How Many PCI Controls are There?

Companies that process credit card or electronic payments face constant exposure to cybercrime risks. Hackers frequently target cardholder data for theft and fraud, while payment processors and merchants can also become victims of large-scale cyberattacks. To reduce these threats, the Payment Card Industry Security Standards Council (PCI SSC) developed a comprehensive set of PCI controls, security measures designed to protect payment environments and safeguard sensitive financial data.

But this raises an important question: how many PCI controls are there, and what do these controls actually involve?

How Many PCI Controls are There?

The SSC has developed controls to protect most forms of electronic payment — with or without an actual card. While the PCI DSS applies to most companies, its controls are far from the only ones to have on your radar. Controls are constantly evolving to keep pace with changing technologies and hackers’ ability to compromise them.

In the sections that follow, we’ll enumerate all the major PCI controls, including:

• The main PCI DSS controls, along with the closely related PA DSS controls
• Alternative, non-DSS controls, including P2PE and PTS (HMS and POI)

Not sure what all these abbreviations mean? We’ll also provide an overview that contextualizes each framework. Let’s dive in.The Main PCI DSS Controls

For most companies, there are 12 main PCI controls to implement. These 12 requirements, spread across six groups, make up the core of the PCI DSS v.3.2.1, current as of May 2018:

• Maintain secure networks and systems – Including two requirements:
  • 1. Establish firewalls and web filtering to protect cardholder data
  • 2. Replace default or vendor-supplied device security configurations
• Protect payment card and cardholder data – Including two requirements:
  • 3. Protect stored cardholder data (in company servers, networks, etc.)
  • 4. Protect transmitted cardholder data (in or on open, public networks)
• Maintain a system of vulnerability management – Including two requirements:
  • 5. Update anti-virus and malware software to protect cardholder data
  • 6. Develop secure protocols and behaviors across all applications
• Maintain identity and access management – Including three requirements:
  • 7. Limit access to cardholder data by “business need to know”
  • 8. Limit all access to cardholder data to authenticated users
  • 9. Limit access to cardholder data via physical hardware and devices
• Assess network traffic and activity regularly – Including two requirements:
  • 10. Monitor access to network resources, especially cardholder data
  • 11. Assess the efficacy of existing security systems and processes regularly
• Maintain staff-wide information security policy – Including one requirement:
  • 12. Maintain security policy accessible and addressed to all personnel

These controls apply to all companies that process payments via cards. They also apply to any company that stores, transmits, or comes into contact with protected cardholder data.

Assess your PCI compliance

Additional PA DSS Controls

The other set of widely applicable PCI controls comprises 14 requirements of the Payment Application DSS (v.3.2). As of May 2016, its controls break down as follows:

• 1. Do not retain card verification codes, PIN data, or other card tracking information.
• 2. Safeguard all stored cardholder data with encryption and other security measures.
• 3. Provide security features like authentication to restrict access to cardholder data.
• 4. Monitor, log, and analyze the use and behavior of payment applications.
• 5. Develop and deploy secure payment platforms to protect cardholders and users.
• 6. Protect traffic of cardholder data over wireless networks, especially open networks.
• 7. Assess risks and vulnerabilities of payment applications, mitigating them in real-time.
• 8. Facilitate the implementation of secure networks for cardholder data processing.
• 9. Do not store cardholder data on servers that are connected to the internet.
• 10. Facilitate secure remote access to and use of payment applications via the cloud.
• 11. Encrypt cardholders’ and other protected data for transmission over public networks. 
• 12. Secure non-console administrative and further access to protected cardholder data.
• 13. Maintain PA DSS Implementation Guides for clientele and strategic partners.
• 14. Assign PA DSS responsibilities to all stakeholders (staff, customers, etc.).

These requirements apply primarily to the software developers themselves. But companies that implement and integrate these payment applications may also need to follow the 14 controls.

 

Additional PCI Controls

Another significant set of PCI controls is in the Point to Point Encryption (P2PE) v3.0. There are five  P2PE domains, each of which has one main requirement that breaks down into multiple sub-requirements for a total of 19 total controls:

• Domain 1: Encryption and Device Management – Including five  controls: 
• • • Requirement 1A: Resist physical and logical corruption of data
    • Requirement 1B: Restrict and control logical access to POI devices
    • Requirement 1C: Utilize applications that specifically prioritize safeguarding Primary Account Numbers (PAN) and Sensitive Authentication Data (SAD)
    • Requirement 1D: Implement secure application management
    • Requirement 1E: Report on status to solution providers

• Domain 2: Security Across all Applications – Including three controls:
• • • Requirement 2A: Implement protections for PAN and SAD across all apps
    • Requirement 2B: Develop and maintain security measures across all apps
    • Requirement 2C: Implement management for secure applications

• Domain 3: Management of P2PE Solutions – Including three controls:
• • • Requirement 3A: Implement management of P2PE solutions
    • Requirement 3B: Manage third parties and their risks
    • Requirement 3C: Maintain P2PD Instruction Manual

• Domain 4: Environment of Decryption – Including five  controls:
• • • Requirement 4A: Use devices approved for decryption
    • Requirement 4B: Secure the environment of decryption
    • Requirement 4C: Monitor and respond to decryption incidents
    • Requirement 4D: Utilize hybrid, secure decryption measures
    • Requirement 4E: Report on status to solution providers
• Domain 5: Cryptographic Key Operations – Including three controls:
• • Requirement 5A: Process account data through secure algorithms
  • Requirement 5H: Implement secure, hybrid management of keys
  • Requirement 5I: Report on status to solution providers

PTS HSM and POI Controls Breakdown

Finally, the PCI PIN Transaction Security (PTS) frameworks add unique controls for select stakeholders. The Hardware Security Module (HSM) comprises the following:

• Evaluation Module 1: Core Requirements – Including the following controls:
  • Five general physical security requirements
  • 20 general logical security requirements
  • One general policy and procedure specification
• Evaluation Module 2: Key Loading Devices – Including five controls for KLDs
• Evaluation Module 3: Remote Administration – Including the following controls:
  • Two logical requirements for remote administration
  • Four  requirements for devices’ message authentication
  • Four  requirements for devices’ essential generation functions
  • Two requirements for devices’ digital signature functions
• Evaluation Module 4: Device Management Security – Including the following controls:
  • Eight manufacturing requirements for device security
  • Eight initial deployment requirements for device security

And the other half of PTS, Point of Interaction (POI), adds the following PCI controls:

• Evaluation Module 1: Physical and Logical Security – Including the following controls:
  • 14 general physical security requirements
  • 26 general logical security requirements
• Evaluation Module 2: POS Terminal Integration – Including the following controls:
  • One requirement, and two sub-requirements, for PIN Entry integration
  • One requirement, and five sub-requirements, for integration into POS
• Evaluation Module 3: Communications/Interfaces – Including the following controls:
  • 13 requirements for communications and interfaces 
• Evaluation Module 4: Life Cycle Security – Including the following controls:
  • 12 requirements implemented during manufacturing
  • Eight requirements implemented during initial deployment

Taken together, the controls of the PTS frameworks apply to manufacturers that “specify and implement device characteristics… for personal identification number (PIN) entry terminals,” per the SSC’s guide to understanding differences across the various PCI security standards.

Maintaining Full PCI Compliance

Given the sheer volume and complexity of PCI’s controls across all frameworks, many companies may find compliance challenging. RSI Security offers a suite of PCI advisory services focused mainly on PCI DSS certification. Our team of experts has been helping companies of all sizes implement PCI controls for over a decade.

To return to the first question posed above: how many PCI controls are there? It can be as few as 12, depending on which standard(s) you’re required to follow. No matter how many or what kinds of PCI controls apply to your company, contact RSI Security today for assistance.

---

Download PCI Compliance Checklist