PCI DSS compliance is crucial for any business that processes, stores, or transmits cardholder data. But who exactly is responsible for implementing and enforcing PCI DSS requirements?
This blog post will unpack PCI Data Security Standard controls, who owns them, the penalties for non-compliance, and how a Governance, Risk management, and Compliance (GRC) platform like ZenGRC can help streamline compliance.
What are PCI controls?
The Payment Card Industry Data Security Standard (PCI DSS) controls are the security measures organizations must implement across the many potential touchpoints for cardholder data in order to keep that data secure.
These controls should be mapped based on inputs from IT, security teams, and other functions that interact with cardholder data.
Proper attention must be paid to defining suitable security configurations and protocols when implementing PCI DSS controls.
The PCI DSS requirements cover six key areas:
- Building and maintaining secure networks
- Protecting stored cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
Specific controls include firewall installation, encryption, access restrictions, anti-virus software, vulnerability scans, penetration testing, and more.
Implementing PCI DSS controls reduces risk and helps protect sensitive data from hackers and malware.
Penalties for Non-Compliance with PCI DSS
If an organization does not comply with PCI DSS, consequences can be severe. Penalties for non-compliance include:
- Fines of $5,000 to $100,000 per month by card brands
- Increased transaction fees
- Loss of ability to process payments
- Reputation damage
- Litigation expenses and civil penalties
- Costs associated with a data breach
According to IBM, the average total cost of a data breach is close to $4.45 million. Being PCI DSS compliant reduces security incidents and protects organizations from these penalties.
PCI DSS Compliance Goals
The overarching goal of PCI DSS is to protect cardholder data wherever it resides within an organization. More specific objectives include:
Safeguarding Cardholder Data
The overarching aim of PCI DSS is to protect sensitive cardholder data wherever it resides – whether at rest, in transit, or actively being processed. This includes securing the Primary Account Number (PAN) and related personal card information.
Building a Secure Network
PCI requires properly configuring firewalls to analyze incoming traffic and block unauthorized access attempts. Default passwords must be changed and unnecessary services disabled to prevent exploits.
Protecting Stored Data
When cardholder data storage is unavoidable, PCI DSS limits retention to only what is necessary for business needs. Sensitive Authentication Data (SAD) should never be stored post-authorization. Strong cryptography and encryption must be used to render stored data unreadable.
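As an added example that is not from the original post, the Python snippet below shows one way to apply the stored-data goal just described: Sensitive Authentication Data fields are dropped before anything is persisted, and the PAN is retained only as a masked display form plus a keyed one-way hash, so the stored value is unreadable without the key. The field names, the demo key and the card record are constructed for the illustration.

```python
import hashlib
import hmac
import re

# Fields PCI DSS classes as Sensitive Authentication Data (SAD). They must not be
# retained after authorization, so they are stripped before persistence.
SAD_FIELDS = ("cvv", "pin", "track_data")

# Constructed demo key for illustration only; a real deployment takes this from
# a key-management system, never from source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only as a sanity check that rejects malformed PANs."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the masking PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): usable for matching, unreadable without the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return the subset of a card record that may be persisted under PCI DSS."""
    pan = re.sub(r"\D", "", record["pan"])          # strip spaces and dashes
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("malformed PAN")
    # Drop SAD and the clear-text PAN; keep only non-sensitive business fields.
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored
```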
Maintaining Vulnerability Programs
Robust security requires constant system monitoring, malware protection through antivirus software, and prompt patching. Web applications must be scanned and protected.
Implementing Access Controls
PCI mandates strict access limits based on job function. Multi-factor authentication should supplement unique IDs and complex passwords. Default “deny all” settings provide an extra layer of protection.
Monitoring and Testing Networks
Logs must be maintained and reviewed to identify abnormalities. Both internal and external vulnerability testing, including penetration testing, is required to validate security measures.
Enforcing Security Policies
A comprehensive set of security policies must govern employee access to cardholder information, including acceptable usage, devices, and card transaction locations. Incident response plans are also mandatory.
Achieving Compliance
To accomplish PCI DSS goals, merchants must identify all system components interacting with payment card data, implement required security controls, establish access controls, complete Self-Assessment Questionnaires (SAQs) and validation, conduct scans and penetration testing, and maintain a compliant environment.
Achieving these goals requires involvement from stakeholders across the business, not just IT.
Who is Responsible for Enforcing PCI DSS Standards?
The PCI Security Standards Council (SSC) owns and manages the PCI DSS, but responsibility for compliance extends well beyond it. Multiple stakeholders must work together to enforce PCI standards:
- Payment Card Industry Security Standards Council (PCI SSC): Sets standards and manages updates.
- Credit Card Companies (Visa, Mastercard, American Express, Discover, JCB): Enforce standards, assess penalties, and validate compliance.
- Acquirers: Monitor compliance and report to card brands.
- Qualified Security Assessors (QSAs): Audit merchants and service providers.
- Approved Scanning Vendors (ASVs): Scan for vulnerabilities.
- Merchants & Service Providers: Implement controls and meet compliance requirements.
While each party plays a role, the merchant or service provider is ultimately responsible for protecting cardholder data according to PCI standards.
What It Means to “Own” PCI DSS Controls for Your Organization
To truly “own” PCI DSS controls, an organization must take full responsibility for implementing, managing, and monitoring all required data security procedures and controls. Ownership goes beyond IT to involve leadership, finance, legal, and other groups.
Required Actions for Compliance
For merchants and service providers, ownership requires:
- Performing annual risk assessments to identify vulnerabilities
- Defining the Cardholder Data Environment (CDE)
- Assembling a cross-functional security team
- Developing comprehensive data security policies and procedures
- Implementing all PCI DSS technical and operational controls
- Managing an ongoing compliance program
- Completing annual SAQs
- Contracting Approved Scanning Vendors (ASVs) for external vulnerability scans
- Scheduling onsite audits by Qualified Security Assessors (QSAs)
- Submitting the Report on Compliance (ROC) to acquirers
Providing Adequate Resources
Leadership must provide adequate resources, budget, and support for PCI DSS ownership across business units. Compliance cannot fall solely on IT.
Ongoing Monitoring and Management
Owning PCI DSS also requires ongoing monitoring and management, such as:
- Quarterly reviews of controls
- Prompt risk remediation
- Regular SAQ completion
- Annual QSA audits
- Implementing updated standards
- Periodic penetration testing
- Revising policies as threats evolve
With complete PCI DSS ownership, merchants and service providers can fully protect cardholder data, avoid fines, and reduce data breach risks.
Implementing PCI DSS Controls with ZenGRC
A GRC platform like ZenGRC provides an efficient way to build, manage, and streamline PCI DSS compliance programs.
Rather than relying on spreadsheets or manual processes, ZenGRC gives organizations a single source of truth for all compliance data. This saves time, reduces overhead for stakeholders, and helps merchants and service providers seamlessly own PCI DSS controls.
By taking a proactive approach to compliance with ZenGRC, organizations can avoid steep penalties and protect sensitive cardholder data from breaches. If you’re interested in learning more, schedule a demo today!