PCI DSS - definition & overview

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure the secure handling, processing and storage of credit card information to prevent data breaches and protect cardholder data. The PCI DSS was developed collaboratively by major credit card companies, including Visa, MasterCard, American Express, Discover and JCB, to establish consistent security measures across the payment card industry.

PCI DSS consists of twelve high-level requirements, each with multiple sub-requirements. These requirements outline various security measures and controls that organizations must implement to protect cardholder data and ensure the security of payment card transactions. The twelve main requirements are as follows:

1. Install and maintain a firewall configuration to protect cardholder data

   • Establish a formal process for testing and approval before new network connections are established.

   • Do not use vendor-supplied defaults for system passwords and other security parameters.
     

2. Do not use vendor-supplied defaults for system passwords and other security parameters:

   • Always change vendor-supplied default passwords and remove or disable unnecessary default accounts.
     

3. Protect cardholder data:

   • Keep cardholder data storage to a minimum by implementing data retention and disposal policies.

   • Do not store sensitive authentication data after authorization.

   • Mask the PAN (Primary Account Number) when displayed.
     

4. Encrypt transmission of cardholder data across open, public networks:

   • Use strong cryptography and security protocols to protect cardholder data during transmission.
     

5. Use and regularly update anti-virus software or programs:

   • Ensure anti-virus software is installed on all systems commonly affected by malicious software.
     

6. Develop and maintain secure systems and applications:

   • Ensure that all system components are protected against known vulnerabilities by applying security patches promptly.

   • Ensure that all custom application code is reviewed for common vulnerabilities.
     

7. Restrict access to cardholder data by businesses on a need-to-know basis:

   • Limit access to system components and cardholder data to only those individuals whose job requires such access.

   • Establish a role-based access control system.
     

8. Identify and authenticate access to system components:

   • Assign a unique ID to each person with computer access.

   • Use a strong authentication factor for remote access to the network.
     

9. Restrict physical access to cardholder data:

   • Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.

   • Develop procedures to verify visitor identity and authorization.
     

10. Track and monitor all access to network resources and cardholder data:

    • Implement logging mechanisms and regularly review logs for all system components to identify suspicious activity.
      

11. Regularly test security systems and processes:

    • Test security controls and processes regularly, including vulnerability scans, penetration tests and security assessments.

    • Maintain a policy that addresses information security for all personnel:
      

12. Establish, publish, maintain and disseminate a security policy and procedures to all relevant personnel.

These requirements include specific sub-requirements and guidance on implementing the necessary security measures. Organizations must carefully assess their environment and processes, implement the required controls and regularly review and update their security practices to ensure compliance with the PCI DSS.

Meeting PCI DSS compliance requirements involves a comprehensive and ongoing process to ensure the security of credit card data and payment card transactions. Here's an overview of the steps an organization typically takes to achieve and maintain PCI DSS compliance:

Assessment: The organization begins by assessing its current environment, systems and processes that handle credit card data. This includes identifying all systems storing, processing, or transmitting cardholder data.

Scope definition: The organization determines the scope of its PCI DSS compliance efforts, focusing on the systems, networks and processes that interact with cardholder data. Limiting the scope helps streamline compliance efforts.

Gap analysis: Conduct a gap analysis to identify areas where the organization's security measures fall short of PCI DSS requirements. This helps identify vulnerabilities and areas for improvement.

Security controls implementation: Implement the necessary security controls and measures to address the gaps identified in the gap analysis.

Data encryption: Cardholder data must be encrypted in transit and at rest. Implement encryption mechanisms to protect sensitive data from unauthorized access.

Access controls: Implement strong access controls, including unique user IDs, password policies and role-based access, to ensure that only authorized personnel can access cardholder data.

Regular testing and monitoring: Regularly test security systems and processes to identify vulnerabilities and weaknesses. Implement continuous monitoring for security incident response and detection.

Vulnerability management: Establish a process for identifying and addressing security vulnerabilities promptly. This may involve regular security scans, patches and updates.

Security policies and procedures: Develop and document security policies and procedures that outline how the organization handles cardholder data, responds to security incidents and ensures ongoing compliance.

Training and awareness: Train employees on security best practices, data handling and their roles and responsibilities in maintaining PCI DSS compliance.

Regular assessments and audits: Conduct regular internal assessments and, depending on the organization's compliance level, engage with a qualified security assessor (QSA) to perform on-site audits and validate compliance.

Report submission: Depending on the organization's compliance level and validation method, submit required compliance reports (e.g., Self-Assessment Questionnaires and Compliance attestations) to the appropriate payment card brands and acquirers.

Ongoing monitoring and maintenance: PCI DSS compliance is an ongoing effort. Continuously monitor systems, conduct regular assessments and update security measures to adapt to evolving threats and technologies.

Attestation of Compliance (AOC): Upon completing assessments and validation, your organization may receive an Attestation of Compliance (AOC) that confirms your compliance with PCI DSS requirements.

PCI DSS certification involves regular assessments and updates to maintain compliance. It's recommended to work closely with your acquiring bank, payment card brands and relevant service providers to ensure you follow the correct processes and meet all requirements for certification.

The frequency of PCI DSS audits varies based on the level of compliance and the specific requirements of the payment card brands and acquirers. There are generally two types of audits: internal and external assessments performed by Qualified Security Assessors (QSAs) or Approved Scanning Vendors (ASVs).

Internal assessments
Level 4 merchants are those processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually or up to 1 million transactions for other card brands. They are typically required to complete an annual self-assessment questionnaire (SAQ) and conduct quarterly network vulnerability scans by an ASV.

External assessments
Level 1 merchants are those processing over 6 million Visa or Mastercard transactions annually, or merchants who have suffered a data breach in the past are classified as Level 1 merchants. They are required to undergo an annual on-site assessment performed by a QSA.

Level 2 and 3 merchants process between 20,000 and 6 million Visa or Mastercard e-commerce transactions annually. They must undergo an annual self-assessment questionnaire (SAQ) and may also be required to perform network vulnerability scans.

Service providers that handle cardholder data are also subject to PCI DSS compliance and assessments, with similar classification levels determining the frequency and type of assessments required.

It's important to note that compliance is an ongoing process, not just a yearly event. Merchants and service providers should continuously monitor and maintain their security controls, conduct regular assessments and keep their systems and processes up to date to maintain PCI DSS compliance and minimize the risk of security breaches. Always consult with payment card brands, acquiring banks, or relevant payment processing partners to ensure you know the specific compliance requirements and assessment schedules that apply to your organization.

Centralized log management can help. Learn more in our guide.

The PCI Security Standards Council (PCI SSC or PCI Council) is a global organization that develops and manages the Payment Card Industry Data Security Standard (PCI DSS) and other security standards for the payment card industry. The council was established in 2006 by major credit card companies to promote the security of credit card transactions and protect cardholder data from data breaches and cyber threats.

The PCI SSC is crucial in setting and maintaining security standards that help organizations secure payment card data and maintain a PCI DSS-compliant environment for card payments. Here's what the PCI SSC does:

Development and maintenance of standards
The PCI SSC is responsible for developing and updating the PCI DSS, a comprehensive set of security requirements and controls for handling, processing and transmitting credit card data. The council also develops related standards, such as the Payment Application Data Security Standard (PA-DSS) and the Point-to-Point Encryption (P2PE) standard.

Education and training
The PCI SSC provides education and training resources to help organizations understand and implement PCI DSS requirements. This includes training materials, guidance documents and resources to assist merchants, service providers and other stakeholders in achieving and maintaining compliance.

Certification programs
The PCI SSC oversees certification programs for individuals and organizations involved in payment card security, such as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). These certified professionals and entities are qualified to assess and validate compliance with PCI DSS requirements.

Collaboration and stakeholder engagement:
The council fosters collaboration among payment card industry stakeholders, including merchants, payment processors, financial institutions, technology vendors and security experts. This collaborative approach helps ensure the standards remain relevant and effective in addressing evolving cybersecurity challenges.

Promotion of security best practices:
The PCI SSC promotes best practices for securing payment card data and raises awareness about the importance of protecting cardholder information. The council helps organizations implement effective security measures by providing guidelines and resources.

Enforcement and compliance
While the PCI SSC does not directly enforce compliance, it plays a role in establishing the PCI security standard and guidelines that organizations must follow. Payment card brands and acquiring banks often require merchants and service providers to comply with the PCI DSS standard as a condition for processing credit card transactions.

Overall, the PCI SSC plays a central role in shaping the security landscape of the payment card industry, helping to safeguard sensitive cardholder data, reduce the risk of data breaches, and maintain the trust and confidence of consumers and businesses in payment card transactions.

Companies generate data exponentially, and protecting cardholder data and maintaining PCI compliance requirements can be overwhelming. Sumo Logic alleviates these challenges with a cloud-native data monitoring, analysis, and retention solution that enables cost-effective, rapid PCI readiness for your cloud and on-premises environments.

With the PCI Compliance App for Sumo Logic, you can meet evolving PCI requirements without the data hassle or the burden of self-policing.

• Simplify audits: Easily meet your audit requirements with scheduled and ad-hoc log searches.

• Maintain compliance: Rapidly discover and visualize data patterns to demonstrate PCI requirements.

• Monitor in real-time: Proactively monitor all infrastructures for indicators of security breaches.
  

Learn more about how Sumo Logic helps companies meet the PCI data security standard.