PCI DSS

Framework

PCI DSS Compliance Simplified

Recommendations to Help You Build, Manage, and Report Your PCI DSS Compliance

Understanding PCI DSS

he PCI Security Standards Council (PCI SSC) has created more than 250 technical and operational requirements to protect credit card data known as Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS standards form a comprehensive cybersecurity framework and outline best practices your organization should implement to protect sensitive cardholder data from being stolen and misused by attackers.

If your organization accepts, stores, processes, or transmits credit card information, you are subject to compliance.

Whether you’re new to PCI compliance or you’re wanting to streamline and mature your existing framework and procedures, you’ll find this page a great resource for all of your PCI DSS needs.

What is PCI Compliance?

Meeting or exceeding PCI DSS shows your customers, partners, and insurers that you have a robust program to protect cardholder data.

Your organization can emphasize how well you meet these compliance standards by completing an assessment from an independent qualified security assessor (QSA) who can certify that your organization’s existing security procedures meet framework requirements. An approved scanning vendor (ASV) can validate if your vulnerability scan practices meet PCI scan requirements.

If you successfully meet those requirements, your organization can receive an Attestation of Compliance report, which you must review each year.

If you are not required to submit a Report on Compliance (ROC), you can complete a self-assessment questionnaire to self-assess how well you’re meeting compliance standards.

Failing to meet PCI compliance standards can have a range of negative consequences including significant financial penalties, potential risk of data breaches, and damage to your brand and reputation.

Understanding PCI Compliance

When cyber criminals began targeting credit card data in the late 1990s, industry professionals quickly understood they needed to work together to create standards to help protect this sensitive data from would-be attackers. From there, the idea of a credit card security framework was borne.

The first version of the PCI DSS framework unveiled in 2001 was representative of cybersecurity frameworks used by a variety of companies in the credit card industry. The most recent version, represents a unification of the industry’s technical and operational requirements to protect cardholder data.

There are 12 core requirements and 251 sub-controls that comprise PCI DSS, including:

Firewall configurations
Changing vendor-supplied defaults
Protection of stored data
Data transmission encryption
Use of anti-virus software
Developing and maintaining secure systems
Data access restrictions
Identification & authentication requirements
Physical access restrictions
Data access tracking and monitoring
Tests of security systems
Creating and maintain a security policy

Should Your Organization Be PCI Compliant?

Regardless of industry, if your organization accepts, stores, processes, or transmits credit card information, you are subject to PCI compliance. Based on the industry you’re in, here are a few ways a cybersecurity and compliance platform can help you manage your PCI DSS compliance framework:

Retail

Maintain your professional reputation while keeping your clients’ financial data secure.

Healthcare

Cyber-attacks on the healthcare industry are on the rise, so provide your patients with peace of mind with PCI-compliant data security standards.

Nonprofits

Nonprofit agencies process thousands of credit cards per year, so it’s crucial to include PCI DSS compliance standards in your overall security program.

Energy & Utilities

Demonstrate that your company maintains the highest standards for financial data security.

Dining, Travel, & Leisure

Protect your brand and reputation by ensuring you’re protecting your customers’ credit card information.

Internet & Technology Providers

Receive and maintain credit card data with confidence while protecting your brand and company reputation.

Financial Services & Insurance

As heavily-regulated sectors, it's imperative you demonstrate that you have the right security protocols in place.

Professional Services

Safeguard your clients' credit card information and protect your brand and reputation.

Other Industries

Include PCI DSS compliance as your part of insurance plans and protection against data theft.

Framework

Simplify Your PCI DSS Compliance with Apptega

You can easily build, manage, and report your PCI DSS compliance procedures and overall cybersecurity program within a cybersecurity management software solution like Apptega. Say goodbye to complex GRCs, spreadsheets, and word processing documents and say hello to a single program that will enable you to map all your cybersecurity frameworks in one place.

Start a Free Trial

Understanding PCI DSS Controls

The PCI Security Standards Council was formed in 2006, representing credit card industry leaders American Express, MasterCard, Discover, Visa, and JCB International. Together, they draw on industry expertise and best practices to develop standards to protect sensitive credit card data. PCI DSS represents those standards and creates a framework organizations can implement to protect cardholder information.

This framework represents 251 requirements organized into 12 core areas. These 12 requirements are “controls.” To achieve compliance you must demonstrate you meet these requirements and successfully pass an assessment from a qualified security assessor. Download the PCI DSS compliance guide for a quick look at those 12 controls and what they mean for compliant organizations.

Build and Maintain a Secure Network

Firewall Configurations
Install and maintain a firewall configuration to protect all cardholder dataSystem Defaults
Management
Ensure vendor-supplied defaults are changed and unnecessary default accounts are disabled before installing systems on your network

Protect Cardholder Data

Stored Cardholder Data Protection
Use industry-accepted algorithms to encrypt stored cardholder data and limit data retention time.
‍Encrypt Cardholder Data
Incorporate encrypted transmissions for sending cardholders’ primary account numbers (PAN) over public and open networks.

Create and Maintain a Vulnerability Management Program

Anti-virus Software
Use and regularly update anti-virus software or programs, including use on all systems vulnerable to malware, breaches, compromise, or attacks. Make sure your point-of-sale (POS) and other third-party vendors also employ updated anti-virus software.Secure Systems and Applications
Keep your systems and applications updated with the latest patches and security fixes so hackers cannot penetrate security vulnerabilities.

Implement Strong Access Control Measures

Restrict Access to Cardholder Data
Maintain a need-to-know policy for cardholder data, including a role-based access control (RBAC) system.
‍ID Management
Make sure every person with computer access has a unique, complex, and detailed ID.
‍Restrict Access to Cardholder Data
Restrict physical access to cardholder data. Don’t keep sensitive files in the open, and always maintain a current list of authorized payment device users.

Regularly Monitor and Test Networks

Track and Monitor Networks
Track and monitor all access to network resources and cardholder data. For example, install log management technologies to monitor access and review logs daily.
‍Test Security Systems
Regularly test security systems and processes. For example, plan penetration tests and conduct ongoing vulnerability scans.

Maintain an Information Security Policy

Information Security Policy
Keep updated documentation of your policies and procedures. They can be used as evidence for compliance proof. Your policy should address information security for employees and contractors.

Steps for PCI DSS Compliance

While the Payment Card Industry Security Standards Council manages PCI standards, each credit card company has leeway to enforce its own compliance measures. While the payment card company’s requirements should guide your compliance procedures, here are some basic steps, as outlined by PCI SSC, you can take toward compliance.

Determine Scope
Determine which of your devices, systems, components, and networks are in scope for PCI DSS
Assess Compliance
Assess compliance by completing the testing steps determined for each PCI DSS requirement
Complete Reports
Complete (or have your assessor complete) required reports, including documenting all controls
Complete AOC
Complete an Attestation of Compliance (AOC)
Submit Self-assessment
Submit your self-assessment questionnaire, AOC, report on compliance, ASV scan report, and other documents to your acquirer or payment brand requestor
Remediate Gaps
If gaps are discovered, implement actions to remediate requirements and then complete an updated report

While there is no “certification period” for a SOC 1 report, user entities generally accept a report for the previous year. After that, it’s best practice to undergo an updated assessment to ensure controls are still effective, especially as the service organization’s environment changes.

How to Map PCI DSS to the NIST Cybersecurity Framework

Many organizations in a variety of industries rely on the National Institute of Technology’s (NIST) Cybersecurity Framework to develop their cybersecurity programs and then mature them over time. The NIST framework provides a solid foundation for cybersecurity, and coupled with PCI DSS, they share common goals—to protect sensitive data and improve data security.

Mapping Made Simple

If you already have the NIST Cybersecurity Framework in place, you may be curious to know if you can map PCI DSS to it? The answer is, yes! Aligning the two can help you align your organization’s overall cybersecurity and compliance objectives and create a better understanding the effectiveness of your security procedures.

Apptega's Intelligent Framework Mapping, known as Harmony, allows you to automatically crosswalk and consolidate all shared controls, sub controls, resources and activities across multiple frameworks within your program. With this powerful capability, you can significantly improve efficiency and reduce overhead.

The PCI Security Standards Council created an in-depth guide that outlines how to map PCI DSS v3.2.1 to NIST’s Cybersecurity Framework v1.1.

PCI DSS Merchant Compliance Levels

All PCI merchants are classified into one of four compliance levels. These levels are based on credit or debit card transaction volume during a 12-month period. This includes the transaction volume for all credit, debit, and prepaid transactions.

Merchant Level 1

Any merchant—regardless of acceptance channel—processing more than 6 million credit or debit card transactions per year. Level 1 merchants should conduct an annual internal audit and each quarter should have an ASV conduct a PCI scan.

Merchant Level 2

Any merchant—regardless of acceptance channel—processing 1-6 million transactions per year. Level 2 merchants should do a self-assessment questionnaire each year and could be subject to a quarterly ASV PCI scan.

Merchant Level 3

Any merchant processing 20,000 to 1 million ecommerce transactions per year. Level 3 merchants should do an annual self-assessment and may be required to have quarterly ASV PCI scans.

Merchant Level 4

Any merchant processing fewer than 20,000 ecommerce transactions per year and all other merchants—regardless of acceptance channel—processing up to 1 million transactions per year. Level 4 merchants should conduct an annual self-assessment questionnaire and may need to have a quarterly ASV PCI scan.

PCI DSS FAQs

What is PCI DSS?

PCI DSS is an abbreviation for Payment Card Industry Data Security Standards. These standards are technical and operational requirements established by the PCI Standards Council (PCI SSC) to protect cardholder data. Any organization that accepts stores, processes, or transmits credit card information must meet PCI DSS standards. There are also requirements that directly affect software and app developers (Payment Application Data Security Standard (PA-DSS)), as well as those that create devices used for credit card transactions (PIN Transaction Security (PTS) requirements).PCI DSS sets six core goals achieved through 12 individual requirements. While PCI SSC sets the security standards, each credit card brand determines compliance, validation levels, and enforcement. PCI DSS compliance is assessed by qualified security assessors (QSAs). Approved scanning vendors (ASVs) validate PCI DSS vulnerability scan requirements. The first version of PCI DSS debuted in 2001, representing best practices and frameworks in use by the industry’s major credit card companies. The most current version is v3.2.1.

What is PCI SSC?

PCI SCC is an abbreviation for the Payment Card Industry Security Standards Council. In 2006, American Express, Discover, MasterCard, Visa, and JCB International united to found the council. As a result, each credit card company includes PCI DSS in their individual data security compliance requirements. PCI SSC guides creation of PCI DSS with a mission to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” Learn more about PCI SSC at https://www.pcisecuritystandards.org/about_us.

What is cardholder data?

Cardholder data, according to PCI SSC, is at a minimum the full primary account number (PAN) of a credit card or the full PAN along with any of these: cardholder name, expiration date, or service code. PCI SSC also requires protection of security-related information including sensitive authentication data such as the magnetic stripe data, chip data, PINs, PIN blocks, card validation codes, card validation values, and more.

What does it mean to be PCI DSS compliant?

To be PCI DSS compliant, any organization that accepts, stores, processes, or transmits credit card data must follow and adhere to all of the Payment Card Industry Data Security Standards, including its six goals, 12 core requirements, all of its base requirements, and hundreds of test procedures.

Who is subject to PCI DSS compliance?

Any organization, regardless of size or industry, that accepts, stores, transmits, or processes cardholder data is subject to PCI DSS compliance.

If my organization uses third-party payment processors, do they have to be PCI DSS compliant?

Yes. As with many cybersecurity standards, if your organization uses third-party processors, PCI DSS applies to each of them. Utilizing third-party processors that are PCI DSS compliant helps reduce your risks for an potential data breach. While you should always ensure third-party compliance, don’t stop there. Always look down your supply chain. Do your vendors use other vendors that may access you cardholder data? If yes, you will want to make sure they’re compliant too to help reduce your risks and exposures.

What’s the purpose of PCI DSS?

The primary purpose of PCI DSS is to protect sensitive cardholder data and reduce the likelihood of a data breach and risks associated with the loss of credit card information. Payment Card Industry Data Security Standards outline how you can prevent potential attacks or breaches, how these attacks can be detected within your systems, and what you should do in the event of a breach. In addition to reducing risks, being PCI DSS compliant builds trust with your customers, key stakeholders, and vendors. It demonstrates that you are taking proactive and industry-approved actions to keep their sensitive data safe.