There are numerous regulations that companies in different industries have to contend with as a natural part of doing business. One standard that virtually any company that stores, processes or transmits payment card data must follow is PCI DSS (the Payment Card Industry Data Security Standard).
What is PCI DSS? Why does it matter for your business? How can you ensure your company meets PCI DSS requirements both now and in the future? Here’s a brief PCI DSS definition and an explanation of some of the compliance requirements for this data security standard.
PCI DSS is a data security standard that is administered by the PCI Security Standards Council. It sets out 12 requirements (often referred to as controls) that organizations handling payment card data (PCD) and cardholder data (CHD) need to have in place.
PCI DSS compliance, as noted in version 3.2.1 of the Data Security Standard document, “applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data” (emphasis from original document).
The standards document undergoes periodic updates and review, with the most recent update being made in May 2018 (at the time of this writing), bringing the standard to version 3.2.1.
The 12 requirements mandated by the PCI DSS document (version 3.2.1) are spread across six categories:
1. Build and maintain a secure network and systems (requirements 1 and 2)
2. Protect cardholder data (requirements 3 and 4)
3. Maintain a vulnerability management program (requirements 5 and 6)
4. Implement strong access control measures (requirements 7, 8 and 9)
5. Regularly monitor and test networks (requirements 10 and 11)
6. Maintain an information security policy (requirement 12)
Build and maintain a secure network and systems. The first category requires organizations to maintain a minimum set of controls to protect payment card data and cardholder data from outside threats:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Both of these items guard against the most opportunistic outside threats: an Internet-facing service that is not filtered, or that still answers to a factory-default credential, is exactly what automated scanning finds first. In practice this means documenting which inbound and outbound connections to the cardholder data environment are permitted, denying everything else, and changing every default password, SNMP community string and similar setting before a system goes live.
Protect cardholder data. This category of compliance requirements calls on organizations to:
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Examples of steps for protecting stored data include rendering the primary account number (PAN) unreadable wherever it is stored (for instance by encryption at rest, truncation or a keyed one-way hash of the full PAN), masking the PAN when it is displayed (at most the first six and last four digits), keeping stored data to the minimum that has a documented business justification and a defined retention period, and never storing sensitive authentication data (full track data, the CVV2/CVC2/CID code, or PINs and PIN blocks) after authorization, even in encrypted form. Requirement 4 covers the data in motion: cardholder data must travel over public networks only inside strong, current TLS, and never in end-user messaging such as e-mail or chat.
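The storage rules above can be turned into a small checkpoint in front of the persistence layer. The following is an added example in Python, written for this article and not code from the PCI Security Standards Council or from any product: it allow-lists the fields that may be persisted (data minimization), drops any sensitive authentication data that reached it, masks the PAN to first six and last four for display, derives a keyed HMAC token from the full PAN so the PAN itself is never written, and scans free text such as log lines for digit runs that pass the Luhn check, which is how unmasked PANs are usually found leaking into logs. The key, the field names and the sample log line are constructed for the example; in a real deployment the key would live in an HSM or key-management service under the standard's key-management requirements.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD). PCI DSS forbids persisting any of these
# after authorization, even encrypted. Field names are assumptions for this example.
SAD_FIELDS = ("cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block")

# Fields that may be persisted (data minimization: allow-list, not deny-list).
STORABLE_FIELDS = ("expiry", "cardholder_name", "amount", "merchant_ref")

# Hypothetical key for the example only. Never a literal in production:
# fetch it from an HSM/KMS and rotate it under the key-management requirements.
TOKEN_KEY = bytes.fromhex("00" * 32)

# Constructed sample log line: one real-looking PAN, one 14-digit order number
# that is NOT Luhn-valid, and a timestamp that must not trigger a hit.
SAMPLE_LOG = (
    "2018-05-01 12:00:01 INFO auth ok pan=4111111111111111 "
    "amount=12.50 order=20180501123456"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; raise if the result is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", str(raw))
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four digits (requirement 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the full PAN: a stable lookup token that is not the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return the only fields of an authorization record that may be persisted.

    SAD keys are dropped, the clear PAN is replaced by its token and masked
    form, and everything outside STORABLE_FIELDS is discarded.
    """
    pan = normalize_pan(record["pan"])
    stored = {"pan_token": tokenize_pan(pan), "pan_masked": mask_pan(pan)}
    for field in STORABLE_FIELDS:
        if field in record:
            stored[field] = record[field]
    return stored


# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Digit runs in free text (logs, dumps) that pass Luhn; masked PANs do not match."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    auth = {"pan": "4111 1111 1111 1111", "cvv2": "123", "track2": "...",
            "expiry": "12/25", "amount": "12.50", "merchant_ref": "A-1"}
    print(prepare_for_storage(auth))
    print(find_unmasked_pans(SAMPLE_LOG))
```

The Luhn check is only a false-positive filter: a 16-digit order number passes it about one time in ten, so a log scanner built this way still needs a human or a second rule behind it, but it is enough to catch a debug statement that dumps the raw request.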
Maintain a vulnerability management program. To better protect stored payment card and cardholder data, organizations need a robust vulnerability management program to find and fix security gaps. The specific requirements cited in PCI DSS are:
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
These requirements are broadly worded. The first is largely addressed by deploying anti-malware on every system commonly affected by malware, keeping it current, and making sure it cannot be disabled by users; periodically assessing your security tools and checking for better alternatives fits here as well. The second is wider than it looks: it covers a rigorous security patch schedule (critical patches within a month of release), secure coding practices for in-house and custom software, change control for the cardholder data environment, and careful management of network assets so that new additions are secure and do not create vulnerabilities that attackers could exploit.
Implement strong access control measures. Unauthorized persons must be prevented from accessing PCD and CHD, so strong account controls are a must. PCI DSS specifically calls for companies to:
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Following a policy of least privilege (POLP), wherein users only have access to the systems and information they need for their job function, is the starting point for requirement 7. Requirement 8 means every user gets a unique ID (no shared accounts), sessions time out, and administrative access to the cardholder data environment that is not from a local console, including all remote access, uses multi-factor authentication. It is also important to be able to tell, after the fact, who accessed sensitive data and when. Finally, physical security for the servers and databases that store sensitive data should keep unauthorized persons away from them, to prevent data being copied to USB drives or the devices being stolen outright, and the same applies to paper records and to the point-of-sale devices that capture card data.
Regularly monitor and test networks. PCI DSS calls for companies to have rigorous network monitoring and testing in place to identify potential security breaches and to verify what, if any, data has been compromised:
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Activity on the network needs to be logged and reviewed so that a breach, and which systems and data it touched, can be identified as quickly as possible; that means audit logs for every access to cardholder data and every administrative action, synchronized clocks, logs protected from tampering and retained for at least a year. Testing, on the other hand, verifies that policies, procedures and tools actually work: the standard calls for quarterly internal and external vulnerability scans (the external ones by an Approved Scanning Vendor), penetration testing at least annually and after significant changes, and file-integrity monitoring so that unauthorized changes to critical files are detected.
Maintain an information security policy. There needs to be a documented information security policy in the organization that employees can reference. The standard says to:
12. Maintain a policy that addresses information security for all personnel.
If you have come across the term "Written Information Security Policy" (WISP) in some of our other articles, the concept is largely the same, with some specific requirements added for PCI DSS compliance. Beyond simply having a WISP, PCI DSS requires companies to run a risk assessment at least annually (and after significant changes) to identify critical assets, threats and vulnerabilities, to train personnel on the policy, to manage the service providers with whom cardholder data is shared, and to maintain and test an incident response plan.
The above description heavily abridges the content of the data security standard. There are many specific requirements that could each be the subject of their own dedicated article. Considering the expense and difficulty involved, why should your company follow PCI DSS compliance requirements?
There are a few reasons:
PCI DSS compliance can be an incredibly complicated task. If you need help meeting compliance requirements like PCI DSS, reach out to the ideaBOX team today. We’re here to help you protect your business and meet your cybersecurity goals!