The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that store, process or transmit payment card data. It was first published in 2004 by the major card brands (Visa, MasterCard, Discover Financial Services, JCB International and American Express), which in 2006 formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it. The requirements aim to help companies secure credit and debit card transactions against data theft and fraud.
Tools and Resources Available from PCI SSC:
- Self-Assessment Questionnaires to assist organizations in validating their PCI DSS compliance.
- PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices.
- Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to help software vendors and others develop secure payment applications. (PA-DSS has since been retired in favour of the PCI Software Security Framework; validated PA-DSS applications are no longer accepted for new validations.)
- Public lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs) and Approved Scanning Vendors (ASVs).
- Internal Security Assessor (ISA) education program.
What are the 12 PCI DSS Requirements?
Due to the growing number of regulations and standards relating to information security (such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, ISO 27001 and others), additional emphasis has been placed on compliance and on the ongoing auditing of security policies and controls.
(From the PCI Data Security Standards Website)
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
As a merchant, it is your responsibility to validate PCI DSS compliance, either through a Self-Assessment Questionnaire or, for higher transaction volumes, through an on-site assessment by a QSA resulting in a Report on Compliance. This section discusses the high-level concepts you need to implement to achieve that validation. Many of these concepts revolve around the standards for storing and maintaining cardholder data.
Here are the 12 high-level requirements for being PCI DSS compliant:
Build and Maintain a Secure Network:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data:
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program:
- Use and regularly update Antivirus software or programs.
- Develop and maintain secure systems and applications.
Strong Access Control Measures:
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks:
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy:
- Maintain a policy that addresses information security for all personnel.
The wording above follows PCI DSS v3.2.1. PCI DSS v4.0 keeps the same twelve high-level requirements but rewords several of them (for example, "network security controls" rather than "firewall", and "malicious software" rather than "antivirus"), so map controls to the version your assessor is using.
How Can Microsegmentation Assist with PCI DSS Compliance?
Micro-segmentation gives fine-grained control over traffic across a hybrid IT ecosystem. A sound implementation isolates and segments individual applications and monitors and enforces all traffic between them, including east-west traffic between workloads in the same network. Done this way, micro-segmentation directly supports several PCI DSS requirements, in particular the network-control requirements and the scope reduction discussed below.
When it comes to PCI DSS, micro-segmentation can support you in reducing scope. The compliance regulations are very clear. “To be considered out of scope for PCI DSS, a system component must be properly isolated from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
Some systems can be physically separated from your CDE. In the past, firewalls could enforce network zones, as could virtual LANs with strong ACLs. However, more complex architectures such as cloud-based VMs or containers have made this difficult, and even a basic control such as placing a firewall between zones becomes a challenge. Additionally, dynamic workloads mean you need granular, real-time visibility of where changes are happening within the CDE. This has encouraged businesses to look for a solution that provides continuous, process- or identity-level visibility and control.
Rich visibility into traffic flows is the first thing an assessor will look for. This has two benefits. Firstly, it shows the assessor that you understand the data and access paths in your network, which is the evidence needed to justify any scope reduction. Secondly, it demonstrates that you can detect unexpected connections into the CDE, and so detect a threat or breach if the worst happens.
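The scoping rule quoted above is testable: a system may be treated as out of scope only if there is no path from it into the CDE, so segmentation has to be verified against observed traffic rather than assumed from a diagram. The following is an added example, not Guardicore's code or a PCI SSC tool. It assumes a constructed inventory (one CDE subnet), a constructed allowlist of the only permitted flows into the CDE, and a handful of constructed flow records in a hypothetical `src,dst,dport,proto` format. It reports any flow that reaches a CDE host without an allowlist match, and lists every non-CDE host that talks to the CDE at all, since those "connected-to" systems stay in scope even when their traffic is permitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allowlisted flow into the CDE (hypothetical policy entry)."""
    src: str      # CIDR of the permitted source
    dst: str      # CIDR inside the CDE
    dport: int    # destination port
    proto: str    # 'tcp' or 'udp'


# Constructed inventory: the CDE is a single subnet in this example.
CDE_NETWORKS = [ip_network("10.10.0.0/24")]

# Constructed allowlist: the only flows permitted to enter the CDE.
ALLOWLIST = [
    Rule("10.20.0.0/24", "10.10.0.0/24", 443, "tcp"),  # web tier -> payment API
    Rule("10.30.0.5/32", "10.10.0.0/24", 22, "tcp"),   # admin jump host -> CDE SSH
]


def in_cde(ip: str) -> bool:
    """True if the address lies inside a CDE network."""
    addr = ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def permitted(src: str, dst: str, dport: int, proto: str) -> bool:
    """True if some allowlist rule covers this flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst)
        and r.dport == dport and r.proto == proto
        for r in ALLOWLIST
    )


def parse_flow(line: str):
    """Parse one constructed 'src,dst,dport,proto' flow record."""
    src, dst, dport, proto = (f.strip() for f in line.split(","))
    return src, dst, int(dport), proto.lower()


def check_flows(lines):
    """Return flows that enter the CDE from outside without an allowlist match.

    Intra-CDE traffic and traffic that never touches the CDE are not
    segmentation violations and are ignored here.
    """
    violations = []
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport, proto = parse_flow(line)
        if in_cde(dst) and not in_cde(src) and not permitted(src, dst, dport, proto):
            violations.append((src, dst, dport, proto))
    return violations


def in_scope_sources(lines):
    """Every non-CDE host with any observed flow into the CDE.

    These are 'connected-to' systems: they cannot be excluded from the
    assessment even when their traffic is allowlisted.
    """
    sources = set()
    for line in lines:
        if not line.strip():
            continue
        src, dst, _, _ = parse_flow(line)
        if in_cde(dst) and not in_cde(src):
            sources.add(src)
    return sources


# Constructed flow records, as a flow collector or host agent might export them.
SAMPLE_FLOWS = [
    "10.20.0.7,10.10.0.12,443,tcp",    # web tier -> payment API: allowed
    "10.30.0.5,10.10.0.12,22,tcp",     # jump host -> CDE SSH: allowed
    "10.40.0.9,10.10.0.12,3389,tcp",   # office workstation RDP into CDE: violation
    "10.40.0.9,10.40.0.10,445,tcp",    # office -> office: never touches the CDE
    "10.10.0.12,10.10.0.13,5432,tcp",  # intra-CDE database traffic: not checked here
    "10.20.0.7,10.10.0.12,8080,tcp",   # web tier on an unapproved port: violation
]

if __name__ == "__main__":
    for src, dst, dport, proto in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION: {src} -> {dst} {proto}/{dport}")
    print("in-scope sources:", sorted(in_scope_sources(SAMPLE_FLOWS)))
```

Run against real flow exports, the violations list is the evidence that a supposedly out-of-scope host still has a path into the CDE, and the in-scope list is what the segmentation test required by Requirement 11 should be compared against; the point is that scope is derived from observed connectivity, not from a network diagram.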
How can you Improve your PCI DSS compliance posture with Guardicore?
Guardicore Centra makes it easier to visualize applications, assess how they communicate with other IT assets, and implement granular segmentation controls. The visibility and control that Centra provides makes it easier to isolate the PCI DSS compliance environment from the rest of the IT infrastructure and minimize the scope of compliance and audit requirements.
FAQ - PCI DSS
Is PCI DSS Compliance Mandatory?
Yes, in practice. PCI DSS is not a law in most jurisdictions; it is enforced contractually through the card brands and your acquiring bank, which can impose fines or withdraw card acceptance for non-compliance. It applies to any organization that stores, processes and/or transmits cardholder data, and covers the technical and operational system components included in or connected to the cardholder data environment. If you are a merchant who accepts or processes credit and payment cards, you must comply with the PCI DSS requirements and validate that compliance to your acquirer.
What is the Difference Between PCI DSS and SWIFT Compliance?
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global provider of financial messaging services, widely used by banks and other financial institutions to send secure messages and orchestrate financial transactions. SWIFT compliance refers to the SWIFT Customer Security Programme, under which SWIFT users attest annually against the Customer Security Controls Framework for the infrastructure that connects to the SWIFT network. PCI DSS, by contrast, is governed by the PCI SSC and protects cardholder data wherever it is stored, processed or transmitted. The two frameworks cover different systems and data, although both lean heavily on segmentation of the sensitive environment from the rest of the network.
Additional resources for PCI DSS compliance