What is PCI compliance?
Payment card industry (PCI) compliance is shorthand for compliance with the Payment Card Industry Data Security Standard (PCI DSS), an industry standard maintained by the PCI Security Standards Council (PCI SSC) and enforced contractually by the card brands and their acquiring banks rather than by a government regulator.
PCI DSS applies to every organization that stores, processes, or transmits cardholder data for cards issued under the major card schemes (Visa, Mastercard, American Express, Discover, JCB) and sets the baseline controls for accepting, storing, processing, and transmitting that data securely.
To comply, a company first has to know where cardholder data is stored, transmitted, or processed in its systems, because anything that sits outside the documented cardholder data environment (CDE) tends to be neither protected nor audited. Sensitive data discovery software helps locate that data (including copies that have leaked into logs, backups, and spreadsheets) so it can be encrypted, tokenized, or removed before an attacker finds it.
At the top level, PCI DSS is organized as:
- 12 general requirements
- Roughly 78 base requirements beneath them; which subset applies depends on how your business handles card data
- Around 400 test procedures that an assessor uses to verify those requirements (again depending on your business and validation type)
These counts describe PCI DSS v3.2.1; later versions of the standard regroup and extend them, so treat them as an order of magnitude rather than a fixed checklist length.
PCI DSS exists to protect both customers and businesses from card data breaches. It applies to every organization that handles card data, regardless of size, and should be a cornerstone of the security program of any business that accepts cards.
The standard has been revised repeatedly to cover e-commerce and encrypted internet transactions and to keep pace with newer payment technologies and commerce models.
PCI compliance levels
Merchants are placed into one of four PCI compliance levels according to the number of card transactions they process per year; the level in turn determines how compliance must be validated. Each card brand defines its own thresholds. The ones below are the commonly cited Visa merchant levels:
- Level 1: Merchants that process over 6 million card transactions per year.
- Level 2: Merchants that process 1 to 6 million card transactions per year.
- Level 3: Merchants that process 20,000 to 1 million card transactions per year.
- Level 4: Merchants that process fewer than 20,000 card transactions per year.
Level 1 merchants validate compliance through an annual on-site assessment by a Qualified Security Assessor (QSA) or, where the card brand permits, by a PCI SSC-certified Internal Security Assessor (ISA) on the merchant's own staff. The assessor:
- Validates the scope of the assessment (which systems are in the cardholder data environment and whether network segmentation actually holds)
- Reviews technical information and documentation
- Determines whether each PCI DSS requirement is met
- Offers guidance and support during the compliance process
- Evaluates any compensating controls the merchant relies on
After a successful assessment, the assessor produces a Report on Compliance (RoC); the merchant submits it, together with a signed Attestation of Compliance (AoC), to its acquiring bank and, where required, the card brands.
Level 2 to 4 merchants can usually validate with an annual Self-Assessment Questionnaire (SAQ) instead of an on-site assessment, although some card brands require Level 2 merchants to have the SAQ completed or signed off by a QSA or ISA. Regardless of level, merchants with internet-facing systems in scope must also pass quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV).
Benefits of PCI DSS compliance
PCI DSS is a set of concrete security requirements aimed at keeping cardholder data confidential and the systems that handle it trustworthy.
Some of the benefits of being PCI DSS compliant are:
- PCI DSS forces defense in depth: network segmentation, hardened systems, access control, and monitoring all have to be in place, so a single failure does not expose card data.
- The standard is revised to address evolving threats and attack vectors, so following it keeps the cardholder data environment from drifting into known-bad configurations.
- It requires firewalls, logging, and monitoring (typically a SIEM), which gives you the telemetry to spot anomalies and investigate incidents rather than learning about a breach from your acquirer.
- It requires stored cardholder data to be rendered unreadable (truncated, tokenized, hashed, or encrypted), so a compromised database yields less to criminals and a compliant business is a less valuable target.
- Its principles focus on protecting cardholder data both at rest and in transit, and on backing policy with real technical controls, which is what actually prevents breaches.
- Demonstrable compliance builds and maintains the trust of customers and acquirers.
- Because PCI DSS is an industry-recognized standard, aligning with it gives you a widely accepted baseline for how cardholder data should be stored, processed, and transmitted, and evidence you can show partners and auditors.
PCI compliance requirements
The 12 PCI DSS requirements, grouped below, describe what has to be in place to protect cardholder data from unauthorized access.
1. Protect the cardholder data environment with firewalls
Steps you can take to protect your network:
- Configure firewalls to separate the cardholder data environment from the rest of the network and from the internet, allowing only the traffic the business actually needs and denying everything else by default.
- Use network (hardware) firewalls at the perimeter and between segments, and host-based firewalls on systems in the CDE, including laptops that connect from outside the office.
- Write rules for both inbound and outbound traffic. If an attacker gains a foothold, restrictive outbound rules make it much harder to exfiltrate stolen data or reach a command-and-control server.
- Review firewall and router rule sets at least every six months, and keep a current network diagram and cardholder data flow diagram so that scope decisions are based on reality rather than on the last audit.
2. Do not use vendor-supplied defaults for passwords and other security parameters
To comply with the second requirement of PCI DSS:
- Change every vendor-supplied default (passwords, SNMP community strings, default accounts, wireless keys) before a system enters the CDE, and apply a documented system hardening standard backed by configuration management.
- Remove unnecessary services, protocols, and accounts, implement only one primary function per server where practical, and base the hardening standard on an accepted source such as CIS Benchmarks or vendor hardening guides. Track the vulnerabilities that remain, remediate them, and report on them.
- Use configuration management or system management software to monitor, scan, and enforce the hardening standard across devices rather than relying on manual checks.
- Verify that the hardening standard is applied whenever new devices and applications are introduced into the environment, not only at the initial build.
3. Protect stored cardholder data against unauthorized access
Adopt the following measures to protect stored cardholder data:
- Store as little as possible: keep the primary account number (PAN) only where a documented business need requires it, set a retention period, and purge data past it at least quarterly.
- Never store sensitive authentication data after authorization, even encrypted: full track data, the card verification code (CVV2/CVC2/CID), and PIN blocks.
- Render the PAN unreadable wherever it is stored, using one of the methods the standard accepts: truncation, a one-way keyed hash of the full PAN, index tokens with securely stored pads, or strong encryption (for example AES-256) with documented key management. When the PAN is displayed, mask it to at most the first six and last four digits.
- Create and document the cardholder data (CHD) flow diagram, a graphical representation of how card data moves through the organization; it is what defines the scope of everything else.
- Use a sensitive data discovery tool to find PANs that have leaked outside the CDE (application logs, backups, spreadsheets, support tickets) and encrypt, truncate, or delete them.
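The two pieces of requirement 3 that are easiest to get wrong in practice are finding PANs where they should not be and rendering them unreadable once found. The following is an added example, not code from the original article or from any PCI SSC publication: it scans text for Luhn-valid card numbers, masks them to first six/last four, and computes a keyed hash (HMAC-SHA-256) that can serve as a lookup index without storing the PAN. The sample log lines and the HMAC key are constructed for the example; the card numbers are the public test numbers for Visa, Mastercard and Amex, and in a real deployment the key would come from your key management system.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. The pattern over-matches on purpose; the Luhn check
# below throws out most of the noise (order numbers, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check digit used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the distinct Luhn-valid card numbers in text, separators removed."""
    found: list[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_lookup_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the full PAN, usable as a lookup index.

    An unkeyed SHA-256 of a 16-digit PAN is trivially brute-forced (the issuer
    prefix and the Luhn digit leave well under 10^10 candidates); the secret key,
    managed like an encryption key, is what makes the hash 'rendered unreadable'.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def remediate(text: str, key: bytes) -> tuple[str, list[dict]]:
    """Replace every PAN in text with its masked form; return (clean_text, findings)."""
    findings = []
    for pan in find_pans(text):
        findings.append({"masked": mask_pan(pan), "index": pan_lookup_hash(pan, key)})
        # Match both the bare and the space/dash-separated spellings of this PAN.
        spelled = re.compile(r"(?<!\d)" + r"[ -]?".join(pan) + r"(?!\d)")
        text = spelled.sub(mask_pan(pan), text)
    return text, findings


# Constructed sample input: an application log and a support note that should
# never have contained PANs. 1234567890123456 fails Luhn and must not be flagged.
SAMPLE_TEXT = """\
2024-05-02T10:14:07Z checkout card=4111-1111-1111-1111 exp=12/26 amount=19.99
2024-05-02T10:14:09Z checkout card=5500 0000 0000 0004 amount=120.00
2024-05-02T10:15:01Z order_id=1234567890123456 status=shipped
support note: amex 378282246310005 declined, customer phone 555-0100
"""

if __name__ == "__main__":
    # Hypothetical key; in production this comes from an HSM or KMS, never from source.
    clean, findings = remediate(SAMPLE_TEXT, key=b"hypothetical-hmac-key-from-your-kms")
    for f in findings:
        print(f["masked"], f["index"][:16] + "...")
    print(clean)
```

Run over real data, expect false positives from the regex alone; the Luhn check removes roughly 90% of random digit runs, which is why the scanner applies it rather than reporting every 16-digit number. Anything it finds outside the CDE either brings that system into scope or has to be cleaned up as shown.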
4. Encrypt transmission of cardholder data across open, public networks
Consider the following to protect cardholder data in transit over open or public networks:
- Identify how and where cardholder data is transmitted (payment gateway calls, terminal-to-host links, service provider APIs, internal replication that crosses untrusted networks) and keep an inventory of every such path.
- Migrate off SSL and early TLS (TLS 1.0, and in practice 1.1) to TLS 1.2 or later. PCI SSC stopped accepting SSL and early TLS as strong cryptography in June 2018, so a service that still negotiates them fails this requirement.
- Use only trusted keys and certificates: clients must validate the server certificate chain against a trusted CA and reject hostname mismatches, rather than disabling verification to make an integration "work".
- Check that gateways, terminal providers, service providers, and banks you connect to negotiate current protocol versions and cipher suites for transactional applications.
- Never send PANs over end-user messaging technologies (email, chat, SMS) unless they are protected with strong cryptography.
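The failure mode here is rarely an absent TLS library; it is application code that disables verification or accepts any protocol version. As an added example (not from the original article), the block below shows a weak client configuration beside a hardened one using Python's standard ssl module, plus a small audit function that reports which requirement-4 properties a context violates. The cipher string and the audit rules are this example's own choices.

```python
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context that 'just works' against an old gateway and fails
    requirement 4: no certificate validation, no hostname check, any version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    # Accept whatever the OpenSSL build supports, down to SSLv3/TLS 1.0 where compiled in.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, chain and hostname verified, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # rules out CRIME-style compression attacks
    # Excludes RC4, 3DES, MD5, NULL ciphers and static RSA key exchange (TLS 1.2 list;
    # TLS 1.3 suites are governed separately and are all AEAD).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the requirement-4 problems with a client context (empty list means ok)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits SSL or early TLS (minimum version below 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a trusted server certificate")
    if not ctx.check_hostname:
        findings.append("does not verify the server hostname against the certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(bad in c["name"] for bad in ("RC4", "3DES", "DES-CBC3", "MD5", "NULL")))
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
```

The same three checks (minimum version, certificate validation, hostname verification) are what you should ask of every gateway and service-provider connection in the inventory from the first bullet; a quick way to test a remote endpoint is to attempt a handshake with a context whose maximum_version is TLS 1.0 and confirm it is refused.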
5. Use and regularly update anti-malware software
Adopt the following measures to comply with the fifth PCI DSS requirement:
- Deploy anti-malware software on all systems commonly affected by malware, above all those in the CDE, and keep it running with current signatures and engine updates.
- Make sure the software cannot be disabled or altered by users without management authorization, and that it generates audit logs that are retained like any other log.
- Track emerging malware families and the ways they reach card-handling systems (phishing, removable media, compromised point-of-sale software) and reassess periodically whether systems you considered "not commonly affected" still are.
- Configure alerting so that detections in the cardholder data environment reach someone who will act on them, not only a console nobody watches.
- Run periodic scans in addition to real-time protection, and keep evidence that they ran.
6. Develop and maintain secure systems and applications
Practice the following to develop and maintain secure systems and applications:
- Establish a process to learn about new vulnerabilities (vendor advisories, CVE feeds) and rank them by risk to your environment, so patching priority is deliberate rather than reactive.
- Install the latest security patches on applications and systems that are part of the card data flow, using the vendor's releases rather than unofficial workarounds.
- Install critical security patches within one month of release; that is the outer limit the standard allows for compliance, not a target.
- Be proactive in patch management: test and roll out patches as soon as they are released, and track systems that cannot be patched so that compensating controls can be documented.
- For software you develop, follow secure coding practices (input validation, parameterized queries, output encoding, safe error handling), keep development and test environments separate from production, use formal change control, and give public-facing web applications either an annual application security assessment or a web application firewall in front of them.
7. Restrict access to cardholder data by business need to know
Consider the following to restrict access to cardholder data:
- Enforce strict access control through role-based access control (RBAC), with a default of deny-all and access to cardholder data granted only to roles that need it for their job.
- Do not create group or shared accounts. When several people act through one account, you cannot attribute a breach, a query, or a configuration change to an individual.
8. Identify and authenticate access to system components
Take the following steps to comply with the eighth requirement of PCI DSS:
- Assign a unique ID to every user with computer access, including administrators, vendors, and contractors, and never allow credentials to be shared.
- Enforce credential hygiene and lockout: lock an account after at most six failed attempts for at least 30 minutes, time out idle sessions after 15 minutes, and store passwords only with strong cryptography (a salted, iterated hash).
- Require multi-factor authentication (MFA) for all non-console administrative access to the CDE and for all remote access into the network, so that a stolen password alone is not enough.
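Put together, the bullets above describe a login flow: one ID per person, a salted iterated password hash as the first factor, a time-based one-time code (TOTP, as used by authenticator apps) as the second, and lockout after six failures for 30 minutes. The block below is an added example implementing that flow with the Python standard library; it is not code from the original article. The six-attempt and 30-minute values are the PCI DSS limits; the PBKDF2 parameters, storage layout, and the TOTP test secret (the RFC 6238 reference secret) are this example's own choices.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def totp_matches(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew, skew + 1))


class Authenticator:
    """Per-person accounts with a password (first factor) and TOTP (second factor).

    MAX_FAILURES and LOCKOUT_SECONDS follow PCI DSS requirement 8 (lock after at most
    six failed attempts, for at least 30 minutes). PBKDF2 rounds and the in-memory
    storage are this example's choices, not something the standard prescribes.
    """
    MAX_FAILURES = 6
    LOCKOUT_SECONDS = 30 * 60
    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    @classmethod
    def _hash_password(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.PBKDF2_ROUNDS)

    def add_user(self, user_id: str, password: str, totp_secret: bytes) -> None:
        if user_id in self._users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs are never shared")
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "totp_secret": totp_secret,
            "failures": 0,
            "locked_until": 0,
        }

    def login(self, user_id: str, password: str, code: str, now: int) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown IDs get 'denied' (no enumeration)."""
        user = self._users.get(user_id)
        if user is None:
            return "denied"
        if now < user["locked_until"]:
            return "locked"
        # Evaluate both factors before deciding, so a wrong password and a wrong
        # code take the same path and the response does not reveal which one failed.
        pw_ok = hmac.compare_digest(self._hash_password(password, user["salt"]), user["pw_hash"])
        otp_ok = totp_matches(user["totp_secret"], code, now)
        if pw_ok and otp_ok:
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= self.MAX_FAILURES:
            user["locked_until"] = now + self.LOCKOUT_SECONDS
            user["failures"] = 0
        return "denied"


if __name__ == "__main__":
    # RFC 6238 reference secret, used here only so the codes are checkable against the RFC.
    secret = b"12345678901234567890"
    auth = Authenticator()
    auth.add_user("jdoe", "correct horse battery staple", secret)
    now = 1111111109                       # RFC 6238 test time; code is 081804
    print(auth.login("jdoe", "correct horse battery staple", totp(secret, now), now))
```

Two things worth noticing: the lockout counter resets only on a successful login, and the lock applies even when the seventh attempt carries correct credentials, which is exactly the behaviour an assessor will try to provoke. In a real system the user records live in a directory or database, the TOTP secret is stored encrypted, and every outcome (including lockouts) is written to the audit trail required by requirement 10.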
9. Restrict physical access to cardholder data
Important things to consider to comply with the ninth requirement of PCI DSS:
- Limit physical entry to areas where cardholder data is stored or processed (data centers, server rooms, back offices with POS controllers) to the employees who need it.
- Keep an inventory of authorized users and of payment devices: for each device record its location, who may use it, where it must not be taken, what it can access, and when and why it is used. Inspect devices periodically for tampering or substitution.
- Distinguish employees from visitors (badges), log visitor access, and monitor entry to sensitive areas with cameras or access control whose records are kept for at least three months.
- When an employee leaves, revoke logical access and disable or collect physical access mechanisms such as keys and access cards the same day.
10. Track and monitor all access to network resources and cardholder data
Crucial points to consider while tracking and monitoring access to network resources and cardholder data:
- Implement and maintain audit logging on every system in the CDE that records, at minimum, all individual access to cardholder data, all actions by administrative accounts, authentication failures and successes, changes to accounts, and any initialization, stopping, or clearing of the audit logs themselves.
- Review the logs at least once a day (automated correlation counts) to identify patterns and behaviour that departs from expected trends, and follow up on exceptions.
- Use a security information and event management (SIEM) solution to centralize collection, protect logs from alteration, and run detection rules over them.
- Synchronize clocks with a trusted time source (NTP) so events from different systems can be correlated, and retain logs for at least one year with the most recent three months immediately available.
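Daily log review only works if something in the pipeline turns raw events into findings. As an added example, not part of the original article, the block below parses constructed key=value audit events and runs three detection rules against them: a burst of failed logins against one user ID, activity by a shared or generic account on a CDE host (which cannot be attributed to a person, the point of requirements 7 and 8), and clearing or stopping of the audit trail. The log format, host names, thresholds, and events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: key=value audit events from two hosts, pos-db-01 being in
# the cardholder data environment (CDE). Timestamps are UTC.
SAMPLE_LOG = """\
2024-05-02T10:14:07Z host=pos-db-01 user=jdoe event=login result=fail src=10.0.5.23
2024-05-02T10:14:09Z host=pos-db-01 user=jdoe event=login result=fail src=10.0.5.23
2024-05-02T10:14:12Z host=pos-db-01 user=jdoe event=login result=fail src=10.0.5.23
2024-05-02T10:14:15Z host=pos-db-01 user=jdoe event=login result=fail src=10.0.5.23
2024-05-02T10:14:20Z host=pos-db-01 user=jdoe event=login result=fail src=10.0.5.23
2024-05-02T10:14:26Z host=pos-db-01 user=jdoe event=login result=success src=10.0.5.23
2024-05-02T10:20:01Z host=intranet-01 user=asmith event=login result=success src=10.0.7.8
2024-05-02T10:31:44Z host=pos-db-01 user=root event=login result=success src=10.0.5.40
2024-05-02T10:32:10Z host=pos-db-01 user=root event=read table=card_vault rows=50000
2024-05-02T10:33:02Z host=pos-db-01 user=mallory event=audit_clear result=success
2024-05-02T11:02:55Z host=intranet-01 user=bwong event=login result=fail src=10.0.7.9
"""

CDE_HOSTS = {"pos-db-01"}                                   # from the CHD flow diagram
SHARED_ACCOUNTS = {"root", "admin", "administrator", "sa"}  # accounts that name no person
FAIL_THRESHOLD = 5                                          # rule tuning, not a PCI number
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {k: v for k, v in (p.split("=", 1) for p in pairs)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect(events: list[dict]) -> list[dict]:
    """Run the three rules over events in order; return one alert dict per finding."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failed logins in window
    burst_reported = set()
    for e in events:
        user, host, ts = e.get("user"), e.get("host"), e["ts"]

        # Rule 1: repeated failed logins against a single user ID (brute force or
        # credential stuffing). Reported once per user so the queue does not spam.
        if e.get("event") == "login" and e.get("result") == "fail":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and user not in burst_reported:
                burst_reported.add(user)
                alerts.append({"rule": "failed_login_burst", "user": user, "host": host,
                               "ts": ts, "count": len(q)})

        # Rule 2: a shared/generic account active on a CDE system. Every such event
        # is reported because none of them can be attributed to an individual.
        if host in CDE_HOSTS and user in SHARED_ACCOUNTS:
            alerts.append({"rule": "shared_account_in_cde", "user": user, "host": host,
                           "ts": ts, "event": e.get("event")})

        # Rule 3: audit trail tampering, a required log event and an obvious red flag.
        if e.get("event") in {"audit_clear", "audit_stop"}:
            alerts.append({"rule": "audit_log_tampering", "user": user, "host": host, "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["rule"], a["user"], a["host"])
```

Note what the sample shows beyond the four alerts: the successful jdoe login right after five failures is the event a reviewer should open first, and the root read of 50,000 rows from card_vault is visible only because rule 2 reports every action by a generic account rather than just its login. In a SIEM these rules would be correlation searches with the same logic.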
11. Regularly test security systems and processes
Follow the practices below to comply with the eleventh requirement of PCI DSS:
- Run internal vulnerability scans at least quarterly and after any significant change, and rescan until high-risk findings are resolved, so you can show that weaknesses were actually patched rather than merely found.
- Run external vulnerability scans at least quarterly against every internet-facing IP address and domain in scope, using a PCI SSC Approved Scanning Vendor (ASV); a passing ASV scan has no finding rated CVSS 4.0 or higher.
- Perform network- and application-layer penetration tests at least annually and after significant infrastructure or application changes, and test segmentation controls at least annually (every six months for service providers) to confirm that the boundary around the CDE actually holds. Use the findings to fix root causes, not just the individual vulnerabilities the tester happened to exploit.
- Deploy intrusion detection or prevention at the perimeter of and at critical points inside the CDE, and run file integrity monitoring on critical system and content files with at least weekly comparisons.
12. Maintain an information security policy
Adopt the following practices to comply with the final requirement of PCI DSS:
- Document all policies, procedures, and evidence associated with the organization's information security practices, review the policy at least annually, and make sure staff know the parts that apply to them through regular security awareness training.
- Perform a formal risk assessment at least annually and after significant changes to identify critical assets, threats, vulnerabilities, and the resulting risks.
- Maintain an incident response plan that is tested at least annually, and keep a list of service providers that handle cardholder data on your behalf together with evidence of their own PCI DSS compliance.

Sagar Joshi
Sagar Joshi is a former content marketing specialist at G2 in India. He is an engineer with a keen interest in data analytics and cybersecurity. He writes about topics related to them. You can find him reading books, learning a new language, or playing pool in his free time.