
What is PCI DSS (Payment Card Industry Data Security Standard) – a beginner-friendly guide

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every company that stores, processes or transmits payment card data maintains a secure environment. It is the global data security standard for payment cards, administered by the PCI Security Standards Council (PCI SSC), which was founded by the major payment card brands (Visa, Mastercard, American Express, Discover and JCB).
Andrei Agape

Founder and Security Consultant, Tripla Consult

According to Complyify, “over 30 million companies are subject to PCI compliance through their contracts with payment card brands, banks, and payment service providers”, making it “by far the world’s furthest reaching cybersecurity obligation”. [1]

While you may think companies would put a lot of emphasis and work into ensuring their compliance, according to Brian Pick at goanywhere.com [2], in 2017 “only 29% of companies were still compliant a year after validation”, and pcidssguide.com tells us that the fines for non-compliance range from $5,000 to $100,000 a month! [3] These fines are levied by the card brands on the acquiring bank, which normally passes them on to the merchant.

Obviously, one of the first steps for a company to become compliant is to work with an expert who knows what it takes to secure their payment card transactions and data. However, I know that this task might feel overwhelming for someone who has just started a cybersecurity career, so I prepared this article and a beginner-friendly introductory course in collaboration with my friends at TechpreneursClub.io, so feel free to check that one out as well.

The standard

On March 31, 2022 the PCI Security Standards Council (PCI SSC) issued version 4.0 of the PCI Data Security Standard (PCI DSS). The new version addresses emerging threats better and gives organizations more flexibility in how they meet a requirement (the “customized approach” in addition to the traditional defined approach). Versions 3.2.1 and 4.0 are both valid from March 2022 until March 31, 2024, a transition period in which organizations have time to familiarize themselves with the changes; the requirements that v4.0 marks as future-dated remain best practice until March 31, 2025, after which they become mandatory. [4]

The 12 PCI DSS requirements are grouped under six goals (for example “protect account data” covers requirements 3 and 4), so let’s get a high-level understanding of what each requirement means, compared to how it is described in the official PDF standard. [5]

Req 1 – Install and Maintain Network Security Controls

  • Question: how do we control the traffic between two or more networks, using for example firewalls and similar technologies?
  • Answer: a network security control (NSC) decides, based on defined policies (rule sets), whether traffic between networks, including between segments of the company’s own network, is allowed to pass or is rejected
  • Example: traffic between the cardholder data environment (CDE) and an “untrusted” network (e.g. the Internet), where the existence of security controls cannot be verified, must be restricted to what the business needs; systems that store cardholder data must not be directly reachable from untrusted networks, and the NSC rule sets must be reviewed at least once every six months

Req 2 – Apply Secure Configurations to All System Components

  • Issue: attackers often use vendor default passwords (such as admin:admin) and other default settings to compromise systems, and those defaults are public knowledge
  • Solution: harden every system component before it enters the CDE: change the default passwords and remove or disable default accounts, review insecure configurations against an industry-accepted hardening standard (for example CIS benchmarks), and enable only the services, protocols and daemons the system actually needs

Req 3 – Protect Stored Account Data

  • Assumption: an intruder may eventually reach the place where account data is stored, so stored data must be rendered unreadable (with strong cryptography, one-way hashes, truncation or index tokens) so that it is useless without the proper cryptographic keys
  • Example: do not store account data unless necessary, keep only the last four digits if the full Primary Account Number (PAN) is not needed, mask the PAN whenever it is displayed (at most the first six and last four digits visible), and never send unprotected PANs over e-mail or instant messaging. Sensitive authentication data (full track data, card verification code, PIN) must never be stored after authorization, not even encrypted.

Req 4 – Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

  • Recommendation: cardholder data and PANs must be protected using strong cryptography during transmission over untrusted and public networks, because such traffic is easy to intercept
  • Example: transmissions can be protected by encrypting the data before it is transmitted, by encrypting the session over which the data travels (TLS with current protocol versions and cipher suites, and with certificates validated), or both; SSL and early TLS are no longer considered strong cryptography

Req 5 – Protect All Systems and Networks from Malicious Software

  • Scenario: malicious actors use malware (viruses, ransomware, malicious scripts) and phishing campaigns in their attempts to gain access to cardholder data
  • Recommendation: deploy anti-malware solutions on all system components commonly affected by malware, together with anti-phishing mechanisms, and ensure that they are kept current, actively running, cannot be disabled by users, and are monitored

Req 6 – Develop and Maintain Secure Systems and Software

  • Issue: new vulnerabilities and security weaknesses are constantly discovered in existing software
  • Recommendation: ensure that security patches are applied (critical and high-risk patches within one month of release), that developers are trained in secure coding, that public-facing web applications are protected against attacks (for example with a web application firewall or regular application security testing), and that changes to all system components are managed securely

Req 7 – Restrict Access to System Components and Cardholder Data by Business Need to Know

  • Recommendation: effective access control rules and definitions must be in place so that unauthorized individuals are prevented from accessing critical information; access is granted on least privilege, based on job role, and the access control system defaults to “deny all”
  • Example: a user might have “access” to specific data, but it is the “assigned privileges” that define whether the user can read, edit, and/or delete the information

Req 8 – Identify Users and Authenticate Access to System Components

  • Recommendation: we should be able to identify every user and ensure accountability for the actions they perform, so that actions taken can be traced back to a known individual (shared or generic accounts are not allowed)
  • Solution: identify the person/process and check that they are who they claim to be. This is usually done by requiring an identity (username, ID, application ID, etc.) and at least one authentication factor (password, token device, biometric element). Multi-factor authentication is required for all non-console administrative access and, in v4.0, for all access into the CDE, and accounts must lock out after a limited number of invalid attempts (ten in v4.0)

Req 9 – Restrict Physical Access to Cardholder Data

  • Issue: malicious actors might obtain cardholder data if they have physical access to systems that store, process, and/or transmit this information
  • Solution: ensure that controls are in place to restrict physical access to the systems in the CDE, that media is handled and destroyed securely, that point-of-interaction devices are inventoried and inspected for tampering, and that unauthorized devices cannot connect to the company’s network from public areas within its facilities

Req 10 – Log and Monitor All Access to System Components and Cardholder Data

  • Summary: defines the importance of logging and monitoring, and which events must be recorded (every access to cardholder data, administrative actions, access to the audit logs themselves, invalid access attempts, changes to credentials)
  • Example: the logs must support the detection of suspicious activity and forensic analysis in case of compromise, so each record needs who, what, when, where, and whether the action succeeded. Ensure that logs are retained long enough for analysis (at least 12 months, with the most recent three months immediately available), that they are reviewed, and that they are protected from destruction and unauthorized modification
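An added example, not code from the original article: an HMAC-chained audit log in Python, where each entry’s MAC covers the previous entry’s MAC, so that modifying, reordering or deleting an earlier entry is detected on verification, plus a simple review query over the same entries (failed logins per user) to show that the records carry enough detail to detect suspicious activity. The key, the event records, host names and addresses are all constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter
from typing import Dict, List

# Constructed demo key. In a real deployment the key lives on the central log
# collector, not on the host producing the logs, so a compromised host cannot
# re-sign its own history.
LOG_KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS_MAC = "0" * 64


def _entry_mac(prev_mac: str, record: Dict) -> str:
    """MAC over the previous entry's MAC and this record, so each entry commits to everything before it."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> Dict:
    """Append a record to the chained audit log and return the stored entry."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = {"record": record, "mac": _entry_mac(prev_mac, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> int:
    """Return -1 if every entry's MAC matches, otherwise the index of the first bad entry.
    Editing, reordering or deleting an entry in the middle breaks the chain from that point on."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev_mac, entry["record"])):
            return i
        prev_mac = entry["mac"]
    return -1


def failed_logins_by_user(log: List[Dict]) -> Dict[str, int]:
    """Count invalid logical access attempts per user id, one of the event types Requirement 10 asks to log."""
    return dict(Counter(e["record"]["user"] for e in log
                        if e["record"]["event"] == "login" and e["record"]["result"] == "failure"))


# Constructed sample events in the shape Requirement 10.2 asks for: who, what, when,
# success or failure, where it came from and which component was affected.
SAMPLE_EVENTS = [
    {"ts": "2023-02-17T09:00:01Z", "user": "alice", "event": "login", "result": "success", "src": "10.0.5.12", "target": "pos-db-01"},
    {"ts": "2023-02-17T09:02:10Z", "user": "alice", "event": "read_pan", "result": "success", "src": "10.0.5.12", "target": "pos-db-01"},
    {"ts": "2023-02-17T09:05:33Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.77", "target": "pos-db-01"},
    {"ts": "2023-02-17T09:05:40Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.77", "target": "pos-db-01"},
    {"ts": "2023-02-17T09:05:47Z", "user": "mallory", "event": "login", "result": "failure", "src": "10.0.9.77", "target": "pos-db-01"},
    {"ts": "2023-02-17T09:10:00Z", "user": "root", "event": "audit_log_access", "result": "success", "src": "10.0.1.2", "target": "log-collector"},
]


def build_sample_log() -> List[Dict]:
    """Build the chained log from the constructed events."""
    log: List[Dict] = []
    for record in SAMPLE_EVENTS:
        append_entry(log, record)
    return log


def tampered_copy(log: List[Dict]) -> List[Dict]:
    """Simulate an intruder rewriting one of their failed logins into a success after the fact."""
    copy = json.loads(json.dumps(log))
    copy[2]["record"]["result"] = "success"
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify_chain(log))
    print("failed logins:", failed_logins_by_user(log))
    print("first bad entry after tampering:", verify_chain(tampered_copy(log)))
```

Chaining alone does not detect truncation of the newest entries, since a log cut after a valid entry still verifies; forward the latest MAC (or the whole log) promptly to a central log server, as Requirement 10 asks, and keep the key off the logging host. For log files already on disk, a file integrity monitoring or change-detection tool covers the same need.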

Req 11 – Test Security of Systems and Networks Regularly

  • Issue: modern infrastructures are constantly changing and new vulnerabilities arise all the time
  • Solution: run internal and external vulnerability scans at least quarterly and after significant changes (external scans by a PCI SSC Approved Scanning Vendor), test for unauthorized wireless access points, and perform penetration testing of the external and internal networks at least annually to ensure that the security controls continue to reflect a changing environment. Discovered vulnerabilities and security weaknesses are corrected and the fixes re-tested.

Req 12 – Support Information Security with Organizational Policies and Programs

  • Summary: the organization’s policies should tell its personnel what PCI DSS expects of them. All personnel (full-time and part-time employees, temporary employees, contractors, consultants) should be aware of the sensitivity of cardholder data and of their responsibilities for protecting it, which means a security awareness program, a documented and tested incident response plan, and management of the third-party service providers that handle cardholder data on the company’s behalf.

References

[0] Original post: https://tripla.dk/2023/02/17/what-is-the-pci-dss-payment-card-industry-data-security-standard-a-beginner-friendly-guide-of-the-12-requirements/

[1] https://complyify.com/pci-dss-compliance/

[2] https://www.goanywhere.com/blog/8-shocking-pci-compliance-statistics

[3] https://www.pcidssguide.com/what-are-the-pci-compliance-fines-and-penalties/

[4] https://www.pcidssguide.com/whats-new-in-pci-dss-v4-0/

[5] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
