PCI DSS compliance – that is, the security standard to protect the personal data of credit card users – can feel insurmountable. The Payment Card Industry Security Standards Council (PCI SSC) wrote more than 100 pages of detailed data security standards, and the reading necessary to understand them can feel overwhelming. Meeting PCI DSS standards means understanding your cardholder information: where you store it and how you protect it. With that in mind, below is an introduction to the material the standard covers.

What Is PCI DSS Compliance?

In 2004, card brands such as American Express, Visa, MasterCard, Discover Financial Services, and JCB International established a group of security requirements known as the Payment Card Industry Data Security Standard (PCI DSS). This compliance program, overseen by the Payment Card Industry Security Standards Council (PCI SSC), strives to protect credit and debit card transactions against fraud and data breaches.

Although PCI compliance is not required by law, the PCI SSC mandates that every company wanting to process credit or debit card transactions must comply. Companies that refuse to follow the standard risk losing their rights to process credit card transactions.

What Is the PCI Compliance Scope?

Determining the appropriate scope of PCI DSS is the most challenging part of the review. When determining scope, you need to define your cardholder data environment (CDE), which is any part of your computer systems, networked IT systems, or processes that stores or transmits cardholder data or sensitive payment authentication data. The PCI standard describes “system components” as network devices, servers, computing devices, and all applications, and provides six specific examples:

  1. Security services, segmentation services, or services impacting security.
  2. Virtual components, including machines, switches/routers/appliances, applications/desktops, and hypervisors.
  3. Network components.
  4. Server types.
  5. Internal and external applications.
  6. Anything connected to the CDE.

In addition, companies must perform an annual review to verify the accuracy of the PCI DSS compliance reporting and assure appropriate vulnerability management.

Who Must Comply With PCI DSS?

All retailers, banks, and service providers that want to process credit card transactions must comply with PCI DSS, but “compliance” differs from one company to the next based upon the quantity of transactions a company conducts annually. Compliance is classified into four compliance levels, and what an organization must do to comply depends on the categorization level.

Level 1. Businesses fall into this category when they execute more than 6 million credit or debit card transactions annually. They must go through an internal audit once yearly, conducted by a PCI-accredited auditor. Additionally, they must submit a PCI scan by an Approved Scanning Vendor (ASV) once every three months.

Level 2. These businesses execute 1 million to 6 million transactions annually. Once a year they must complete an evaluation using a Self-Assessment Questionnaire (SAQ). A quarterly PCI scan is also necessary.

Level 3. These businesses execute 20,000 to 1 million e-commerce transactions annually. They are required to finish an annual evaluation using the pertinent SAQ. A PCI scan every quarter can also be necessary.

Level 4. This category applies to businesses that execute up to 1 million physical transactions yearly, or fewer than 20,000 e-commerce transactions annually. A quarterly PCI scan may be necessary, as well as annual review via an SAQ.

Do I Need Network Segmentation To Be PCI Compliant?

Network segmentation is the process of isolating the CDE from other information in your organization. While not required as a part of PCI DSS compliance, segmentation is a way to reduce scope, cost, the difficulty of implementation, and risk.

If you have a non-segmented network (also called a “flat” network), the entire network is considered to be in scope and must be reviewed. Putting up internal firewalls or separating routers can keep cardholder data apart from the rest of the network. You should restrict cardholder data to as few locations as possible. In addition, make a dataflow diagram to document this for PCI DSS compliance purposes.

Proving segmentation means verifying the isolation of systems that store, process, or transmit information. Remember, however, that network configuration and legacy technologies can be problematic. When these are standardized across a whole organization, it can make the mapping easier.

How Do Wireless Networks Fit Into PCI compliance?

Any point-of-sale technology (including a website), line-busting technology, or WLAN used to store, process, or transmit cardholder data is part of the CDE, and therefore must be tested. PCI DSS compliance is less cumbersome when wireless technology is used for non-sensitive data only.

Can I Use Third-Party Service Providers/Outsourcing To Manage My PCI DSS Requirement?

If you use a third-party service provider, assess its services carefully. The contract should delineate which parts of the PCI DSS requirements are covered by you and which by the service provider.

The service provider needs to prove its compliance. It can do this by either:

  1. An annual assessment, done independently and provided to the provider’s customers.
  2. Multiple on-demand evaluations, one at the request of each client.

If the service provider chooses the annual assessment, its customers must ensure that the assessment covers their own compliance needs and that this is written into the contract.

What Are The Best Practices For Implementing PCI DSS Into Business-as-Usual Processes?

As with all compliance, your program will strengthen if you create a culture of compliance to the point that it becomes second nature. PCI lists six ways that an organization can make this happen.

  1. Monitor everything.
  2. If something goes wrong, have processes in place to respond quickly. This includes restoring security controls, figuring out the reason for failure, addressing what caused the loss, finding a way to mitigate the cause of failure, and resuming monitoring.
  3. Review any changes to the environment before putting them into action.
    1. Always assess the risk of those changes to PCI compliance.
    2. Review any PCI DSS requirements that are triggered by the changes.
    3. Update your scope and controls.
  4. If you have any changes in your organizational structure (such as mergers or acquisitions), remember to review the impact on scope and requirements.
  5. Do periodic reviews to prove continued compliance, and assure you have all the documentation to back up those reviews. This means looking at the written policies/procedures and assuring that people follow them.
  6. Review all your hardware and software. If you have hired vendors, review their PCI DSS compliance annually.

As a Qualified Security Assessor (QSA), How Do I Sample Business Facilities/System Components?

If you are a large organization with many locations, you can choose to review a random sample of components for your PCI DSS audit. You cannot, however, decide to inspect only a tiny portion of your whole environment, or review only a sample of the requirements. In other words, your entire environment needs to be equally compliant. You sample the locations where the information resides, not the requirements themselves.

Samples should consider two criteria: business facility samples, and system component samples. Business facilities are the physical locations where information is stored; system components are the software and hardware used in those physical locations. These samples must be representative and large enough to capture a good landscape snapshot.

When selecting your samples, you need to think about the following:

  1. You can make your sample smaller if you have a centralized, standardized process and controls that everyone has to follow. If you don’t have a standardized process, then your sample must be big enough to show that every location complies with PCI DSS.
  2. If each business area has its way of doing things, the sample needs to assure that each of these methods of compliance is reviewed.
  3. If everyone handles compliance independently and no standards exist, the sample needs to be larger in order to survey all the different ways the various facilities do things.
  4. System component samples need to ensure a review of every type and combination used. This means making sure that different versions of applications, platforms, and hardware are documented.

Whenever you choose to sample:

  1. Document how you made the decisions about location, component, and sample size.
  2. Document and validate which of the sample types above you used (organization standards, business area standards, location standards).
  3. Explain why the sample is a good overview of everything in your organization.

Compensating Controls

Review all your compensating controls annually.

Compliance Management with Reciprocity ZenComply

Failure to comply with PCI DSS can bring severe consequences for any retailer, bank, or other commerce provider. You must take securing cardholder data seriously.

The ideal way to abide by PCI DSS regulations is to employ software that automates compliance, notifies you when you err, and tracks your progress so that you can easily pass certification audits.

ZenComply does all of these tasks and more. Our program:

  • Determines where you comply with more than a dozen regulatory and industry guidelines and where you fall short by probing your system and networks.
  • Displays results on a simple dashboard with instructions on closing compliance gaps in the form of checklists.
  • Assists you in creating vendor questionnaires and compiling replies. It tracks processes, so you always know how your compliance efforts progress.
  • Notifies you immediately of compliance shortcomings. Self-audits are carried out with a few clicks.
  • Records your compliance-related activity for an entire audit trail in our unique “single source of truth” repository.

PCI DSS compliance can be straightforward. The current, stress-free route is only a click away. So get in touch with us immediately to schedule a demo and start your PCI DSS compliance journey the Zen way.