Companies that process credit card payments are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard comprises guidelines created to protect the privacy and security of cardholder data, and in this post, we’ll review the requirements of PCI DSS compliance.
PCI DSS was introduced in September 2006 to improve the security of cardholder transactions in the digital age. The PCI Security Standards Council (PCI SSC) is an independent body that manages and administers PCI DSS.
Enforcement of the standard, including levying fines for noncompliance, is performed by the individual payment card brands (such as Discover and Visa) that created PCI DSS. PCI merchant levels determine the specific requirements a company must comply with.
In all, several hundred requirements are contained in PCI DSS, grouped into 12 categories, which are summarized in turn below.
PCI DSS v3.2.1 is the current version of the standard and is slated to be replaced by PCI DSS v4.0 in early 2024; however, the main requirements discussed here apply to both versions.
IT environments used for processing credit card information need to maintain compliance with these regulations. PCI DSS applies to a company’s on-premises IT environments and to any environment it has contracted from a third party, such as a cloud service provider (CSP).
Companies must effectively configure, update, and maintain network firewalls to prevent unauthorized access to systems containing cardholder data. Configuration parameters should be reviewed at least twice a year to address changes and ensure only authorized entities can access the network.
Remote employees, including those working from home offices, who access enterprise data resources are also required to have firewalls installed on their computers and mobile devices.
Vendor-supplied passwords and security parameters must be changed on all hardware and software components. Cybercriminals can exploit the use of default passwords to gain access to a system to compromise cardholder data.
Passwords must always be changed before introducing a new device or software solution into the environment and interacting with regulated systems.
Merchants are required to protect cardholder data during storage to prevent unauthorized access. All transactional data must be encrypted at all times and is subject to strict retention policies. Lastly, obsolete data must be purged at least quarterly.
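The storage requirement above has two practical sides: knowing where primary account numbers (PANs) are sitting, and getting rid of them once the retention period ends. The following is an added example (not code from the original post or from Next) that shows the usual building blocks of such a control: a Luhn check to tell real card numbers from other digit runs, masking to the first six and last four digits, a redaction pass over free text, and a retention purge. The record format, the 90-day retention period and the sample records are all constructed for this example; the card numbers are well-known test numbers, not real accounts.

```python
import re
from datetime import date, timedelta

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text (separators removed)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()        # digit run that is not a card number: leave it
    return PAN_RE.sub(repl, text)


# Constructed sample of stored transaction records; "stored" is an ISO date.
SAMPLE_RECORDS = [
    {"id": 1, "stored": "2024-01-01", "note": "refund for 4111 1111 1111 1111"},
    {"id": 2, "stored": "2024-06-01", "note": "order 5555555555554444 shipped"},
    {"id": 3, "stored": "2024-06-15", "note": "ticket 4111111111111112 (not a PAN)"},
]


def purge_expired(records: list, today_iso: str, retention_days: int = 90):
    """Split records into (kept, purged_count) by the retention cutoff."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    kept = [r for r in records if date.fromisoformat(r["stored"]) >= cutoff]
    return kept, len(records) - len(kept)


def run_retention_demo(today_iso: str = "2024-07-01") -> dict:
    """Apply the purge and then redact PANs in whatever is kept."""
    kept, purged = purge_expired(SAMPLE_RECORDS, today_iso)
    return {
        "purged": purged,
        "kept_ids": [r["id"] for r in kept],
        "redacted": [redact(r["note"]) for r in kept],
    }


if __name__ == "__main__":
    for k, v in run_retention_demo().items():
        print(k, v)
```

The third sample record holds a digit run that fails the Luhn check, so the redaction pass leaves it alone; this is the usual way a DLP rule keeps order numbers and ticket IDs from being treated as cardholder data. Real deployments would also restrict where even the masked form may be displayed, but that is a policy decision rather than something this code can enforce.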
Measures must be in place to ensure that cardholder data cannot be compromised when traversing public networks, and strong cryptography and encryption must be used with every piece of cardholder information. Companies need to implement industry standards, such as IEEE 802.11i for wireless networks, to comply with PCI DSS.
Companies must implement antivirus and anti-malware software as a component of the organization’s vulnerability management program. All machines that access cardholder information should have this software installed, activated, and updated with the most recent virus definitions.
Merchants must install security patches as soon as vendors make them available. Systems developed to process cardholder data must be secure and comply with PCI DSS code development standards.
Access to cardholder data should only be authorized for employees who need it to do their jobs. Need-to-know is fundamental to PCI DSS as a means to control which users may request access to the data and why they require it. Users must be both authorized and have a valid reason before being allowed to access cardholder data.
All personnel with computer access must have a unique ID that can be used for monitoring their activities when interacting with regulated systems.
Companies must monitor and log access and enforce access controls to prohibit unauthorized entities from physically accessing systems that contain cardholder data. Removable storage devices, such as those used to hold backups, must be secured and destroyed when no longer needed by the organization.
Merchants are required to implement comprehensive monitoring and tracking solutions to ensure that only authorized individuals access the systems. PCI DSS compliance requires logging and maintaining audit trails of all network activity, and the tools should also identify unauthorized attempts to compromise IT resources.
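Audit trails are only useful if something reads them. The following is an added example (not code from the original post or from Next) that runs two simple detections over constructed audit-log lines: repeated failed logins from one user ID and source, and successful logins by generic accounts such as "admin", which defeat the unique-ID requirement described above because the activity cannot be tied to one person. The log format (ISO timestamp followed by key=value fields), the failure threshold of six, and the list of generic account names are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample audit-log lines; not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice src=10.0.0.5 action=login result=FAIL
2024-05-01T10:00:09Z user=alice src=10.0.0.5 action=login result=OK
2024-05-01T10:01:00Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:05Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:10Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:15Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:20Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:25Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:30Z user=bob src=203.0.113.7 action=login result=FAIL
2024-05-01T10:01:45Z user=bob src=203.0.113.7 action=login result=OK
2024-05-01T10:02:00Z user=admin src=10.0.0.9 action=login result=OK
2024-05-01T10:03:00Z user=carol src=10.0.0.6 action=read_pan result=OK
""".splitlines()

# Account names that cannot be attributed to a single person (assumed list).
GENERIC_IDS = {"admin", "root", "administrator", "guest", "shared"}


def parse_line(line: str):
    """Parse 'timestamp k=v k=v ...' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        event[key] = value
    return event


def parse_log(lines):
    """Parse all lines, silently skipping malformed ones."""
    return [ev for ev in map(parse_line, lines) if ev]


def find_brute_force(lines, threshold: int = 6):
    """(user, src, count) for every pair with at least `threshold` failed logins."""
    fails = Counter()
    for ev in parse_log(lines):
        if ev.get("action") == "login" and ev.get("result") == "FAIL":
            fails[(ev["user"], ev["src"])] += 1
    return sorted((u, s, n) for (u, s), n in fails.items() if n >= threshold)


def find_success_after_failures(lines, threshold: int = 6):
    """(user, src) pairs where a success immediately follows a long failure streak."""
    streak = defaultdict(int)
    hits = []
    for ev in parse_log(lines):
        if ev.get("action") != "login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                hits.append(key)
            streak[key] = 0
    return hits


def find_shared_accounts(lines):
    """User IDs in the log that belong to the generic-account list."""
    return {ev["user"] for ev in parse_log(lines) if ev.get("user") in GENERIC_IDS}


if __name__ == "__main__":
    print("repeated failures:", find_brute_force(SAMPLE_LOG))
    print("success after failures:", find_success_after_failures(SAMPLE_LOG))
    print("generic accounts in use:", find_shared_accounts(SAMPLE_LOG))
```

The second detection is the one worth keeping an eye on operationally: a long run of failures followed by a success is a stronger signal than the failures alone, and it is exactly the event a lockout policy is meant to prevent from occurring.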
Merchants must conduct quarterly internal and external vulnerability scans to ensure the effectiveness of all existing security protocols and procedures.
Companies must develop an information security policy and ensure that all personnel comply by providing ongoing PCI compliance training. The policy should be assessed and revised annually.
Next provides a cloud-native data loss prevention (DLP) solution that helps companies maintain compliance with PCI DSS and other security standards, such as GDPR. The Reveal Platform by Next enforces an organization’s data handling policy, which should reflect the measures necessary to maintain compliance with the regulations.
Specific ways Reveal addresses PCI DSS compliance include:
Get in touch with Next and see how Reveal can help your company comply with PCI DSS. You can also book a demo and get a closer look at this advanced DLP solution in action.
The PCI DSS compliance process comprises three essential steps:
During the first step, you should identify assets and processes that handle sensitive data and assess them for vulnerabilities. Step two involves repairing those vulnerabilities, while step three is the documentation of the processes utilized during the first two steps.
PCI DSS requirement 12.6 states that organizations must have a formal security awareness program for their employees. This must include refresher training at least annually, and employees are also required to sign an acknowledgment stating that they have read and understand the security policy.
This requirement covers any service providers you work with as part of your business. You are required to maintain a list of these providers, have a written agreement stating that the providers are responsible for any cardholder data they handle, implement a process for engaging service providers, and, lastly, monitor your service providers’ compliance status on a regular basis.