
What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of security practices designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. It was developed by the Payment Card Industry Security Standards Council (PCI SSC) – a global forum founded by major credit card companies like Visa, MasterCard, American Express, Discover and JCB.

The main goal of PCI DSS is to protect cardholder data and prevent credit card fraud while helping businesses minimize the risk of data breaches, fraud and identity theft. Any business that accepts major payment cards and stores, processes or electronically transmits cardholder data must follow its guidelines.

Security requirements for PCI DSS

PCI DSS is intended to help organizations defend against devastating cyberattacks by securing network and system infrastructure and preventing unauthorized data access and disclosure. The most recent version of this global standard, PCI DSS Version 4.0, defines six principal goals and twelve high-level requirements that organizations must adhere to.

Goals and requirements:

Goal: Build and maintain secure network and systems
  1. Install and maintain network security controls
  2. Apply secure configurations to all system components

Goal: Protect account data
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open public networks

Goal: Maintain a vulnerability management program
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software

Goal: Implement strong access control measures
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
  10. Log and monitor all access to system components and cardholder data
  11. Test the security of systems and networks regularly

Goal: Maintain an information security policy
  12. Support information security with organizational policies and programs

PCI DSS compliance levels

Based on the volume of credit and debit card transactions a business processes across all its eCommerce and brick-and-mortar outlets, PCI DSS compliance requirements are divided into four merchant levels:

Level 1: More than 6 million card transactions a year.
Level 2: Between 1 million and 6 million card transactions a year.
Level 3:
Level 4: Fewer than 20,000 card transactions a year.

Benefits of PCI DSS compliance

By complying with PCI DSS requirements, businesses can effectively secure the personal information of cardholders, prevent data breaches and build stakeholder trust as a security-first organization. Some of the other important benefits include:

  •  Avoiding fines levied by card companies: Steer clear of hefty penalties ranging from $5,000 to $100,000 a month depending on the severity and duration of non-compliance.
  •  Enhanced operational efficiency: Improve data security to significantly alleviate IT burden, allowing businesses to function with greater flexibility and peace of mind.
  •  Elevate overall compliance readiness: Increase chances of complying with other major regulations, such as General Data Protection Regulation (GDPR) and International Organization for Standardization (ISO) 27001.

Role of identity security in enabling PCI DSS compliance

Three of the six principal goals of PCI DSS require organizations to prioritize identity security in order to achieve them. This makes identity security critical for organizations that process credit card transactions and are required to store privileged information of their cardholders.

The following table highlights those three key goals and the identity security controls organizations need to accomplish them:

PCI DSS goals, PCI DSS requirements and identity security controls:

Goal: Build and maintain secure network and systems
Requirement: Avoid using vendor-supplied defaults for system passwords and other security parameters.
Identity security controls:
  • Policy-led vaulting and rotation of all credentials used by all kinds of identities – humans, machines, endpoints, applications and service accounts.
  • Automatic discovery and onboarding of privileged identities and mapping to their respective entitlements to prevent risks stemming from overprivileged identities.

Goal: Implementing strong access control measures
Requirement: Restrict access to cardholder data in a way that enables businesses to have just what they need.
Identity security controls:
  • Least privilege access and segregation of duties (SOD) for all identities across endpoints, data centers and multi-cloud infrastructure.
  • Native access to cloud workloads and services powering customer-facing apps using Zero Standing Privileges (ZSP) to enhance user experience without compromising security.
Requirement: Identify and authenticate access to system components.
Identity security controls:
  • Unified governance, authentication and orchestration of secure access for all identities.
  • Adaptive multi-factor authentication (MFA) for continuous and dynamic authentication for all identities based on real-time threat intelligence drawn from user behavior history.

Goal: Regularly monitor and test networks
Requirement: Track and monitor all access to network resources and high-risk cardholder data.
Identity security controls:
  • Session recording and monitoring for all user sessions within high-risk environments containing cardholder data.
  • Centralized audit trails of all user activities for faster incident response and meeting compliance.
Requirement: Regularly test security systems and processes to weed out potential vulnerabilities.
Identity security controls:
  • Periodic Red Team testing and review of all security systems and processes to identify potential gaps and deploy tailored solutions for operational continuity.

It’s evident that PCI DSS compliance requires comprehensive identity security and privileged access management (PAM) controls across cardholder environments. Organizations must ensure their efforts extend to all systems that store, process or transmit cardholder data, whether they live on-premises or in the cloud.
