The Payment Card Industry Data Security Standard (PCI DSS) is the most widely applicable PCI compliance framework that protects the security of card payment transactions. The PCI DSS stipulates requirements for protecting sensitive card payment data through storage, processing, or transmission activities. Nearly all organizations that conduct these activities must comply with the PCI DSS framework. Read on for a comprehensive walkthrough of the PCI DSS.
Essential Components of the PCI Compliance Framework
PCI compliance frameworks such as the DSS help minimize risks to sensitive card payment data, such as cardholder data (CHD) and sensitive authentication data (SAD). In addition, compliance with the PCI DSS includes best practices organizations can adopt to secure card payments and broader IT infrastructure, reducing the likelihood of cyberattacks.
Critical components of the PCI DSS compliance process include:
- Implementing and maintaining PCI DSS Requirements
- Reporting on PCI compliance
- Enforcement of PCI compliance
Partnering with an experienced PCI DSS framework compliance expert and managed security services provider (MSSP) will help your organization achieve and execute these components.
What are the PCI DSS Requirements?
The DSS is a comprehensive PCI compliance framework comprising 12 Requirements, grouped into six goals that include:
- Network and system security
- Cardholder data protection
- Vulnerability management
- Access control
- Network monitoring and testing
- Security policy implementation
The PCI compliance framework requirements provide guidelines for your organization to establish a secure infrastructure for processing card payment transactions.
Requirement 1: Secure Firewall Configurations for Cardholder Data
The PCI DSS framework requires organizations to implement firewall security to protect CHD against network breaches.
Firewall security practices include:
- Securing firewall and router configuration standards
- Restricting connections between untrusted networks and system components in CHD environments
- Preventing direct public access from the Internet to CHD environments
- Installing firewalls on any personal-use devices with access to CHD environments to prevent intrusion from Internet traffic
- Documenting security policies for managing firewalls
Secured firewall configurations are critical to preventing the intrusion of malicious traffic into CHD environments.
Requirement 2: Avoid Using Vendor Defaults for Security Parameters
PCI DSS Requirement 2 mandates that organizations must not use vendor-supplied default passwords and security parameters.
Specific PCI-compliant access control parameters include:
- Changing vendor-supplied default passwords and configurations as soon as possible
- Meeting industry-accepted c
- r protecting CHD, ensuring policy documentation
Protecting any CHD stored on networks (cloud or otherwise) helps minimize breach risks.
Requirement 4: Encrypting CHD Transmission
The PCI compliance framework stipulations for encrypted transmission of CHD include:
- Using strong cryptography to protect the transmission of CHD over open, public networks
- Avoiding the use of end-user messaging applications for sending unprotected PANs
- Implementing security policies and procedures for encrypted CHD transmission, documenting policies for all affected parties
Protecting CHD during transmission across organizations minimizes exposure risks.
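As an added illustration of the bullet above on keeping unprotected PANs out of end-user messaging, here is a small outbound-message check written for this walkthrough (it is example code, not from RSI Security or the PCI SSC). It finds candidate card numbers in free text, validates them with the Luhn mod-10 check that real PANs pass, masks them so the alert itself never carries a full PAN, and returns a block/allow decision. The candidate regex, the 13-19 digit length window, and the sample messages are assumptions constructed for the example; 4111 1111 1111 1111 is a widely used test number that passes Luhn.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes (constructed pattern)
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the alert itself never carries a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Masked PANs in free text: a candidate must be 13-19 digits once separators are removed and pass Luhn."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def check_outbound_message(text: str) -> dict:
    """Policy decision for a message leaving via chat or e-mail: block when an unprotected PAN is present."""
    pans = find_pans(text)
    return {"allowed": not pans, "pans": pans}


if __name__ == "__main__":
    # Constructed sample messages for the demo
    samples = [
        "Customer says card 4111 1111 1111 1111 expires 12/26, can you re-run it?",
        "Order 1234567890123 shipped this morning.",
    ]
    for msg in samples:
        print(check_outbound_message(msg))
```

The Luhn step matters: plain digit-run matching would flag order numbers and phone numbers, while a 13-19 digit run that also passes Luhn is a strong enough signal to block the message and raise a ticket. In a real deployment the check sits in the messaging gateway or DLP hook, and only the masked form ever reaches the alert log.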
Requirement 5: Protecting Systems Against Malware
The PCI compliance framework stipulates guidelines for anti-virus and malware protection, mandating organizations to:
- Install anti-virus software on all systems at risk for malicious software threats
- Verify that anti-virus programs are capable of robust detection, removal, and protection against malicious software
- Maintain updated anti-virus programs
- Ensure that anti-virus programs are consistently active
- Establish security policies for minimizing malware threats
Robust malware protections will help minimize threats to critical card payment processing software and data storage environments.
Requirement 6: Securing Systems and Applications
Organizations must secure systems and applications used in card payment processing via best practices, including:
- Establishing assessment processes for security vulnerabilities based on:
  - Reputable outside sources (e.g., the National Institute of Standards and Technology’s (NIST) Common Vulnerability Scoring System (CVSS))
  - Assigned risk rankings (e.g., low, medium, or high)
- Protecting systems and software from known vulnerabilities using vendor-supplied security patches
- Securely developing internal and external software applications
- Implementing change control processes and procedures for any changes to systems within CHD environments
- Identifying and remediating common coding vulnerabilities during software development
- Addressing new threats in public-facing web applications as they emerge
- Maintaining and documenting policies for securing systems and applications
Assessment and remediation of system and application vulnerabilities will help your organization comply with PCI secure software framework requirements.
Requirement 7: Restricting Access to CHD by Business Need
PCI compliance framework provisions for restricting access to CHD by business need include:
- Limiting access to CHD and system components to users whose roles require access
- Implementing access control systems to restrict access to CHD on a need-to-know basis, denying access to all users except when allowed
- Documentation of security policies concerning access to CHD
Defining access to CHD on a need-to-know basis helps prevent malicious exposure of CHD to external unsecured environments.
Requirement 8: Identifying and Authenticating Access to Systems
Organizations can control access to sensitive PCI data by assigning unique IDs to anyone with computer access and then monitoring the activity associated with them. Monitored activity should cover both authentication (i.e., identity verification at login) and authorizations (i.e., the access rights granted to a given user).
Specific PCI DSS framework identification and authentication measures include:
- Defining and implementing policies for user identification management for all users with access to system components
- Managing proper user authentication protocols for non-consumer users and administrators accessing system components
- Securing administrative and remote access to CHD environments using multi-factor authentication
- Documenting and communicating policies for user authentication to all users
- Avoiding the use of group, shared, or generic IDs, passwords, and authentication methods
- Use of other authentication methods (e.g., security tokens, smart cards, certificates) must be:
  - Assigned to individual and not shared accounts
  - Securely controlled to prevent unassigned users from gaining access
- Access to databases containing CHD is restricted to:
  - Use of programmatic methods for all user actions (e.g., access, queries)
  - Specified user privileges for direct access or queries (i.e., administrators)
  - Use of application IDs to perform actions only within database applications
- Documentation and dissemination of security policies for identification and authentication
Defining access control to sensitive data is critical to detecting, monitoring, and addressing suspicious network activity.
Requirement 9: Restricting Physical Access to CHD
PCI compliance framework guidelines for physical protection of CHD include:
- Establishing facility entry controls for physical CHD environments
- Developing procedures for easy identification of onsite personnel and visitors
- Controlling access of onsite personnel to physical CHD environments
- Identifying and authorizing visitors with potential access to CHD environments
- Physically securing media storage
- Strict controls of media storage distribution
- Setting up controls for the storage and accessibility of media
- Destroying media storage when not needed for business or legal reasons
- Protecting devices used to process CHD and SAD
- Documenting policies for the physical security of CHD
Minimizing the risk of unauthorized physical access to sensitive data storage can help protect your organization against attacks.
Requirement 10: Tracking and Monitoring Access to Networks and CHD
The PCI DSS framework mandates for protecting networks and the CHD contained therein include:
- Linking all access to system components to individual users
- Implementing audit processes for actions involving access to system components
- Recording audit trails for events within system components
- Time-synchronizing critical system timekeeping methods
- Securing audit trails against alteration
- Reviewing logs of security events to identify suspicious activity within system components
- Retaining audit trail history for at least one year, ensuring a minimum of three months immediately available for analysis
- Requiring service providers to implement processes for timely detection and reporting of critical system failures
- Documenting and disseminating security policies for monitoring access to networks and CHD environments
Limiting unauthorized access to networks containing CHD can help prevent data breaches.
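Two of the Requirement 10 bullets above, securing audit trails against alteration and retaining them for at least one year with three months immediately available, can be made concrete in code. The following is an added example written for this walkthrough, not code from RSI Security or the PCI SSC: each audit record commits to the SHA-256 of the record before it, so editing or deleting a line breaks every later link, and a small helper classifies a record's age against the one-year / three-month rule. The event fields, the UTC timestamps, and the tier names are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                # anchor for the first record
HOT_DAYS = 90                     # three months immediately available for analysis
MIN_RETENTION_DAYS = 365          # one year minimum retention


def _record_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash plus the canonical JSON form of the event."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def chain_entries(entries: list) -> list:
    """Wrap raw audit events in a hash chain; each record commits to the one before it."""
    records, prev = [], GENESIS
    for entry in entries:
        digest = _record_hash(prev, entry)
        records.append({"entry": entry, "prev_hash": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records: list) -> tuple:
    """(True, None) if every link checks out, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or _record_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def retention_tier(event_time: datetime, now: datetime) -> str:
    """Where an event's record must live under the one-year / three-month rule."""
    age = now - event_time
    if age <= timedelta(days=HOT_DAYS):
        return "hot"            # must be immediately available for analysis
    if age <= timedelta(days=MIN_RETENTION_DAYS):
        return "archive"        # must still be retained, may be offline
    return "past-minimum"       # beyond the one-year floor; local policy decides


if __name__ == "__main__":
    # Constructed audit events; timestamps are UTC, since Requirement 10 asks for synchronized clocks
    events = [
        {"ts": "2024-03-01T09:00:00Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
        {"ts": "2024-03-01T09:02:10Z", "user": "alice", "action": "query", "table": "cards"},
        {"ts": "2024-03-01T09:05:00Z", "user": "bob", "action": "login", "src": "10.0.0.9"},
    ]
    records = chain_entries(events)
    print("intact:", verify_chain(records))
    records[1]["entry"]["user"] = "bob"          # simulate an after-the-fact edit of one line
    print("after tamper:", verify_chain(records))
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for days in (10, 200, 400):
        print(days, "days old ->", retention_tier(now - timedelta(days=days), now))
```

A hash chain alone only makes tampering detectable, not impossible: whoever can rewrite the log file can recompute the chain. The usual pairing is to ship the latest hash (or the records themselves) to a separate, write-once log store that the monitored hosts cannot modify, and to run the verifier from there during the log reviews the requirement calls for.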
Requirement 11: Regular Testing of Security Systems and Processes
Organizations must also implement testing procedures to identify vulnerabilities in security systems.
Requirements for PCI compliance framework testing include:
- Testing to identify and detect all wireless access points, authorized or not
- Scanning internal and external networks for vulnerabilities at least quarterly and after any changes to the CHD environment
- Implementing a penetration testing methodology
- Preventing network intrusions via intrusion detection/prevention techniques
- Deploying mechanisms for timely detection of changes to CHD environments, notifying appropriate security personnel of modifications
- Documenting and disseminating organization-wide policies for security testing
Your organization can strengthen sensitive data security by timely identification and remediation of security system vulnerabilities.
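The Requirement 11 bullet on timely detection of changes to CHD environments is usually met with a change-detection (file integrity monitoring) mechanism. Below is an added example written for this walkthrough, not code from RSI Security or the PCI SSC: it records a baseline of file hashes, compares a later snapshot against it, and produces the lines that would go to security personnel. The file names, contents, and the "weakened setting" scenario are assumptions constructed for the demo; `snapshot_dir` is the piece that would run against a real host, while `snapshot_contents` exists so the example runs offline.

```python
import hashlib
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root) -> dict:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def snapshot_contents(files: dict) -> dict:
    """Same shape as snapshot_dir for an in-memory {path: bytes} map (used for the constructed sample)."""
    return {path: _sha256(data) for path, data in files.items()}


def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; each list is sorted so the report is stable across runs."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def alert_lines(changes: dict) -> list:
    """Lines for the notification to security personnel; an empty list means nothing changed."""
    return [f"{kind.upper()}: {path}"
            for kind in ("added", "removed", "modified")
            for path in changes[kind]]


if __name__ == "__main__":
    # Constructed stand-in for a monitored host in the CHD environment; real use would call snapshot_dir()
    baseline_files = {
        "etc/payment-gateway.conf": b"tls_min_version=1.2\n",
        "bin/pos-service": b"\x7fELF-constructed-binary-v1",
        "etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    }
    current_files = dict(baseline_files)
    current_files["etc/payment-gateway.conf"] = b"tls_min_version=1.0\n"   # weakened setting
    current_files["bin/unexpected-tool"] = b"\x7fELF-constructed-binary"   # new executable appeared
    del current_files["etc/ssh/sshd_config"]                               # hardening file gone

    changes = detect_changes(snapshot_contents(baseline_files), snapshot_contents(current_files))
    for line in alert_lines(changes) or ["no changes detected"]:
        print(line)
```

Two operational points follow from the requirement's wording: the baseline must be stored where the monitored host cannot rewrite it (otherwise a change to both file and baseline goes unnoticed), and the comparison has to run on a schedule short enough that "timely" is met and feed a channel someone actually reads, which is the notification the bullet calls for. Authorized changes should be reconciled against the Requirement 6 change-control records so that the alert queue stays actionable.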
Requirement 12: Maintaining an Organization-Wide Security Policy
Implementing PCI compliance framework requirements is more feasible when your organization has an established security policy.
Specific PCI DSS security policy guidelines include:
- Establishing, publishing, and disseminating a security policy
- Implementing risk assessment processes
- Defining a policy for the use of critical technologies
- Ensuring defined security responsibilities for all personnel
- Assigning information security management responsibilities to individuals or teams
- Security awareness programs to support workforce adherence to security policies
- Screening of potential hires to minimize internal risk threats
- Managing the sharing of CHD with third-party vendors
- Ensuring service providers understand defined scopes of PCI DSS security
- Incident response planning for system breaches, should they occur
- Requiring service providers to review their systems at least quarterly to confirm adherence to security policies
Well-defined security policies will help your organization protect the sensitivity of CHD and SAD, especially with the help of a security program advisor.
Reporting on Compliance to the PCI DSS Framework
PCI compliance framework guidelines mandate organizations to report on their PCI compliance efforts annually. Reporting on compliance is based on organization-specific PCI Levels, determined by specific SSC Members (i.e., Visa, Mastercard, American Express, JCB International, and Discover).
There are currently three types of reports used for PCI compliance framework reporting.
Self-Assessment Questionnaire (SAQ)
All organizations (except those required to submit a Report on Compliance (ROC)) must fill out the SAQ, which involves answering a series of yes or no questions. Depending on your organization’s PCI Level, you might need to submit just the SAQ or an Attestation of Compliance (AOC) along with it.
Organizations are required to determine the appropriate version of SAQ to fill out, depending on:
- Type of organization reporting on compliance
- Technologies used to collect and process CHD
- Level of outsourcing of card payment transactions
Filling out an SAQ helps verify that your organization meets the PCI DSS framework requirements.
Report on Compliance (ROC)
Some organizations are required to submit a ROC to demonstrate compliance with the PCI DSS framework. A Qualified Security Assessor (QSA) helps complete the ROC, verifying the organization’s PCI compliance efforts. QSAs must also be certified by the PCI SSC.
ROCs are the most thorough compliance audit necessary for PCI DSS reporting and apply to the organizations that manage the highest transaction volumes.
Some of the critical roles of a QSA in helping organizations report on compliance include:
- Validate scopes of CHD environments
- Identify gaps in PCI compliance
- Evaluate PCI compensating controls
- Conduct compliance reassessment, if needed
Working with an experienced QSA will help your organization assess PCI DSS framework compliance.
Attestation of Compliance (AOC)
Once organizations have assessed their compliance internally (via SAQ) or externally (via ROC), the next step is to verify compliance assessment with an AOC.
AOCs are completed by a QSA to verify that you have met PCI DSS compliance requirements.
Reporting PCI compliance annually is critical to avoiding non-compliance fines and penalties. Assessment of PCI compliance by a QSA can also help identify gaps in securing CHD during card payment activities.
Enforcement of PCI Compliance
The Founding Members of the SSC are responsible for enforcing compliance with the PCI DSS framework. Enforcement penalties for PCI noncompliance are costly and can range anywhere from $5K to $100K monthly, depending on PCI level.
Compliance with the PCI DSS framework will help your organization prevent sensitive data breaches, which can have significant legal, financial, and reputational consequences. Implementing PCI compliance framework requirements also communicates your organization’s commitment to protecting sensitive data from cybersecurity threats.
Implement a PCI Compliance Strategy
Your organization can minimize risks to CHD and adhere to the DSS by implementing the PCI compliance framework Requirements. With the help of an experienced PCI compliance partner, you can define organization-specific measures and policies to protect sensitive data.
As a PCI compliance expert, QSA, Approved Scanning Vendor (ASV), and overall cybersecurity expert, RSI Security helps your organization manage all of its CHD protections and reporting.
Contact RSI Security today to learn more.