The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of security practices designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) – a global forum founded by major credit card companies like Visa, MasterCard, American Express, Discover and JCB.
The main goal of PCI DSS is to protect cardholder data and prevent payment card fraud, reducing the risk of data breaches and identity theft for the businesses that handle that data. Any business that accepts major payment cards and stores, processes or transmits cardholder data must comply with its requirements; compliance is enforced contractually by the card brands and acquiring banks rather than by law.
Security requirements for PCI DSS
PCI DSS is intended to help organizations defend against attacks on the cardholder data environment by securing network and system infrastructure and preventing unauthorized access to and disclosure of account data. The current major version, PCI DSS v4.0, groups twelve high-level requirements under six principal goals:

| Goal | Requirement |
| --- | --- |
| Build and maintain secure network and systems | 1. Install and maintain network security controls |
| | 2. Apply secure configurations to all system components |
| Protect account data | 3. Protect stored account data |
| | 4. Protect cardholder data with strong cryptography during transmission over open, public networks |
| Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software |
| | 6. Develop and maintain secure systems and software |
| Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know |
| | 8. Identify users and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data |
| | 11. Test the security of systems and networks regularly |
| Maintain an information security policy | 12. Support information security with organizational policies and programs |
PCI DSS compliance levels
Based on the volume of credit and debit card transactions a business processes across all its eCommerce and brick-and-mortar outlets, merchants are assigned to one of four levels:

| Level 1 | Level 2 | Level 3 | Level 4 |
| --- | --- | --- | --- |
| More than 6 million card transactions a year | Between 1 million and 6 million card transactions a year | Between 20,000 and 1 million card transactions a year | Fewer than 20,000 card transactions a year |

The thresholds are defined by each card brand rather than by the PCI SSC (the figures above follow Visa's scheme), and a merchant's level determines how compliance is validated, not which requirements apply: a Level 1 merchant needs an annual on-site assessment by a Qualified Security Assessor and a Report on Compliance, while lower levels can typically validate with a Self-Assessment Questionnaire. All twelve requirements apply at every level.
Benefits of PCI DSS compliance
By meeting PCI DSS requirements, businesses reduce the likelihood of a cardholder data breach and can demonstrate to customers, acquirers and partners that they operate as a security-first organization. Other important benefits include:
- Avoiding fines levied by the card brands: non-compliance can draw penalties, passed through by the acquiring bank, commonly cited in the range of $5,000 to $100,000 a month depending on the severity and duration of the non-compliance, along with higher transaction fees or loss of the ability to accept cards.
- Improved operational efficiency: well-defined scoping, segmentation and access controls reduce the attack surface and the day-to-day burden on IT and security teams.
- Better overall compliance readiness: many PCI DSS controls overlap with other frameworks such as the General Data Protection Regulation (GDPR) and ISO/IEC 27001, so evidence gathered for PCI DSS reduces the incremental effort of complying with them.
Role of identity security in enabling PCI DSS compliance
Three of the six principal goals of PCI DSS cannot be met without identity security controls. This makes identity security critical for any organization that processes card transactions and stores, processes or transmits cardholder data.
The following table highlights those three goals, the requirements behind them and the identity security controls organizations need to accomplish them:
| PCI DSS Goal | PCI DSS Requirement | Identity Security Controls |
| --- | --- | --- |
| Build and maintain secure network and systems | Do not use vendor-supplied defaults for system passwords and other security parameters | |
| Implement strong access control measures | Restrict access to cardholder data by business need to know | |
| | Identify and authenticate access to system components | |
| Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data | |
| | Regularly test security systems and processes to find vulnerabilities | |
It is evident that PCI DSS compliance requires comprehensive identity security and privileged access management (PAM) controls across cardholder environments. Organizations must ensure these controls extend to every system that stores, processes or transmits cardholder data, and to any connected system that could affect the security of that data, whether it lives on-premises or in the cloud.