Compliance with the Payment Card Industry Data Security Standard (PCI DSS) means meeting 12 specific compliance requirements. If your organization processes credit- or debit card payments, you’ll need to comply with them.
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access, to prevent unauthorized access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
We’ll explore each of these requirements, and how to comply with each, in detail below. But first, let’s find out whether your entity needs to operate in compliance with PCI DSS, and to what extent. If you’re preparing for a PCI DSS compliance audit and want to ensure your success, download our free audit guide.
PCI DSS: Who Needs to Comply?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework intended to help merchants and service providers protect credit and debit card transactions from data breaches.
PCI DSS is not a law or regulation but an industry mandate. If your enterprise accepts credit card payments or handles payment card data, it must be PCI-compliant.
PCI DSS Compliance: Where to Begin
Twelve requirements don’t seem like a lot. But each of the PCI DSS requirements has directives and sub-requirements, for a total of 281. Not every one of these directives pertains to every organization, however.
To save time, money, and hassle, you’ll want to begin your PCI DSS compliance journey with scoping, in which you determine which requirements and directives are relevant to your enterprise.
Scoping begins with understanding which PCI DSS level your organization belongs to. The higher the level, the more requirements you’ll need to follow.
The Four PCI DSS Compliance Levels
The PCI Security Standards Council (PCI SSC), comprising major credit-card companies and other financial organizations, has established four PCI compliance levels. Your organization’s level depends on how many payment-card transactions you process yearly, and which cards you accept. Generally, the levels are as follows:
- PCI Compliance Level 1: More than 6 million Visa, Mastercard, or Discover transactions, or more than 2.5 million American Express transactions, per year
- PCI Compliance Level 2: 1 million to 6 million Visa or Mastercard transactions, or more than 50,000 American Express transactions, per year
- PCI Compliance Level 3: 20,000 to 1 million Visa or Mastercard transactions, or fewer than 50,000 American Express transactions, per year
- PCI Compliance Level 4: Fewer than 20,000 Visa or Mastercard eCommerce transactions per year and fewer than 1 million total Visa or Mastercard credit card transactions, and no data breach or attack that compromised card or cardholder data
Those falling in merchant levels 2, 3, or 4 must complete the PCI DSS Self-Assessment Questionnaire (SAQ) annually and assess their network security every quarter.
Level 1 merchants must do much more:
- File an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)
- Submit the results of quarterly network vulnerability scans by an Approved Scan Vendor (ASV)
- Complete the PCI SSC Attestation of Compliance (AOC) form
PCI Compliance Checklist
The PCI DSS requirements fall into six categories. Here we list the categories, followed by the requirements that fall under them and a brief explanation of what compliance with each entails. Check out our ultimate guide, PCI DSS Compliance Explained, for detailed information on every aspect of PCI DSS, including compliance levels, scoping, and the 12 requirements.
Build and Maintain a Secure Network
Install and maintain a firewall to protect cardholder data
- Review firewall configurations every six months, at minimum. Your firewalls should:
  - Test changes and identify system connections that might affect cardholder data
  - Deny traffic from “untrusted” networks and hosts
  - Block public access to the cardholder data environment
  - Be installed on every mobile or employee-owned computer that connects to your network
Do not use vendor-supplied defaults for system passwords and other security parameters
- When adding a system, change its defaults before installing it, including defaults on wireless devices.
- Make sure that your software settings address known security vulnerabilities and meet industry requirements.
- Encrypt everything.
- Make sure that hosting providers are protecting your information and your cardholders’ sensitive data.
Protect Cardholder Data
Cardholder data includes credit card data and debit card data: any information printed, processed, transmitted, or stored in any form on a payment card.
Protect Stored Cardholder Data
- Do not store authentication information, even if it is encrypted.
- Do not display full Primary Account Numbers (PANs).
- Mask PANs wherever they are stored, and minimize the places where you store them.
- Protect cryptographic keys.
- Document all the ways you use encryption and protect cryptographic keys.
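As an added example that is not part of the original article or of any named product: a small Python helper that applies the stored-data items above and the later log-handling items (do not persist authentication data, mask PANs, keep PANs out of logs). The masking format (first six and last four digits visible) and the field names are assumptions made for this example; check the exact masking rule in the PCI DSS version you follow.

```python
import re

# Constructed for this example: field names treated as sensitive authentication
# data that must never be persisted, even encrypted (CVV, PIN, magnetic-stripe tracks).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2"}

def luhn_valid(pan: str) -> bool:
    """True if a 13-19 digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display or storage; the 6/4 split is an assumption here."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]

def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and mask the PAN before persisting."""
    clean = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in clean:
        clean["pan"] = mask_pan(str(clean["pan"]))
    return clean

# Matches 13-19 digit runs, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN found in a log line; leave other numbers alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(repl, line)

if __name__ == "__main__":
    # Constructed sample record: the CVV and track data must not be stored.
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123", "exp": "12/29", "track2": "x"}
    print(sanitize_for_storage(sample))   # {'pan': '411111******1111', 'exp': '12/29'}
    print(redact_log_line("auth ok pan=4111-1111-1111-1111 amount=1999"))
```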
Encrypt Transmission of Cardholder Data Across Open, Public Networks
- Use Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption when transmitting data. Follow industry best practices, and don’t use outmoded Wired Equivalent Privacy (WEP) with your wireless system.
- Always encrypt PANs before transmission.
Maintain a Vulnerability Management Program
Use and Regularly Update Antivirus Software
- Continually update antivirus software and install patches promptly.
- Install antivirus and anti-malware software on all systems, particularly personal computers, that could be attacked by malicious software.
- Make sure that antivirus software and programs are up to date, actively used, and generating logs for your auditors.
Develop and Maintain Secure Systems and Applications
- Install vendor-supplied security updates within one month after their release.
- Use an alert system to identify new vulnerabilities.
- Use PCI DSS best practices end-to-end when developing a new system.
- Follow your policies and procedures when making a control change.
- Meet coding guidelines when developing web-based applications, so you can identify vulnerabilities.
- If you have a public, web-facing application, protect against known attacks by reviewing the code and installing the needed firewall.
Implement Strong Access Control Measures
Restrict Access to Cardholder Data by Business Need-to-Know
- Limit access to system components to only those who need them.
- For system components with multiple users, provide each person only with what they need to perform their job.
- Control user access to cardholder data.
Assign a Unique ID to Each Person with Computer Access
- Limit access to systems and data based on the minimum information necessary for the job.
- Use at least one type of authentication, but preferably more.
- Provide remote workers with two-factor authentication or, even more preferable, multi-factor.
- Encrypt password information.
- Make sure that every non-consumer has proper authentication and password management.
Restrict Physical Access to Cardholder Data
- Place appropriate controls and monitoring on access to physical information.
- Create procedures that clearly state who is allowed in each physical area. This includes employees and visitors.
- Authorize visitors with a physical token that expires upon leaving the facility or on a certain date.
- Keep a visitor log.
- Make sure all media backups are off-site and protected.
- Lock up the paper and electronic media containing cardholder data.
- Control the use of media containing cardholder data.
- Provide management with information on, and approval of, the location and movement of information.
- Strictly control storage and access to media.
- Destroy data once you no longer need it, using established protocols.
Regularly Monitor and Test Networks
Track and Monitor All Access to Network Resources and Cardholder Data
- Provide each user with unique access rights and document and monitor their access, especially users with administrative privileges.
- Develop automated audit trails to track entry to your information environment in case there’s a security breach.
- Synchronize all clocks.
- Lock down audit trails to prevent tampering.
- Review logs daily.
- Retain audit trail history for at least one year, with at least the most recent three months immediately available for analysis.
Regularly Test Security Systems and Processes
- Use wireless intrusion detection systems (IDS)/intrusion prevention systems (IPS) to identify wireless devices connected to your system at least every quarter, so you know all wireless access points.
- Scan for internal and external vulnerabilities quarterly or after a significant network change.
- Perform external and internal penetration testing at least once a year or after significant infrastructure or application upgrades.
- Monitor traffic into and out of your cardholder data environment. Keep IDS/IPS engines up to date.
- Deploy alerts to your IT department about unauthorized modification of system files, configuration files, or content files.
Maintain an Information Security Policy
Maintain a Policy that Addresses Information Security
- Create an information security policy and distribute it to all users of your system and network; verify that all have read it. Review the policy every year to ensure it provides protection for your current cardholder data environment (CDE).
- Assign daily security duties that meet PCI requirements.
- Write policies for employee and contractor access to company technology and information, and share the policies with affected users.
- Clearly define the rights and responsibilities of employees and contractors.
Modernize your PCI DSS Compliance Program
The penalties for PCI DSS non-compliance can be severe, and crippling to any organization. If you fail to meet the requirements, the PCI SSC could revoke your rights to process payment cards. The council is serious about protecting cardholder data and insists that you be, too.
The best way to keep those card-processing rights intact is to follow the rules. And the best way to follow the PCI DSS rules is to use software to automate your compliance, alert you when you stray, and document your efforts to help you pass those dreaded certification audits effortlessly.
ZenGRC performs all these tasks and more. Our software:
- Probes your system and networks to determine where you comply with more than a dozen regulatory and industry frameworks, and where you fall short
- Displays findings on an easy-to-read dashboard with checklists telling you exactly what to do to fill compliance gaps
- Tracks workflows so that you always know where your compliance efforts stand
- Helps you generate vendor questionnaires and compiles responses
- Alerts you in real-time to compliance gaps
- Conducts unlimited self-audits with a few clicks
- Documents all your compliance activities in our patented “Single Source of Truth” repository for a complete audit trail
Our “ZenConnect” integrator works with ZenGRC to extend risk management and compliance throughout your network, including all your business applications.
Compliance with PCI DSS needn’t be a hassle or a dream. The modern, worry-free path is just a click away. Contact us now for your free consultation, and embark on the journey to PCI DSS compliance the Zen way.