PCI DSS Requirements: Protect Your Customers' Data

March 30, 2023

"Hotel giant Marriott confirms yet another data breach," was the wry headline from TechCrunch. Many eyes must have rolled on seeing this news about hackers stealing a massive 20 gigabytes of customer data, including credit card information, yet again from a business that's been breached before. Got fooled once, shame on the bad guys; but fooled twice, no thrice, now?

Can businesses do anything to prevent such breaches? Indeed, they can! The PCI DSS requirements are designed precisely to prevent such data breaches. Learn about PCI DSS, its components, and compliance strategies in this deep dive. 

What Is PCI DSS?

Hackers are constantly targeting debit and credit cards to steal money from customers and businesses. To manage these threats, the Payment Card Industry (PCI) — consisting of the major card brands Visa, UnionPay, Mastercard, American Express, Discover, and JCB — set up the Payment Card Industry Security Standards Council (PCI SSC) to publish security standards for the entire ecosystem. One such standard is the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS is a set of security guidelines that specify how customer and card transaction data must be stored and handled by all the participants in payment transactions. It provides comprehensive security guidance and self-assessments that businesses must follow to receive or process any card payments.

The latest and recommended version of the standard is PCI DSS v4.0, published in March 2022. Businesses still on v3.2.1 have until March 31, 2024, to update their processes and systems to v4.0.

Does PCI DSS Apply to Your Business?

PCI DSS applies to almost everyone that stores, processes, or transmits cardholder data, regardless of their size or transaction volume. 

It applies to merchants who receive card payments directly or indirectly, including:

  • E-commerce sellers
  • Merchants that use physical payment terminals, including mom-and-pop shops
  • Merchants that use web-based virtual payment terminals or payment applications in physical stores
  • Mail order or telephone order sellers

Each card brand has different enforcement levels for merchants depending on their size.

Service providers and vendors that provide services to store, process, or transmit cardholder data must also comply. They include:

  • Web-based payment gateways
  • E-commerce hosting providers
  • Software-as-a-service providers, such as online ticket booking applications
  • Managed security providers
  • Cloud-based or physical hosting providers that offer storage and processing services

Other vendors that sell equipment or software to handle cardholder data, like point-of-sale (POS) sellers, need not comply directly with the PCI DSS. Instead, they must comply with other standards like the Payment Application Data Security Standard or the Point-to-Point Encryption (P2PE) standard, also published by the same PCI Security Standards Council.

Is PCI DSS Mandatory?

PCI DSS is not a government regulation. It's not mandatory like the General Data Protection Regulation (GDPR) is.

PCI DSS is adopted voluntarily by everyone in the payments ecosystem. That said, the dominance of the major card brands and their enforcement through partner banks makes it quasi-regulatory. Unless you comply, you can't receive or process any payments.

Penalties for Non-Compliance

What happens if you fail a PCI DSS assessment? If you've implemented your compliance diligently, you just address any gaps the card companies point out and resubmit your reports.

The bigger risk is if you have a data breach and have cardholder data stolen. Stolen cards are problematic for everyone and increase everyone's compliance costs. So the banks impose large fines based on the severity and quantity of stolen data.

If you're in the clear but still end up with a fine, you can sue back. In 2012, a restaurant that was fined, allegedly unfairly, sued back to recover the amount. In 2013, a large retail chain that incurred a fine of $13 million sued Visa.

The biggest risk of non-compliance is probably the loss of reputation and business. Do you really want your customers to avoid you because they suspect you're negligent with their data? The next sections cover how to become and remain compliant.

What Are the 6 Principles and 12 Compliance Requirements of PCI DSS?

PCI DSS organizes its security standards under six overarching principles. Each principle groups one or more specific security requirements, 12 in total, that stakeholders must follow. Guidance and best practices are given for each requirement in the requirements and testing procedures document.

We'll briefly review these requirements and guidance next. If you're a PCI veteran, you can skip them and just look at the subsection on what's new in v4.0.

1. Build and Maintain Secure Networks and Systems

You must create and maintain secure systems and networks under two requirements:

  • Requirement 1 — network security controls: You must implement robust network security controls through firewalls, router configuration, network segmentation, and network isolation.
  • Requirement 2 — secure configurations: Change all vendor-supplied default passwords and settings. Use secure credentials and multi-factor authentication for all system components.

2. Protect Account Data

You must store and transmit cardholder data with the highest possible security under two requirements:

  • Requirement 3 — protect stored cardholder data: Use strong cryptography to protect all cardholder and payment card data stored on your systems. Follow the data masking rules when account numbers are displayed. Train your employees never to send sensitive account data over messaging apps or email.
  • Requirement 4 — network protections for cardholder data: Use network encryption methods like transport layer security (TLS) to protect the transmission of cardholder and payment card data over public networks.
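
Requirement 3's masking and storage rules are easier to reason about with code in hand. The Python below is an added example written for this article, not code from the PCI SSC or from Certa. It assumes a masking rule that keeps the first six and last four digits (the exact number of digits you may show depends on the PCI DSS version you are assessed against), uses a keyed hash (HMAC-SHA256) so records can be looked up without storing the PAN, and includes a Luhn-based scanner that finds and redacts PANs in free text such as an outbound email body, the kind of technical control that backs up the employee training the requirement calls for. The card number and the sample text are constructed test values, not real accounts.

```python
import hashlib
import hmac
import re

# Constructed sample values for this example (a Luhn-valid test number, not a real account).
SAMPLE_PAN = "4111111111111111"
SAMPLE_TEXT = ("Customer 4111 1111 1111 1111 called about order 20230330123456 "
               "on 555-0100.")

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` is a 13-19 digit string that passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits kept, the middle
    replaced with '*'. The 6+4 rule is this example's assumption; check which
    digits your PCI DSS version permits to be shown."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_lookup_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for lookups and de-duplication without
    storing the PAN itself. An unkeyed hash is not enough: the space of valid PANs
    is small enough to enumerate. Keep `key` in a key-management system, never in
    the same store as the tokens."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs present in free text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form, so the text can
    be logged, emailed or pasted into a ticket without exposing full PANs."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    key = b"example-key-from-your-kms"   # constructed; never hard-code a real key
    print(mask_pan(SAMPLE_PAN))
    print(pan_lookup_token(SAMPLE_PAN, key))
    print(find_pans(SAMPLE_TEXT))
    print(redact_pans(SAMPLE_TEXT))
```

The Luhn check only tells you a digit string is well-formed, so a random 13-digit order number will pass about one time in ten; in a mail gateway or log pipeline you would pair `find_pans` with a BIN list or context rules to cut false positives, and you would treat every hit as a reason to block or redact, never as proof of a breach on its own.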

3. Maintain a Vulnerability Management Program

Two requirements encourage you to have a proactive approach toward vulnerabilities:

  • Requirement 5 — protection from malicious software: Use anti-malware and antivirus software on all your systems and employee devices, and update it regularly to detect and prevent the latest malware threats.
  • Requirement 6 — secure systems and software: Develop and maintain secure systems and applications through regular scans and security testing of systems, operating systems, and networks.

4. Implement Strong Access Control Measures

Restrict cardholder data access to authorized individuals only by implementing three requirements:

  • Requirement 7 — access restrictions based on business need-to-know: Restrict cardholder data access to only those individuals who need it for their job functions.
  • Requirement 8 — user identification and authentication: For accountability around user actions, assign a unique ID to every employee and don't allow account sharing. Enforce password policies to prevent unauthorized access to systems and network resources.
  • Requirement 9 — physical security: Limit and monitor physical access to cardholder data, including the building or data center, to prevent unauthorized access.

5. Regularly Monitor and Test Networks

Monitor your network activity and regularly test your security systems:

  • Requirement 10 — logging and monitoring: Use security information and event management systems and audit trails to trace all access to network resources and cardholder data.
  • Requirement 11 — regular security testing: Test your systems for external and internal vulnerabilities. Conduct regular penetration testing of your networks.

6. Maintain an Information Security Policy

Develop and maintain a comprehensive organization-wide security policy, as the final requirement expects:

  • Requirement 12 — organizational policies: Develop and maintain a comprehensive security policy, and ensure that all employees are trained on the policy and understand their roles and responsibilities in protecting cardholder data.

What's New in v4.0 From v3.2.1?

The v3.2.1 to v4.0 summary of changes document lists all the changes. Here are some important ones:

  • The first requirement's focus on firewalls is expanded to cover cloud, virtual, container, and other software-defined networks.
  • The fifth requirement now includes protection against phishing attacks.
  • The sixth requirement to secure systems and software includes maintaining an inventory of all the software used in your organization and deploying automated protection for web applications against web-based attacks.
  • For the eighth requirement, implement multi-factor authentication for all access to cardholder data and increase password lengths.
  • For requirement 10, deploy automated reviews of audit logs.
  • You must look for rogue wireless access points during security testing (requirement 11), even if wireless networks aren't used or are prohibited.
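
Requirement 10's audit trails and the v4.0 call for automated log review come together in a small reviewer. The Python below is an added example for this article, not a PCI SSC or Certa tool. The log format, the host and user names, the five-failures-in-ten-minutes threshold, and the approved-user and shared-account lists are all constructed assumptions; a real deployment would read from the SIEM that requirement 10 names and tune the thresholds to its own lockout policy. The rules it applies tie back to requirements 7 (need-to-know access to cardholder data) and 8 (unique IDs, no shared accounts) as well as 10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-trail excerpt for this example (hosts, users and addresses are made up).
SAMPLE_LOG = """\
2023-03-30T09:14:02Z cde-db01 auth user=jsmith result=FAIL src=10.0.5.20
2023-03-30T09:14:09Z cde-db01 auth user=jsmith result=FAIL src=10.0.5.20
2023-03-30T09:14:15Z cde-db01 auth user=jsmith result=FAIL src=10.0.5.20
2023-03-30T09:14:21Z cde-db01 auth user=jsmith result=FAIL src=10.0.5.20
2023-03-30T09:14:27Z cde-db01 auth user=jsmith result=FAIL src=10.0.5.20
2023-03-30T09:14:33Z cde-db01 auth user=jsmith result=SUCCESS src=10.0.5.20
2023-03-30T09:20:00Z cde-db01 data_access user=jsmith result=SUCCESS src=10.0.5.20 object=cardholder.pan
2023-03-30T09:31:44Z cde-db01 auth user=root result=SUCCESS src=10.0.7.9
2023-03-30T10:02:10Z cde-db01 data_access user=alee result=SUCCESS src=10.0.5.31 object=cardholder.pan
2023-03-30T11:45:00Z cde-db01 auth user=mwong result=FAIL src=10.0.5.40
"""

# Policy inputs (constructed): who may read cardholder data (requirement 7) and
# which generic accounts must never be used for interactive logins (requirement 8).
APPROVED_PAN_USERS = {"alee"}
SHARED_ACCOUNTS = {"root", "admin"}

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) (?P<event>\w+)(?P<fields>(?: \w+=\S+)*)$")


def parse_log(text: str) -> list[dict]:
    """Parse the constructed 'time host event k=v ...' format. Lines that do not
    parse are kept as '_unparsed' events so the review can report them: a gap in
    the audit trail is itself a finding, not something to drop silently."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            events.append({"event": "_unparsed", "raw": raw})
            continue
        ev = {"time": datetime.strptime(m.group("time"), "%Y-%m-%dT%H:%M:%SZ"),
              "host": m.group("host"), "event": m.group("event")}
        for kv in m.group("fields").split():
            k, v = kv.split("=", 1)
            ev[k] = v
        events.append(ev)
    return events


def review_audit_log(text, approved_pan_users, shared_accounts,
                     fail_threshold=5, window=timedelta(minutes=10)) -> list[dict]:
    """Automated review of an audit trail; returns one finding per rule hit, in log order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    already_flagged = set()
    for ev in parse_log(text):
        if ev["event"] == "_unparsed":
            findings.append({"rule": "unparsed_line", "user": None, "detail": ev["raw"]})
            continue
        user = ev.get("user", "<none>")
        if ev["event"] == "auth":
            if ev.get("result") == "FAIL":
                q = recent_failures[user]
                q.append(ev["time"])
                while ev["time"] - q[0] > window:          # slide the window forward
                    q.popleft()
                if len(q) >= fail_threshold and user not in already_flagged:
                    already_flagged.add(user)              # report each burst once
                    findings.append({"rule": "repeated_auth_failures", "user": user,
                                     "detail": f"{len(q)} failures within {window}"})
            elif ev.get("result") == "SUCCESS" and user in shared_accounts:
                findings.append({"rule": "shared_account_login", "user": user,
                                 "detail": f"interactive login from {ev.get('src')}"})
        elif ev["event"] == "data_access" and ev.get("object", "").startswith("cardholder."):
            if user not in approved_pan_users:
                findings.append({"rule": "unapproved_cardholder_access", "user": user,
                                 "detail": f"read {ev['object']} on {ev['host']}"})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG, APPROVED_PAN_USERS, SHARED_ACCOUNTS):
        print(f"{f['rule']:30} {f['user']!s:8} {f['detail']}")
```

Run against the sample, the reviewer raises three findings: a burst of failed logins for `jsmith` that ends in a success, that same account then reading `cardholder.pan` without being on the approved list, and an interactive `root` login. Each of those is something the requirement 10 audit trail records anyway; the automated review is what turns the record into a ticket the same day instead of a surprise at the next assessment.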

The 6 Steps of the PCI DSS Compliance Workflow

Security principles and requirements look good on paper, but how exactly should you implement them? For that, the PCI DSS quick reference guide suggests six stages. Note that this isn't a one-time process but an ongoing and cyclic one. The six stages are explained below.

1. Scoping

During PCI DSS scoping, you identify all your networks, systems, people, and processes involved in storing, processing, or transmitting cardholder data. Any connected processes that influence your cardholder data environment must also be identified. Don't forget to include your third-party vendors, like payment gateways, with access to such data.

You must conduct your scoping at least once a year and whenever your payment environment changes significantly. Document your scoping methodology and the identified scope.

2. Assessment Using the PCI DSS Requirements Checklist

Each of the 12 requirements consists of more fine-grained requirements, and each of those has detailed testing procedures. These include both technical tests as well as people-oriented ones like personnel interviews. Conduct your assessment by following these testing procedures.

Note that some requirements must be assessed by external auditors or vendors. For example:

  • You must use an approved scanning vendor (ASV) for the external vulnerability scans that requirement 11 (monitoring and testing your security) calls for.
  • You may be required by a card company or bank to use PCI-certified qualified security assessors (QSAs) for advice, validation, and reporting on your compliance.

Plus, some requirements must be assessed regularly and periodically. For example, external vulnerability scans must be done at least once every three months.

3. Reporting

Your business must produce a report on compliance (ROC) that comprehensively details your compliance on all 12 requirements. If you're a large organization, you must undergo an external audit by a QSA who then prepares the ROC.

But if you're a small merchant, you may be allowed to self-assess and submit just a self-assessment questionnaire (SAQ) instead of an ROC. It's basically a checklist you can use to cover all the bases. Use the SAQ appropriate to your payment practices.

4. Attestation

You must also prepare an attestation of compliance (AOC) that attests to your organization's PCI DSS compliance and certifies that your ROC is accurate. Your AOC must be signed by your executive management and the QSA.

5. Submission

You must submit the following documents to the card company or bank that requested your compliance:

  • Your ROC (or SAQ)
  • Your AOC
  • Supporting documents like ASV scan reports
  • PCI DSS compliance reports of your third-party service providers and vendors

6. Remediation

Once the requester has reviewed and indicated any deficiencies in your processes, remediate them, reassess, and provide an updated report.

4 Strategies to Remain PCI Compliant

We suggest the following four strategies to always remain compliant.

1. Make PCI DSS Part of a More Comprehensive Risk Management Strategy

The security principles of PCI DSS are not particularly comprehensive because they focus only on payment data.

Other security risk management and risk assessment frameworks like the NIST Cybersecurity Framework, the CSA Cloud Controls Matrix, and the International Organization for Standardization's ISO 27001 are far more comprehensive and enable you to integrate data security holistically. Adopting them elevates your organization to a far higher security posture and makes PCI DSS compliance a breeze.

2. Weave PCI DSS Compliance Into Your Business-As-Usual Processes

Weave the six security principles into all your business-as-usual activities. Don't implement them as an afterthought but make them part of the routine day-to-day activities of your employees. Introduce data security principles into your organizational culture and employee training.

3. Ensure Your Third-Party Service Providers Are Compliant

Your compliance depends on the compliance of the service providers and vendors you rely on. Include compliance goals in all your contracts. Set up third-party risk management and compliance monitoring to ensure they're adhering to their promises.

4. Document and Track Your Compliance Centrally

Words like "documented" and its variants are some of the most used ones in the PCI DSS. Every stage in the compliance process, and almost every requirement's testing procedure or best practice, involves documenting something or other. By using a centralized compliance documentation system to store and track your initiatives and reports, you can ace your PCI DSS assessments every time.

Implement the PCI DSS Requirements Comprehensively With Certa

Certa offers a wide range of capabilities to support your PCI DSS compliance:

  • Design custom workflows tailored to your organization for the assessment's testing procedures, reviews, and interviews.
  • Automate your compliance testing and workflows.
  • Implement organization-wide risk management policies, including security risks.
  • Monitor your vendors' risks and compliance.
  • Store and search all your assessment documents, ROC/SAQ/AOC report templates, final reports, and other supporting documents centrally.
  • Integrate information from cybersecurity services like SecurityScorecard and CyberGRX to manage your security findings from a single platform.

Schedule a demo with our compliance experts to see Certa in action.