What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a framework developed by the Payment Card Industry Security Standards Council (PCI SSC) to help secure and protect all payment card account data.
Launched on September 7, 2006, PCI DSS defines baseline technical, physical, and operational security controls necessary for protecting payment card account data.
The standards apply to any organization that stores, processes, or transmits cardholder data (CHD), including merchants, payment processors, issuers, acquirers, service providers or any other entity within the payment card ecosystem.
In addition to securing data itself, PCI DSS security requirements also apply to all system components included in or connected to the cardholder data environment (CDE). This includes people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
What is payment card data?
PCI DSS defines two categories of payment account data:
- Cardholder data (CHD) that includes primary account number (PAN), cardholder name, expiration date, and service code; and
- Sensitive authentication data (SAD) that includes full track data (magnetic-stripe data or equivalent on a chip), card security code (CAV2/CVC2/CVV2/CID), and PINs/PIN blocks.
Is PCI compliance required by law?
No. PCI DSS is not reviewed or enforced by any government agency, nor is it enforced by the PCI SSC. Rather, compliance is determined by individual payment brands and acquirers based on the terms of the contract or agreement signed by the merchant or service provider with the card network.
However, while compliance with PCI DSS is not a legal matter, failure to comply with PCI DSS can result in significant fines as well as restrictions on use of payment platforms in the future.
The 12 PCI Compliance Requirements
PCI DSS defines 12 requirements designed to address six objectives:
Requirement 1: Implement and Maintain Firewalls
A firewall is a security measure that protects cardholder data and other assets from unauthorized access. This requirement also offers guidance regarding building and maintaining a secure network and systems, as well as testing network connections and restricting network access.
Requirement 2: Set Proper Password Protections
Many devices, such as servers, routers, modems, point-of-sale (POS) systems, and other endpoints, are delivered to customers with a default username, password, and configuration settings. PCI DSS dictates that organizations maintain a list of password-protected devices and that they take additional steps to protect the security of these endpoints. This includes changing the default password and updating security parameters provided by the technology vendor.
Requirement 3: Protect Stored Cardholder Data
This requirement is considered to be among the most significant in PCI DSS. It dictates that organizations must do the following:
- Outline all cardholder data that will be stored as well as its location and retention period
- Encrypt all cardholder data using an approved encryption method
- Develop a clear encryption key management process
- Conduct regular reviews and assessments to ensure no unencrypted data exists
- Comply with PCI DSS rules for how customer account numbers are displayed
- Develop a specific policy for securely disposing of data
Requirement 4: Encrypt Transmission of CDH across Open Networks
PCI DSS also stipulates that all transmission of cardholder data across open or public networks must be encrypted. This helps protect data from being compromised in the event it is intercepted by cybercriminals while in transit.
Requirement 4 also states that sensitive data, such as account numbers, should not be sent to unknown locations.
Requirement 5: Protect Systems Against Malware and Regularly Update Anti-Virus Software or Solutions
PCI DSS requires companies to deploy antivirus software from a reputable cybersecurity provider on all systems commonly affected by malicious software. This applies to all endpoints — even those that may not be used to process or store cardholder data since malware attacks can originate and spread from any device.
Organizations must also ensure that the antivirus software is active, up to date, and fully operational by conducting regular scans.
Requirement 6: Develop and Maintain Secure Systems and Applications
This requirement is focused on defining and implementing the underlying policies and processes that enable the organization to quickly identify and assess the risk of security vulnerabilities within the data environment; it also dictates actions that must be taken to remediate such risks. A core component of this requirement is limiting potential vulnerabilities by deploying critical patches and updates to all systems, applications and endpoints.
According to this requirement, organizations should also incorporate security requirements in all phases of the development process.
Requirement 7: Restrict Cardholder Data Access on a “Need-to-Know” Basis
Requirement seven focuses on role-based access control (RBAC), a mechanism that defines which users have access to certain resources (in this case cardholder data) based on permissions defined for the roles they are assigned to. To limit the risk of data exposure, access to cardholder data (CHD) should be defined as narrowly as possible.
As part of this requirement, organizations must create a list that specifies which individuals within the organization need access to sensitive data. This list should specify each role, the definition of that role, and data resources needed to carry out activity related to that role. This list should be formally documented; it must also be reviewed and updated regularly.
Requirement 8: Identify and Authenticate Access to Systems with Unique IDs
In this requirement, the PCI SSC outlines that any person who has access to cardholder data must be granted unique, personalized credentials in order to access that data. Companies must also implement methods by which they can authenticate the user attempting to access the data and confirm that they have the required privileges to do so.
Using unique IDs (or preventing account sharing between several users) not only limits exposure, but also helps the organization trace the chain of events when a breach occurs. This makes it easier to respond and contain a data breach, as well as determine its origin and progression.
This requirement also states that two-factor authentication is required for any user to access cardholder data remotely.
Requirement 9: Restrict Physical Access to Cardholder Data
Requirement 9 focuses on physical security of cardholder data. According to this standard, all hard copies of CHD (such as paper files or hard drives) must be retained in a secure physical location. Access should be granted only to those with the necessary privileges; an access log should be maintained.
Additional security measures related to this requirement include:
- Installation of video cameras and/or electronic access controls at the physical location
- Retention of access logs and recordings for at least 90 days
- Development of access protocols that allow the organization to authenticate authorized users
- Application of additional security measures to all portable assets that contains CHD
Requirement 10: Track and Monitor All Access to Network Resources and CHD
One of the most common examples of non-compliance of PCI DSS relates to failure to keep proper records and supporting documentation for when sensitive data is accessed and who did so.
According to this requirement, any action pertaining to CHD or PANs should be logged using a time-stamped tracking tool from a reputable software provider. These logs should then be sent to a centralized server where they are reviewed daily for anomalous behavior or suspicious activity.
Implementation of a security information and event management (SIEM) — a set of tools and services that help organizations manage data logs and analyze such data to recognize potential security threats and vulnerabilities before a breach occurs — can help organizations manage this particular PCI DSS requirement.
Requirement 11: Regularly Test Security Systems and Processes
This requirement focuses on testing the software applications, security measures, or other tools outlined in the previous ten standards to ensure overall compliance.
Specific requirements include but are not limited to:
- Conducting quarterly scans of all wireless access points
- Conducting quarterly vulnerability scans
- Conducting annual application and network penetration testing on all external IPs and domains
- Conducting regular web traffic and file monitoring
Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel
The final PCI DSS requirement focuses on creating an overarching information security policy for employees or other stakeholders. This standard explicitly documents all security-related rules, including those related to technology use, data flows, data storage, data use, personal responsibility, and more.
This policy must be reviewed annually; it must also be distributed to all relevant parties, who must then review and acknowledge receipt of the policy.
Other measures included in requirement 12 relate to risk assessments, user awareness training, background checks, and incident management.
CrowdStrike and PCI Compliance
PCI compliance can be a complex and potentially time-consuming task for companies that lack expertise in data security. For this reason, it is often helpful to engage a reputable cybersecurity partner to help the organization take steps to comply with these requirements and automate much of the related activity.
Another benefit of partnering with a cybersecurity solution provider to address core PCI requirements is that they can help clients maximize any security investments so that the company is not only compliant with PCI DSS but also leveraging acquired tools, technologies, and services to protect the organization more broadly.
Since 2016, the CrowdStrike Falcon® platform has been independently validated to assist organizations and businesses with compliance with PCI DSS requirements. The validation was provided in a report by Coalfire, a leading assessor for global PCI and other compliance standards across the financial, government, industry, and healthcare industries.
Coalfire has determined that CrowdStrike Falcon®, with its powerful unified combination of next-generation antivirus and endpoint detection and response (EDR) capability, addresses five PCI DSS requirements across three different objectives, namely:
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
- Requirement 11: Regularly Test Security Systems and Processes
For more information about how CrowdStrike can help your organization address critical PCI DSS requirements, please download our whitepaper, CrowdStrike Falcon Platform and Comparison with PCI DSS V3.2.