The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard for organizations that handle payment card data. Developed by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS establishes a framework of security requirements and best practices to safeguard the payment card ecosystem and cardholder information. Applying these controls helps reduce the risk of data breaches and fraud and allows organizations to maintain the trust of their customers.
PCI DSS is organized as twelve requirements grouped under six goals, and together they dictate the security controls needed to safeguard the payment card ecosystem. These requirements outline security measures that apply at the organizational, network, system, and asset levels. Each of the six goals is summarized below.
The first goal, building and maintaining a secure network and systems, emphasizes robust network security controls. These controls cover firewall and router configuration, secure network design, monitoring, and changing vendor-supplied defaults (such as default passwords and settings) to secure values before a system goes into service. By making these adjustments, an organization can help protect payment card data from unauthorized access.
The second goal, protecting cardholder data, defines safeguards for cardholder data both at rest and in transit. This includes data retention and disposal policies so that cardholder data is stored only for as long as there is a business need, rendering stored primary account numbers (PANs) unreadable (for example through truncation, one-way hashing, tokenization, or strong encryption), and encrypting cardholder data whenever it is transmitted over open, public networks.
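As an added illustration of the "protect cardholder data" goal (example code written for this page, not part of PCI DSS itself or Egis's tooling), the script below shows three concrete controls: masking a PAN for display so that at most the first six and last four digits remain, replacing a stored PAN with a keyed one-way hash so it can be matched but not recovered, and scrubbing Luhn-valid PANs out of application log lines before they are written to disk. The log lines, the PAN values, and the `DEMO_KEY` are constructed sample data; the `contains_sensitive_auth_data` heuristic is an assumption about how CVV fields might appear in logs, not a standard-defined pattern.

```python
"""Added example: rendering PANs unreadable and keeping them out of logs."""
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample key. In a real deployment the key comes from an HSM or
# KMS and is never hard-coded; it is embedded here only so the example runs.
DEMO_KEY = b"replace-with-a-key-from-an-hsm-or-kms"

# Constructed sample log lines using publicly known test card numbers.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z INFO  auth ok order=1234567890123456 pan=4111111111111111",
    "2024-05-01T10:00:02Z DEBUG retry pan=5555 5555 5555 4444 cvv=123",
    "2024-05-01T10:00:03Z INFO  refund order=1234567890123456",
]

# A PAN candidate is a run of 13 to 19 digits; spaces or dashes between
# digits are tolerated because logs often carry "4111 1111 1111 1111".
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed field names under which sensitive authentication data (CVV/CVC,
# full track data) might leak into a log line. Such data must never be
# stored after authorization, so masking is not enough: the line must not
# be written at all.
_SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc|cid|track[12]?)\s*[=:]", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check used to tell real PANs from order IDs that merely look numeric."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN for storage.

    The stored value can be compared against a freshly hashed PAN (for
    example to detect a returning card) but cannot be reversed, and the
    secret key stops an attacker from brute-forcing the 16-digit space.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_log_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in a log line with its masked form.

    Returns the scrubbed line and the number of PANs that were masked.
    """
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, line), count


def contains_sensitive_auth_data(line: str) -> bool:
    """True if the line appears to carry CVV/track data that must not be stored."""
    return _SAD_FIELD.search(line) is not None


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        if contains_sensitive_auth_data(raw):
            print("DROP (sensitive authentication data):", raw[:40], "...")
            continue
        scrubbed, n = redact_log_line(raw)
        print(f"masked {n} PAN(s):", scrubbed)
    print("stored form of test PAN:", hash_pan("4111111111111111", DEMO_KEY)[:16], "...")
```

The order ID in the first and third sample lines is sixteen digits long but fails the Luhn check, so it is left untouched; the second line is dropped entirely rather than masked, because a CVV in a log is a storage violation that no amount of PAN masking repairs.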
The third goal, maintaining a vulnerability management program, is an essential part of any secure environment. Its requirements call for deploying anti-malware software on systems commonly affected by malware, keeping that software up to date, running periodic scans, and generating audit logs of its activity; they also require that systems and applications be kept patched and developed securely. With these steps, vulnerabilities can be managed proactively and the risks that could lead to a compromise of payment card data can be mitigated.
The fourth goal, implementing strong access control measures, helps organizations restrict access to systems that store, process, or transmit cardholder data. Its requirements limit access to a need-to-know basis, require that each user with access has a unique and traceable ID, and mandate physical security for the systems and media that hold cardholder data.
The fifth goal, regularly monitoring and testing networks, demonstrates that an organization is performing due diligence in protecting the systems that handle payment card data. Complying with this goal requires processes for internal and external penetration testing, vulnerability scanning, and intrusion detection, as well as audit trails for all system components that record user access, the actions users take, and related events.
The sixth goal, maintaining an information security policy, sets the structure and tone of an organization's security culture. Although an information security policy should align with business goals and objectives, it must also cover the many facets of information security that touch cardholder data. This includes implementing a risk assessment process, defining the responsibilities of staff, requiring a security awareness training program, and more.
The PCI Data Security Standard applies to all organizations that handle payment card data, whether that data is stored, processed, or transmitted. This includes data about the cardholders themselves and data pertaining to their payment cards. Organizations that oversee cardholder data must perform a scoping exercise to identify the systems that make up their cardholder data environment and the vendors, merchants, service providers, or other parties that could have access to their payment card data. Each of those third parties is then either brought within the scope of the PCI DSS assessment or has its access to the data removed, for example through network segmentation.
Egis IT Security serves organizations within the Indianapolis metropolitan area and across the country to help them stay up to date on PCI DSS requirements. Egis is dedicated to helping others understand and implement the security controls their business needs. With our extensive expertise and years of experience, Egis can offer tailored solutions to help your organization align with industry standards, allowing you to focus on your business. What we can offer to help your organization become compliant with the PCI Data Security Standard includes: