The Payment Card Industry Data Security Standard (PCI DSS) is commonly followed by organizations that handle credit card transactions to ensure the security of cardholder data. Because standards and requirements change over time, it is essential to refer to the most recent version, PCI DSS v4.0, for up-to-date information and to answer the question: why do I need to be PCI compliant?
PCI DSS v4.0 was updated in April 2022. The description of the changes from PCI DSS v3.2.1 to PCI DSS v4.0 states:
“For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.2.1 to 4.0. Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”). Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Report on Compliance AOC. Added PCI DSS v4.0 requirements. Added appendices to support new reporting responses.”
To answer the question ‘Why do I need to be PCI compliant,’ we have broken down the PCI DSS Compliance Guide v4.0 for easy understanding.
4 Continual Steps To Protect Payment Data
There are four ongoing steps to protecting payment account data with PCI DSS:
- Assess — identifying all locations of payment account data, taking an inventory of all IT assets and business processes associated with payment processing, analyzing them for vulnerabilities that could expose payment account data, implementing or updating necessary controls, and undergoing a formal PCI DSS assessment.
- Remediate — identifying and addressing any gaps in security controls, fixing identified vulnerabilities, securely removing any unnecessary payment data storage, and implementing secure business processes.
- Report — documenting assessment and remediation details, and submitting compliance reports to the compliance-accepting entity (typically, an acquiring bank or payment brands).
- Monitor and Maintain — confirming that security controls put in place to secure the payment account data and environment continue to function effectively and properly throughout the year. These “business as usual” processes should be implemented as part of an entity’s overall security strategy to help ensure protection on an ongoing basis.
PCI SSC Standards
The PCI Security Standards improve payment security by providing a framework of security control requirements, assessment methodologies, and supporting reference materials. These standards define the security controls and processes that apply to entities in the payment ecosystem, and set requirements for developers and solution providers that build and manage payment devices, software, and solutions for the payment industry.
A brief description of each PCI Security Standards Council (PCI SSC) standard is provided below.
PCI Data Security Standard – An actionable framework for developing a robust payment account data security process, including prevention, detection, and appropriate reaction to security incidents.
PIN Transaction Security (PTS) – Security requirements focused on characteristics and management of devices used in the protection of cardholder PINs (personal identification numbers) and other sensitive payment data.
Software Security Framework – A collection of standards and programs for the secure design, development, and maintenance of existing and future payment software.
Point-to-Point Encryption (P2PE) – A comprehensive set of security requirements for validation of P2PE solutions, to protect payment account data via encryption from where it is captured in the payment terminal until it is decrypted in the solution provider’s environment.
Mobile Standards – Includes the Contactless Payments on COTS (CPoC) and Software-based PIN Entry on COTS (SPoC) standards for mobile payment-acceptance solutions on commercial-off-the-shelf (COTS) devices in a merchant-attended environment.
Other Standards – Other PCI Standards define controls and testing requirements for PIN security, physical and logical card production and provisioning, token service providers, and access security (3-D Secure).
PCI DSS 12 Requirements and Goals
PCI DSS was formulated with the objective of promoting and elevating the security of payment account data while fostering the widespread adoption of uniform data security measures on a global scale. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.
PCI DSS Implementation Strategies
PCI DSS implementation strategies vary depending on the company's level of risk and the requirements of the standard. Here are the three different approaches:
Defined Approach: This is the traditional method for implementing and validating PCI DSS. Entities follow the requirements and testing procedures in PCI DSS, implementing security controls to meet those requirements. If an entity already complies with PCI DSS and is comfortable with its approach, there’s no need for change. It’s helpful for those new to PCI DSS or seeking clear guidance.
Compensating Controls: These are an option within the Defined Approach for entities facing documented constraints preventing them from meeting specific requirements. They implement alternative controls to effectively mitigate the associated risks. This is often used for legacy systems or processes that can’t be updated.
Customized Approach: This approach allows entities to meet Customized Approach Objectives in a way that doesn’t strictly adhere to defined requirements, offering flexibility for innovative or tech-savvy approaches. For instance, organizations might combine legacy vulnerability scanning with advanced techniques like User and Entity Behavior Analytics (UEBA) or AI-based methods to detect complex threats in the Cardholder Data Environment (CDE). It’s suited for those embracing modern security solutions.
Prioritizing PCI DSS Milestones
The Prioritized Approach for PCI DSS compliance consists of six milestones. The subsequent table provides a concise overview of the primary objectives for each milestone.
General Changes to PCI DSS Requirements
The list is taken from the Payment Card Industry Data Security Standard document 'Summary of Changes from PCI DSS Version 3.2.1 to 4.0', Revision 2, December 2022.
PCI DSS Remediation
Upon the release of PCI DSS v4.0 in March 2022, a new reporting option was introduced to record requirements labeled as "In Place with Remediation." The intent behind this addition was to encourage a persistent focus on security by giving organizations a mechanism to pinpoint, on an annual basis, the areas that require enhancement.
PCI DSS Requirement 2: Apply Secure Configurations to All System Components focuses on ensuring that organizations change default passwords and other security parameters before deploying new systems or devices into their network. It emphasizes the need for strong, unique passwords and secure configurations to protect cardholder data. Additionally, organizations must maintain an inventory of all system components and conduct regular vulnerability assessments to identify and address security weaknesses.
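To make the Requirement 2 controls above concrete, here is an added example (not part of this guide or any PCI SSC material) of a small secure-configuration audit: it walks an inventory of system components, flags vendor default credentials still in use, and compares each component's security parameters against a hardening baseline. The inventory, account names, baseline parameters and the `VENDOR_DEFAULTS` list are constructed sample data for illustration, not a real environment or an official PCI list.

```python
"""Constructed example: audit an inventory of system components against a
secure-configuration baseline in the spirit of PCI DSS Requirement 2.
All component names, accounts and parameter names are made-up sample data."""
from dataclasses import dataclass, field

# Constructed: vendor default (username, password) pairs that must be changed
# or disabled before a component is placed into the cardholder data environment.
VENDOR_DEFAULTS = {("admin", "admin"), ("root", "toor"), ("cisco", "cisco")}

# Constructed baseline of security parameters a hardened component must set.
BASELINE = {
    "snmp_community_is_public": False,
    "telnet_enabled": False,
    "tls_min_version": "1.2",
    "password_min_length": 12,
}

SEVERITY_ORDER = {"high": 2, "medium": 1}


@dataclass
class Component:
    """One entry of the system-component inventory (constructed schema)."""
    name: str
    role: str                        # e.g. "pos-terminal", "firewall"
    accounts: list                   # (username, password) pairs as configured
    params: dict = field(default_factory=dict)
    in_cde: bool = True              # does it store, process or transmit card data?


def _version(s):
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def audit_component(c):
    """Return a list of (severity, message) findings for one component."""
    findings = []
    for user, pwd in c.accounts:
        if (user, pwd) in VENDOR_DEFAULTS:
            findings.append(("high", f"vendor default credential in use: {user}"))
    for key, expected in BASELINE.items():
        actual = c.params.get(key)
        if actual is None:
            # An unset parameter is a gap in the configuration standard itself.
            findings.append(("medium", f"parameter not set: {key}"))
        elif key == "tls_min_version":
            if _version(actual) < _version(expected):
                findings.append(("high", f"{key}={actual} is below baseline {expected}"))
        elif key == "password_min_length":
            if actual < expected:
                findings.append(("medium", f"{key}={actual} is below baseline {expected}"))
        elif actual != expected:
            findings.append(("high", f"{key}={actual}, baseline requires {expected}"))
    return findings


def audit_inventory(components):
    """Return {component name: findings}, highest severity first, for in-scope
    components that have at least one gap; out-of-CDE components are skipped."""
    report = {}
    for c in components:
        if not c.in_cde:
            continue
        findings = audit_component(c)
        if findings:
            report[c.name] = sorted(findings, key=lambda f: -SEVERITY_ORDER[f[0]])
    return report


# Constructed sample inventory: one hardened terminal, one firewall still on
# vendor defaults, and one out-of-scope intranet host.
SAMPLE_INVENTORY = [
    Component("pos-01", "pos-terminal", [("operator", "Q9v!tR2#pLm8wZ")],
              {"snmp_community_is_public": False, "telnet_enabled": False,
               "tls_min_version": "1.2", "password_min_length": 12}),
    Component("fw-edge", "firewall", [("admin", "admin")],
              {"snmp_community_is_public": True, "telnet_enabled": True,
               "tls_min_version": "1.0"}),
    Component("hr-wiki", "intranet", [("root", "toor")], {}, in_cde=False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Running it reports only `fw-edge`: the default `admin` credential, the public SNMP community, Telnet being enabled, TLS 1.0 below the 1.2 baseline, and the unset password-length parameter. The hardened terminal produces no findings, and the out-of-scope host is skipped even though it uses a default credential, which is exactly why the inventory needs an accurate in-scope flag per component.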
You can find the entire document for the PCI DSS Summary of Changes from v3.2.1 to v4.0 – Dec 2022 here.