The Payment Card Industry Data Security Standard has evolved to reflect the increasingly vulnerable state of security in the industry. Consequently, the Payment Card Industry Security Standards Council has added several new requirements for service providers that store, process, and/or transmit cardholder data. Complying with a growing number of requirements can be a headache. Start by following this checklist to learn how to simplify compliance within your organization.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was created by American Express, Discover, JCB International, MasterCard, and Visa Inc. in 2004.
The founding members formed the PCI Security Standards Council (PCI SSC) in 2006 to manage and promote the PCI standards to protect cardholder data for hundreds of millions of people across the globe.
While the Council is a global forum that unites industry stakeholders to develop and adopt data security standards, each founding member is responsible for enforcing their respective data security compliance programs.
Why Do You Need PCI DSS?
Customers need to know that their sensitive information is safe with your business.
Breaches. Data Theft. Fraud.
Cybercriminals live by those words, and they’re living large too. Ransomware is the fastest-growing type of cybercrime, according to Cybersecurity Ventures:
- Cybercrime damages will cost the world $6 trillion annually by 2021.
- Global ransomware damage costs are predicted to reach $20 billion by 2021.
- A business will fall victim to a ransomware attack every 11 seconds by 2021.
PCI Noncompliance. Fines. Lawsuits.
The cost of noncompliance goes far beyond breached data and ransomware attacks.
Noncompliance could cost your business significant fines from payment card issuers and regulatory bodies, expose it to lawsuits from customers and reputational damage, and potentially knock your business off the market entirely.
PCI-Compliant. Protected. Trusted.
Ensuring your business is PCI-compliant is critical. It can protect your payment systems from breaches, prevent data theft, avoid severe legal repercussions, and maintain your customers’ trust.
It can ultimately sustain a respectable reputation that will benefit your business for years to come.
Security Controls and Processes for PCI DSS Requirements
The current set of PCI standards has evolved to reflect the vulnerable state of security in the payment card industry.
It has several new sub-requirements for all service providers that store, process or transmit cardholder data, including software developers and manufacturers of devices and applications used in those transactions.
The PCI DSS defines 12 Requirements that are distributed between six goals:
What are the 12 Requirements?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
What are the six goals?
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Adhering to these security controls and processes helps protect your customers’ sensitive data, such as the primary account number (PAN) printed on payment cards, data stored on magnetic stripes or chips, and personal identification numbers entered by the cardholder.
Types of data on payment card
The PCI DSS defines a Three Step Process for adhering to its requirements:
1. Assess: Identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
2. Remediate: Fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
3. Report: Documenting assessment and remediation details and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
The PCI DSS Security Compliance Checklist
Phase One is where your business creates a strategic plan to implement security controls and commits to becoming PCI DSS compliant. It involves planning, leadership commitment, and setting up basic infrastructure such as firewalls, anti-malware, password management, data storage and encryption, identity management, and more.
Phase Two involves monitoring those security controls, including vulnerability scanning, security configurations, user behavior, intrusion detection, and incident response.
PCI Compliance with Arctic Wolf Security Operations–Around the Clock
Arctic Wolf® Managed Detection and Response provides continuous monitoring of your critical infrastructure for threat detection and management.
Arctic Wolf® Managed Risk provides risk-based vulnerability assessment.
The Concierge Security® Team is always on the clock, always alert, monitoring your enterprise 24x7.
Arctic Wolf evaluates your security configurations, performs vulnerability scans and related patching recommendations, logs all your security events for analysis and forensic investigation, monitors network activity to detect known and zero-day attacks, and implements incident response principles.
Arctic Wolf Redefines the Economics of Data Security
Our designated Concierge Security Team, proprietary cloud-based SIEM, 24x7 monitoring, incident response, vulnerability scans, and tailored escalation and ticketing processes provide end-to-end security monitoring and vulnerability assessment.