The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect their payment systems from data breaches, fraud, and theft of cardholder data. It resulted from a need to standardize and align the security requirements of the world’s biggest credit card companies: American Express, Discover, JCB, MasterCard, and Visa. Together, the five companies created the Payment Card Industry Security Standards Council (PCI SSC) tasked with supervising the evolution and development of PCI DSS.
While not legally binding and not superseding any country, state, or local laws, the PCI DSS was adopted as a general standard by financial institutions and payment card brands worldwide. This means that compliance is required for any organization that processes credit or debit card payments, whether in person, over the phone, or online.
PCI DSS version 4.0 was released on March 31, 2022. With this latest update, PCI DSS continues to evolve in response to the dynamic cybersecurity landscape, addressing emerging threats and technologies, and enabling innovative methods to combat new threats to customer payment information. Based on the concept of zero trust, PCI DSS 4.0 introduces new requirements such as the mandatory use of automated anti-phishing mechanisms and of web application firewalls. There is a two-year transition period from PCI DSS version 3.2.1, which will be retired on March 31, 2024.
PCI DSS is made up of 12 core compliance requirements and nearly 200 associated security controls. They include both basic security measures such as the use of firewalls, antivirus software, and changing default passwords, and more complex ones that involve the development and maintenance of secure networks, systems, and applications.
Who does PCI DSS apply to?
PCI DSS applies to all entities involved in processing credit card payments, including merchants, processors, acquirers, issuers, e-commerce businesses, and service providers. Organizations that store, process, or transmit card information and/or sensitive authentication data also fall under its purview.
Organizations that outsource their operations to third-party payment processors are responsible for ensuring that credit card data continues to be protected and third parties are PCI DSS compliant.
What type of data does PCI DSS protect?
PCI DSS specifically aims to protect sensitive data – including cardholder information and authentication data – from unauthorized access and breaches. Cardholder data refers to information such as primary account numbers, cardholder names, card expiration dates, and service codes. Authentication data includes full track data (magnetic-stripe data or equivalent on a chip), PINs and PIN blocks, and card verification values (CAV2/CVC2/CVV2/CID).
With increasing online credit card payments and evolving cybersecurity challenges, PCI DSS plays a crucial role in protecting sensitive cardholder information from cybercriminals and hackers.
Storing cardholder data
Under PCI DSS requirement 3.2, any data that falls under the sensitive authentication data category cannot be stored, even if encrypted. All sensitive authentication data received should be rendered unrecoverable when the authorization process is complete.
Primary account numbers can be stored but must be made unreadable everywhere, including on portable digital media, in backup files, and in logs. The PCI SSC recommends key-based encryption, index tokens and pads, one-way hashes, and truncation to achieve unreadability.
However, the PCI SSC warns that the hashed and truncated versions of the same account number can be combined to reconstruct the original number. If a merchant uses both, additional security measures must be put in place to prevent malicious outsiders from correlating the two values.
Meanwhile, cardholder names, expiration dates, and service codes can be stored and do not need to be made unreadable, but storage must be kept to a minimum, and clear data retention and disposal policies must be put into place.
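The following Python is an added example, not code from the article or from Endpoint Protector. It shows PCI-style truncation, why a plain hash stored beside the truncated value is weak (the truncation leaves only the middle digits unknown, so the candidate space is small), and a keyed hash as the kind of additional measure the PCI SSC asks for. The sample PAN is a constructed, well-known test number and HASH_KEY is a hypothetical stand-in for a key held in an HSM or key vault.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a standard Visa test number), not real cardholder data.
SAMPLE_PAN = "4111111111111111"

# Hypothetical per-deployment secret; in production this lives in an HSM or key vault.
HASH_KEY = secrets.token_bytes(32)


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS permits it: keep at most the first 6 and last 4 digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def weak_hash(pan: str) -> str:
    """Plain, unkeyed SHA-256 of the PAN. Anyone holding this value and the truncated
    form only has to try the unknown middle digits to recover the full number."""
    return hashlib.sha256(pan.encode()).hexdigest()


def reconstruction_candidates(truncated: str) -> int:
    """How many full PANs are consistent with a truncated value: 10 per masked digit.
    For a 16-digit PAN that is only 10**6, which is why the correlation risk is real."""
    return 10 ** truncated.count("X")


def keyed_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA256 under a secret key. Without the key the stored value cannot be
    matched against candidate PANs, so truncation and hash can coexist safely."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def render_unreadable(pan: str) -> dict:
    """What a storage layer should keep: the truncated display form and a keyed token."""
    return {"truncated": truncate_pan(pan), "token": keyed_hash(pan)}
```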
12 core PCI DSS requirements
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. They are divided into 12 requirements that together encompass nearly 200 security controls:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software such as malware
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor access to system components and cardholder data
- Test systems and networks regularly for security vulnerabilities
- Support information security with organizational policies and programs
PCI DSS offers not only a detailed description of each requirement and why it is needed, but also how it can be tested, along with guidance on how compliance with it can be achieved. Besides firewalls and antivirus software, organizations looking to avoid noncompliance can also apply strong access control measures and information security policies to limit access to card information.
To protect stored account data, companies can turn to Data Loss Prevention (DLP) solutions. These tools prevent data leakage through DLP policies that identify, monitor, and control the transfer and storage of files containing sensitive information such as personally identifiable information (PII) and account data. DLP tools support regulatory compliance with standards like PCI DSS, but also data protection laws such as GDPR or HIPAA.
PCI DSS Compliance Levels
PCI DSS established four compliance levels for organizations. The level depends on how many card transactions per year a company processes. To fall under Level 1, the strictest level of PCI DSS compliance, merchants need to process over 6 million card transactions yearly.
Level 1 organizations need to provide a yearly Report on Compliance (RoC), which involves an audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) certified by the PCI SSC. The auditor submits the RoC to the organization’s acquiring institutions to demonstrate its compliance. Level 1 organizations must also undergo an annual network scan by an Approved Scanning Vendor (ASV).
For Levels 2 to 4, merchants can complete a Self-Assessment Questionnaire (SAQ) with multiple versions to accommodate different types of businesses and processing methods. Requirements for these levels, however, may differ depending on the card scheme. MasterCard, for example, requires Level 2 organizations to complete their SAQ with the assistance of a trained QSA or ISA.
It’s crucial for organizations to set and maintain security parameters in their systems to meet the compliance levels specified by PCI DSS. Maintaining compliance involves implementing measures to prevent unauthorized access to cardholder data, regardless of the organization’s size. Regular monitoring of suspicious activity is crucial, especially for organizations processing high volumes of credit transactions.
Penalties
Organizations found to be non-compliant with PCI DSS requirements face fines of up to $100,000/month and increased transaction fees. Worse still, they can have their relationship with their bank permanently terminated and may wind up on the Merchant Alert to Control High-Risk (MATCH) list, which means they would never be allowed to process card payments again. Merchants that suffer a data breach can also be penalized by having their PCI DSS compliance level raised.
Becoming PCI DSS Compliant
Understanding and fulfilling PCI DSS compliance requirements is crucial for any entity handling cardholder data. Regular vulnerability scans and penetration testing are vital components of a comprehensive security strategy under PCI DSS. These proactive measures help identify and mitigate potential weaknesses in the cardholder data environment (CDE), ensuring the security of sensitive data. Implementing a consistent vulnerability management program is key to maintaining PCI DSS compliance.
Using a DLP solution can help your organization become PCI DSS compliant by discovering, monitoring, and controlling where its data is being stored and how it is being used and transferred. Endpoint Protector by CoSoSys is a leading DLP solution that provides multi-OS support across macOS, Windows, and Linux systems. A few ways Endpoint Protector can help your organization become compliant are:
- Monitoring data used by different users to help meet the PCI DSS monitoring and logging requirements.
- Blocking unauthorized transfers to stop data theft or loss of cardholder data.
- Automatically encrypting data transferred to removable media such as USB storage devices.
Frequently Asked Questions
Knowing exactly how cardholder data is being processed, stored, and transferred is a fundamental requirement for an effective PCI DSS compliance strategy. Requirement 3 of PCI DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organizations must therefore map their data flows and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.
Under requirement 7 of PCI DSS, access to data must be restricted to authorized personnel only. Companies must evaluate which of their employees need access to card data to fulfill their job responsibilities and then use the proper tools and processes to limit access based on business needs.
Data Loss Prevention (DLP) solutions are some of the most useful tools for PCI DSS compliance on the market. Because their policies are applied directly to sensitive data rather than to devices or the whole network, they ensure that cardholder information is identified, logged, and controlled to meet PCI DSS requirements.
DLP solutions also include data discovery features that can automatically or manually scan networks for credit card information and encrypt or delete it when it is found on unauthorized users’ computers.
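The discovery scan described above, as an added example that is not part of the original article or of any Endpoint Protector code: it finds candidate PANs in text with a regular expression, drops candidates that fail the Luhn check (cutting false positives such as invoice or order numbers), and reports only truncated values so the scan output itself does not become a new store of cardholder data. The sample lines are constructed, and the card numbers in them are standard test numbers.

```python
import re

# Constructed sample lines of the kind a discovery scan meets in logs or spreadsheet exports.
SAMPLE_LINES = [
    "order=8812 customer=jdoe pan=4111 1111 1111 1111 amount=42.00",   # valid Visa test PAN
    "ticket 7731: customer quoted card 4111-1111-1111-1112 by phone",  # fails Luhn
    "invoice 2024-000913 total 1234567890123456",                      # 16 digits, not a PAN
    "masked in export: 411111XXXXXX1111",                              # already truncated
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit and subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 only, so findings can be logged without storing a PAN."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return the masked PANs found in one line; Luhn failures are discarded."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan(lines) -> dict:
    """Map line index -> masked findings, for every line that contains at least one PAN."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results[i] = hits
    return results
```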