Achieve and Maintain Compliance with PCI Data Security Standard - Part 2

By: Ecora Software
Published: Nov 30, 2006
Length: 8 pages
Type: White Paper
Overview:
Deep dive into the first four PCI DSS requirements. Learn how to adhere to the PCI security standard by automating the regulatory compliance and best-practices reporting typically used to identify and validate IT configuration changes across operating systems, database management systems, applications and network devices.
Introduction
In 2004, all major bankcards—Visa, MasterCard, Discover, and American Express—adopted a single, unified program as the standard for data security. The new standard, called the Payment Card Industry Data Security Standard or PCI, is intended to protect cardholder data—wherever it resides or is transmitted—and requires that merchants and service providers that store, process, or transmit cardholder data meet specific security requirements. Ensuring compliance with the PCI standard is important to organizations for a number of reasons, particularly to protect brand reputation and to avoid fines and additional regulatory scrutiny.

Who Must Be In Compliance?
At the most fundamental level, any company that comes into contact with credit card information must be in compliance with the PCI Data Security Standard.
There are varying levels of compliance standards, however, with specific requirements for merchants and specific requirements for service providers, as well as distinct compliance levels based on the number of transactions processed annually by the merchant or service provider.

For more introductory information about the Payment Card Industry Data Security Standard, download the Ecora whitepaper: Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain Payment Card Industry Compliance.

Meeting the PCI Data Security Standard Requirements
The Payment Card Industry Data Security Standard establishes twelve requirements that companies must follow to ensure the security of credit card data. These requirements span every aspect of an organization’s operation—from business processes to the configuration of the IT infrastructure—and fall into six major control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

Scope of Assessment for PCI Compliance
The PCI Data Security Standard requirements apply to all “system components”, meaning any network component, server, or application that is included in or connected to the cardholder data environment. This means that even remote employees who have access to cardholder data must be in compliance with PCI.

A service provider or merchant may use a third-party provider to manage system components, but because there may be an impact on the security of the cardholder data environment, the infrastructure of the third-party provider must be evaluated either in 1) the PCI audits of the third-party provider’s clients or 2) the third-party provider’s own PCI audit.

For merchants required to undergo an annual on-site review, the scope of compliance validation is focused on any system or system component related to authorization and settlement where cardholder data is stored, processed, or transmitted. Service providers required to undergo an annual on-site review must perform compliance validation on all system components where cardholder data is stored, processed, or transmitted, unless otherwise specified.

During a PCI audit, auditors will typically select a large enough sample of firewalls, routers, wireless access points, databases, etc. to validate findings that are representative of the entire environment. Importantly, the more standardized the environment and the more clearly defined the configuration standards, the smaller the sample needs to be.

PCI Data Security Standard Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored data.
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

While the twelve requirements of the PCI Data Security Standard may appear fairly broad at first glance, each requirement actually includes extensive sub-requirements that make ensuring PCI compliance substantially more complex.
