Understanding PCI DSS Requirements

The PCI Data Security Standard specifies twelve requirements. They are organized into six groups, referred to as "control objectives":

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

FAQ

Understanding the PCI DSS compliance standard is important for keeping credit card transactions secure.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to organizations that store, process or transmit credit card data. PCI DSS compliance is a core part of the card brands' security programs, and the brands mandate it through their network agreements. Complying with the standard helps keep cardholder data safe and reduces fraud. Organizations validate compliance annually, through either an on-site assessment or a self-assessment questionnaire depending on their transaction volume, and must also pass quarterly external vulnerability scans by an Approved Scanning Vendor. In the event of a breach, a compromised entity that was not compliant at the time of the breach is subject to additional penalties.

What are some common regulations that businesses must comply with?

Besides PCI DSS, your organization may need to comply with regulations such as HIPAA, GDPR and Sarbanes-Oxley (SOX), and with standards and frameworks such as ISO 27001 and the NIST Cybersecurity Framework.

What are PCI DSS requirements?

The twelve requirements are:

  1. Install and maintain firewalls (network security controls). Firewalls filter traffic at the network boundary and keep untrusted traffic out of the cardholder data environment.
  2. Change default passwords and other vendor-supplied defaults. Default credentials are publicly documented and are one of the easiest ways to gain unauthorized access.
  3. Protect stored cardholder data. Store as little as possible, and render the PAN unreadable wherever it is stored using encryption, keyed hashing, truncation or tokenization, and mask it when it is displayed.
  4. Encrypt cardholder data in transit over open, public networks. Strong cryptography with trusted keys and certificates reduces the risk that data is intercepted or read in transit.
  5. Protect all systems against malware and keep anti-malware software current.
  6. Develop and maintain secure systems and applications. Unpatched or poorly written software gives attackers a foothold and a path to privileged access.
  7. Restrict access to cardholder data to personnel with a business need to know.
  8. Identify and authenticate access to system components. Everyone who can access system components gets a unique ID, so that every action can be traced to an individual; this is what makes the access logs in requirement 10 meaningful.
  9. Restrict physical access to cardholder data. Systems and media that hold cardholder data must be physically secured and off limits to anyone without a need to know.
  10. Log and monitor all access to network resources and cardholder data.
  11. Test security systems and processes regularly. New vulnerabilities appear continuously and must be found through scanning and penetration testing before an attacker finds them.
  12. Maintain an information security policy for all personnel. Frameworks such as the NIST Cybersecurity Framework and the ISO 27001 control set provide useful models for such a policy.
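Requirement 3 lists several ways to render a PAN unreadable, and they are not interchangeable: truncation and masking are irreversible, and a hash of a PAN is only safe when it is keyed, because the PAN space (a known BIN plus a Luhn check digit) is small enough to brute-force an unkeyed SHA-256. The following is an added example, not AlgoSec's code or anything from the PCI SSC, showing truncation, display masking, a keyed hash, and a Luhn-gated redaction pass for log lines. The card number is the standard test PAN, and the HMAC key is a constructed placeholder; a real key would come from an HSM or key-management service, never from source.

```python
"""Rendering a PAN unreadable, in the forms PCI DSS Requirement 3 allows.

Added example; the PAN and the HMAC key are constructed test values.
"""
import hashlib
import hmac
import re

# Constructed sample: the well-known Visa test PAN (passes the Luhn check).
SAMPLE_PAN = "4111111111111111"

# Constructed placeholder key. Production keys live in an HSM/KMS, not in code.
SAMPLE_HMAC_KEY = bytes(range(32))


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used to tell real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: permanently drop the middle digits, keeping at most the
    first six and last four. The result cannot be reversed, which is what
    makes it an acceptable form for storage."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display: show only the last four by default. First six /
    last four is the most a screen may show, and only for a business need."""
    return "*" * (len(pan) - 4) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). Without the key an attacker can
    enumerate every Luhn-valid PAN for a BIN and match hashes offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by spaces or hyphens, e.g. "4111 1111 1111 1111".
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_pans(text: str) -> str:
    """Mask PAN-like strings in free text (log lines, tickets, crash dumps).
    Only Luhn-valid candidates are touched, so order and reference numbers
    that happen to be long are left alone."""
    def _sub(m: re.Match) -> str:
        raw = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(raw) if luhn_valid(raw) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(truncate_pan(SAMPLE_PAN))
    print(mask_pan(SAMPLE_PAN))
    print(keyed_hash_pan(SAMPLE_PAN, SAMPLE_HMAC_KEY))
    # Constructed log line: a real PAN next to a non-PAN 16-digit reference.
    print(redact_pans("card 4111 1111 1111 1111 ref 1234567890123456"))
```

The redaction pass belongs wherever application output can leak a PAN, since requirement 10 logging is only safe if the logs themselves never contain full card numbers.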

What is the minimum suggested configuration for a firewall?

The PCI Security Standards Council recommends, at a minimum:

  1. Change the default password.
  2. Restrict both inbound and outbound traffic to the payment system to the minimum necessary.
  3. Avoid "ANY" rules (rules that accept traffic from any source, to any destination, on any port).
  4. "DENY ALL" traffic that is not explicitly authorized, as the default policy.
  5. Permit only "established" connections into your network, using stateful packet inspection so that only replies to connections initiated from inside are allowed back in.
  6. Turn on intrusion detection and intrusion blocking.
  7. Turn on notifications, so that blocked traffic and rule changes are logged and alerted on.
  8. Turn on NAT to hide your internal addresses from the Internet.
  9. Install firewall updates and patches as soon as they are available.
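Items 2 to 5 and 7 of that checklist can be verified mechanically from a firewall's exported ruleset. The following is an added example, not AlgoSec's product or PCI SSC code, that audits an iptables-save dump for a non-DROP default policy, "ANY" accept rules, accepts from or to any address, a missing established/related rule on INPUT, and missing LOG rules before the default drop. Both rulesets are constructed samples: the weak one is what a freshly installed host often looks like, the hardened one restricts a payment host to an assumed card-data network 10.0.1.0/24, an assumed admin host 10.0.2.5 and an assumed processor gateway 10.0.3.9. Password changes, IDS/IPS and patching are host settings that no ruleset parser can see.

```python
"""Audit an iptables-save ruleset against the PCI SSC firewall checklist.

Added example. The two rulesets below are constructed samples.
"""
import shlex

# Constructed: default-accept everywhere, one ANY rule, SSH open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed: deny-all default, stateful replies only, named sources and
# destinations, and a LOG rule before each chain falls through to DROP.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.2.5/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP-IN: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 10.0.3.9/32 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FW-DROP-OUT: "
COMMIT
"""

# Options that actually narrow a rule; an interface alone does not count.
RESTRICTING = {"-s", "-d", "-p", "--dport", "--sport", "--ctstate", "--state"}
ANY_ADDR = {"0.0.0.0/0", "0.0.0.0", "::/0"}


def parse_ruleset(dump):
    """Return ({chain: default policy}, [rule token lists]) for the dump."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(shlex.split(line))   # shlex keeps quoted log prefixes intact
    return policies, rules


def _opt(tokens, flag):
    """Value following `flag` in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def is_any_rule(tokens):
    """An ACCEPT with no real match criteria. Loopback accepts are exempt."""
    if _opt(tokens, "-j") != "ACCEPT":
        return False
    if _opt(tokens, "-i") == "lo" or _opt(tokens, "-o") == "lo":
        return False
    real = [f for f in RESTRICTING if f in tokens and _opt(tokens, f) not in ANY_ADDR]
    return not real


def audit_iptables(dump):
    """Return checklist findings; an empty list means the ruleset passes."""
    policies, rules = parse_ruleset(dump)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):          # item 4: deny all
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, not DROP")
    for t in rules:                                       # items 2 and 3
        chain = t[1]
        if is_any_rule(t):
            findings.append(f"{chain}: ANY rule: {' '.join(t)}")
        for flag in ("-s", "-d"):
            if _opt(t, flag) in ANY_ADDR and _opt(t, "-j") == "ACCEPT":
                findings.append(f"{chain}: accept from/to any address: {' '.join(t)}")

    def has(chain, pred):
        return any(t[1] == chain and pred(t) for t in rules)

    def accepts_established(t):
        states = _opt(t, "--ctstate") or _opt(t, "--state") or ""
        return "ESTABLISHED" in states and _opt(t, "-j") == "ACCEPT"

    if not has("INPUT", accepts_established):             # item 5: stateful replies only
        findings.append("INPUT: no ESTABLISHED,RELATED accept rule; replies are not tracked statefully")
    for chain in ("INPUT", "OUTPUT"):                     # item 7: notifications
        if not has(chain, lambda t: _opt(t, "-j") == "LOG"):
            findings.append(f"{chain}: dropped traffic is not logged (no LOG rule before the default drop)")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_iptables(dump) or "OK")
```

Run it against the output of `iptables-save` on a payment host; the weak sample produces eight findings and the hardened sample none. The hardened set is deliberately order-sensitive: the established/related accept sits before the per-service accepts, and the LOG rule is last so that only traffic nothing else matched is logged before the chain's DROP policy applies.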

Who is involved in PCI DSS assessments?

Validating PCI DSS compliance involves several parties and artifacts. Depending on the merchant level, an assessment is carried out either by a Qualified Security Assessor (QSA) or by a trained Internal Security Assessor (ISA), and it produces either a Report on Compliance (ROC) or a completed Self-Assessment Questionnaire (SAQ).

How does AlgoSec help with PCI DSS compliance?

AlgoSec automatically generates pre-populated, audit-ready compliance reports for PCI DSS.

See how AlgoSec can help you meet PCI DSS compliance requirements. Check out these resources.

Firewalls Ablaze? Put Out Network Security Audit & Compliance Fires

The growing body of regulations and standards forces enterprises to put considerable emphasis on compliance verified by ad hoc and regular auditing of security policies and control...

The firewall audit checklist

Six best practices for simplifying firewall auditing and compliance, and reducing risk.


Regulations and compliance for the data center – A Day in the Life

The company has a hybrid network – multiple firewalls spread across a physical data center, Cisco ACI and Amazon Web Services. Each platform is protected by its own security cont...
