What is PCI DSS and who is it for?
The standard was developed and is maintained by the Payment Card Industry Security Standards Council (PCI-SSC), which is a forum launched in 2006 by the five major credit card companies: Visa, MasterCard, JCB, Discover and American Express.
PCI-DSS compliance is relevant for any organisation accepting, transmitting, or storing cardholder data, regardless of size or number of transactions. This can include businesses, online sellers, and service providers of all shapes and sizes, from corner shops to national retail chains. It also includes entities involved in payment card account processing, such as acquirers and issuers.
If your organisation handles payment card data in any form, you are required to comply with PCI-DSS requirements. Failure to comply can result in fines, increased transaction fees, or losing the ability to accept credit card payments entirely.
PCI-DSS includes 12 mandatory requirements for organisations. These requirements specify the framework for a robust payment card data security process, which includes prevention, detection, and appropriate reaction to security incidents. They are designed to help businesses proactively protect their customers' account data.
Ongoing PCI-DSS requirements include maintaining a secure network, protecting cardholder data, managing vulnerabilities, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
PCI-DSS: an overview
The PCI Council classify the 12 principal requirements of the standard into six categories as follows:
Build and maintain a secure network and systems
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect account data
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement strong access control measures
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an information security policy
- Support information security with organisational policies and programmes
Support and guidance for organisations seeking PCI-DSS compliance
The PCI SSC publishes more than 60 documents and information supplements offering guidance and support to organisations aiming to comply with the standard. These include:
- Guidance for organisations on PCI-DSS scoping and network segmentation
- Third-party security assurance
- PCI SSC cloud computing guidelines
- Multi-factor authentication guidance
- Effective daily log monitoring
- Protecting telephone-based payment card data
- Penetration testing guidance
- Best practices for implementing a security awareness programme
What do organisations need to know about PCI-DSS 4.0?
The PCI-SSC released PCI-DSS 4.0 in March 2022 – providing a significant update with modifications aiming to increase the flexibility, approachability, and security of the data standard. Informed by more than 200 companies and 6,000 items of feedback, this update reflects the evolving landscape of risks and threats to payment data, with improved practices to secure organisations and protect their customers.
Its predecessor, PCI-DSS v3.2.1, is valid until 31st March 2024, after which it is considered retired. After this date, all PCI-DSS validations must be against version 4 or later. For this reason, organisations are advised to comply with the most recent iteration as soon as possible.
What are the goals of PCI-DSS v4.0?
- To continue to meet the security needs of the payment industry by incorporating new information relating to:
  - Expanded multi-factor authentication requirements,
  - Updated password requirements,
  - New e-commerce and phishing requirements to address ongoing threats.
- To promote security as a continuous process through updates such as:
  - Clearly assigned roles and responsibilities for each requirement,
  - Updated guidance designed to help people to better understand how security may be implemented and maintained,
  - A new reporting option enabling entities to highlight areas for improvement and offer report reviewers greater transparency.
- To add flexibility for different methodologies as payment technologies evolve. For example:
  - Allowing group, shared and generic accounts,
  - Providing targeted risk analyses that give organisations the control to establish frequencies for performing activities,
  - Offering a more customised approach that enables organisations to use innovative methods to achieve their security objectives.
- To enhance validation methods for greater transparency and granularity through steps such as:
  - Increased alignment between Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) reporting and information summarised in an Attestation of Compliance.
In PCI-DSS 4.0, it is clearer than ever that compliance is not merely a box to be checked. Instead, organisations should see compliance as an opportunity to check that security standards remain high and to carry out any remedial work that is necessary.
What are the benefits of PCI-DSS compliance for businesses?
PCI-DSS compliance has several benefits for businesses. These include:
Improved customer trust
By demonstrating PCI-DSS compliance, businesses demonstrate that they take their customers' financial data security seriously, which can improve customer trust and loyalty.
Protection against data breaches
Adhering to the PCI-DSS guidelines can significantly reduce the risk of data breaches, potentially saving a business from financial loss, reputational damage, and potential legal action.
Avoidance of fines
Payment brands can levy fines against acquiring banks for PCI-DSS compliance violations, and these banks will most likely pass this fine onto the violating merchant. By maintaining compliance, businesses can avoid these fines – which are often devastatingly large.
Better data security
PCI-DSS compliance leads to a more secure business operation overall, which can protect not just credit card data, but other forms of sensitive customer data as well.
Competitive advantage
PCI-DSS compliant businesses may gain a competitive edge over those that are not, as it is an indication of the importance and emphasis placed on data security.
Access to certain markets
Some clients, especially in the B2B space, may require PCI-DSS compliance as a prerequisite for doing business. This can open new markets and opportunities for compliant businesses.
Regulatory compliance
PCI-DSS compliance can also help businesses meet other regulatory requirements such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act), as there is significant overlap in the principles and controls.
And, using the Hicomply ISMS, organisations that already meet the requirements of other certifications such as ISO 27001 can more easily demonstrate compliance with PCI-DSS.
It's important to note that PCI-DSS compliance isn't a one-time event but an ongoing process. Businesses need to continually assess their operations, fix detected vulnerabilities, and make the necessary reports to the acquiring bank and card brands they do business with.
Understanding the scope of PCI-DSS requirements
Understanding your PCI-DSS scope can be a challenging task, but it's an essential step in ensuring your organisation's security and compliance. PCI-DSS requirements apply to all aspects of the cardholder data environment (CDE). This incorporates system components, people and processes that store, process and transmit cardholder data (CHD) and/or sensitive authentication data.
The CDE also includes system components that may not store, process, or transmit CHD but possess unrestricted connectivity to the components that do – as well as components, people and processes with the ability to impact the security of the CDE.
What constitutes a PCI-DSS system component?
A PCI-DSS system component may include:
- Network devices
- Servers
- Computing devices
- Virtual components
- Cloud components
- Software
Payment terminals, payment back-office systems, shopping carts and fraud monitoring systems can all be categorised as system components.
Third parties and service providers
All business partners, suppliers and entities that are connected to your cardholder data environment have the potential to compromise security; this is a risk that should always be factored into the scope of PCI-DSS.
Establishing PCI-DSS out-of-scope systems and de-scoping
While it’s important to capture all the systems that need to be considered within the cardholder data environment, one of the most effective steps in working towards compliance is identifying out-of-scope systems that can be disregarded for the purposes of PCI-DSS.
Similarly, de-scoping can help to simplify the compliance process and mitigate risk. De-scoping may involve:
- Data minimisation: storing only the cardholder data that is necessary, and for the shortest time possible. If it’s not needed, don’t store it!
- Segmentation: isolating the CDE from the rest of your network to reduce the risk of cardholder data breaches. Configuring the network to reduce the scope as far as is reasonably possible also reduces the work associated with achieving compliance and the cost of the PCI-DSS assessment, as well as reducing risk.
- Tokenisation and encryption: replacing sensitive data with tokens or encrypted data to mitigate the impact of a potential breach.
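To make the tokenisation and data-minimisation points above concrete, here is an added example (not Hicomply's or the PCI SSC's code) of a toy PAN tokenisation vault: the vault is the only component that ever holds a full PAN, tokens keep the PAN's length and last four digits but can never pass as a card number, and truncation keeps only what a receipt needs. The HMAC key, the test PAN and the in-memory storage are all constructed for the example.

```python
# Added example (not Hicomply's or the PCI SSC's code): a toy PAN tokenisation vault.
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check used to reject malformed PANs before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate(pan: str) -> str:
    """Data minimisation: retain only the last four digits for receipts/support."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Sole component mapping tokens to PANs; token-only systems can leave the CDE."""

    def __init__(self, lookup_key: bytes) -> None:
        self._lookup_key = lookup_key  # HMAC key (constructed): same PAN -> same token
        self._pan_by_token: dict[str, str] = {}  # real vault: encrypted, HSM-held keys
        self._token_by_fp: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        fp = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        while True:
            # Format-preserving (same length, same last four) so downstream systems keep
            # working, but never Luhn-valid, so a token cannot pass as a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]  # CDE-only path, e.g. forwarding to the acquirer
```

Systems that store only the token and the truncated value never see a PAN, which is what lets them be argued out of CDE scope during a scoping exercise.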
What is the best practice for PCI-DSS compliance?
As the PCI SSC states, PCI-DSS compliance is best achieved by implementing the relevant processes into business-as-usual activities as part of an overall security strategy. Maintaining a good risk posture should be considered a normal course of business, rather than a project that can be completed and then ignored.
The PCI SSC lays out some of the ways in which PCI-DSS requirements may be incorporated into business-as-usual activities, including:
- Assigning overall responsibility and accountability for compliance to a specific individual or team.
- Developing suitable metrics to measure performance and assess the effectiveness of security initiatives and controls. This should include those that are relied upon by an organisation such as network security controls, intrusion-detection systems/intrusion-prevention systems, access controls, anti-malware solutions, and change-detection mechanisms.
- Frequently reviewing logged data to gather insights into behaviours or trends that aren’t obvious through monitoring.
- Taking steps to ensure the prompt detection and response to failures in security controls.
- Scrutinising changes that may introduce new security risks to the environment – e.g. system additions, system changes or network configuration changes.
- Reviewing the impact of organisational structure changes on PCI-DSS scope and requirements.
- Regularly reviewing external connections and third-party access.
- Regularly reviewing the impact of third-party activities – such as software development – on compliance.
- Regularly reviewing adherence to established processes by personnel.
Performing these checks as part of an organisation’s business-as-usual processes and procedures will not only serve to reduce risk but also help to show compliance. Within best practice, it is also important that organisations:
- Communicate newly identified threats or changes to organisational structure to both internal and external parties that may be impacted.
- Review hardware and software on an annual basis to confirm that vendors and solutions continue to meet security requirements. Where technologies are no longer supported or cannot meet security needs, a remediation plan should be prepared.
PCI-DSS testing methods
Understanding the Testing Procedures for each requirement within PCI-DSS is critical to ensuring compliance and preparing for a successful audit. The PCI SSC sets out the intent behind these testing methods as follows:
Examine
A Qualified Security Assessor (QSA), a professional trained to perform PCI-DSS audits, is responsible for critically evaluating data evidence, including documentation (electronic or physical), configuration files, audit logs, screenshots and data files.
Observe
An assessor is required to watch actions – e.g. an employee performing a card transaction – or view elements within the cardholder data environment.
Interview
An assessor interviews individual personnel to establish whether activities have been performed, procedures followed, or training has been delivered successfully.
When documenting the results of these three assessment forms, the assessor identifies the testing activities performed and the result of each activity.
How can Hicomply help you meet PCI-DSS requirements?
The Hicomply platform is a one-stop solution that enables organisations like yours to do away with endless spreadsheets, complicated internal processes, poor visibility and an absence of accountability.
Hicomply’s ISMS becomes the home of all your documentation – from scoping documents to task management reports, enabling you to assess and mitigate risks more effectively. Our clients find that Hicomply dramatically reduces the time and resource needed to prepare for audit and, therefore, the time it takes to achieve certification.