PCI DSS establishes baseline technical and operational requirements for improving payment card account data security. PCI DSS only applies to:
- Cardholder data environment (CDE): system components, people, and processes that store, process, and transmit cardholder data and/or sensitive authentication data, and
- System components that have unrestricted connectivity to the CDE.
In March 2022, the PCI Security Standards Council (PCI SSC) updated PCI DSS to ensure that the standard remains current with emerging threats, technologies, and changes in the payment industry.
Who is the PCI Security Standards Council (PCI SSC)?
In 2006, American Express, Discover, JCB International, MasterCard, and Visa founded the PCI SSC to own, govern, and execute their shared mission of building a data security standard.
Today, the expanded PCI SSC acts as a global forum to develop standards and support services that improve payment account data security. It provides security standards and resources to help secure payments with:
- Global payment security standards
- Validation and listing of products and solutions that meet its requirements
- Training, testing, and qualifying people and organizations
- Offering no-cost best practices and payment security resources
Who needs to comply with PCI DSS?
All entities involved in payment card account processing should comply with PCI DSS, including any of the following:
- Merchants, like an online store accepting payment cards for purchases or a service accepting payment cards for monthly subscription billing
- Processors, like payment service providers that an online retailer uses for handling payment card transactions on their behalf
- Acquirers, like financial institutions that process payment card transactions for merchants
- Issuers, like banks that issue payment cards or perform, facilitate, or support those services
- Other service providers, like firewall or intrusion detection system (IDS) providers, that provide services which control or could impact the security of cardholder data (CHD) and SAD
What data does PCI DSS cover?
PCI DSS focuses on two types of account data:
- Cardholder data, including Primary Account Number (PAN), cardholder name, expiration date, service code
- Sensitive Authentication Data (SAD), including full track data, card verification code, PINs/PIN blocks
What are the consequences for PCI DSS violations?
While the PCI SSC has no punitive capabilities, payment card brands can levy fines up to $500,000 per security breach incident when they find a merchant failed to comply with the standard.
While every payment processor defines its own range, they typically assess the following fines based on period of non-compliance:
- 1-3 months: $5,000/month - $10,000/month
- 4-6 months: $25,000/month - $50,000/month
- 7+ months: $50,000/month - $100,000/month
What are the principal PCI DSS requirements?
PCI DSS sets out 12 principal requirements across 6 categories.
Build and maintain a secure network and systems
Network security controls (NSCs) implement and enforce logical or physical network segments. They monitor incoming and outgoing network traffic to create trust boundaries.
Requirement 1: Install and maintain network security controls
The subsections within this requirement include:
- 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
- 1.2 Network security controls (NSCs) are configured and maintained.
- 1.3 Network access to and from the cardholder data environment is restricted.
- 1.4 Network connections between trusted and untrusted networks are controlled.
- 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Requirement 2: Apply secure configurations to all system components
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for applying secure configurations to all system components
- Securely configure and manage system components
- Securely configure and manage wireless environments
Protect account data
Data protection helps mitigate risks arising from intruders circumventing other security controls and typically includes:
- Encryption
- Truncation
- Masking
- Hashing
Requirement 3: Protect stored account data
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for protecting stored account data
- Store the minimum amount of account data necessary
- Do not store SAD after authorization
- Restrict access to displays of full PAN and the ability to copy cardholder data
- Store PAN securely
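The four protection techniques listed above (encryption, truncation, masking, hashing) and the storage rules in Requirement 3 are easiest to see side by side in code. The following is an added example, not code from the page or from the PCI SSC: it takes a PAN and the sensitive authentication data (CVV) that arrives with an authorization request and produces the only record that is allowed to reach storage. `SAMPLE_PAN` is a well-known test card number and `SAMPLE_KEY` is a constructed key for this example; the function names (`storage_record`, `record_is_clean`, and so on) are this example's own. Encryption of the stored record itself is left to the database or disk layer and is not shown.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample values for this example only: a well-known test card
# number that passes the Luhn check, and a fixed HMAC key. In production the
# key comes from a key-management system, never from source code.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-hmac-key-replace-in-production"


def luhn_valid(pan: str) -> bool:
    """Syntactic check that a string looks like a PAN (13-19 digits, Luhn ok)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking (display form): BIN (first six) and last four visible, the rest
    hidden. The full PAN still exists; only what is shown changes."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> Tuple[str, str]:
    """Truncation (storage form when the full PAN is not needed): the middle
    digits are discarded, so this can never be turned back into a PAN."""
    return pan[:6], pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) usable as a lookup value. An unkeyed hash of a
    16-digit PAN is brute-forceable once the BIN and last four are known,
    which is why a keyed cryptographic hash is the right choice here."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass
class AuthorizationRequest:
    """Data held in memory only while the authorization is in flight."""
    pan: str
    expiry: str   # MMYY
    cvv: str      # sensitive authentication data (SAD)


def storage_record(req: AuthorizationRequest, key: bytes) -> Dict[str, str]:
    """Everything that may be persisted after authorization. SAD (the CVV) is
    never copied into the record, and the PAN survives only as truncated
    digits, a masked display string and a keyed hash."""
    if not luhn_valid(req.pan):
        raise ValueError("not a syntactically valid PAN")
    bin_, last4 = truncate_pan(req.pan)
    return {
        "pan_bin": bin_,
        "pan_last4": last4,
        "pan_display": mask_pan(req.pan),
        "pan_hmac": hash_pan(req.pan, key),
        "expiry": req.expiry,
    }


def record_is_clean(record: Dict[str, str], req: AuthorizationRequest) -> bool:
    """Self-check for tests or a pre-commit hook: the full PAN must not appear
    in any stored value and the CVV must not be stored at all."""
    blob = " ".join(record.values())
    return req.pan not in blob and req.cvv not in record.values()


if __name__ == "__main__":
    request = AuthorizationRequest(SAMPLE_PAN, "1229", "123")
    record = storage_record(request, SAMPLE_KEY)
    print(record)
    print("clean:", record_is_clean(record, request))
```

`record_is_clean` is the kind of assertion worth wiring into the test suite of any service that touches account data: it fails loudly the day someone adds a "debug" field that carries the full PAN or the CVV into a persisted structure.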
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
The subsections within this requirement include:
- Define and document processes and mechanisms for using strong cryptography to protect cardholder data transmitted over open, public networks
- Protect PAN with strong cryptography during transmission
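What "strong cryptography during transmission" amounts to for a client that sends PAN to a processor over the Internet is a TLS policy that is enforced in code rather than left to library defaults. The following is an added example, not from the page or the PCI SSC; it uses Python's standard `ssl` module and the version floor, cipher rules and function names (`strict_client_context`, `transport_is_acceptable`, `connect_checked`) are this example's own choices, made to match current guidance.

```python
import socket
import ssl

# Policy for anything carrying PAN over an open, public network. These are this
# example's assumptions: TLS 1.2 as the floor, certificate and hostname
# verification mandatory, no legacy cipher families, forward secrecy required.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and requires a
    validated server certificate whose name matches the host."""
    ctx = ssl.create_default_context()      # system CA store, CERT_REQUIRED
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Self-check: a context that was loosened somewhere (a debugging shortcut
    that switched off verification, say) fails this and must not be used."""
    return (
        ctx.minimum_version >= MIN_TLS_VERSION
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def transport_is_acceptable(version: str, cipher_name: str) -> bool:
    """Evaluate what an established connection reports via sock.version() and
    sock.cipher()[0]. For TLS 1.2 the suite must also provide forward secrecy
    (ECDHE/DHE key exchange); every TLS 1.3 suite already does."""
    if version not in ACCEPTED_VERSIONS:
        return False
    name = cipher_name.upper()
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        return False
    if version == "TLSv1.2" and not name.startswith(("ECDHE", "DHE")):
        return False
    return True


def connect_checked(host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a connection and refuse to use it if the negotiated parameters fall
    outside the policy (defence in depth on top of the context settings)."""
    ctx = strict_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not transport_is_acceptable(tls.version(), tls.cipher()[0]):
        tls.close()
        raise ssl.SSLError("negotiated transport violates policy")
    return tls
```

Checking the negotiated version and suite after the handshake, as `connect_checked` does, catches the case where a context is built correctly but a different, weaker context ends up wrapping the socket.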
Maintain a vulnerability management program
Intruders often use software, hardware, and firmware vulnerabilities to gain unauthorized access to systems, networks, devices, and data. Additionally, they can use known security vulnerabilities to deploy malicious software (malware) that furthers their data exfiltration capabilities.
Requirement 5: Protect all systems and networks from malicious software
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for protecting all systems and networks from malware
- Prevent, detect, and address malware
- Implement, maintain, and monitor anti-malware mechanisms and processes
- Protect users against phishing attacks
Requirement 6: Develop and maintain secure systems and software
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for developing and maintaining secure systems and software
- Securely develop bespoke and custom software
- Identify and address security vulnerabilities
- Protect public-facing web applications against attacks
- Securely manage changes to all system components
Implement strong access control measures
Ensuring that only authorized personnel, systems, and processes can access critical data requires creating rules that define access and privileges that allow for performing specific actions or functions.
Requirement 7: Restrict access to system components and cardholder data by business need to know
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for restricting access to system components and cardholder data based on a business need to know
- Appropriately define and assign access to system components and data
- Use access control systems for managing access to system components and data
Requirement 8: Identify users and authenticate access to system components
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for identifying users and authenticating access to system components
- Strictly manage user identification and related user and administrator accounts throughout the account life cycle
- Implement multi-factor authentication to secure CDE access
- Configure MFA systems to prevent misuse
- Strictly manage the use of application, system account, and associated authentication factors
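"Implement multi-factor authentication" and "configure MFA systems to prevent misuse" are two separate subsections for a reason: a one-time-password check that accepts a code twice, or that can be guessed without limit, satisfies the first and fails the second. The following is an added example, not from the page or the PCI SSC, of a server-side TOTP verifier (RFC 6238) with the misuse controls a reviewer would look for. The secret is the RFC 6238 Appendix B test secret so the codes can be checked against the published vectors; the class and parameter names (`TotpVerifier`, `skew_steps`, `max_failures`) are this example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used so the
# output can be checked against the published vectors. A real deployment
# generates a random per-user secret and stores it encrypted.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the big-endian counter, then the
    dynamic-truncation step that picks 31 bits and reduces them to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with misuse controls: constant-time comparison, a
    small clock-skew window, one-time use of each time step (no replay) and
    lockout after repeated failures. State is per user and in memory here; a
    real service keeps it in shared storage so every node sees it."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 skew_steps: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self.max_failures = max_failures
        self._last_step: Dict[str, int] = {}    # highest time step accepted per user
        self._failures: Dict[str, int] = {}     # consecutive failures per user

    def verify(self, user: str, code: str, now: int) -> bool:
        if self._failures.get(user, 0) >= self.max_failures:
            return False                        # locked out until reset by an admin
        current = now // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate = current + delta
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                if candidate <= self._last_step.get(user, -1):
                    break                       # code already used: replay, count as failure
                self._last_step[user] = candidate
                self._failures[user] = 0
                return True
        self._failures[user] = self._failures.get(user, 0) + 1
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SHA1_SECRET)
    print(totp(RFC6238_SHA1_SECRET, 59))              # RFC vector: 287082
    print(verifier.verify("alice", "287082", 59))     # True
    print(verifier.verify("alice", "287082", 61))     # False: replayed
```

The replay rule keys on the time step, not the code string, so a code that happens to repeat in a later step is still accepted while the same step can never be used twice; the failure counter is reset only by a successful login, which is what turns unlimited guessing into a bounded number of attempts.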
Requirement 9: Restrict physical access to cardholder data
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for restricting physical access to cardholder data
- Manage physical access controls for facilities and systems containing cardholder data
- Authorize and manage physical access for personnel and visitors
- Securely store, access, distribute, and destroy media with cardholder data
- Protect Point of Interaction (POI) devices from tampering and unauthorized substitution
Regularly monitor and test networks
Logging mechanisms and the tracking of user activities provide the evidence that controls are working as intended. Meanwhile, third-party audits and testing provide an independent review of an organization's PCI DSS compliance program.
Requirement 10: Log and monitor all access to system components and cardholder data
The subsections within this requirement include:
- Define and ensure understanding of processes and mechanisms for logging and monitoring all access to system components and cardholder data
- Implement audit logging to support anomaly and suspicious activity detection and forensic analysis
- Protect audit logs from destruction and unauthorized changes
- Review audit logs to identify anomalies and suspicious activities
- Retain audit log history and make it available for analysis
- Use time-synchronization mechanisms for consistent time settings across all systems
- Promptly detect, report, and respond to critical security control system failures
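Three of the subsections above (audit logging, protecting logs from changes, and reviewing them for anomalies) fit in one small piece of code. The following is an added example, not from the page or the PCI SSC: an append-only log in which every entry commits to the hash of the previous one, a verifier that reports the first entry whose link is broken, and one review rule run over constructed sample activity for a CDE jump host. `AuditLog`, `review_failed_logins` and the threshold values are this example's own; the timestamps are integer Unix seconds and assume the synchronized clocks the time-synchronization subsection calls for.

```python
import hashlib
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


def _chain_hash(prev_hash: str, body: Dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the entry body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the one before it, so an edit
    or deletion anywhere breaks every later link. Ship head() to a separate
    log server on a schedule: an attacker who can rewrite this file can
    recompute the chain, but cannot change the head hash already held elsewhere."""

    def __init__(self):
        self.entries: List[Dict] = []

    def append(self, ts: int, user: str, src: str, event: str, outcome: str) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "ts": ts, "user": user, "src": src,
                "event": event, "outcome": outcome, "prev": prev}
        entry = dict(body, hash=_chain_hash(prev, body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _chain_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def review_failed_logins(entries: List[Dict], threshold: int = 3,
                         window: int = 300) -> List[Tuple[str, int]]:
    """Review rule: flag a user with `threshold` or more failed logins inside
    `window` seconds. Returns (user, timestamp of the triggering failure)."""
    recent: Dict[str, List[int]] = defaultdict(list)
    alerts: List[Tuple[str, int]] = []
    for e in entries:
        if e["event"] != "login" or e["outcome"] != "fail":
            continue
        hits = [t for t in recent[e["user"]] if e["ts"] - t <= window] + [e["ts"]]
        recent[e["user"]] = hits
        if len(hits) >= threshold:
            alerts.append((e["user"], e["ts"]))
    return alerts


# Constructed sample activity for a CDE jump host (not real log data).
SAMPLE_EVENTS = [
    (1700000000, "alice", "10.0.1.5",  "login",     "ok"),
    (1700000010, "bob",   "10.0.9.77", "login",     "fail"),
    (1700000025, "bob",   "10.0.9.77", "login",     "fail"),
    (1700000040, "bob",   "10.0.9.77", "login",     "fail"),
    (1700000050, "bob",   "10.0.9.77", "login",     "ok"),
    (1700000300, "alice", "10.0.1.5",  "pan_query", "ok"),
]


def build_sample_log() -> AuditLog:
    log = AuditLog()
    for event in SAMPLE_EVENTS:
        log.append(*event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify(), "head:", log.head()[:16])
    print("alerts:", review_failed_logins(log.entries))
    log.entries[3]["outcome"] = "ok"        # someone "tidies up" the failed attempts
    print("after tamper:", log.verify())
```

The review rule fires on the third failure, which is the moment to look at the entry that follows it: a successful login right after a burst of failures is exactly the pattern a log review is meant to surface.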
Maintain an information security policy
The information security policy is the foundation of an organization’s approach to and communication of its security program.
Requirement 12: Support information security with organizational policies and programs
The subsections within this requirement include:
- Govern and provide direction for protecting information assets with a known, current, and comprehensive information security policy
- Define and implement acceptable use policies for end-user technologies
- Formally identify, evaluate, and manage CDE risks
- Manage PCI DSS compliance
- Document and validate PCI DSS scope
- Engage in ongoing security awareness education
- Screen personnel to reduce insider threat risks
- Manage third-party service provider risks to information assets and relationships
- Immediately respond to suspected and confirmed security incidents that could impact the CDE