The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements for enhancing payment card data security. This standard is designed to ensure that all entities accepting, processing, storing, or transmitting credit card information maintain a secure environment.
PCI DSS includes 12 primary requirements, grouped into six control objectives to safeguard payment card information:
Build and Maintain a Secure Network: Install firewalls and avoid vendor-supplied defaults.
Protect Cardholder Data: Encrypt stored data and transmissions.
Maintain a Vulnerability Management Program: Protect systems against malware and use secure applications.
Implement Strong Access Control Measures: Limit access to sensitive data based on business needs.
Regularly Monitor and Test Networks: Track network activity and security systems.
Maintain an Information Security Policy: Document and maintain a formal security policy for employees and contractors.
To protect cardholder data, establish a secure network by configuring firewalls to restrict unauthorized access to network resources.
1.1: Establish firewall and router configuration standards that address the following:
1.1.1: A formal process for firewall and router configurations that restricts connections to cardholder data environments.
1.1.6: Network documentation detailing current configurations.
1.2: Restrict inbound and outbound traffic, and allow only necessary services and protocols.
Implementation Context: Routinely review firewall configurations to ensure compliance with the firewall standards.
Stakeholders: Network Security, IT Compliance
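The routine firewall review called for under 1.1 and 1.2 can be partly automated. The following is an added example, not part of the original page or of any PCI DSS publication: it audits a rule list for any-to-any allows, inbound services into the cardholder data environment (CDE) that are not on the documented list of necessary services, and a missing final default deny. The CDE range, the justified-service list and the sample rules are constructed assumptions.

```python
"""Firewall rule-set review for PCI DSS Requirement 1 (added example, not from
the page): check a rule list for any-to-any allows, inbound services into the
CDE that lack a documented business justification, and a missing final deny.
The CDE range, the allowed-service list and the rule set are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the cardholder data environment address range.
CDE_NETWORK = ipaddress.ip_network("10.10.0.0/24")
# Constructed: inbound (protocol, port) pairs with a documented business
# justification (the "necessary services" of 1.1.6 / 1.2).
JUSTIFIED_INBOUND = {("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port


def _net(spec: str):
    """Map the "any" keyword onto the whole IPv4 space so overlap tests work."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def audit_rules(rules: List[Rule]) -> List[dict]:
    """Return one finding per violation; an empty list means the set passes."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = _net(rule.src), _net(rule.dst)
        if rule.src == "any" and rule.dst == "any":
            findings.append({"rule": idx, "issue": "any-to-any allow"})
            continue
        # Traffic from outside the CDE into it must be a justified service on a fixed port.
        if dst.overlaps(CDE_NETWORK) and not src.subnet_of(CDE_NETWORK):
            if rule.port is None or (rule.proto, rule.port) not in JUSTIFIED_INBOUND:
                findings.append({"rule": idx, "issue": "undocumented inbound service to CDE"})
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append({"rule": len(rules), "issue": "no explicit default deny at end of set"})
    return findings


# Constructed rule set for review; rules 1 and 3 should be flagged.
SAMPLE_RULES = [
    Rule("allow", "any", "10.10.0.0/24", "tcp", 443),
    Rule("allow", "any", "10.10.0.0/24", "tcp", 3389),
    Rule("allow", "10.10.0.0/24", "10.10.0.0/24", "any", None),
    Rule("allow", "any", "any", "any", None),
    Rule("deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"rule {f['rule']}: {f['issue']}")
```

A real review would load the rule list from the device's exported configuration and keep JUSTIFIED_INBOUND in the network documentation required by 1.1.6, so that every flagged rule maps to either a documented exception or a remediation ticket.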
Prevent unauthorized access to systems by changing default settings such as passwords and configurations on network devices and systems handling cardholder data.
2.1: Always change vendor-supplied defaults before installing a system on the network.
2.2: Develop configuration standards for all system components to address security vulnerabilities and ensure configurations are consistent across systems.
Implementation Context: Perform regular scans to identify configurations using default settings.
Stakeholders: IT Security, Compliance
Protecting stored cardholder data is essential to prevent unauthorized access and breaches. This requirement focuses on securing data at rest using encryption, masking, truncation, and secure key management practices.
3.1: Establish a data retention policy to limit the duration of stored cardholder data.
3.2: Do not store sensitive authentication data, such as CVV or PIN, after authorization.
3.3: Mask PAN when displayed, showing only the last four digits, to minimize exposure.
3.4: Encrypt stored cardholder data using strong cryptography and secure key management practices.
3.5: Secure cryptographic keys to prevent unauthorized access.
Implementation Context: Organizations must implement strict data storage policies, apply encryption to stored data, and use secure key management to control access. Data retention policies should limit storage duration, while encryption keys should be regularly rotated and stored securely.
Stakeholders: Data Security, Compliance, IT Security
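Requirements 3.2 through 3.5 above describe concrete handling rules for a record at the point it is written to storage. The following is an added example, not code from the original page or from any PCI DSS publication: it masks a PAN to its last four digits for display (3.3 as stated on this page), strips sensitive authentication data fields before persistence (3.2), and replaces the PAN with a keyed HMAC token whose key id lets tokens remain resolvable after key rotation (3.4, 3.5). The field names, the keyring layout and the sample record are constructed assumptions; the Visa test number 4111 1111 1111 1111 is a published test value, not a real account.

```python
"""PCI DSS Requirement 3 helpers (added example, not from the page): mask PAN
for display, drop sensitive authentication data before storage, and tokenize
PAN with a rotatable keyring.  Field names and key material are constructed."""
import hashlib
import hmac
import re
import secrets

# Constructed: field names treated as sensitive authentication data (3.2).
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"})


def luhn_valid(pan: str) -> bool:
    """Luhn check used to distinguish a PAN from an arbitrary digit string."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits visible (3.3 as written here)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        raise ValueError("not a PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


class PanKeyring:
    """Holds HMAC keys by id so old tokens stay verifiable after rotation (3.5)."""

    def __init__(self):
        self._keys = {}
        self.current_id = None

    def rotate(self) -> str:
        key_id = f"k{len(self._keys) + 1:03d}"
        self._keys[key_id] = secrets.token_bytes(32)   # constructed key material
        self.current_id = key_id
        return key_id

    def key(self, key_id: str) -> bytes:
        return self._keys[key_id]


def tokenize_pan(pan: str, keyring: PanKeyring) -> str:
    """Return '<key_id>:<hmac-sha256>' computed under the current key."""
    digits = re.sub(r"\D", "", pan)
    mac = hmac.new(keyring.key(keyring.current_id), digits.encode(), hashlib.sha256).hexdigest()
    return f"{keyring.current_id}:{mac}"


def verify_token(pan: str, token: str, keyring: PanKeyring) -> bool:
    """Recompute the token under the key id it names; constant-time compare."""
    key_id, mac = token.split(":", 1)
    digits = re.sub(r"\D", "", pan)
    expected = hmac.new(keyring.key(key_id), digits.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def sanitize_for_storage(record: dict, keyring: PanKeyring) -> dict:
    """Build the version of a transaction record that may be persisted."""
    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if not luhn_valid(pan):
        raise ValueError("record has no valid PAN")
    stored = {k: v for k, v in record.items()
              if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored["pan_token"] = tokenize_pan(pan, keyring)
    stored["pan_masked"] = mask_pan(pan)
    return stored


if __name__ == "__main__":
    kr = PanKeyring()
    kr.rotate()
    # Constructed sample record; the CVV must never reach storage.
    rec = {"pan": "4111-1111-1111-1111", "cvv": "123", "expiry": "12/29", "name": "CONSTRUCTED"}
    print(sanitize_for_storage(rec, kr))
```

The token is deterministic per key so the same card can be matched across transactions without storing the PAN; that is also why the key itself must be handled under 3.5, since anyone holding it can test candidate PANs against stored tokens. Rotation adds a new key without invalidating old tokens, which can then be re-tokenized on a schedule set by the retention policy of 3.1.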
This requirement mandates that organizations use encryption protocols to secure cardholder data in transit across open, public networks, protecting it from interception and unauthorized access.
4.1: Use strong cryptography, such as TLS or IPsec, to encrypt cardholder data during transmission.
4.2: Do not use email or other non-secure methods to transmit cardholder data unless encrypted.
Implementation Context: Implement secure transmission protocols for all connections involving cardholder data. Ensure that all wireless and external network traffic uses encryption to protect data from being intercepted.
Stakeholders: Network Security, IT Compliance
To safeguard systems from malware threats, this requirement emphasizes the installation, regular updates, and active monitoring of anti-virus software on all systems within the cardholder data environment.
5.1: Install anti-virus software on all systems commonly affected by malware.
5.2: Ensure that anti-virus programs are capable of generating audit logs and are configured to actively monitor systems.
5.3: Update anti-virus programs and definitions regularly to protect against new threats.
Implementation Context: Organizations should deploy robust anti-malware solutions, enable real-time scanning, and update malware definitions frequently. Additionally, they should generate alerts and audit logs for suspicious activity.
Stakeholders: IT Security, Compliance
This requirement focuses on developing and maintaining secure applications and systems to protect against known vulnerabilities, by applying patches and conducting security testing.
6.1: Establish a process to identify security vulnerabilities, using reputable sources.
6.2: Ensure all system components and software are protected from known vulnerabilities through the application of security patches within an appropriate timeframe.
6.3: Develop applications based on secure coding guidelines, with consideration for common threats.
Implementation Context: Maintain an inventory of systems and applications, apply patches promptly, and conduct regular vulnerability assessments. Implement secure coding practices and conduct code reviews.
Stakeholders: Application Security, Compliance, IT Operations
Access to cardholder data must be restricted to personnel with a legitimate business need to ensure minimal exposure to sensitive data.
7.1: Limit access to cardholder data to only those individuals whose job responsibilities require it.
7.2: Implement role-based access controls and grant the least privilege necessary for the task.
Implementation Context: Define and implement access control policies based on the principle of least privilege, and review permissions regularly to ensure that access levels align with job requirements.
Stakeholders: Access Control, Compliance, HR
Strong authentication measures must be implemented to verify the identity of users accessing systems with cardholder data, reducing the risk of unauthorized access.
8.1: Assign a unique ID to each person with computer access.
8.2: Implement multi-factor authentication (MFA) for all remote access to the cardholder data environment.
8.3: Enforce secure password practices, such as minimum length, complexity, and expiration.
Implementation Context: Implement MFA for remote access, assign unique IDs to all users, and enforce strict password policies, with periodic reviews of access permissions.
Stakeholders: IT Security, Compliance, HR
Physical access to systems containing cardholder data must be strictly controlled to prevent unauthorized access. This includes protecting data centers, server rooms, and other sensitive areas from unapproved physical entry.
9.1: Use physical access controls such as locks, cameras, and alarms to secure areas storing cardholder data.
9.2: Implement badge-based or biometric access controls to restrict entry to authorized personnel only.
9.3: Monitor and log physical access to sensitive areas and conduct regular reviews.
9.4: Protect devices that capture payment card data from tampering and substitution.
Implementation Context: Install physical security controls like badge readers, cameras, and security personnel where appropriate. Log all access to sensitive areas and review logs regularly. Use tamper-evident seals on devices to prevent unauthorized alterations.
Stakeholders: Facilities Management, IT Security, Compliance
Maintaining audit trails and logging access to cardholder data and related resources ensures that any unauthorized or suspicious activities can be identified and investigated promptly.
10.1: Establish logging mechanisms that capture user activities, especially access to critical systems and cardholder data.
10.2: Implement automated log management to ensure logs are reviewed and retained according to policy.
10.3: Review logs for unusual or unauthorized activities on a regular basis and in response to security incidents.
Implementation Context: Configure logging for all access points to cardholder data and sensitive resources. Use a Security Information and Event Management (SIEM) solution for centralized logging, automated alerts, and regular log reviews. Ensure logs are retained securely for at least one year.
Stakeholders: IT Security, Compliance, SOC Team
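The regular log review of 10.3 is where the audit trail from 10.1 turns into findings. The following is an added example, not code from the original page or from any SIEM product: it parses access-log lines in a constructed key=value format and flags successful access to cardholder data by a user outside the authorized list (tying back to 7.1), repeated failed logins from one account, and cardholder-data access outside business hours. The log format, the user and object lists, the business-hours window, the failure threshold and the sample lines are all constructed assumptions.

```python
"""Log review for PCI DSS Requirement 10 (added example, not from the page):
parse access-log lines and flag unauthorized CDE access, repeated failed
logins, and off-hours CDE access.  Format, lists and hours are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) result=(?P<result>\S+)$")

AUTHORIZED_CDE_USERS = {"alice"}      # constructed: the 7.1 access list for cardholder data
CDE_OBJECTS = {"cardholder_db"}       # constructed: systems that hold cardholder data
BUSINESS_HOURS = range(8, 18)         # constructed: 08:00-17:59 UTC
FAIL_THRESHOLD = 3                    # constructed: failed logins per window that trigger a finding
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, with ts as a datetime, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def review_logs(lines: List[str]) -> List[dict]:
    """Apply the three review rules; each finding names the rule, line index and user."""
    findings = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for n, line in enumerate(lines):
        ev = parse_line(line)
        if ev is None:
            # Unparseable lines are findings too: a gap in the audit trail needs explaining.
            findings.append({"line": n, "rule": "unparsed_line", "user": None})
            continue
        cde_hit = ev["object"] in CDE_OBJECTS and ev["result"] == "success"
        if cde_hit and ev["user"] not in AUTHORIZED_CDE_USERS:
            findings.append({"line": n, "rule": "unauthorized_cde_access", "user": ev["user"]})
        if cde_hit and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append({"line": n, "rule": "off_hours_cde_access", "user": ev["user"]})
        if ev["action"] == "LOGIN" and ev["result"] == "failure":
            q = failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:   # fire once when the threshold is reached
                findings.append({"line": n, "rule": "repeated_login_failures", "user": ev["user"]})
    return findings


# Constructed sample log lines; lines 1, 4 and 6 should produce findings.
LOG_LINES = [
    "2024-05-01T09:02:11Z host=db01 user=alice action=SELECT object=cardholder_db result=success",
    "2024-05-01T09:05:43Z host=db01 user=bob action=SELECT object=cardholder_db result=success",
    "2024-05-01T11:17:02Z host=app01 user=carol action=LOGIN object=app01 result=failure",
    "2024-05-01T11:17:20Z host=app01 user=carol action=LOGIN object=app01 result=failure",
    "2024-05-01T11:17:41Z host=app01 user=carol action=LOGIN object=app01 result=failure",
    "2024-05-01T14:30:00Z host=db01 user=alice action=SELECT object=inventory_db result=success",
    "2024-05-01T23:48:09Z host=db01 user=alice action=SELECT object=cardholder_db result=success",
]

if __name__ == "__main__":
    for f in review_logs(LOG_LINES):
        print(f"line {f['line']}: {f['rule']} user={f['user']}")
```

In production these rules would run as SIEM correlation searches over the centralized log store, with the authorized-user list pulled from the access-control records maintained under Requirement 7 rather than hard-coded, so that a review finding and an access-review exception can be reconciled against the same source.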
Regular testing of security systems and processes identifies vulnerabilities and confirms that security controls are functioning as expected; it should include both vulnerability assessments and penetration tests.
11.1: Implement regular vulnerability scans and ensure findings are addressed.
11.2: Conduct penetration testing annually or after significant system changes.
11.3: Use intrusion detection or prevention tools to monitor network traffic and alert security teams of potential threats.
11.4: Test for unauthorized wireless access points and address any vulnerabilities.
Implementation Context: Conduct routine vulnerability scans and penetration tests to evaluate the security posture. Deploy and configure intrusion detection or prevention systems (IDS/IPS) for real-time threat detection and response. Regularly test wireless networks for unauthorized access points and mitigate any detected vulnerabilities.
Stakeholders: IT Security, Compliance, SOC Team
A comprehensive security policy that applies to all employees and contractors establishes the organization’s commitment to safeguarding cardholder data and provides guidance on roles, responsibilities, and security practices.
12.1: Establish, publish, maintain, and disseminate a security policy that addresses information security.
12.2: Assign security responsibilities to designated personnel within the organization.
12.3: Implement an acceptable use policy for employee access to system resources.
12.4: Develop and maintain a security awareness program to educate personnel on security risks and responsibilities.
12.5: Perform background checks on employees before granting access to sensitive data.
12.6: Establish an incident response plan to respond to security events and conduct regular testing of the plan.
Implementation Context: Define a clear security policy covering all aspects of data protection, access control, and user responsibilities. Conduct regular security awareness training for all employees, especially those handling cardholder data. Assign dedicated personnel for security oversight, and implement incident response and acceptable use policies.
Stakeholders: IT Security, Compliance, HR, All Employees