Companies that process card payments and other electronic transactions expose themselves to cybercrime risks. Attackers target card data for direct theft and fraud, and payment processors themselves can fall victim to cyberattacks. To mitigate these risks, the Payment Card Industry Security Standards Council (PCI SSC) has defined numerous controls across several security standards to keep companies and consumers safe. This raises the question: how many PCI controls are there, and what are PCI controls in the first place?
How Many PCI Controls are There?
The SSC has developed controls to protect most forms of electronic payment, with or without a physical card. While the PCI DSS applies to most companies, its controls are far from the only ones to keep on your radar. The controls evolve continually to keep pace with changing technologies and attackers’ ability to compromise them.
In the sections that follow, we’ll enumerate all the major PCI controls, including:
- The main PCI DSS controls, along with the closely related PA DSS controls
- Alternative, non-DSS controls, including P2PE and PTS (HSM and POI)
Not sure what all these abbreviations mean? We’ll also provide an overview that contextualizes each framework. Let’s dive in.
The Main PCI DSS Controls
For most companies, there are 12 main PCI controls to implement. These 12 requirements, spread across six groups, make up the core of PCI DSS v3.2.1, released in May 2018:
- Build and maintain a secure network and systems – Including two requirements:
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data – Including two requirements:
- 3. Protect stored cardholder data (in databases, file systems, logs, backups, etc.)
- 4. Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program – Including two requirements:
- 5. Protect all systems against malware and regularly update anti-virus software
- 6. Develop and maintain secure systems and applications
- Implement strong access control measures – Including three requirements:
- 7. Restrict access to cardholder data by business need to know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data
- Regularly monitor and test networks – Including two requirements:
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
- Maintain an information security policy – Including one requirement:
- 12. Maintain a policy that addresses information security for all personnel
These controls apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. They also apply to any other company that stores, processes, or transmits cardholder data or sensitive authentication data.
Additional PA DSS Controls
The other set of widely applicable PCI controls comprises the 14 requirements of the Payment Application DSS (PA-DSS) v3.2, published in May 2016:
- 1. Do not retain full track data, card verification codes or values, or PIN block data.
- 2. Protect stored cardholder data with encryption and other security measures.
- 3. Provide secure authentication features to restrict access to cardholder data.
- 4. Log payment application activity so that use and behavior can be monitored and analyzed.
- 5. Develop secure payment applications to protect cardholders and users.
- 6. Protect wireless transmissions of cardholder data, especially over open networks.
- 7. Test payment applications to address vulnerabilities, and maintain timely application updates.
- 8. Facilitate secure network implementation for cardholder data processing.
- 9. Never store cardholder data on a server connected to the internet.
- 10. Facilitate secure remote access to the payment application.
- 11. Encrypt sensitive traffic over public networks.
- 12. Encrypt all non-console administrative access.
- 13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators.
- 14. Assign PA-DSS responsibilities to personnel, and maintain training programs for personnel, customers, resellers, and integrators.
These requirements apply primarily to the vendors that develop payment applications. But companies that implement and integrate those applications may also need to follow the 14 controls.
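As an added example (not part of the original article and not PCI SSC material), the following Python scanner shows two of the requirements above in working code: PCI DSS Requirement 3, which permits at most the first six and last four digits of a PAN to be displayed (v3.2.1 Req. 3.3), and PA-DSS Requirement 1, which forbids retaining full track data, verification codes, or PIN data. It checks log lines for Luhn-valid digit runs that look like full card numbers, the most common way full PANs leak into storage they were never meant to be in, and reports each hit only in masked form so the report itself does not become cardholder data. The sample log lines, function names, and the 13–19 digit length range are assumptions for illustration.

```python
import re

# Constructed sample log lines (not from any real system). Line 1 leaks a full
# PAN plus a CVV, line 3 leaks a space-separated PAN, lines 0 and 2 are clean.
SAMPLE_LOG_LINES = [
    "2024-01-05T10:00:01Z INFO  auth ok for card 411111******1111 amount=19.99",
    "2024-01-05T10:00:02Z DEBUG raw request: pan=4111111111111111 cvv=123 exp=1226",
    "2024-01-05T10:00:03Z INFO  order id 1234567890123456 shipped",
    "2024-01-05T10:00:04Z WARN  retry for 5555 5555 5555 4444",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (lookbehind/lookahead). Assumed range.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check.

    Every second digit from the right is doubled; doubled values above 9 have
    9 subtracted (equivalent to summing their digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits (PCI DSS v3.2.1 Req. 3.3 maximum)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Return the digit runs in a line that are plausible full PANs.

    Luhn filtering removes most order numbers and timestamps; an already-masked
    PAN such as 411111******1111 never matches because the stars break the run.
    """
    found = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_index, masked_pan) for every full PAN found.

    Only the masked form is returned so the scan output can be stored and
    shared without itself becoming cardholder data.
    """
    hits = []
    for idx, line in enumerate(lines):
        for pan in find_unmasked_pans(line):
            hits.append((idx, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_log(SAMPLE_LOG_LINES):
        print(f"line {idx}: full PAN found, masked as {masked}")
```

A finding on a DEBUG line like the one above usually points at request logging that should be redacted at the source; a Luhn hit alone is not proof (roughly one in ten random digit runs passes), so a scanner like this is a triage tool, not a substitute for the encryption, truncation, or hashing of stored data that Requirement 3 actually demands.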
Additional PCI Controls
Another significant set of PCI controls is in the Point-to-Point Encryption (P2PE) standard v3.0. There are five P2PE domains, each broken down into lettered requirements that in turn contain multiple sub-requirements, for a total of 19 top-level controls:
- Domain 1: Encryption Device and Application Management – Including five controls:
- Requirement 1A: Encrypt account data in devices that resist physical and logical compromise
- Requirement 1B: Restrict and control logical access to POI devices
- Requirement 1C: Use applications that specifically protect Primary Account Numbers (PAN) and Sensitive Authentication Data (SAD)
- Requirement 1D: Implement secure application management
- Requirement 1E: Report status to the solution provider
- Domain 2: Application Security – Including three controls:
- Requirement 2A: Implement protections for PAN and SAD across all applications
- Requirement 2B: Develop and maintain security measures across all applications
- Requirement 2C: Implement secure application management
- Domain 3: P2PE Solution Management – Including three controls:
- Requirement 3A: Implement management of the P2PE solution
- Requirement 3B: Manage third parties and their risks
- Requirement 3C: Maintain the P2PE Instruction Manual (PIM)
- Domain 4: Decryption Environment – Including five controls:
- Requirement 4A: Use devices approved for decryption
- Requirement 4B: Secure the decryption environment
- Requirement 4C: Monitor and respond to decryption incidents
- Requirement 4D: Implement secure hybrid decryption measures
- Requirement 4E: Report status to the solution provider
- Domain 5: P2PE Cryptographic Key Operations and Device Management – Including three controls:
- Requirement 5A: Process account data using secure algorithms
- Requirement 5H: Implement secure hybrid key management
- Requirement 5I: Report status to the solution provider
PTS HSM and POI Controls Breakdown
Finally, the PCI PIN Transaction Security (PTS) standards add controls for specific stakeholders, primarily device manufacturers. The Hardware Security Module (HSM) requirements comprise the following:
- Evaluation Module 1: Core Requirements – Including the following controls:
- Five general physical security requirements
- 20 general logical security requirements
- One general policy and procedure specification
- Evaluation Module 2: Key Loading Devices – Including five controls for KLDs
- Evaluation Module 3: Remote Administration – Including the following controls:
- Two logical requirements for remote administration
- Four requirements for devices’ message authentication
- Four requirements for devices’ essential generation functions
- Two requirements for devices’ digital signature functions
- Evaluation Module 4: Device Management Security – Including the following controls:
- Eight manufacturing requirements for device security
- Eight initial deployment requirements for device security
And the other half of PTS, the Point of Interaction (POI) requirements, adds the following PCI controls:
- Evaluation Module 1: Physical and Logical Security – Including the following controls:
- 14 general physical security requirements
- 26 general logical security requirements
- Evaluation Module 2: POS Terminal Integration – Including the following controls:
- One requirement, and two sub-requirements, for PIN Entry integration
- One requirement, and five sub-requirements, for integration into POS
- Evaluation Module 3: Communications/Interfaces – Including the following controls:
- 13 requirements for communications and interfaces
- Evaluation Module 4: Life Cycle Security – Including the following controls:
- 12 requirements implemented during manufacturing
- Eight requirements implemented during initial deployment
Taken together, the controls of the PTS frameworks apply to manufacturers that “specify and implement device characteristics… for personal identification number (PIN) entry terminals,” per the SSC’s guide to understanding differences across the various PCI security standards.
Maintaining Full PCI Compliance
Given the sheer volume and complexity of PCI controls across all of these standards, many companies find compliance challenging. RSI Security offers a suite of PCI advisory services focused mainly on PCI DSS certification. Our team of experts has been helping companies of all sizes implement PCI controls for over a decade.
To return to the first question posed above: how many PCI controls are there? It can be as few as 12, depending on which standard(s) you’re required to follow. No matter how many or what kinds of PCI controls apply to your company, contact RSI Security today for assistance.