The Ultimate Guide to
Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to help all organizations who handle credit card transactions maintain a secure environment. The standard was developed by the PCI Security Standards Council, an independent body founded by major card brands including Visa, MasterCard, and Discover.
Protecting Cardholder Data
According to the Federal Trade Commission, credit card fraud continues to be one of the fastest forms of identity theft. Reports of credit card fraud jumped by 107% from Q1 2019 to Q2 2020. To put this rapid growth in perspective, the number of card fraud reports between Q1 2017 and Q1 2019 grew by only 27%. Using funds recovered in fraud cases, the FTC returned $483 million to victims of fraud and identity theft in 2020, an increase of 108% from 2019’s $232.2 million.
Consumers today are aware of the risks when they share their cardholder information with businesses, and they’re wary of transacting with businesses that don’t take information security seriously. By implementing the Payment Card Industry Data Security Standard—a baseline of technical and operational requirements designed to protect cardholders data, you can shield your organization from embarrassing data breaches, loss of sensitive cardholder information, and loss of consumer trust. Becoming compliant with the data security standard established by the Payment Card Industry Security Standards Council is essential today to your company’s long-term success.
PCI DSS Requirements
The latest version of the standard (v 3.2.1), published in May 2018, contains 12 broad requirements across 6 areas:
PCI Data Security Standards — High-Level Overview
source: PCI Security Standards Council
Build and Maintain a Secure Network and System
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
What Are Common Control Failures?
The most common failures occur when the PCI DSS controls are exploited because they aren’t put in place or they have been poorly implemented. Hackers take advantage of an organization’s failure to store sensitive authentication data (SAD) after authorization, inadequately coded web applications, or a lack of logging and monitoring controls. In addition, poor scoping decisions can commonly result in cardholder data being breached through weakness in the network not adhering to the standard.
How does PCI DSS fit into your overall compliance program?
While PCI DSS is more specific to cardholder data protection, the controls needed to safeguard the program are similar to those used by other infosecurity standards and certifications. For example, access control and employee training are common controls that overlap across frameworks. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2 Type 2), you may already have done a lot of the work needed for PCI DSS compliance.
If you’ve already implemented an information security framework in the Hyperproof platform and you’re looking to meet PCI requirements, the Hyperproof platform will recommend which existing controls you can leverage to fulfill PCI requirements, making it significantly easier and faster to complete the standard. Conversely, the controls you implemented for PCI DSS can be reused to meet the requirements of other information security standards and frameworks.
Note that PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.
What is the Process to become PCI DSS Compliant?
There are three main stages to becoming compliant with the standard.
Identify cardholder data and record all information technology assets and business processes for processing the card payments. Analyze the assets and processes for vulnerabilities.
Fix any vulnerabilities you found in step one and permanently eliminate cardholder data, unless keeping it is absolutely essential.
Validation of PCI DSS compliance is completed by the individual payment brands and any acquiring banks.
Which PCI DSS Compliance Validation Level is Right for me?
There are multiple compliance validation levels for PCI DSS, and the compliance validation level you must adhere to is determined by the individual payment brands you work with.
Generally, those with low transaction volumes (around 50,000 card transactions per year) will adhere to a lower validation threshold. These organizations must perform annual self-assessments, submit those assessments to senior management for certification, have quarterly network scans done by approved scanning vendors, and submit all reports to their acquiring bank.
General Tips and Strategies for Implementing PCI DSS
Below are some general tips for starting your PCI DSS compliance effort. These tips are designed to help you limit risks, limit the scope of your compliance effort, and keep costs contained.
The best step you can take to protect cardholder data is to not store any cardholder data you do not need, and to isolate the data you do need to well-defined and controlled central locations.
Sensitive authentication data includes the full track contents of the magnetic stripe or equivalent data on a chip, card verification codes and values, PINs, and PIN blocks. This data should NEVER be stored after authorization.
If your business uses POS in retail locations, you need to ensure that your POS vendor has sufficient security measures. For instance, ask them whether default settings and passwords have been changed on systems and databases that are part of your POS system. Ask them whether your POS software is storing sensitive authentication data, such as track data or PIN blocks (this is prohibited), and if “yes”, how quickly they can delete this data.
You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For instance, by making sure that the cardholder data is stored on its own network segment, rather than the same network segment your employees use to receive emails and browse the internet, you can put PCI DSS controls on a portion of your network instead of the entire network.
If your organization does not have the exact control specified by the PCI DSS but has other controls in place that meet the PCI DSS definition of compensating controls, your organization can use such controls instead. However, they need to be documented appropriately.
It’s not enough to set up the security controls just to pass a one-time assessment. To effectively secure these systems and payment data, your organization should continuously monitor and enforce the use of controls specified in the PCI Data Security Standard (more on this below).
Hyperproof for PCI DSS Compliance
Hyperproof’s compliance operations software solution helps organizations understand the requirements of PCI Data Security Standard, create tailored controls for their business, streamline and automate the evidence management process and monitor their security controls to ensure ongoing effectiveness. Plus, our PCI DSS framework template will get you up and running quickly.
Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get PCI DSS assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.