The world is going cashless. The Federal Reserve Bank of San Francisco reported that cash was used in just 18% of all U.S. transactions in 2022. And that number will continue to decline. The widespread use of credit and debit cards, plus the rise of digital wallets and contactless payments, have reshaped the financial landscape in many wonderful ways — increasing flexibility as well as financial protection. However, it’s also increased the levels of fraud.
Personally identifiable information (PII) — any data that can be used to uncover a person’s identity — is the most frequent target of cyber attacks. Cardholder data is PII for anyone with a credit or debit card, and is highly valuable to bad actors, as it can contain account numbers, pin numbers, expiration dates and more. Threat actors like ransomware gangs love to hold such data hostage, often releasing it to the dark web to further financial fraud, and any organization that holds such data is at risk of a data breach — including retail, technology, business and, of course, financial services. To combat this growing threat, the Payment Card Industry Data Security Standard (PCI DSS) was created to protect cardholder data.
So, what is PCI DSS, how does it ensure cardholder data security, and how can organizations maintain compliance to better protect themselves and their customers’ data?
What Is PCI DSS?
Created in 2004, the Payment Card Industry Data Security Standard — commonly known as PCI DSS — is a set of regulations designed to ensure the protection of cardholder data.
It is overseen by the PCI Security Standards Council (SSC), which is run by the five largest credit card companies — American Express, Discover Financial Services, JCB International, Mastercard, and Visa. This council regularly evaluates and updates the regulations, with the most recent version (v4.0) released in March of 2022 to address emerging threats and technologies and enable innovative methods to combat new threats.
While PCI DSS is not federal law, the major credit card companies do require compliance with their vendors, as well as anyone who stores, processes, or transmits cardholder data, and some states do have PCI DSS language written into their laws.
In addition, compliance and security go hand in hand, as maintaining compliance automatically means your organization has certain security controls and procedures in place to protect against cyber threats.
The Goals of the PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) has a set of six core goals or objectives, each with their own specific requirements:
- Build and maintain a secure network
- Protect stored cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Achieving compliance with PCI DSS and obtaining these six core goals requires any organization who transmits, stores, or processes cardholder data to adopt 12 requirements central to protecting the data.
The 12 PCI DSS Requirements
There are 12 specific requirements for achieving compliance, each aligning to one of the core goals of the PCI Data Security Standard.
Goal: Build and Maintain a Secure Network
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Install and maintain a firewall configuration to protect cardholder data
It would be difficult to find a risk assessment that didn’t recommend firewalls. Hardware, software, and web application firewalls should all be investigated to assess the right approach.
In addition, the firewall must be set up and configured properly as well as regularly maintained. This last element is critically important — if the firewall is not maintained, the network can be compromised.
Four Basic Firewall Configuration Best Practices:
- Use VPNs: Set up virtual private networks (VPNs) for remote access
- Set inbound/outbound rules: Decide what traffic comes in and out of your network
- Add or close switch ports: Segment different networks with switch ports (e.g., Internet, office, EMR)
- Create security settings: Set security settings for each switch port, particularly if you’re using segmentation
Goal: Protect Stored Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Data encryption provides an additional layer of security for sensitive information if threat actors successfully access your organization’s systems. This makes the data much more difficult to steal, hold for ransom, or use in committing fraud.
PCI DSS requires that cardholder data and personally identifiable information (PII) are encrypted both in storage and when in transit over public or private networks.
Goal: Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
- Restrict access to cardholder data by business need– to– know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Goal: Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
While those requirements may feel in-depth, they also align with other security frameworks (such as the NIST Cybersecurity framework) and lay out a holistic, organization-level approach to cybersecurity that focuses on identity and access management (IAM) , as well as monitoring and detection procedures.
Why Does PCI DSS Matter?
Non-compliance increases both breach risks and costs. In 2023, over 350 million people had their PII leaked or stolen due to a data breach. These breaches proved incredibly costly for victims, with the Federal Trade Commission reporting $10 billion in losses due to fraud.
But the victims of a data breach are not the only ones faced with high costs after a successful data breach. According to the IBM Cost of a Data Breach Report 2023, “Organizations with a high level of noncompliance with regulations showed an average cost of USD 5.05 million, which exceeded the average cost of a data breach by USD 560,000, a difference of 12.6%.”
According to a survey conducted by Arctic Wolf , 32% of organizations currently follow the PCI DSS compliance standard. This highlights how prevalent financial information is across organizations and industries, and how beneficial these compliance requirements are when it comes to security.
Following a compliance framework not only makes building out a cybersecurity strategy simpler, but it can also make the difference between a stopped threat and a major breach.
How Arctic Wolf Helps with PCI DSS Requirements
While compliance requirements are beneficial for business and security operations, they are not always easy to implement. Headcount, budget, and current business goals all impact how compliance requirements are reached, and unfortunately, many organizations treat compliance like a static checklist, not a part of their overall security journey, which weakens the protections those requirements can provide.
An external security operations partner, like Arctic Wolf, can help organizations of all sizes meet compliance requirements by implementing security solutions that align with frameworks like PCI DSS. Here’s how:
- Simplify PCI-DSS compliance with customized reporting
- Monitor access to card holder data on-premises and in the cloud
- Provide real-time alerts based on business risks posed by payment card data
- Perform continuous vulnerability scanning of internal and external networks, and endpoints
- Implement secure configuration policies based on security controls benchmarks, such as CIS
- Identify and prioritize vulnerabilities based on threat exposure, assets, and severity
- Audit system access, authentication, and other security controls to detect policy violations
- Automatically detect and scan new devices as they enter the network
- Create, assign, track, and verify remediation tasks
- Demonstrate compliance and communicate progress with reports, analytics, and live dashboards from the Arctic Wolf Concierge Security® Team
Learn more about how Arctic Wolf helps organizations achieve compliance with PCI DSS as well as other regulatory frameworks.
Take a deep dive into the various information security and data protection requirements with our Cybersecurity Compliance Guide.
