From credit cards to online shopping, people use electronic payment methods more than ever. To secure transactions and protect cardholder data (CD), merchants and financial institutions need to secure cardholder data environments (CDE). The Payment Card Industry Data Security Standard (PCI DSS) is one of the most prescriptive and detailed security compliance mandates. Understanding the 12 PCI DSS compliance requirements can help companies protect sensitive CD that they collect, store, transmit, and process.

Increased use of digital payments

People used digital payment methods and online shopping before the COVID-19 pandemic. However, the global health emergency changed how people made purchases, increasing their reliance on digital payment technologies.

For example, a study by the Federal Reserve Bank of San Francisco (FRB) found:

  • Cash use decreased by seven percentage points from 2019-2020
  • 72% of US consumers reported making in-person payments, down from 91% in 2019
  • Total value of not-in-person spending at grocery stores, dining establishments, and general merchandise stores doubled from $110 in 2019 to $212 in 2020

Further supporting the FRB’s data, research from American Express found that 58% of consumers who used contactless payments to protect themselves from COVID are more likely to use them now.

Digital transactions are going to remain a primary payment process. To ensure continued security, merchants and financial institutions need to take another look at PCI DSS to make sure they meet all compliance requirements.

Who is the Payment Card Industry Security Standards Council (PCI SSC)?

In 2006, five payment card companies (American Express, Discover, JCB International, MasterCard and Visa) founded PCI SSC to develop and drive adoption of data security standards. Since then, the organization has expanded to include Founding Members, Strategic Members, a Board of Advisors, Management Committee, Strategic Regional Members, Affiliate Members, and Participating Organizations.

According to its website, the PCI SSC sets out to enhance payment account security by developing standards and supporting services, including education, awareness, and implementation. To meet this mission, the PCI SSC organizes its work around four strategic pillars:

  • Increase industry participation and knowledge
  • Evolve security standards and validation
  • Secure emerging payment channels
  • Increase standards’ alignment and consistency

PCI DSS is not a law set out by a governmental legislative body. Additionally, since the PCI SSC is not a governmental agency, the standard does not fall under traditional regulatory compliance requirements.

On the other hand, PCI DSS is more than a traditional industry standard like the ISO 27000 series. Organizations can choose to be certified against such a standard, but noncompliance with it carries no penalties or fines.

What are the fines and penalties for PCI noncompliance?

At their discretion, the payment brands can fine acquiring banks anywhere from $5,000 to $100,000 per month for PCI compliance violations. Generally, banks that have to pay this fine pass it along to the merchant.

For example, according to the NetDiligence 2020 Cyber Claims Study, fines assessed over the five-year period ranged from $21,000 to $4.2 million, with an average fine of $13 million and a median fine of $297,000.

PCI DSS fines typically include:

  • Assessed penalties
  • Costs for card brand-ordered assessments
  • Forensic investigations
  • Card replacement costs

Additionally, a bank may decide to end its relationship with the merchant or increase transaction fees.

What types of data does PCI DSS cover?

PCI DSS covers two different types of payment information: Cardholder Data and Sensitive Authentication Data (SAD).

Cardholder data consists of:

  • Primary Account Number (PAN)
  • Cardholder name
  • Expiration date
  • Service code

Sensitive authentication data consists of:

  • Full track data (whether magnetic-stripe or chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

According to PCI DSS, the PAN determines the protection level required. Environments that store, process, or transmit the PAN, together with any of the other cardholder data elements or with sensitive authentication data, must be PCI DSS compliant.

Additionally, sensitive authentication data must never be stored.

Understanding PCI scope

Before getting to the compliance requirements, PCI DSS starts by explaining the system components that fall within its scope.

It defines the CDE as the people, processes, and technologies that store, process, or transmit CD or sensitive authentication data. System components are the narrower technology category within it: network devices, servers, computing devices, and applications.

Some examples include:

  • Security services: authentication servers, internal firewalls, or name resolution/web redirection servers
  • Virtualization components: virtual machines, virtual appliances, hypervisors
  • Network components: firewalls, switches, routers, wireless access points, network appliances
  • Servers: web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS)
  • Applications: both internally designed and commercial-off-the-shelf, as well as in the cloud

Network segmentation

Network segmentation is a cornerstone of PCI compliance. By isolating the CDE from the rest of the organization’s network, companies can reduce:

  • Assessment scope
  • Assessment cost
  • Challenges implementing and maintaining controls
  • Risk

Some ways that organizations can segment their networks logically or physically include:

  • Internal network firewalls
  • Routers with strong access control lists

Third-party service providers/outsourcing

Any PCI scope needs to consider third parties that:

  • Store, process, or transmit cardholder data on the organization’s behalf
  • Manage components like routers, firewalls, databases, physical security, and/or servers

A security vulnerability arising from any of these service providers can negatively impact the organization’s CDE security. As part of this review, PCI requires one of two risk management strategies:

  • Annual assessment: require the third party to provide a copy of its annual assessment and supporting documentation
  • Multiple, on-demand assessments: engage in assessment with third parties who do not provide their own

Generally, third parties choose to do their own assessments then provide the documentation to their customers because it saves money by going through the process only once.

Business-as-Usual (BAU) processes

Without saying it in so many words, PCI DSS suggests that best practice means creating a culture of security. Calling this BAU, the standard gives five examples:

  • Monitoring security controls
  • Putting security control detection and response processes in place
  • Change management processes
  • Reviewing the impact organizational changes have on compliance
  • Engaging in periodic reviews and communication to confirm continued compliance

Compensating controls

According to PCI, when a company is unable to meet a requirement as stated, it may use a compensating control. The compensating control must:

  • Meet the original requirement’s intent and rigor
  • Provide similar defense against risk
  • Be “above and beyond” other PCI requirements

What are the 12 PCI DSS compliance requirements?

Although PCI DSS traces back to the early 2000s, it was updated most recently in May 2018. Version 3.2.1 addressed the impact of technology changes, including changes to the approved technologies for Point of Service (PoS) and Point of Interaction (PoI).

The twelve compliance requirements fall into six categories:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Although these six categories might seem manageable, the “Detailed PCI DSS Requirements and Security Assessment Procedures” section of the standard is 95 pages long. Buried within each of the twelve requirements are multiple subparts, and many subparts consist of more subparts.

For example, “Requirement 1: Install and maintain a firewall configuration to protect cardholder data” consists of five subparts, and three of those contain additional subparts.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Installing and maintaining an appropriate firewall configuration is the foundation of segregating networks. Firewalls control the traffic allowed between internal and external networks, so they should be configured to limit access to the CDE.

Requirement 1 requires that organizations:

1. Establish and implement configurations, including:

  • Incorporating formal approval and testing processes as well as configuration change management
  • Using a current network diagram identifying all connections between the CDE and other networks, including wireless
  • Ensuring the diagram shows all CD flows across systems and networks
  • Requiring a firewall at each internet connection as well as between demilitarized zones (DMZs) and the internal network
  • Describing groups, roles, and responsibilities for managing network components
  • Documenting reasons for the use of all services, protocols, and ports
  • Reviewing firewall and router rulesets at least every 6 months
  • Building configurations restricting connections between external networks and CDE system components

2. Restrict inbound and outbound traffic, including:

  • Securing and synchronizing router configurations
  • Installing perimeter firewalls between wireless networks and CDE that either deny all access or permit limited, authorized traffic between the two environments

3. Prohibit direct public access between the internet and any CDE system component, including:

  • Implementing a DMZ that limits inbound traffic
  • Limiting inbound traffic to specified IP addresses within the DMZ
  • Implementing anti-spoofing measures
  • Refusing unauthorized outbound traffic from the CDE to the internet
  • Permitting only “established” network connections
  • Segregating CD system components from the DMZ and other untrusted networks
  • Obscuring IP addresses and routing information from unauthorized parties

4. Ensure that all portable devices used to access both the internet and CDE have firewalls installed

5. Document and share with affected parties all firewall security policies and operational procedures
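Several of the items above (documented justification for every service and port, a ruleset review at least every six months, no direct public access to the CDE, restricted outbound traffic, and only “established” connections) can be checked mechanically once a ruleset is exported. The following is an added example written for this article, not Alert Logic code or PCI SSC material: the `Rule` shape, the CDE address range and the sample rules are constructed, and a real review would first parse the firewall’s own export into this form.

```python
"""Ruleset review helper for the Requirement 1 controls listed above.

Added example, not Alert Logic or PCI SSC code. The Rule shape and the
CDE address range are constructed; a real review would export the rules
from the firewall or router and parse them into this form first.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed CDE segment; in practice this comes from the network diagram.
CDE_NETS = [ip_network("10.20.0.0/24")]
REVIEW_INTERVAL_DAYS = 180  # rulesets reviewed at least every six months


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: str                # e.g. "443"; "any" means all ports
    justification: str = ""  # documented business reason for the service/port
    stateful: bool = True    # True when only "established" connections are admitted


def touches(cidr: str, nets) -> bool:
    """True if the CIDR (or 'any') overlaps one of the given networks."""
    if cidr == "any":
        return True
    net = ip_network(cidr)
    return any(net.overlaps(other) for other in nets)


def review_ruleset(rules, days_since_review: int):
    """Return (rule name, finding) pairs for everything that needs attention."""
    findings = []
    if days_since_review > REVIEW_INTERVAL_DAYS:
        findings.append(("ruleset", "review overdue: rulesets must be reviewed at least every six months"))
    for r in rules:
        if r.action != "allow":
            continue
        if not r.justification.strip():
            findings.append((r.name, "no documented business justification for the service/port"))
        if r.port == "any":
            findings.append((r.name, "permits all ports; restrict to the documented services"))
        if r.src == "any" and touches(r.dst, CDE_NETS):
            findings.append((r.name, "direct public access to a CDE system component"))
        if touches(r.src, CDE_NETS) and r.dst == "any":
            findings.append((r.name, "unrestricted outbound traffic from the CDE to the internet"))
        if not r.stateful:
            findings.append((r.name, "admits connections that are not 'established'"))
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst) != ("deny", "any", "any"):
        findings.append(("ruleset", "no explicit deny-all as the final rule"))
    return findings


# Constructed sample ruleset: a DMZ web tier in front of a payment application.
SAMPLE_RULES = [
    Rule("dmz-web-in", "allow", "any", "192.0.2.10/32", "443", "public web tier in the DMZ"),
    Rule("dmz-to-app", "allow", "192.0.2.10/32", "10.20.0.5/32", "8443", "web tier to payment application"),
    Rule("legacy-mgmt", "allow", "any", "10.20.0.0/24", "any", "", stateful=False),
    Rule("cde-egress", "allow", "10.20.0.0/24", "any", "443", "TLS to the acquirer"),
]

if __name__ == "__main__":
    for name, finding in review_ruleset(SAMPLE_RULES, days_since_review=200):
        print(f"{name}: {finding}")
```

Run against the sample, the forgotten `legacy-mgmt` rule alone produces four findings, the egress rule is flagged because its destination is unrestricted, and the missing final deny-all is reported even though every individual rule looks reasonable. Keeping the check in version control next to the exported rules also gives the assessor the six-monthly review evidence the standard asks for.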

Requirement 2: Do not use vendor-supplied defaults for system passwords or other security parameters

Since most default passwords are easy to locate or already well known, threat actors use them to gain unauthorized access and compromise systems.

1. Before installing a system on the network, remove all vendor-supplied defaults and disable unnecessary default accounts. Additionally, companies should:

  • Change all defaults for wireless environments that connect to or transmit CD

2. Harden systems according to industry-accepted standards, including:

  • Limiting servers to one primary function each
  • Only enabling necessary services
  • Implementing additional security services as necessary
  • Configuring security parameters to prevent misuse
  • Removing unnecessary functionalities

3. Use strong cryptography to encrypt non-console administrative access

4. Maintain an inventory for in-scope system components

5. Document and distribute security policies and operational procedures for managing vendor defaults

6. Verify that hosting providers limit access between multiple clients on a shared server

Requirement 3: Protect stored cardholder data

If malicious actors gain unauthorized access to CD or the CDE, companies need to prevent the access from compromising the data. This section focuses on different ways to mitigate stored data risks.

1. Establish limitations around storing and disposing of data

2. Do not store sensitive authentication data after authentication, even if encrypted, including:

  • Full content of any track
  • Card verification code or value
  • PIN or encrypted PIN block

3. Mask PAN when displayed

4. Make PAN unreadable across storage locations, including:

  • Separately managing logical access if disk encryption is used

5. Protect keys by documenting and implementing procedures, including:

  • Limiting who manages cryptographic keys
  • Service Providers Only: Documenting cryptographic architecture
  • Storing secret and private keys in separate, secure, and encrypted locations to prevent misuse
  • Limiting the locations storing cryptographic keys

6. Document and implement key-management processes and procedures, including:

  • Generating strong cryptographic keys
  • Securing key distribution
  • Securing key storage
  • Ensuring a defined period for changing keys
  • Retiring or replacing keys that have weaknesses or may be compromised
  • Placing security protocols around manual key-management operations
  • Preventing unauthorized key substitutions
  • Documenting that key custodians understand their responsibilities

7. Document and distribute security policies and operational procedures for stored CD
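Items 2, 3 and 4 above translate directly into code in any application that touches a PAN: never persist sensitive authentication data, show at most the first six and last four digits, and store the PAN only in truncated or keyed-hash form. The block below is an added example written for this article, not Alert Logic code or PCI SSC material. The HMAC key is a constructed placeholder for a key that items 5 and 6 would have you keep in an HSM or key-management service, and the PANs 4111111111111111 and 4012888888881881 are well-known test numbers, not real accounts.

```python
"""Validate a PAN, mask it for display, and render it unreadable for storage,
as Requirement 3 asks.

Added example, not Alert Logic or PCI SSC code. The HMAC key is a constructed
placeholder for a key held in an HSM or key-management service (items 5 and 6
above); 4111111111111111 and 4012888888881881 are well-known test numbers,
not real accounts.
"""
import hashlib
import hmac
import re

# Constructed key material: production keys live in a KMS/HSM, never beside the data.
PAN_HASH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Sensitive authentication data: must never be stored after authorization (item 2).
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "track", "track1", "track2", "pin", "pin_block"}


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and the bare form match."""
    return re.sub(r"\D", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters typos before any hashing or lookup."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Item 3: display at most the first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Item 4 by truncation: keep only the last four digits."""
    return pan[-4:]


def hash_pan(pan: str) -> str:
    """Item 4 by one-way keyed hash (HMAC-SHA-256). The secret key stops anyone
    who steals the hashes from simply enumerating candidate PANs."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def strip_sad(record: dict) -> dict:
    """Item 2: drop sensitive authentication data before anything is persisted."""
    return {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}


def prepare_for_storage(txn: dict, pan_form: str = "hash") -> dict:
    """Build the record a payment application may write to its database.

    pan_form is "hash" (for lookup/matching) or "truncate" (human-readable
    reference). PCI DSS notes that hashed and truncated forms of the same PAN
    must not sit together without extra controls, so only one form is emitted.
    """
    pan = normalize_pan(txn["pan"])
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    record = strip_sad(txn)
    del record["pan"]
    if pan_form == "hash":
        record["pan_hmac"] = hash_pan(pan)
    elif pan_form == "truncate":
        record["pan_last4"] = truncate_pan(pan)
    else:
        raise ValueError("pan_form must be 'hash' or 'truncate'")
    return record


# Constructed authorization message, as a payment application might receive it.
SAMPLE_TXN = {"pan": "4111 1111 1111 1111", "name": "J DOE", "exp": "12/27",
              "cvv2": "123", "track2": "constructed-track-data", "amount": "19.99"}

if __name__ == "__main__":
    print("display:", mask_pan(normalize_pan(SAMPLE_TXN["pan"])))
    print("stored: ", prepare_for_storage(SAMPLE_TXN))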

Requirement 4: Encrypt transmission of cardholder data across open, public networks

By encrypting CD during transmission across the internet, organizations prevent malicious actors from using the data, even if they access it.

1. Use trusted keys/certificates, secure transport protocols, and proper encryption, including for:

  • Wireless networks transmitting CD or connected to CDE

2. Never send unencrypted PAN using email, instant messaging, text, or chat

3. Document and distribute security policies and operational procedures for encryption

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

To mitigate risks from malware, like ransomware, organizations should use anti-virus software and other supplementary controls that enhance protection.

1. Install anti-virus software on systems and devices commonly targeted by malware, while also reviewing:

  • Detection, removal, and protection capabilities against known malware
  • Systems and devices not commonly considered targets to determine any status changes

2. Keep anti-virus solutions current by performing periodic scans and reviewing audit logs

3. Keep anti-virus solutions running and prevent users from disabling them

4. Document and distribute security policies and operational procedures for protecting against malware

Requirement 6: Develop and maintain secure systems and applications

Regularly installing security patch updates helps mitigate risks arising from newly discovered vulnerabilities.

1. Identify and rate each security vulnerability’s risk

2. Regularly install security updates, and install all critical security patches within one month

3. Ensure that the software-development lifecycle incorporates security best practices, including:

  • Removing any test or development credential before making the application available to customers
  • Implementing code reviews to reduce security vulnerabilities before making the application available to customers

4. Establish change control processes to prevent inadvertent or deliberate tampering with security features, including:

  • Separating access controls between development/test and production environments
  • Establishing separation of duties between development/test and production environments
  • Never using live PANs for testing or development
  • Establishing and documenting change control procedures, change impact, change approval, functionality, and backout procedures
  • Ensuring the implementation of all relevant PCI DSS requirements after completing significant changes

5. Annually train developers and develop secure coding guidelines to mitigate common vulnerabilities like:

  • Injection flaws
  • Buffer overflows
  • Insecure cryptographic storage
  • Insecure communications
  • Improper error handling
  • Improper access controls
  • Cross-site request forgery
  • Broken authentication and session management

6. Review public-facing web applications using manual or automated tools annually and after any changes

7. Document and distribute security policies and operational procedures for developing and maintaining secure systems and applications

Requirement 7: Restrict access to cardholder data by business need to know

Limiting user access according to the principle of least privilege mitigates access risk.

1. Provide access to system components and CD for only those who need access to complete job functions, including:

  • Defining access according to roles, like user or administrator
  • Restricting privileged user IDs according to need
  • Assigning access based on job classification and function
  • Requiring access request approval documentation

2. Set system components’ access to deny all unless specifically allowed, including:

  • Covering all system components
  • Assigning privileges to individuals according to job
  • Using default “deny-all” settings

3. Document and distribute security policies and operational procedures for restricting access

Requirement 8: Identify and authenticate access to system components

To ensure that the right users are accessing systems, organizations need to assign unique IDs and require strong passwords. This practice also enables accountability for resource access and usage.

  1. Establish and implement user identification management policies and procedures by:
    • Assigning all users a unique ID
    • Controlling changes to IDs, credentials, and other identifiers
    • Immediately revoking access upon employment termination
    • Removing/disabling inactive users within 90 days
    • Managing third-party access and use
    • Locking users out of systems after 6 unsuccessful login attempts
    • Setting user lockout time to at least 30 minutes or until administrator resets
    • Timing-out sessions after 15 minutes of inactivity
  2. Require authentication using at least something users know, something they have, or something they are, as well as:
    • Encrypting all authentication credentials
    • Verifying users before making authentication credential changes
    • Requiring passwords to be at least 7 characters long with both numbers and letters
    • Changing passwords every 90 days
    • Refusing reuse of the 4 most recent passwords
    • Supplying first-time passwords and requiring immediate changes on initial login
  3. Use multi-factor authentication (MFA) for administrative access and all remote CDE access, including:
    • Using MFA for all administrative user access to the CDE, except for application or system accounts
    • Using MFA for all remote network access
  4. Document and communicate all authentication policies and procedures
  5. Ensure that no generic IDs exist, that system administrators and other critical functions never share user IDs, and that no shared or generic user IDs are used to administer any system components
    • Service Providers Only: Use a unique authentication credential for each customer
  6. Do not share MFA authentication mechanisms across multiple accounts and set physical or logical controls to ensure only the intended account uses the MFA mechanism
  7. Restrict database access as follows:
    • Using stored procedures instead of direct end-user access
    • Granting only database administrators the ability to directly access or query databases
    • Requiring that application IDs be used only by applications, not by individual users
  8. Document and distribute security policies and operational procedures for identification and authentication
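The parameters in items 1 and 2 (unique IDs, 7-character passwords with letters and digits, 90-day rotation, no reuse of the last 4, lockout after 6 failures for 30 minutes, a 15-minute idle timeout, forced change of first-time passwords, disabling accounts inactive for 90 days) are exactly the kind of thing an authentication service should enforce in one place rather than leave to each application. The following policy engine is an added example written for this article, not Alert Logic code or PCI SSC material: the in-memory account store, the controllable clock and the user “alice” in the notes below are constructed, and password hashing uses `hashlib.scrypt` with a per-user salt.

```python
"""Authentication policy for the Requirement 8 parameters listed above: unique
IDs, 7+ character passwords with letters and digits, 90-day rotation, no reuse
of the last 4, lockout after 6 failures for 30 minutes, 15-minute idle timeout,
forced change of first-time passwords, and disabling 90-day-inactive accounts.
Added example, not Alert Logic or PCI SSC code; the store, clock and any users
are constructed, and hashing uses hashlib.scrypt with per-user salts."""
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_LENGTH, HISTORY_DEPTH, MAX_FAILURES = 7, 4, 6
MAX_PASSWORD_AGE = INACTIVE_DISABLE = timedelta(days=90)
LOCKOUT, IDLE_TIMEOUT = timedelta(minutes=30), timedelta(minutes=15)


def password_meets_policy(pw: str) -> bool:
    return (len(pw) >= MIN_LENGTH and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def _hash(pw: str, salt: bytes) -> bytes:
    # Credentials are only ever stored as salted scrypt hashes.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set: datetime
    history: list = field(default_factory=list)  # previous (salt, hash) pairs
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None
    disabled: bool = False


class Clock:
    """Controllable UTC clock so lockout and timeout behaviour can be exercised."""
    def __init__(self): self.t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def __call__(self) -> datetime: return self.t
    def advance(self, **delta): self.t += timedelta(**delta)


class AuthPolicy:
    def __init__(self, now):
        self.now = now          # callable returning the current UTC time
        self.accounts, self.sessions = {}, {}   # sessions: user_id -> last activity

    def create_user(self, user_id: str, first_time_pw: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        salt = os.urandom(16)
        # A first-time password is born expired, forcing a change at first login.
        expired = self.now() - MAX_PASSWORD_AGE - timedelta(seconds=1)
        self.accounts[user_id] = Account(user_id, salt, _hash(first_time_pw, salt), expired)

    def set_password(self, user_id: str, new_pw: str) -> str:
        acct = self.accounts[user_id]
        if not password_meets_policy(new_pw):
            return "rejected: needs at least 7 characters with letters and digits"
        recent = acct.history[-(HISTORY_DEPTH - 1):] + [(acct.salt, acct.pw_hash)]
        if any(hmac.compare_digest(_hash(new_pw, s), h) for s, h in recent):
            return "rejected: matches one of the last 4 passwords"
        acct.history.append((acct.salt, acct.pw_hash))
        acct.salt, acct.pw_set = os.urandom(16), self.now()
        acct.pw_hash = _hash(new_pw, acct.salt)
        return "ok"

    def authenticate(self, user_id: str, pw: str) -> str:
        now, acct = self.now(), self.accounts.get(user_id)
        if acct is None or acct.disabled:
            return "denied"
        if acct.last_login and now - acct.last_login > INACTIVE_DISABLE:
            acct.disabled = True
            return "denied: disabled after 90 days of inactivity"
        if acct.locked_until and now < acct.locked_until:
            return "denied: locked"
        if not hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures, acct.locked_until = 0, now + LOCKOUT
                return "denied: locked for 30 minutes"
            return "denied"
        acct.failures, acct.locked_until, acct.last_login = 0, None, now
        if now - acct.pw_set > MAX_PASSWORD_AGE:
            return "password expired: change required"
        self.sessions[user_id] = now
        return "ok"

    def session_active(self, user_id: str) -> bool:
        """Idle sessions are dropped after 15 minutes; the user must re-authenticate."""
        last = self.sessions.get(user_id)
        if last is None or self.now() - last > IDLE_TIMEOUT:
            self.sessions.pop(user_id, None)
            return False
        self.sessions[user_id] = self.now()
        return True
```

A walk-through with the constructed clock: `create_user("alice", "Temp1234")` followed by a correct login returns `password expired: change required`, because the first-time password is created already expired; `set_password` rejects `short1`, `abcdefgh` and a repeat of `Temp1234` before accepting `Winter2024x`; five wrong attempts return `denied`, the sixth locks the account, a correct password during the lockout is still refused, and after advancing the clock 31 minutes the login succeeds. Note that the lockout counter is tied to the account, not the client, so the response is the same regardless of where the attempts originate, which is the behaviour the requirement asks for.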

Requirement 9: Restrict physical access to cardholder data

Limiting physical access to devices, systems, or data containing CD, including paper copies, mitigates risk. “Onsite personnel” includes all full-time, part-time, and temporary workforce members as well as contractors and consultants on location. Visitors are guests of onsite personnel or anyone entering the site for less than a day.

1. Limit and monitor physical access by:

  • Using video cameras and/or access control mechanisms
  • Restricting access to publicly accessible network jacks using physical and/or logical controls
  • Restricting physical access to networking and communications hardware

2. Establish and implement procedures to tell onsite personnel and visitors apart

3. Control physical access to sensitive areas according to a person’s job function

4. Establish and implement procedures to identify and authorize visitors, including:

  • Having someone escort them in areas processing or maintaining CD
  • Providing badges for easy identification
  • Requiring visitors to return badges
  • Maintaining a visitor log as a physical audit trail

5. Physically secure all media, including:

  • Storing backups in a secure location
  • Controlling internal and external media distribution by classifying sensitive media, using trackable delivery methods, and ensuring management oversight

6. Control media storage and accessibility with proper inventory logs reviewed at least annually

7. Destroy media so that it cannot be reconstructed, rendering electronic media unrecoverable

8. Protect devices from physical tampering by:

  • Maintaining an updated device inventory
  • Inspecting device surface for tampering
  • Training personnel to detect attempted tampering or device replacement

9. Document and distribute security policies and operational procedures for restricting physical access

Requirement 10: Track and monitor all access to network resources and cardholder data

Collecting system logs helps organizations track user activity and is critical to preventing, detecting, or minimizing the impact of a data security incident.

1. Implement audit trails to track user access to system components

2. Automate audit trails to reconstruct:

  • Individual user access to CD
  • Activity by administrator or root account privileges
  • Audit trail access
  • Unsuccessful login attempts
  • Any access and identification changes to accounts with root or administrative privileges as well as new account creation and privilege elevation
  • Starting, stopping, or pausing audit logs
  • Creating and deleting system-level objects, like database tables or stored procedures

3. Record the following for all system components:

  • User ID
  • Event type
  • Date and time
  • Success or failure
  • Event origin
  • Affected data, system component, or resource name/identity

4. Synchronize time across all critical system clocks so that log files can be compared during forensic investigations, with specific attention paid to:

  • Ensuring consistent time
  • Protecting time data
  • Using industry-accepted time sources

5. Secure audit trails to prevent alteration by:

  • Limiting who can view them
  • Protecting from unauthorized changes
  • Backing them up in a location that makes them difficult to alter
  • Using a secure, centralized internal log server or media device for external-facing technologies
  • Generating alerts when changes are made to existing data

6. Review logs and security events for anomalies or suspicious activity, with:

  • Daily review of security events, critical system components, security technologies, and system components that store, process, or transmit CD and/or SAD
  • Periodic review of other system logs
  • Exception and anomaly reviews

7. Retain audit trail history for at least one year

8. Service Providers Only: Implement processes for detecting and reporting critical security control system failures

  • Service Providers Only: Respond to critical security control failures in a timely manner

9. Document and distribute security policies and operational procedures for monitoring all access to network resources
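Items 3, 4, 5 and 6 describe what an audit record must contain, how it must be timestamped, how it must be protected from alteration, and what a daily review looks for. The block below puts those together as an added example written for this article, not Alert Logic code or PCI SSC material: each record carries the six required fields with a UTC timestamp, and records are chained with an HMAC so that altering or removing an earlier entry breaks verification. The signing key is a constructed placeholder for a secret held only by the central log server (item 5), and the sample events are constructed.

```python
"""Audit records carrying the Requirement 10 fields (item 3), UTC timestamps
(item 4) and an HMAC chain so that alteration or deletion of earlier records
is detectable (item 5), plus a simple daily-review pass (item 6).

Added example, not Alert Logic or PCI SSC code. The signing key is a
constructed placeholder for a secret held by the central log server, and the
sample events are constructed.
"""
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timezone

LOG_KEY = b"constructed-demo-key-replace-with-log-server-secret"
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "target")
GENESIS = "0" * 64


def make_event(user_id, event_type, outcome, origin, target, when=None) -> dict:
    """Item 3: user, event type, date/time, success/failure, origin, affected resource."""
    when = when or datetime.now(timezone.utc)
    ev = {"user_id": user_id, "event_type": event_type,
          "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
          "outcome": outcome, "origin": origin, "target": target}
    missing = [k for k in REQUIRED_FIELDS if not ev[k]]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    return ev


def _canonical(ev: dict) -> bytes:
    return json.dumps(ev, sort_keys=True, separators=(",", ":")).encode()


def _mac(prev: str, ev: dict) -> str:
    return hmac.new(LOG_KEY, prev.encode() + _canonical(ev), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only chain: each record's MAC covers the previous MAC and its own event."""
    def __init__(self):
        self.records = []

    def append(self, ev: dict) -> None:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        self.records.append({"event": ev, "prev": prev, "mac": _mac(prev, ev)})

    def verify(self):
        """Return the index of the first record that breaks the chain, or None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(prev, rec["event"])):
                return i
            prev = rec["mac"]
        return None


def daily_review(trail: AuditTrail, failure_threshold: int = 3) -> list:
    """Item 6: surface privileged activity and clustered failures for a human to review."""
    flagged, failures = [], Counter()
    for rec in trail.records:
        ev = rec["event"]
        if ev["event_type"].startswith(("admin.", "audit.")):
            flagged.append((ev["user_id"], f"privileged action: {ev['event_type']}"))
        if ev["outcome"] == "failure":
            failures[ev["user_id"]] += 1
    for user, n in failures.items():
        if n >= failure_threshold:
            flagged.append((user, f"{n} failed events"))
    return flagged


def sample_trail() -> AuditTrail:
    """Constructed events covering several of the item 2 categories."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    rows = [
        ("jdoe", "auth.login", "failure", "10.20.0.33", "pos-app-01"),
        ("jdoe", "auth.login", "failure", "10.20.0.33", "pos-app-01"),
        ("jdoe", "auth.login", "failure", "10.20.0.33", "pos-app-01"),
        ("svc_batch", "data.read_pan", "success", "10.20.0.5", "card_vault"),
        ("root", "admin.user_create", "success", "10.20.0.2", "pos-db-01"),
        ("root", "audit.log_stop", "success", "10.20.0.2", "pos-db-01"),
    ]
    for i, (user, etype, outcome, src, tgt) in enumerate(rows):
        trail.append(make_event(user, etype, outcome, src, tgt, when=t0.replace(minute=i)))
    return trail
```

The chain detects any edit to a stored record and any removal of a record that has successors, but truncating the tail of the log is invisible to it on its own; that is why item 5 also asks for a copy on a centralized server or write-once media, where the last MAC can be compared against the original host. The one-year retention in item 7 applies to those copies as well.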

Requirement 11: Regularly test security systems and processes

Continuously monitoring security controls mitigates risk as malicious actors evolve their methodologies and security researchers discover new vulnerabilities.

1. Test for, detect, and identify all wireless access points at least quarterly, including:

  • Maintaining an authorized wireless access point inventory that includes the reason for having them
  • Implementing incident response procedures in case an unauthorized wireless access point is detected

2. Run internal and external vulnerability scans at least quarterly, to:

  • Address internal “high risk” vulnerabilities
  • Review external vulnerabilities
  • Scan after making significant changes

3. Engage in penetration testing to identify exploitable vulnerabilities, including:

  • External penetration tests annually or after making significant changes
  • Internal penetration tests annually or after making significant changes
  • Repeat tests to verify remediation activities
  • Segmentation control testing to verify its effectiveness
  • Service Providers Only: Confirm segmentation controls every six months or after making significant changes

4. Use intrusion detection and/or intrusion prevention to detect potential compromise by monitoring network traffic

5. Implement change-detection solutions to monitor file integrity and processes for responding to alerts

6. Document and distribute security policies and operational procedures for security monitoring and testing
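Item 5 (change detection on critical files) is simple enough to show end to end: take a baseline of content hashes and permission bits, re-scan, and alert on anything added, deleted, modified or re-permissioned. The block below is an added example written for this article, not Alert Logic code or PCI SSC material. The monitored tree is constructed in a temporary directory so it runs offline; a real deployment would sign the baseline and keep it off the monitored host.

```python
"""Change detection for critical files (Requirement 11, item 5): hash a
baseline, re-scan, and report additions, deletions, content changes and
permission changes.

Added example, not Alert Logic or PCI SSC code. The monitored tree is
constructed in a temporary directory so it runs offline; in production the
baseline would be signed and kept off the monitored host.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> digest, permission bits and size for each regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": st.st_mode & 0o777,
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (change, path) alerts; each one is something to triage."""
    alerts = [("deleted", p) for p in baseline.keys() - current.keys()]
    alerts += [("added", p) for p in current.keys() - baseline.keys()]
    for p in baseline.keys() & current.keys():
        if baseline[p]["sha256"] != current[p]["sha256"]:
            alerts.append(("modified", p))
        elif baseline[p]["mode"] != current[p]["mode"]:
            alerts.append(("permissions_changed", p))
    return sorted(alerts)


def demo() -> list:
    """Constructed host: take a baseline, make four kinds of change, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "payment.conf").write_text("acquirer_host=gateway.example\n")
        (root / "etc" / "old.conf").write_text("retired setting\n")
        (root / "bin" / "pos").write_bytes(b"constructed binary")
        (root / "bin" / "pos").chmod(0o755)
        baseline = build_baseline(root)

        # Changes between scans: an edited config, a removed file, loosened
        # permissions on a binary, and an unexpected new file.
        (root / "etc" / "payment.conf").write_text("acquirer_host=changed.example\n")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "pos").chmod(0o777)
        (root / "bin" / "helper").write_bytes(b"unexpected new file")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for change, path in demo():
        print(f"ALERT {change}: {path}")
```

The second half of item 5, a process for responding to the alerts, is the part that usually lapses: every alert from a scan like this should end either in a ticket tied to an approved change (Requirement 6) or in an incident (Requirement 12), and the weekly comparison the standard expects is only useful if someone owns that triage.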

Requirement 12: Maintain a policy that addresses information security for all personnel

The security policy acts as the written set of processes and practices that define information security responsibilities.

  1. Establish, publish, maintain, and distribute the security policy while also ensuring review at least annually or after making changes to the environment
  2. Perform a formal, documented cybersecurity risk assessment that identifies critical assets, threats, and vulnerabilities at least annually or after making significant changes to the environment
  3. Establish policies for how to use critical technologies, including:
    • Approval requests
    • Authentication processes
    • Personnel authorized to use critical devices
    • Methods for determining device owners
    • Acceptable uses
    • Acceptable networks
    • Company-approved products
    • Remote session termination from inactivity
    • Just-in-time remote session activation/termination for vendor and business partners
    • Prohibition of copying, moving, and storing CD on local hard drives or removable media
  4. Clearly define personnel information security responsibilities
    • Service Providers Only: Executive leadership establishes responsibilities and accountability
  5. Assign responsibility for:
    • Establishing, documenting, and distributing the policies and procedures
    • Monitoring and analyzing security alerts
    • Establishing, documenting, and distributing incident response and escalation procedures
    • Administering user accounts
    • Monitoring and controlling data access
  6. Implement cyber awareness training that includes:
    • When hired and then at least annually after that
    • Annual policy review attestation
  7. Implement employment candidate screening policy
  8. Implement service provider management policies and procedures
  9. Maintain a service provider list with a description of the services provided
  10. Implement third-party vendor risk management and due diligence processes, including:
    • Annual review of service provider PCI DSS compliance
    • Information about how the company and service provider share PCI DSS compliance responsibilities
  11. Service Providers Only: Written acknowledgment to customers regarding responsibilities under PCI DSS
  12. Implement an incident response plan that includes:
    • Plans for responding to a system breach incorporating:
      • Roles, responsibilities, communication, and contact strategies
      • Incident response procedures
      • Business recovery and continuity procedures
      • Data backup processes
      • Breach notification requirements
      • Responsibility and responses for all critical system components
      • Procedures from the payment brands
    • Reviewing and testing plan
    • Designating personnel responsible 24/7
    • Training for staff
    • Alerts that require a response
    • Process for modifying and evolving the plan
  13. Service Providers Only: Review personnel at least quarterly to ensure they are following the policy
  14. Service Providers Only: Maintain personnel review documentation

Meet PCI Compliance Requirements with Alert Logic

Managing PCI DSS compliance is challenging for any organization because the standard includes practice, process, and technology requirements. Alert Logic MDR eases many of the administrative and technical burdens associated with PCI DSS by providing:

  • Cybersecurity professionals who ensure 24/7 monitoring and incident responses across on-premises and cloud environments.
  • Assessment, detection, and alerting capabilities that reduce operational and technology burdens associated with security controls like access and encryption.
  • Intrusion Detection Systems (IDS) that continuously monitor environments to identify potential threats like brute force attacks, command and control exploits, and lateral movement with privilege escalation.
  • Risk and threat mitigation solutions like automated log management and web application monitoring tools that can improve key cybersecurity metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Request your free MDR demo today and learn how Alert Logic can get you PCI compliant faster.

About the Author
Antonio Sanchez
Antonio Sanchez is Fortra’s Principal Evangelist. He has over 20 years of experience in the IT industry focusing on cyber security, information management, and disaster recovery solutions to help organizations of all sizes manage threats and improve their security posture.
