What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is administered by the PCI SSC (Payment Card Industry Security Standards Council) to decrease payment card fraud across the Internet and increase payment card data security.
Organizations that accept, store, transmit, or process cardholder data must comply with the PCI DSS. While not federally mandated in the U.S., the PCI DSS Standard is mandated by the PCI SSC. The council comprises the major credit card brands. Some states have even incorporated the PCI DSS into their laws.
The latest iteration of the PCI DSS – version 4.0 – was released at the end of March 2022.
Read the full text of PCI DSS v4.0 on the PCI SSC website
Merchants and service providers have a two-year transition period to update their security controls to conform to the new version of the Standard. Version 3.2.1 will be retired on March 31, 2024.
Read the full text of PCI DSS v3.2.1 on the PCI SSC website
IT Governance USA is a PCI QSA (Qualified Security Assessor) company.
View our full range of PCI DSS services
Who needs to comply with the PCI DSS?
The PCI DSS applies to any organization (regardless of size or number of transactions) that accepts, stores, transmits, or processes cardholder data.
- If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties comply with the Standard.
- If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted, or stored.
Speak to a PCI DSS expert
We provide services to support you at each stage of your organization’s PCI DSS compliance project. Call our team on +1 877 317 3454 or request a call back using the form below. Our experts are ready and waiting with practical advice.
Why is PCI DSS compliance important?
PCI DSS compliance is important because it helps ensure that organizations that process, store, or transmit credit card information maintain a secure environment. PCI DSS compliance also helps organizations avoid costly fines and penalties if they experience a data breach.
The cardholder data that you store can be stolen from many places, including:
- Compromised card readers
- Filed paper records
- Cardholder data stored in databases
- Rogue access to your organization’s wireless or wired network
- Concealed cameras recording the entry of authentication data
If implemented correctly, the PCI DSS can help organizations secure cardholder data. It provides a baseline set of security requirements that lets organizations know what action they should take.
A key benefit of the Standard is the detailed action plan it provides – this can be applied to organizations of any size or type that use any method of processing or storing payment card data.
Penalties for non-compliance with the PCI DSS
The breach or theft of cardholder data damages consumer confidence, which results in lost business. Any merchant that breaches the PCI DSS could face serious consequences, including fines, litigation, and reputational damage.
The implications can be far-reaching and include:
- Fraud losses
- Loss of customer confidence
- Diminished sales
- Cost of reissuing new payment cards
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgements
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs
Payment data – a target for attack
Payment card data is the prime target in attacks against commercial environments.
Indeed, the 2019 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with CNP (card-not-present) data making up nearly 25% of events, and card-track (magnetic stripe) data comprising 11%.
Criminal hackers want your cardholder data. By obtaining the PAN (primary account number) and sensitive authentication data, an attacker can impersonate the cardholder, use the card, and steal the cardholder’s identity. Following guidance in the PCI DSS helps keep your cyber defenses primed against attacks aimed at stealing cardholder data.
The 12 PCI DSS requirements
The PCI DSS specifies 12 requirements that are organized into 6 control objectives.
1) Install and maintain a firewall configuration to protect cardholder data
Firewalls protect cardholder data by providing a barrier between the network and untrusted sources, allowing only legitimate traffic to pass through.
When configuring a firewall, you should consider the following:
- The types of traffic that should be allowed or blocked
- The specific ports that should be open or closed
- The IP addresses that should be allowed or blocked
In addition, you should regularly check the firewall configuration to ensure that it is still effective and has not been modified by unauthorized users.
2) Do not use vendor-supplied defaults for system passwords and other security parameters
The default values of vendor-supplied security parameters have been well-documented, and attackers have used these values to compromise systems. Therefore, do not use vendor-supplied defaults when configuring security parameters. Instead, configure security parameters to a strong value. For example, set a strong password as the root user password.
3) Protect stored cardholder data
When you store cardholder data, you need to take extra care to protect it. This data is very valuable to criminals, and if it falls into the wrong hands, it can be used to commit fraud. There are a few things you can do to protect stored cardholder data:
- Encrypt it: Encryption is one of the best ways to protect data. When data is encrypted, it is much more difficult for criminals to access it.
- Store it securely: Make sure that you store cardholder data in a secure location. This data should not be stored on your computer’s hard drive or on a server that is connected to the Internet.
- Restrict access: Only allow authorized personnel to access stored cardholder data. Make sure that these personnel have the proper training and security clearance.
- Monitor access: Keep track of who accesses stored cardholder data. This will help you to identify unauthorized access and to take steps to prevent it.
- Destroy data: When you no longer need to store cardholder data, make sure that you destroy it securely. This data should not be left on your computer or on any storage devices.
4) Encrypt transmission of cardholder data across open, public networks
According to the PCI DSS, cardholder data must be encrypted when it is transmitted across open, public networks. This includes any time the data is transmitted from one system to another, such as when it is transmitted from a POS (point-of-sale) system to a payment processor.
5) Use and regularly update anti-virus software or programs
PCI DSS Requirement 5 says that you must use and regularly update anti-malware software or programs. This is important because it helps to protect your systems and data from malware. There are many different types of anti-malware software available, so you should choose the one that best meets your needs. Be sure to keep your software up to date, as new viruses are constantly being created.
6) Develop and maintain secure systems and applications
Organizations that handle payment card information are responsible for ensuring that their systems and applications are secure. This includes developing and maintaining secure systems, as well as ensuring that all payment card information is properly encrypted. PCI DSS Requirement 6 helps organizations to protect their customers' payment card information, and to avoid any potential data breaches.
7) Restrict access to cardholder data by business need-to-know
PCI DSS Requirement 7 stipulates that businesses must restrict access to cardholder data to only those employees who need to know such information in order to perform their job duties. This requirement is designed to prevent unauthorized individuals from gaining access to sensitive cardholder data, which could be used for fraudulent purposes.
To comply with this requirement, businesses should implement access control measures such as role-based access control, which would grant employees access to cardholder data based on their job function.
8) Assign a unique ID to each person with computer access
By assigning a unique ID to each person with computer access, organizations can ensure that only authorized individuals have access to sensitive information. This requirement is important for preventing data breaches and protecting the confidentiality of customer data.
9) Restrict physical access to cardholder data
PCI DSS Requirement 9 states that physical access to cardholder data must be restricted. This means that only authorized personnel should have access to the data, and that access should be controlled and monitored. Physical access includes access to data storage devices, servers, and network components.
10) Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 10 states that organizations must track and monitor all access to network resources and cardholder data. This requirement is important to ensure that only authorized individuals have access to sensitive information and to prevent unauthorized access to network resources. Organizations should develop and implement procedures for tracking and monitoring access to network resources and cardholder data and should regularly review access logs to identify any suspicious activity.
11) Regularly test security systems and processes
PCI DSS Requirement 11 calls for regular testing of security systems and processes to ensure that they are functioning properly. This testing can be conducted internally or by an external party and should be done at least annually. Testing should include all aspects of the security system, from physical security to logical security, and should be tailored to the specific needs of the organization.
12) Maintain a policy that addresses information security for employees and contractors
It is the responsibility of every organization to maintain a policy that addresses information security for all personnel. This policy should include measures to protect information from unauthorized access, use, disclosure, and destruction. All personnel should be trained on this policy and be aware of their responsibility to uphold it.
The exact PCI DSS compliance requirements vary depending on the number of card transactions processed annually by your organization.
To find out more about the 12 requirements, read our dedicated information page.
Assessing the security of your cardholder data
Many organizations use a three-step process to achieve PCI DSS compliance:
- PCI DSS gap analysis: Usually the first step clients take to understand their compliance status. It provides a detailed comparison of what their business is currently doing against what it should be doing to comply with the PCI DSS.
- PCI DSS remediation: A comprehensive plan for fixing vulnerabilities and eliminating the storage of cardholder data where it is not necessary, so that you fully comply with the relevant PCI DSS requirements.
- PCI DSS audit: Review your cardholder data environment and the risks you need to manage. This provides evidence that your controls are in place and working effectively.
For organizations that process more than 6 million card transactions annually
Large organizations must have an external audit performed annually by a QSA and submit an RoC (Report on Compliance) to their acquiring banks to prove their compliance.
The QSA will:
- Validate the scope of the assessment
- Review all documentation and technical information provided
- Determine whether the Standard has been met
- Provide support and guidance during the compliance process
- Be onsite for the duration of the assessment as required
- Adhere to the PCI DSS assessment procedures
- Evaluate compensating controls
- Produce the final RoC
Free paper: PCI DSS Audits – Preparing for success
Download this paper – updated for PCI DSS v4.0 – to better understand the PCI DSS audit process and learn about our step-by-step approach to preparing for audit success.
For organizations that process fewer than 6 million card transactions annually
Most small merchants can use an SAQ (self-assessment questionnaire), consisting of yes–no questions, to assess their level of cardholder data security.
There are nine different questionnaires available to meet different merchant environments.
Regardless of how many transactions you process, you must also run internal and external network vulnerability scans at least quarterly and after any significant changes in the network.
Learn more about PCI SAQs in our free paper
Download PCI DSS Compliance – Simplifying your SAQ submissions now to learn about the benefits of PCI DSS compliance, how to minimize the compliance burden by reducing your scope, and how to choose the right SAQ under PCI DSS v4.0.
Discover our range of best-selling PCI DSS products and services
IT Governance provides services to support you at each stage of your organization’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your CDE, conduct a risk assessment, or test the security of your systems and processes for vulnerabilities, we can help.
View our range of best-selling products and services to find out more about what we can do.