit card transactions annually (across all channels); the exact threshold depends on which card brands you accept.
  - Typically includes larger entities.
  - These organizations must meet the most stringent requirements for validating compliance. This includes passing an annual on-site audit by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
  - This compliance level also requires on-site audits every year, network vulnerability scans every 90 days, and, for service providers, penetration tests and internal scans.
- Level 2: Merchants processing 1 million to 6 million transactions annually.
  - Typically includes mid-size and smaller enterprises.
  - Although Level 2 merchants generally aren’t required to undergo an on-site audit by a QSA, in some instances acquiring banks may require an audit and a Report on Compliance (ROC), especially for larger Level 2 merchants.
- Level 3: Merchants processing 20,000 to 1 million transactions annually.
  - Typically includes mid-size and smaller enterprises.
  - Most of the time, these organizations can forgo an audit and instead complete a Self-Assessment Questionnaire (SAQ) and file an Attestation of Compliance (AOC).
- Level 4: Merchants processing fewer than 20,000 transactions annually.
  - Typically includes mid-size and smaller enterprises.
  - Most of the time, these organizations can forgo an audit and instead complete a Self-Assessment Questionnaire (SAQ) and file an Attestation of Compliance (AOC).
Although an on-site audit by a QSA is only required for Level 1 merchants and service providers, many Level 2 and Level 3 entities also choose to comply with this requirement. Regardless of your merchant level, PCI DSS compliance will be an ongoing and continuous process.
To maintain these rigorous standards, you must be vigilant. The price of non-compliance with PCI DSS can be high, and in some cases, even crippling to your organization.
Meeting the 12 requirements and 281 sub-directives of PCI DSS can be overwhelming, especially if you’re using spreadsheets for your organization’s compliance management. Simply gathering all the documentation needed at audit time can be daunting, never mind that your organization also needs to stay current with the latest standards. Add to that the task of tracking vendor compliance and continually testing your controls, and PCI DSS compliance can quickly become a seemingly impossible endeavor.
Fortunately, there are PCI DSS compliance solutions that can perform many of these tasks for you.
Maintain PCI DSS Compliance with ZenGRC
ZenGRC is a compliance and audit management solution that delivers a faster, easier, and smarter path to compliance by eliminating tedious manual processes, accelerating onboarding and keeping you up-to-date on the progress and effectiveness of your programs. With ZenGRC, your organization can get audit ready in less than 30 minutes – no coding or cumbersome imports required.
With expert-built preloaded content at your fingertips to make scoping, sending requests, and gathering evidence easier than ever, ZenGRC can help you reach your goals faster and keep your teams connected. Streamlined collaboration capabilities and automated workflows minimize manual task tracking and eliminate audit fatigue.
But ZenGRC doesn’t stop at maintaining compliance. It also helps you understand how your compliance activities are impacting your risk posture so you can effectively prioritize your investments. Now you can easily handle your compliance needs and take managing your IT risks to the next level.
With seamless integrations across the platform, ZenGRC gives you a unified, real-time view of risk and compliance, and the contextual insight needed to make smart, strategic business decisions that keep your organization secure and earn the trust of your customers, partners and employees.
Take your compliance to the next level with ZenGRC. Schedule a demo today.