What is PCI Compliance?
Companies of all sizes and in all industries continue to fall prey to attacks from thieves who get past their cybersecurity measures and steal consumer and financial data. They target system vulnerabilities to acquire the information they seek, which is often cardholder data.
Until 2006, there were no set regulations or standards for merchants and vendors to follow for preventing cardholder data theft. A council, including major credit card providers Visa, Mastercard, and American Express, created the Payment Card Industry (PCI) Security Standards Council (SSC). The council issues specific security procedures called the Data Security Standards (DSS). Any organization that uses a payment provider’s services must adhere to these standards to prevent or minimize the threat of lost credit card data.
In March 2022, the council unveiled PCI DSS 4.0, the first update of the standards since 2018. Any company that handles cardholder data should examine their processes carefully to ensure continued compliance. This toolkit can help you get started.
Why PCI Compliance is Important
Because PCI DSS guidelines are the industry standard, compliance is mandatory for the benefit of both merchants and customers. The buyer can take action against the seller if the latter loses the buyer’s sensitive information, meaning the seller must ensure their networks are secure at all times.
Not adhering to PCI compliance policies can result in significant barriers. The credit card companies will stop allowing the business to process credit payments. The providers can also fine the merchant’s bank between $5,000 and $100,000 each month if they experience a data breach.
The PCI Security Standards Council operates on these four principles:
- Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation
- Evolve security standards and validation programs to support a range of environments, technologies, and methodologies for achieving security
- Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance
- Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation
An Overview of PCI SSC Data Security Standards
The PCI DSS includes a specific set of technical and operational guidelines and rules that an organization must follow when they store, process, or transmit cardholder data and/or sensitive authentication data that could impact the security of the cardholder data environment. Requirements apply to everyone involved in the payment process, including merchants, processors, acquirers, issuers, and other service providers.
Requirements for PCI DSS Compliance
Any company that interacts with cardholder data must remain in PCI compliance at all times. Below are the 12 essential compliance requirements.
Install and maintain network security controls (NSCs)
Traditionally, this function has been fulfilled by a physical firewall but can now be met by virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technology. NSCs control traffic within an entity’s own networks, such as more-secure and less-secure internal environments, and from exposure to untrusted networks.
Apply secure configurations to all system components
Applying secure configurations to system components reduces the means available to an attacker. Methods to reduce the potential attack surface include changing default passwords, removing unnecessary software, functions, and accounts, and disabling or removing unnecessary services.
Protect stored account data
The regulation requires that storage of account data is kept to a minimum and that any sensitive authentication data (SAD) is not stored after authorization. Restrictions are placed on full display of primary account number (PAN). Cryptographic keys should be used to protect stored account data, with key management processes and procedures defined and implemented.
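To make the storage rules in this requirement concrete, here is an added example (not code from the article or from any PCI SSC material) that prepares a payment record for storage or logging: it drops sensitive authentication data, masks the PAN for display, and scrubs PAN-like digit runs from free text. The field names, the constructed sample record, and the first-six/last-four display policy are assumptions made for this example.

```python
"""Added example: minimise what is kept from a payment record before storage.
Field names and the display policy (first six / last four) are assumptions."""
import re

# Sensitive authentication data (SAD): never retained after authorisation.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Candidate PAN: a standalone run of 13 to 19 digits (assumed length range).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: a plausibility test that a digit string is a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Render a PAN for display, keeping only the leading and trailing digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN-shaped value")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def sanitize_record(record: dict) -> dict:
    """Drop SAD fields, mask the PAN field, and scrub PANs from free text."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                      # SAD is discarded, not stored
        if k == "pan":
            out[key] = mask_pan(str(value))
        elif isinstance(value, str):      # e.g. a memo field typed by staff
            out[key] = PAN_RE.sub(
                lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0),
                value)
        else:
            out[key] = value
    return out


# Constructed sample record; 4111111111111111 is a well-known test PAN.
SAMPLE = {"pan": "4111111111111111", "cvv2": "123", "amount": 1999,
          "memo": "refund for card 4111111111111111, order 1234567890123456"}
```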
Protect cardholder data with strong cryptography during transmission over open, public networks
PAN transmissions can be protected by encrypting the data before transmission, encrypting the session where data is transmitted, or adopting both approaches. It is also recommended that strong cryptography be deployed at both the data level and the session level.
Protect all systems and networks from malicious software
The requirement calls for the effective use of anti-malware software in a consistent and monitored manner. Anti-phishing software is also required.
Develop and maintain secure systems and software
This may sound obvious, but systems, software, and public-facing websites must be deployed securely, monitored continuously, and patched in an expeditious manner as any vulnerabilities are identified.
Restrict access to system components and cardholder data by business need to know
Access to protected data should be restricted to the minimum necessary to perform a job or job function. These access rights should apply to employees, contractors, consultants, internal and external vendors, and other third parties.
Identify users and authenticate access to system components
Multi-factor authentication should be enabled for anyone accessing cardholder data. That can be a combination of elements, including a password/passphrase, a token or smart card, or a biometric reading.
Restrict physical access to cardholder data
In addition to the electronic security of cardholder data, physical environments must also be protected, including the buildings that house equipment containing sensitive data and the flow of people into and out of these areas.
Log and monitor all access to system components and cardholder data
Organizations should create access logs that record every instance of a security breach. Records within the database should contain all pertinent information about the situation and be readily available without compounding system vulnerabilities.
Test security of systems and networks regularly
Yearly internal and external penetration testing and vulnerability scanning a minimum of every three months are necessary to maintain PCI DSS compliance. A company must regularly scan and test their system’s flaws with the assistance of security professionals who have a thorough understanding of compliance testing.
A vulnerability scan and penetration testing do not provide the same functions. A scan is an automated test performed by a scanning vendor that uncovers vulnerabilities within servers, networks, and systems.
PCI compliance penetration testing takes a vulnerability scan further. A cybersecurity professional will attempt to exploit any weaknesses they discover using the same manual techniques a hacker would use. Such PCI compliance testing provides clients with a better understanding of each flaw’s real-world level of risk to the organization.
Support information security with organizational policies and programs
Much like healthcare employees must undergo continual training regarding protected health information, every employee at companies that interact with cardholder data must undergo periodic training, supported by appropriate organizational policies aimed at protecting data.
Use an Approved Scanning Vendor
PCI SSC mandates the use of an approved scanning vendor (ASV) to meet PCI DSS Requirement 11.2.2 for external vulnerability scanning services. The council tests and approves scanning solutions before they are added to PCI SSC’s List of Approved Scanning Vendors.
Digital Defense by Fortra has been a PCI-Approved Scanning Vendor for 18 years running. Learn more about how Digital Defense can help your company maintain PCI compliance.