Quick Guide: 12 Requirements of PCI DSS Compliance

Since 2005, over 8.4 billion consumer records have been compromised in more than 73,000 data breaches in the U.S. To protect the integrity of the card payment system, the payment card networks (Mastercard, Visa, American Express, etc.) developed a security framework to secure end-to-end transactions through payment card industry (PCI) compliance requirements.

If your business accepts, stores, transmits or processes payment card data, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). While PCI compliance isn’t a legal requirement, non-compliance can lead to hefty fines issued by card networks. So how can you be sure to meet the PCI compliance requirements? It starts with understanding what this security standard involves.

What Is PCI DSS Compliance?

PCI DSS compliance means adhering to a set of security requirements designed for organizations that handle credit card information. Launched on September 7, 2006, PCI DSS oversees payment card industry security standards to improve the security of cardholder data throughout the transaction process.

Rather than being government-regulated, PCI compliance is administered and managed by an independent body established by Mastercard, Visa, American Express, JCB and Discover.

Who Requires PCI DSS Compliance?

Any business — regardless of size or the number of transactions handled — that stores, processes or transmits cardholder data is required to comply with PCI DSS. This includes:

  • Merchants: Businesses that accept credit, debit or prepaid card payments
  • Payment processors: Organizations that handle transactions on behalf of merchants
  • Acquirers: Banks or financial institutions that partner with merchants to process credit card transactions
  • Service providers: Entities that manage payment card data or provide services related to payment processing

The PCI DSS security standard applies to all payment channels, including online payments, in-person transactions, phone orders and mail orders.


The 12 Requirements of PCI Compliance

The PCI compliance requirements involve technical and operational guidelines to protect cardholder data at all times. Let’s explore each requirement in detail.

1. Install and Maintain Network Security Controls

Malicious actors no longer need physical access to cardholder data to steal it. Accordingly, PCI DSS requirement 1 calls for organizations to maintain secure networks. It outlines the network security controls for firewalls and routers that businesses should implement to prevent unauthorized access.

Your organization is required to standardize firewall and router configurations so that you can:

  • Apply consistent security measures across your network.
  • Easily test and validate changes without compromising security.
  • Properly control traffic to ascertain that only trusted sources have access to your network.
  • Easily manage and audit the configuration, making it easier to identify security gaps.

This PCI DSS control expects you to review firewall and router configurations every six months. Based on the reviews, you should block all untrusted traffic except where a specific communication protocol is necessary for processing cardholder data. It’s also mandatory to block direct internet access to any part of the cardholder data environment.

What’s more, any mobile device or computer stakeholders use to access your network must have properly configured firewall software installed.

2. Apply Secure Configurations to All System Components

One of the easiest vulnerabilities hackers exploit is default system and security passwords. Many systems come with default configurations:

  • Routers
  • Firewalls
  • Servers
  • Applications
  • Computers

Routers, for example, often come with “admin” as the default username and password for easy setup. However, 86% of users never change these credentials, giving attackers an easy in to compromise an organization’s network.

PCI DSS requirement 2.1 requires your organization to change vendor-supplied defaults for system passwords and security parameters before you add a new item to your established system. It also expects you to keep an inventory of all devices and software that require passwords or other security parameters for access.

3. Protect Stored Account Data

The third PCI DSS requirement aims to protect sensitive cardholder data, such as primary account numbers, PINs and CVV codes.

First, the requirement restricts the storage of cardholder data unless it’s necessary for regulatory, legal or business needs. When you have to store data, you must keep the retention time to the bare minimum. You are expected to delete unnecessary data at least every quarter. Never store sensitive data — even if encrypted — beyond what’s necessary to complete a transaction.

For stored account data, your organization must use strong cryptographic algorithms to encrypt card data. You must also protect the data-encrypting keys by encrypting them with separate key-encrypting keys.

This PCI DSS requirement also stipulates how to display the primary account number. You should reveal only the first six and last four digits.
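The masking rule above, as an added example (not code from the article): a PAN is reduced to its first six and last four digits for display, and a Luhn check filters ordinary numbers such as order ids out of a scan for full PANs that leaked into log lines. The log lines are constructed sample data.

```python
import re

# Added example, not from the article: mask a primary account number (PAN)
# for display as requirement 3 describes (first six and last four digits only)
# and spot full PANs that leaked into log lines. The Luhn check filters out
# ordinary numbers such as order ids. All sample data below is constructed.

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace everything else with '*'."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Return every Luhn-valid PAN that appears unmasked in a line of text."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines) -> list:
    """Map each line number to the masked form of any PAN found in it."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines)
            for p in find_unmasked_pans(line)]


# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_LOG = [
    "2024-01-05T10:01:02Z pos01 auth ok pan=4111111111111111 amt=12.50",
    "2024-01-05T10:01:03Z pos01 auth ok pan=411111******1111 amt=12.50",
    "2024-01-05T10:01:04Z pos02 order=123456789012345 status=shipped",
]
```

Only the first line is reported: the second is already masked and the 15-digit order id fails the Luhn check.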

4. Protect Cardholder Data With Strong Cryptography During Transmission Over Open, Public Networks

Cyber attackers can intercept cardholder data in transit across open or public networks like the Internet, WiFi or cellular networks. To protect data in transit, the fourth PCI DSS control requires organizations to encrypt the data before transmission and decrypt it only upon reaching the intended destination.

Organizations are required to use strong cryptography during transmission. PCI DSS offers recommendations such as:

  • Transport Layer Security (TLS) version 1.2 or higher
  • Secure Shell (SSH)
  • Internet Protocol Security (IPSec)

Because PCI DSS emphasizes using the latest industry standards to secure data in transit, it requires strong cryptography such as IEEE 802.11i for wireless networks that carry cardholder data. Beyond encryption, the fourth requirement expects businesses to share cardholder data only with known and trusted recipients.

5. Protect All Systems and Networks From Malicious Software

Malicious software is still one of the biggest threats facing businesses. In a recent incident, hackers pulled off the largest malware attack in history, stealing over $1.5 billion in just a few hours. To mitigate such threats, PCI DSS requires organizations to take a proactive approach to detecting, preventing and responding to malware.

The first step toward managing the threat of malware is deploying antivirus software on all devices that interact with or store primary account numbers. Because many malware attacks originate from seemingly innocuous online activities, the fifth PCI DSS requirement calls for antivirus deployment to go beyond core systems like primary servers. You are required to protect other commonly used devices, such as:

  • Laptops
  • Workstations
  • Mobile devices
  • Point-of-sale (POS) systems

You have to keep the virus definitions and detection mechanisms up to date. It’s also necessary to run regular scans, monitor for anomalies and keep auditable logs to make it easier to detect and respond to security incidents.


6. Develop and Maintain Secure Systems and Software

As part of vulnerability management, the sixth requirement mandates that organizations secure their software and follow development best practices. In most cases, maintaining secure systems involves deploying software updates as soon as they’re available to patch security vulnerabilities. If you’re a software vendor, you must ensure merchants know of the updates and can access and execute them easily.

On top of deploying critical patches on time, the sixth requirement also requires your organization to establish processes to identify and classify vulnerabilities in your system. If your company is developing software, you are required to integrate security practices into your software development lifecycle from the start. All these measures will help your organization reduce the risk of malicious actors exploiting a vulnerability.

7. Restrict Access to System Components and Cardholder Data by Business Need to Know

Eighty-three percent of organizations experience at least one insider attack. In recognition of the real danger posed by people who already have access to an organization’s digital infrastructure, PCI DSS requires organizations to restrict access to cardholder data.

While the aim is to only allow authorized access, unauthorized access isn’t limited to malicious actors. Your employees, executives, third-party vendors and stakeholders shouldn’t be able to access cardholder data if they don’t need it to execute their current roles—and even then, the access should be the very minimum necessary to perform their jobs.

PCI DSS requires you to deploy role-based access control to your system and cardholder data so you don’t expose sensitive data unnecessarily. Your system must also be able to evaluate each request based on its circumstances, not just on who is making it. Once access is no longer needed, for example when a user changes roles, your system should revoke it immediately to reduce insider threats.

8. Identify Users and Authenticate Access to System Components

After setting role-based access control, the next step is to assign every authorized user a unique identifier. You need to know exactly who’s accessing cardholder data so that you can trace back an activity to a known user or immediately flag unauthorized access.

For remote and admin access, PCI DSS requires authorized users to set strong passwords that are at least 12 characters long and have complexity rules (uppercase, lowercase, numbers and symbols). Multi-factor authentication is also required to access the cardholder data environment.

To reduce the risk of unauthorized access, the eighth PCI DSS requirement expects businesses to put guardrails around user sessions, including:

  • Session timeouts
  • Account lockouts after several failed login attempts
  • Password reuse limits
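A minimal model of the requirement 8 guardrails described above, as an added example (not code from the article): a 12-character, four-class password check, a lockout after repeated failed logins, and an idle-session timeout. The thresholds (5 failures, 30-minute lockout, 15-minute idle timeout) are assumptions chosen for illustration, not figures from the article.

```python
import re

# Added example, not from the article: the requirement 8 guardrails as code.
# MIN_LENGTH follows the article; MAX_FAILED, LOCKOUT_SECONDS and
# IDLE_TIMEOUT_SECONDS are assumed values for illustration only.

MIN_LENGTH = 12
MAX_FAILED = 5
LOCKOUT_SECONDS = 30 * 60
IDLE_TIMEOUT_SECONDS = 15 * 60


def password_meets_policy(pw: str) -> bool:
    """Length plus upper, lower, digit and symbol classes must all be present."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return all(re.search(c, pw) for c in classes)


class AccessGuard:
    """Per-user failed-login counter, lockout window and idle-session timer.
    `now` is the current time in seconds, passed in so behaviour is testable."""

    def __init__(self):
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time the lockout expires
        self.last_seen = {}     # user -> last session activity time

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; return True once the account becomes locked."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        self.failures.pop(user, None)
        self.last_seen[user] = now

    def session_active(self, user: str, now: float) -> bool:
        """Sessions idle longer than the timeout are treated as expired."""
        last = self.last_seen.get(user)
        return last is not None and now - last <= IDLE_TIMEOUT_SECONDS
```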

9. Restrict Physical Access to Cardholder Data

While most businesses today focus on protecting sensitive data against digital threats, unauthorized physical access is still a serious risk. Up to 60% of organizations report having encountered physical breaches.

The ninth requirement requires organizations to implement control measures that limit physical access which might expose sensitive data to unauthorized employees, vendors, contractors, guests or consultants.

You must adopt on-site access control that monitors, logs and restricts movement within an installation. That might include setting up procedures to control entry points to systems storing cardholder data using solutions like keycards, biometric scanners or security codes. In some cases, it could also mean hiring security personnel to identify unauthorized individuals and ensure restricted areas remain secure.

You also have to secure media like hard drives or USB drives that hold cardholder data and maintain backups at a site other than the primary location. This section of PCI DSS also requires you to develop secure disposal procedures for paper and electronic media that make recovery impossible.

10. Log and Monitor All Access to System Components and Cardholder Data

All activities involving primary account numbers and cardholder data require a log entry. Because access points are reachable over both wireless and wired networks, tracking and reviewing logs helps detect suspicious activity.

Organizations should capture every login attempt and monitor access in real time. The logs must be easily accessible for PCI audit requirements and investigation in case of an incident. PCI DSS also requires you to keep audit trails for at least one year to make it easier to reconstruct events. Most organizations use security information and event management (SIEM) systems to automate the collection, storage and analysis of log data.


11. Test Security Systems and Networks Regularly

Your current security controls will eventually become outdated, not only because attackers are actively looking for vulnerabilities in your system but also due to research advancements and the introduction of new code. PCI DSS requires organizations to test their security systems and networks to ensure they continue to protect cardholder data and aren’t susceptible to emerging threats.

You must conduct internal and external vulnerability scans at least every quarter to identify vulnerabilities in your systems and processes. The scans are also necessary if you have made a significant change in your network.

Other regular tests you are expected to run include:

  • Penetration testing
  • Intrusion prevention system (IPS) testing
  • Intrusion detection system (IDS) testing

After performing the tests, you should generate detailed reports about the vulnerabilities or weaknesses and your plan to address them.

12. Support Information Security With Organizational Policies and Programs

While the PCI DSS requirements center on protecting cardholder data, the final control shifts attention to formalizing an organization-wide commitment to security. This benefits you beyond compliance. After all, organizations that invest in security awareness training can achieve an ROI of over 500%, considering the costs avoided from potential internal security breaches.

More importantly, deploying security controls alone isn’t enough. A long-term commitment requires you to involve every stakeholder. The 12th PCI DSS requirement demands that you have at least one person or a team — depending on the scope — responsible for:

  • Defining security protocols
  • Publishing your security programs to the relevant departments
  • Maintaining and updating your policies regularly
  • Enforcing compliance with your organization’s security policies
  • Communicating the roles and responsibilities of every stakeholder in maintaining information security

The personnel responsible for creating awareness campaigns must also screen prospective contractors and employees to prevent internal data breaches.

Simplify, Automate and Manage PCI DSS Compliance With Onspring

While compliance with PCI DSS requirements is an ongoing process, it doesn’t have to drain your time or resources. With Onspring, you can reduce manual effort and simplify compliance management.

From tracking security controls to documenting policies and managing audits, our platform automates most repetitive tasks in PCI compliance requirements. In turn, you can protect cardholder data, respond to issues faster and maintain continuous compliance. Schedule a demo today to see how Onspring simplifies PCI DSS compliance.