MegaplanIT

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data and secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments >

Security Testing >

Consulting Services >

Customer Reviews

We are grateful to receive their feedback on our service.

Who We Are

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide a holistic service offering to meet all of their security and compliance needs while outlining a path to continued improvement within their internal security program.

Security & Compliance

Mitigating Risk in the Payment Industry: How PCI Compliance Can Help

What is PCI Compliance?

Ensuring the security of payment data is a baseline expectation for any business that touches it, and the Payment Card Industry Data Security Standard (PCI DSS) provides the framework used to protect merchants, service providers, and their customers. By adhering to PCI DSS, organizations reduce the risk of data breaches, fraud, and the financial losses and card-brand fines that follow them. The standard is a set of security requirements, testing procedures, and guidance designed to protect payment card data throughout its lifecycle: at capture, in transit, at rest, and at disposal.

 

What are the Highlights?

  1. Build and Maintain a Secure Network:
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect Cardholder Data:
    • Protect stored cardholder data through encryption.
    • Mask PAN (Primary Account Number) when displayed to minimize exposure.
    • Limit the storage of cardholder data to what is necessary for business operations.
  3. Maintain a Vulnerability Management Program:
    • Use and regularly update antivirus software or programs.
    • Develop and maintain secure systems and applications by applying patches and security updates.
  4. Implement Strong Access Control Measures:
    • Restrict access to cardholder data on a need-to-know basis.
    • Assign a unique ID to each person with computer access.
    • Restrict physical access to cardholder data.
  5. Regularly Monitor and Test Networks:
    • Track and monitor all access to network resources and cardholder data.
    • Regularly test security systems and processes.
  6. Maintain an Information Security Policy:
    • Maintain a policy that addresses information security for all personnel.
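Two of the controls above, masking the PAN wherever it is displayed and keeping full card numbers out of places that do not need them (application logs are a common leak), can be demonstrated in code. The following Python is an added example written for this page, not MegaplanIT code or a PCI SSC tool. It finds Luhn-valid card numbers in log lines and masks them to the first six and last four digits, the maximum PCI DSS v3.2.1 Requirement 3.3 permits for display (v4.0 Requirement 3.4.1 states the same limit as BIN plus last four). The log lines and card numbers are constructed sample input; the card numbers are the widely used Visa and Mastercard test numbers.

```python
"""Added example (not from the original page): detect and mask PANs in log lines.

Masking limit follows PCI DSS v3.2.1 Requirement 3.3 (at most first six and
last four digits displayed). Sample log lines below are constructed; the card
numbers are standard test numbers, not real accounts.
"""
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Luhn filtering below removes most false positives.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, never revealing more than first six and last four digits."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        return "*" * len(digits)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns (redacted_line, number_of_pans_found). Digit runs that fail the
    Luhn check (order numbers, timestamps) are left untouched.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, line), count


def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a batch of log lines; returns (redacted_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


# Constructed sample log lines. 4111111111111111 and 5555555555554444 are
# well-known test card numbers; 1234567890123456 is an order id that fails Luhn.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  checkout: auth ok card=4111111111111111 amount=19.99",
    "2024-03-01T10:15:03Z DEBUG gateway: request body {'pan': '5555 5555 5555 4444', 'exp': '12/26'}",
    "2024-03-01T10:15:04Z INFO  orders: created order_id=1234567890123456 for customer=42",
]

if __name__ == "__main__":
    redacted_lines, found = redact_log(SAMPLE_LOG)
    print("\n".join(redacted_lines))
    print(f"{found} PAN(s) masked")
```

Running the module prints the three sample lines with the two card numbers replaced by `411111******1111` and `555555******4444` while the order id is left alone. In a real deployment this logic belongs in the logging pipeline (a handler or filter) so the full PAN is never written to disk in the first place; scrubbing after the fact still leaves the unmasked data in backups and log shipping buffers, which are then in scope for Requirement 3.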

 

What are the Requirements?

PCI DSS v3.2.1 and v4.0 are both organized around the same 12 requirements. Listed here in their v3.2.1 wording (v4.0 keeps the same twelve but rewords several, for example Requirement 1 becomes "Install and maintain network security controls" and Requirement 10 becomes "Log and monitor all access to system components and cardholder data"), they are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

 

These requirements are part of a broader framework for securing cardholder data and maintaining a secure payment environment. Any organization that stores, processes, or transmits cardholder data, or that supports the infrastructure of an entity that does, is required to comply with them. Compliance is the minimum bar, not the ceiling: the controls have to be operated continuously, not only in the weeks before an assessment.

PCI DSS v3.2.1: 524 Requirement Questions

PCI DSS v4.0: 690 Requirement Questions

 

Are all these Requirements Necessary?

Not every PCI DSS requirement applies to every entity; applicability depends on the payment solution used and how the environment is built. Some entities never store card data, and others outsource processing or tokenize card numbers to reduce scope. Entities that deploy a validated Point-to-Point Encryption (P2PE) solution also benefit from a reduced set of applicable requirements. Consult a PCI Qualified Security Assessor (QSA) to determine which requirements are out of scope for your environment and how your business can reduce the number of requirements it must meet.

 

Is Everything a Level 1 Report on Compliance?

The short answer is no. Self-Assessment Questionnaires (SAQs) allow eligible merchants and service providers to self-attest that their business accepts payment cards in a compliant fashion. Which SAQ applies depends on the technology used and the business processes performed. A short list of SAQs is as follows:

  1. SAQ A: For card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties and do not electronically store, process, or transmit cardholder data on their own systems.
  2. SAQ A-EP: For e-commerce merchants that outsource payment processing to a PCI DSS validated third party but whose website can affect the security of the payment transaction (for example, it serves the page that loads the payment form or uses a direct-post integration), and that do not store cardholder data electronically.
  3. SAQ B: For merchants that process cardholder data only via imprint machines or standalone dial-out terminals and do not store cardholder data electronically.
  4. SAQ C: For merchants whose payment application systems are connected to the internet and that do not store cardholder data electronically.
  5. SAQ D: For merchants that store, process, or transmit cardholder data electronically and do not meet the criteria of any other SAQ, and for all service providers eligible to complete an SAQ.

 

How is PCI DSS Useful?

As stated, PCI DSS is a minimum standard for any entity that stores, processes, or transmits cardholder data, or that is a service provider supporting those functions. Meeting it lets merchants work with acquirers and payment processors and gives customers confidence that their data is protected within the merchant environment. Service providers that host environments, manage endpoints, or develop software for merchants can be kept out of the merchant's own PCI DSS assessment when they hold a current Attestation of Compliance covering those services; the merchant then relies on that attestation under its third-party service provider management obligations (Requirement 12.8).

 

What to do Next?

Speak with a MegaplanIT representative to see if PCI DSS compliance is the correct fit for your business. Despite being developed for the Payment Card Industry, the Data Security Standard is a solid and robust framework for managing any type of sensitive data within an infrastructure. Considerations for PII, ePHI, classified, or restricted data may be handled with the same due diligence and care of cardholder primary account numbers. We understand the importance of maintaining a secure and compliant environment, especially when it comes to handling sensitive data. Our team of experienced professionals is well-versed in the intricacies of information security governance and can guide you through the entire process.

Looking for a knowledgeable and trusted partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Industry Leading Certified Experts

PCI QSA, PCI Approved Scanning Vendor (ASV), PCI Point-to-Point Encryption (P2PE), AICPA SOC, and certified penetration testers.

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.