What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) serves as a global standard for safeguarding payment card (credit, debit or prepaid cards) data against criminal activity and compromise. It is maintained by the PCI Security Standards Council (PCI SSC), which was formed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. in 2006.

PCI DSS outlines a set of technical and operational requirements intended to strengthen the security of payment card data. By providing clear security controls and procedures, it ensures that all entities involved in the payment card ecosystem adopt consistent measures to protect payment data.


Which organizations and entities does PCI DSS apply to?

The PCI Data Security Standard applies to a wide range of entities within the payment processing landscape, encompassing merchants, processors, acquirers, issuers, and various service providers.

It is intended for “all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE).” It can also apply to entities that outsource payment operations or the management of their CDE, even if they don’t directly handle sensitive data.


Card Data categories that PCI DSS focuses on

The core focus of PCI DSS is safeguarding two critical categories of data: Cardholder Data (CHD) and Sensitive Authentication Data (SAD).

Cardholder Data

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data

  • Full track data (magnetic stripe data or equivalent on a chip)
  • Card verification code
  • PINs/PIN blocks


PCI DSS v4 Principles and Requirements

There are twelve PCI DSS requirements or main controls listed under six security principles:


Building and Maintaining a Secure Network and Systems

This involves implementing network security controls to prevent unauthorized access to payment system networks and protect payment account data.

Requirements:

  • Install and maintain network security controls
  • Apply secure configurations to all system components


Protecting Account Data

Entities accepting payment cards are tasked with safeguarding account data, whether it’s stored locally, printed, or transmitted over networks. Unauthorized use must be prevented at all costs.

Requirements:

  • Protect stored account data
  • Protect cardholder data with strong cryptography during transmission over open, public networks


Maintaining a Vulnerability Management Program

Businesses must systematically identify and mitigate vulnerabilities in their payment card environment on an ongoing basis.

Requirements:

  • Protect all systems and networks from malicious software
  • Develop and maintain secure systems and software


Implementing Strong Access Control Measures

Access to payment account data should be granted only on a need-to-know basis, with logical and physical access controls in place to regulate data access.

Requirements:

  • Restrict access to cardholder data on a need-to-know basis
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data


Regularly Monitoring and Testing Networks

Entities must conduct regular network monitoring and testing to detect and address unexpected access, security system failures, vulnerabilities, and suspicious activities.

Requirements:

  • Log and monitor all access to system components and cardholder data
  • Test security of systems and networks regularly


Maintaining an Information Security Policy

A robust security policy sets the tone for security across an organization, ensuring that all employees understand the importance of protecting payment account data and their roles in maintaining security.

Requirements:

  • Support information security with organizational policies and programs


Key Steps in the PCI DSS Assessment Process

The PCI DSS assessment process comprises six key steps:

  1. Determining the scope of the assessment
  2. Carrying out the actual assessment
  3. Completing the Attestation of Compliance
  4. Submitting the assessment documentation to the requesting entity
  5. Remediation in cases where certain conditions are not met


Communicating PCI DSS Compliance

To communicate their PCI DSS compliance status, organizations use validation documents as the official mechanism. These documents convey their adherence to the requirements to acquirers or payment brands.

Three primary types of validation documents:

  1. Report on Compliance (ROC): A detailed report created by assessors to document the outcomes of a PCI DSS assessment. ROCs provide in-depth insights beyond what’s covered in Self-Assessment Questionnaires (SAQs).
  2. Self-Assessment Questionnaires (SAQs): SAQs offer alternative validation tools for entities eligible to perform self-assessments according to payment brand compliance programs. Different SAQs cater to different merchant environments.
  3. Attestations of Compliance (AOC): An AOC serves as a declaration of PCI DSS assessment results, co-signed by the assessed entity and, if applicable, the Qualified Security Assessor (QSA) company. It summarizes the assessment outcomes documented in an associated ROC or SAQ.


PCI DSS stands as a global standard dedicated to bolstering the security of payment card data. Adherence to PCI DSS not only enhances payment account security but also engenders trust among consumers and stakeholders in the digital payments landscape.


PCI DSS Compliance Tracking with CYRISMA

CYRISMA’s Compliance Tracking feature enables you to map your existing security program to PCI DSS Compliance Requirements. You can easily identify and assess gaps between your cybersecurity controls and PCI DSS requirements.

In addition to PCI DSS, the CYRISMA platform enables compliance tracking with the NIST Cybersecurity Framework, HIPAA and the Center for Internet Security’s (CIS) Critical Controls.

CYRISMA includes capabilities to comply with many of the requirements outlined under PCI DSS such as Vulnerability and Patch Management, Network Discovery, Sensitive Data Discovery and Data Protection, Secure System Configuration, Cyber Risk Assessment, Reporting, and more.

Read more about the platform here: CYRISMA Platform Overview