Nearly all companies that collect, store, process, or transmit credit card data must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS, which prioritizes the protection of cardholder data (CHD), establishes the overarching framework organizations must follow for their credit card compliance policy.
The PCI DSS and Your Credit Card Compliance Policy
The majority of companies interact with credit card data in some way or another, even if payment processing is outsourced to a third-party platform. As a result, they must ensure that their IT infrastructure, outsourced services, and organizational processes comply with these credit card data security standards.
Developing a comprehensive credit card compliance policy requires:
- Knowledge of the PCI DSS framework’s 12 Requirements
- Knowledge of each Requirement’s sub-requirements
The PCI DSS Framework’s 12 Requirements
The PCI DSS was established by the Security Standards Council (SSC) as the credit card industry standard. The SSC’s members—which include some of the most globally recognized credit card companies, such as Visa and MasterCard—enforce the PCI DSS as a means to protect CHD and minimize the likelihood and impact of data breaches. To this end, most of the PCI DSS focuses on companies’ cybersecurity efforts.
The current PCI DSS framework (version 3.2.1) comprises six Goals, 12 Requirements, and numerous sub-requirements:
- Goal 1 – Build and maintain secure company networks and systems.
  - Requirement 1 – Protect CHD by installing and maintaining firewall configurations.
  - Requirement 2 – Replace vendor-supplied default passwords and other security parameters and configurations.
- Goal 2 – Protect CHD.
  - Requirement 3 – Protect stored CHD.
  - Requirement 4 – Encrypt CHD whenever it is transmitted across open, public networks.
- Goal 3 – Establish and maintain a vulnerability management program.
  - Requirement 5 – Protect all systems with antimalware and antivirus software or programs, updating them regularly.
  - Requirement 6 – Develop and maintain secure company systems and applications.
- Goal 4 – Implement robust access control measures and restrictions.
  - Requirement 7 – Restrict CHD access to only those employees who require it for their role within the company.
  - Requirement 8 – Implement identity and access management, requiring strict user authentication before anyone accesses system components.
  - Requirement 9 – Restrict individuals’ physical access to CHD storage.
- Goal 5 – Monitor and test networks regularly to detect threats and noncompliant activity.
  - Requirement 10 – Track and monitor users’ access to the company’s network resources and CHD (e.g., activity logs).
  - Requirement 11 – Test security systems and processes regularly to ensure up-to-date cybersecurity.
- Goal 6 – Maintain and distribute an information security policy.
  - Requirement 12 – Maintain a policy for all personnel that addresses PCI DSS efforts, threat intelligence, and employee response plans.
Requirement 1 Sub-requirements
Requirement 1 primarily focuses on the cybersecurity perimeter protecting a company’s entire IT environment—notably, implemented firewalls. Requirement 1’s sub-requirements are:
- 1.1 – Establish firewall and router configurations that:
  - Formalize testing following configuration changes.
  - Identify all connections between the CHD environment and other networks, including wireless connections, and document them with network diagrams.
  - Document each implementation’s business purpose, specifications, and settings.
  - Diagram the flow of CHD between systems and networks.
  - Provide for configuration reviews at least twice per year.
- 1.2 – Restrict all traffic originating from or going to untrusted networks, denying all but the protocols the CHD environment requires.
- 1.3 – Prohibit direct public Internet access to any system in the CHD environment.
- 1.4 – Install personal firewall software (or an equivalent) on all company- or employee-owned portable devices that connect to the Internet when outside the company network and are also used to access the CHD environment.
- 1.5 – Ensure that Requirement 1-related security policies are documented, updated, and promulgated to all personnel.
Requirement 2 Sub-requirements
Requirement 2 seeks to eliminate data breaches caused by the insecure use of the default passwords and configurations shipped with newly implemented technologies. The PCI DSS equates unchanged defaults to leaving a company’s physical doors unlocked, since default credentials are widely known and easily abused.
Requirement 2’s sub-requirements are:
- 2.1 – Change vendor-supplied default passwords and configurations and delete or disable (unnecessary) default accounts before installation in the CHD environment.
- 2.2 – Develop configuration standards for all system components that address all known security vulnerabilities, updating them as new vulnerabilities are identified.
- 2.3 – Employ strong cryptography and encrypt all non-console administrative access to systems.
- 2.4 – Maintain an active inventory of all DSS-applicable system components.
- 2.5 – Ensure that Requirement 2-related security policies are documented, updated, and promulgated to all personnel.
- 2.6 – Shared hosting providers must protect each hosted entity’s CHD environment and data; hosting CHD environments extends PCI DSS compliance responsibilities to the provider.
Requirement 3 Sub-requirements
While the PCI DSS as a whole prioritizes CHD protections, Requirement 3 specifically establishes the security efforts companies must maintain for the credit card data they store (e.g., primary account numbers (PAN), cardholder names, authentication data). In general, stored CHD must be rendered unreadable, typically by encryption.
Requirement 3’s sub-requirements are:
- 3.1 – Restrict CHD storage explicitly to the minimal period necessary and purge any unnecessary CHD quarterly.
- 3.2 – Do not store sensitive credit card authentication data (e.g., full track data; CAV2, CVC2, CVV2, CID; PINs/PIN blocks) following transaction authorization and render it unrecoverable as soon as possible.
- 3.3 – Mask PAN whenever it is displayed, revealing no more than the first six and last four digits; only authorized individuals whose company roles require it may be permitted to view unmasked PAN.
- 3.4 – Render PAN unreadable via encryption, one-way hash functions, truncation, or index tokens anywhere it is stored (e.g., portable digital media, backup media, logs).
- 3.5 – Document and implement encryption key procedures to prevent their disclosure or misuse.
- 3.6 – Document and implement management processes and procedures for cryptographic keys used to encrypt CHD.
- 3.7 – Ensure that Requirement 3-related security policies are documented, updated, and promulgated to all personnel.
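As an added example (not code from the original article or from RSI Security), the Python below shows two of the controls above in working form: masking a PAN for display so that no more than the first six and last four digits remain visible (3.3), and scanning free text such as application log lines for PANs written in the clear, which 3.4 forbids in logs and other storage. Candidate digit runs are confirmed with the Luhn check to cut down on false positives from timestamps and order numbers. The PANs used are the widely published test card numbers, not real card data, and the log line is constructed.

```python
"""Added example (not part of the original article): PAN masking for display
(Requirement 3.3) and a scanner/scrubber for readable PANs in log text
(Requirement 3.4). All card numbers below are public test numbers."""
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a 20-digit run is not split into hits).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask a PAN for display, showing at most the first six and last four digits."""
    if lead > 6 or trail > 4 or lead < 0 or trail < 0:
        raise ValueError("3.3 permits at most the first six and last four digits")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    hidden = len(pan) - lead - trail
    return pan[:lead] + "*" * hidden + pan[len(pan) - trail:]


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit sequence in text (separators removed).

    Intended as a detective control over logs, exports and backups: any hit is a
    place where PAN is stored readable, contrary to 3.4."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scrub_log_line(line: str) -> str:
    """Replace any readable PAN in a log line with its 3.3-compliant masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


# Constructed log line: a payment service that wrote the full PAN to its log.
SAMPLE_LOG_LINE = (
    "2024-01-15T12:30:45Z payment auth ok pan=4111 1111 1111 1111 amount=12.50"
)

if __name__ == "__main__":
    print("found:", find_unmasked_pans(SAMPLE_LOG_LINE))
    print("scrubbed:", scrub_log_line(SAMPLE_LOG_LINE))
```

Running the scrubber over existing log pipelines (and the scanner over backups and exports) is how a team finds out whether 3.4 is actually met rather than assumed; the masking function alone only helps the display side of 3.3.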
Requirement 4 Sub-requirements
Requirement 4 similarly covers CHD encryption, but for CHD transmitted across open, public networks. Because public networks provide no inherent protection, transmitted CHD must be unreadable to anyone who intercepts it without the associated cryptographic key.
Requirement 4’s sub-requirements are:
- 4.1 – Use strong cryptography and security protocols to protect CHD transmitted over public networks, and follow industry best practices for authentication and transmission encryption on wireless networks that carry CHD.
- 4.2 – Never transmit PAN via end user messaging technologies (e.g., email, SMS).
- 4.3 – Ensure that Requirement 4-related security policies are documented, updated, and promulgated to all personnel.
Requirement 5 Sub-requirements
Requirement 5 specifies that companies must enhance their firewall protections with up-to-date antivirus and antimalware software. Requirement 5’s sub-requirements are:
- 5.1 – Deploy antivirus and antimalware software on all company endpoints (e.g., workstations, devices) commonly targeted by these cyber attacks and periodically assess emerging threats to determine whether systems and endpoints not commonly targeted require it.
- 5.2 – Keep all antivirus and antimalware software current, perform periodic scans, and generate audit logs, retaining them per Requirement 10.7.
- 5.3 – Restrict end users from being able to disable or alter antivirus and antimalware software.
- 5.4 – Ensure that Requirement 5-related security policies are documented, updated, and promulgated to all personnel.
Requirement 6 Sub-requirements
Requirement 6 relates to companies’ software, hardware, and firmware patch management. Security teams must monitor vendor-provided patch releases to implement the most up-to-date vulnerability fixes. Requirement 6’s sub-requirements are:
- 6.1 – Establish a process and utilize reputable sources to identify and rank vulnerabilities (e.g., “low,” “medium,” “high”).
- 6.2 – Install vendor-supplied security patches on all system components, applying patches for critical vulnerabilities within one month of their release.
- 6.3 – Ensure that all internally developed software or customized, third-party platforms comply with the credit card data security standards and industry best practices.
- 6.4 – Ensure system components continue to comply with credit card data security standards after significant system or network changes.
- 6.5 – Adopt and train developers on secure coding techniques and guidelines.
- 6.6 – Review all public-facing web applications for vulnerabilities annually and after any changes, or protect them continuously with an automated vulnerability detection solution.
- 6.7 – Ensure that Requirement 6-related security policies are documented, updated, and promulgated to all personnel.
Requirement 7 Sub-requirements
Requirement 7 adopts the “principle of least privilege” regarding CHD environments—restricting user access so that only those who require it for their role’s responsibilities receive authorization. Requirement 7’s sub-requirements are:
- 7.1 – Limit access to system components and CHD to only those users whose job requires it.
- 7.2 – Establish an access control system that denies access by default, granting it only where an account’s assigned permissions explicitly allow.
- 7.3 – Ensure that Requirement 7-related security policies are documented, updated, and promulgated to all personnel.
Requirement 8 Sub-requirements
Requirement 8’s sub-requirements revolve around companies’ identity and access management systems and procedures. Each user must be provided with unique accounts or IDs to allow the company to track and log all of their activity related to CHD environments. Requirement 8’s sub-requirements are:
- 8.1 – Define and implement identity management procedures to ensure proper authentication; assign unique user accounts or IDs before individuals receive access to CHD environments.
- 8.2 – Adopt strict authentication processes—rendering credentials unreadable via strong cryptography during transmission or storage—and require at least one of the following to verify user identities at login:
  - Something the user knows (e.g., password)
  - Something the user has (e.g., smart card, token device)
  - Something the user is (e.g., biometric checks)
- 8.3 – Secure all non-console administrative access and all instances of remote access to CHD environments via multi-factor authentication—which requires, at a minimum, two different verification forms from those specified in Requirement 8.2.
- 8.4 – Develop, implement, and inform all users of company authentication policies.
- 8.5 – All users and third parties must have unique accounts or IDs.
- 8.6 – Any physical authentication mechanisms must be unique and individually assigned to personnel.
- 8.7 – All access to any databases containing CHD must be restricted:
  - Users may only access the database programmatically.
  - Only database administrators may access the database directly or run queries against it.
  - Application IDs for database applications must be unique and exclusive to the application.
- 8.8 – Ensure that Requirement 8-related security policies are documented, updated, and promulgated to all personnel.
Requirement 9 Sub-requirements
Requirement 9 covers physical access restrictions to facilities and rooms that house technologies storing CHD—or hosting the software or services enabling its collection, processing, or transmission. Requirement 9’s sub-requirements are:
- 9.1 – Use secure facility entrance controls to limit and monitor physical access to systems in the CHD environment.
- 9.2 – Develop easily distinguished identification methods (e.g., ID badges) for regular on-site personnel (e.g., employees) and visitors.
- 9.3 – Control on-site personnel’s physical access to sensitive areas:
  - Authorize access according to job roles.
  - Revoke access immediately following employee termination or departure.
  - Collect or change all physical access mechanisms (e.g., keys, security codes) upon departure.
- 9.4 – Ensure all visitors are authorized before entering sensitive physical areas, issued a badge or other identification that expires, and required to surrender it when the visit concludes or upon expiration; maintain a visitor log as a physical audit trail and retain it for at least three months.
- 9.5 – Physically secure all media and store media backups in secure locations (ideally off-site).
- 9.6 – Maintain strict control over all media distributions.
- 9.7 – Maintain strict control over all media storage and accessibility.
- 9.8 – Destroy media once its retention is no longer necessary.
- 9.9 – Protect and periodically inspect all physical devices that directly capture CHD.
- 9.10 – Ensure that Requirement 9-related security policies are documented, updated, and promulgated to all personnel.
Requirement 10 Sub-requirements
Requirement 10 instructs PCI DSS-applicable companies to compile user activity logs for all network resources and CHD environments to create audit trails. Requirement 10’s sub-requirements are:
- 10.1 – Implement audit trails that link all system component access to individual users.
- 10.2 – Implement automated audit trails that allow reconstruction of:
  - All individual access to CHD
  - All actions taken by users with root or administrative privileges, and changes to or deletions of those accounts
  - Access to audit trails, and the initialization, stopping, or pausing of audit logs
  - Invalid logical access attempts
  - Use of and alterations to accounts and authentication mechanisms
  - Creation or deletion of system-level objects
- 10.3 – Record the following in audit trail entries for all system components, at a minimum:
  - Event type
  - Date and time
  - Activity success or failure
  - Event origination
  - Identity or name of affected data
  - System component or resource
- 10.4 – Synchronize all critical system clocks and times, implementing controls for acquiring, distributing, and storing time via synchronization technology.
- 10.5 – Secure audit trails against alteration.
- 10.6 – Review logs and security events to identify anomalies or suspicious activity related to all system components, performing daily reviews for critical logs.
- 10.7 – Retain audit trail history for a year at a minimum, with the prior three months immediately available for analysis.
- 10.8 – Service providers must implement a timely detection and reporting process for critical security control system failures.
- 10.9 – Ensure that Requirement 10-related security policies are documented, updated, and promulgated to all personnel.
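The 10.3 minimum fields are easy to state and easy to lose in practice, because each application emits its own log schema. As an added example (not from the original article or RSI Security), the Python below validates JSON-lines audit records against those fields, checks that the outcome is recorded as success or failure, and rejects timestamps that carry no UTC offset, which is the usual symptom of the unsynchronized clocks 10.4 addresses. The field names and the sample lines are constructed for this illustration; a real deployment maps its own schema onto them.

```python
"""Added example (not code from the original article): check audit trail
entries for the minimum content Requirement 10.3 lists and for a
timezone-aware timestamp (10.4). Field names and sample lines are constructed."""
import json
from datetime import datetime
from typing import Dict, List, Optional

# Field names this example assumes for each minimum element of 10.3, plus the
# user identity that 10.1 requires every access to be linked to.
REQUIRED_FIELDS = {
    "user": "individual the access is linked to (10.1)",
    "event_type": "type of event",
    "timestamp": "date and time",
    "outcome": "success or failure",
    "origin": "origination of the event",
    "target": "identity or name of affected data",
    "component": "system component or resource",
}


def parse_utc(ts: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; return None unless it carries a UTC offset."""
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    return dt if dt.tzinfo is not None else None


def validate_entry(entry: dict) -> List[str]:
    """Return the problems found in one entry; an empty list means it is complete."""
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if name not in entry]
    if "outcome" in entry and entry["outcome"] not in ("success", "failure"):
        problems.append(f"outcome must be success/failure, got {entry['outcome']!r}")
    if "timestamp" in entry and parse_utc(entry["timestamp"]) is None:
        problems.append("timestamp is not an ISO 8601 value with a UTC offset")
    return problems


def audit_log(lines: List[str]) -> Dict[int, List[str]]:
    """Validate JSON-lines audit records; map each defective line number to its problems."""
    findings: Dict[int, List[str]] = {}
    for lineno, raw in enumerate(lines, start=1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            findings[lineno] = ["not valid JSON"]
            continue
        problems = validate_entry(entry)
        if problems:
            findings[lineno] = problems
    return findings


# Constructed sample: one complete entry followed by three defective ones.
SAMPLE_LINES = [
    '{"user": "jdoe", "event_type": "chd_read", "timestamp": "2024-01-15T12:30:45+00:00", '
    '"outcome": "success", "origin": "10.0.0.5", "target": "orders.pan", "component": "db01"}',
    '{"user": "svc_batch", "event_type": "chd_export", "timestamp": "2024-01-15T12:31:00Z", '
    '"outcome": "ok", "target": "orders.pan", "component": "db01"}',
    '{"user": "admin", "event_type": "acct_delete", "timestamp": "2024-01-15 12:32:00", '
    '"outcome": "success", "origin": "console", "target": "uid=1042", "component": "idp"}',
    "Jan 15 12:33:00 db01 free-text line with no structure",
]

if __name__ == "__main__":
    for lineno, problems in audit_log(SAMPLE_LINES).items():
        print(f"line {lineno}: {'; '.join(problems)}")
```

Run against a day's export from each log source, this turns the 10.3 checklist into a measurable gap list per system component, which is what an assessor will ask for under 10.6.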
Requirement 11 Sub-requirements
Requirement 11 mandates that companies regularly test CHD environments for vulnerabilities to existing and emerging threats. Requirement 11’s sub-requirements are:
- 11.1 – Implement testing processes to detect and inventory all wireless access points, whether authorized or not. Execute incident response procedures following the detection of unauthorized access points.
- 11.2 – Conduct internal and external vulnerability scans quarterly and following significant network changes. SSC-designated Approved Scanning Vendors (ASV), such as RSI Security, must conduct the quarterly scans.
- 11.3 – Conduct regular internal and external penetration testing:
  - Annually, covering the CHD environment and verifying that any segmentation methods in use remain operational and effective.
  - Following significant upgrades or modifications.
  - Service providers utilizing segmentation must test the relevant controls every six months and following any control changes.
- 11.4 – Utilize network intrusion detection and prevention to secure the CHD environment’s perimeter and critical points, alerting relevant personnel of suspected compromises.
- 11.5 – Deploy change detection mechanisms (e.g., file integrity monitoring) to notify security teams following unauthorized modifications of critical system, configuration, or content files. Perform file comparisons weekly at a minimum and implement an incident response plan for the alerts received.
- 11.6 – Ensure that Requirement 11-related security policies are documented, updated, and promulgated to all personnel.
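As an added example (not code from the original article or RSI Security), the Python below implements the file-comparison half of 11.5: it hashes every file under a monitored directory with SHA-256, stores that baseline as JSON, and on the next run reports files that were added, removed, or modified. The directory contents and the simulated changes are constructed in a temporary directory so the demo runs offline; a real deployment would point it at configuration and binary paths and keep the baseline where the monitored host cannot alter it.

```python
"""Added example (not code from the original article): a minimal change
detection check of the kind Requirement 11.5 describes. The files and the
changes made to them below are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and modified files between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    # The baseline is itself a critical file: in production store it off-host or
    # read-only, the same protection 10.5 asks for audit trails.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then change, add and delete one each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "settings.conf").write_text("tls_min_version = 1.2\n")
        (root / "app" / "users.db").write_bytes(b"\x00\x01\x02")
        (root / "motd").write_text("authorized use only\n")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unreviewed changes between two weekly comparisons.
        (root / "app" / "settings.conf").write_text("tls_min_version = 1.0\n")
        (root / "app" / "unexpected.sh").write_text("# file not in change record\n")
        (root / "motd").unlink()

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each non-empty list in the report is an alert that the 11.5 incident response process has to disposition: either it matches an approved change record (6.4) or it is investigated as unauthorized.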
Requirement 12 Sub-requirements
Requirement 12 relates to managing a credit card compliance policy and ensuring its distribution to all personnel. All employees and involved parties must be aware of the credit card data security standards and compliance efforts. Policies must be redistributed following any updates.
Requirement 12’s sub-requirements are:
- 12.1 – Establish, publish, maintain, and distribute the company’s security policy, reviewing it at least annually and updating it as necessary.
- 12.2 – Implement a risk assessment process, performed at least annually and following significant changes, that identifies:
  - Critical assets
- 12.3 – Develop usage policies for critical technologies to govern personnel’s use, covering:
  - Remote access
  - Wireless connection
  - Portable electronic media
- 12.4 – Define all personnel’s information security responsibilities clearly. Service providers must also establish executive responsibility for protecting CHD.
- 12.5 – Assign an individual or team as responsible for overseeing information security policies.
- 12.6 – Implement a formal PCI DSS security awareness program for all personnel.
- 12.7 – Screen prospective employees to minimize internal cybersecurity threats.
- 12.8 – Implement and maintain policies and procedures for managing third-party service providers.
- 12.9 – Service providers must acknowledge in writing their CHD responsibilities to customers.
- 12.10 – Implement an incident response plan and execute it immediately following a detected breach.
- 12.11 – Service providers must perform and document quarterly reviews to ensure personnel follow the established security policies and operational procedures.
Credit Card Compliance Policy Advisory
The PCI DSS establishes the credit card industry standards for protecting CHD, and your organization’s credit card compliance policy should directly follow its specifications. RSI Security leverages its expertise as a PCI SSC-approved third party for constructing policies, conducting assessments, and reporting.
Contact RSI Security today to receive expert compliance and cybersecurity guidance for constructing and implementing company policies that adhere to credit card data security standards.