The Ultimate Guide to

Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to help all organizations who handle credit card transactions maintain a secure environment. The standard was developed by the PCI Security Standards Council, an independent body founded by major card brands including Visa, MasterCard, and Discover.

Protecting Cardholder Data

According to the Federal Trade Commission, credit card fraud continues to be one of the fastest forms of identity theft. Reports of credit card fraud jumped by 107% from Q1 2019 to Q2 2020. To put this rapid growth in perspective, the number of card fraud reports between Q1 2017 and Q1 2019 grew by only 27%. Using funds recovered in fraud cases, the FTC returned $483 million to victims of fraud and identity theft in 2020, an increase of 108% from 2019’s $232.2 million.

Consumers today are aware of the risks when they share their cardholder information with businesses, and they’re wary of transacting with businesses that don’t take information security seriously. By implementing the Payment Card Industry Data Security Standard—a baseline of technical and operational requirements designed to protect cardholders data, you can shield your organization from embarrassing data breaches, loss of sensitive cardholder information, and loss of consumer trust. Becoming compliant with the data security standard established by the Payment Card Industry Security Standards Council is essential today to your company’s long-term success.

PCI DSS Requirements

The latest version of the standard (v 3.2.1), published in May 2018, contains 12 broad requirements across 6 areas:

PCI Data Security Standards — High-Level Overview

source: PCI Security Standards Council

Build and Maintain a Secure Network and System
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data on a need to know basis
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

What Are Common Control Failures?

The most common failures occur when the PCI DSS controls are exploited because they aren’t put in place or they have been poorly implemented. Hackers take advantage of an organization’s failure to store sensitive authentication data (SAD) after authorization, inadequately coded web applications, or a lack of logging and monitoring controls. In addition, poor scoping decisions can commonly result in cardholder data being breached through weakness in the network not adhering to the standard.

How does PCI DSS fit into your overall compliance program?

While PCI DSS is more specific to cardholder data protection, the controls needed to safeguard the program are similar to those used by other infosecurity standards and certifications. For example, access control and employee training are common controls that overlap across frameworks. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2 Type 2), you may already have done a lot of the work needed for PCI DSS compliance.

If you’ve already implemented an information security framework in the Hyperproof platform and you’re looking to meet PCI requirements, the Hyperproof platform will recommend which existing controls you can leverage to fulfill PCI requirements, making it significantly easier and faster to complete the standard. Conversely, the controls you implemented for PCI DSS can be reused to meet the requirements of other information security standards and frameworks.

Note that PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

What is the Process to become PCI DSS Compliant?

There are three main stages to becoming compliant with the standard.

1. Assess

Identify cardholder data and record all information technology assets and business processes for processing the card payments. Analyze the assets and processes for vulnerabilities.

2. Remediate

Fix any vulnerabilities you found in step one and permanently eliminate cardholder data, unless keeping it is absolutely essential.

3. Report

Validation of PCI DSS compliance is completed by the individual payment brands and any acquiring banks.

Get in-depth information on the steps to PCI DSS Compliance with our guide

Which PCI DSS Compliance Validation Level is Right for me?

There are multiple compliance validation levels for PCI DSS, and the compliance validation level you must adhere to is determined by the individual payment brands you work with.

Generally, those with low transaction volumes (around 50,000 card transactions per year) will adhere to a lower validation threshold. These organizations must perform annual self-assessments, submit those assessments to senior management for certification, have quarterly network scans done by approved scanning vendors, and submit all reports to their acquiring bank.

General Tips and Strategies for Implementing PCI DSS

Below are some general tips for starting your PCI DSS compliance effort. These tips are designed to help you limit risks, limit the scope of your compliance effort, and keep costs contained.

Limit the Cardholder Data You Store

The best step you can take to protect cardholder data is to not store any cardholder data you do not need, and to isolate the data you do need to well-defined and controlled central locations.

Never Store Sensitive Authentication Data After Authorization

Sensitive authentication data includes the full track contents of the magnetic stripe or equivalent data on a chip, card verification codes and values, PINs, and PIN blocks. This data should NEVER be stored after authorization.

Ask your POS Vendor About the Security of Your System

If your business uses POS in retail locations, you need to ensure that your POS vendor has sufficient security measures. For instance, ask them whether default settings and passwords have been changed on systems and databases that are part of your POS system. Ask them whether your POS software is storing sensitive authentication data, such as track data or PIN blocks (this is prohibited), and if “yes”, how quickly they can delete this data.

Isolate Cardholder Data You Do Need and Consolidate It

You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For instance, by making sure that the cardholder data is stored on its own network segment, rather than the same network segment your employees use to receive emails and browse the internet, you can put PCI DSS controls on a portion of your network instead of the entire network.

Compensating Controls

If your organization does not have the exact control specified by the PCI DSS but has other controls in place that meet the PCI DSS definition of compensating controls, your organization can use such controls instead. However, they need to be documented appropriately.

Maintain PCI DSS Controls Over Time

It’s not enough to set up the security controls just to pass a one-time assessment. To effectively secure these systems and payment data, your organization should continuously monitor and enforce the use of controls specified in the PCI Data Security Standard (more on this below).

A few additional tips for tackling common security concerns from the PCI Security Standards Council

  • Buy and use only approved PIN entry devices at your points-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.

Hyperproof for PCI DSS Compliance

Hyperproof’s compliance operations software solution helps organizations understand the requirements of PCI Data Security Standard, create tailored controls for their business, streamline and automate the evidence management process and monitor their security controls to ensure ongoing effectiveness. Plus, our PCI DSS framework template will get you up and running quickly.


A pre-built template to help you implement controls quickly and correctly

Automated and efficient evidence collection tools to document your efforts toward PCI DSS compliance

Frictionless collaboration between compliance teams and their auditor

The ability to reuse evidence across multiple frameworks and controls

Control assignments to program participants so you can keep team members on track

Dashboards to gauge progress, monitor controls, and view audit preparedness posture

Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get PCI DSS assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader