PCI DSS Compliance: Guide to the Payment Card Industry Standard

The Payment Card Industry Data Security Standard (PCI DSS) requires companies who process transactions from providers such as Visa, MasterCard and American Express to meet certain cybersecurity targets. PCI DSS compliance is divided into 12 major chapters, touching on everything from malware protection to data encryption and access control. Everything you need to know about PCI DSS Compliance in 2023!

What Is PCI DSS?

PCI DSS is the common cybersecurity standard established by major credit and debit card companies. It was first established in 2004 by JCB, Visa, Discover, MasterCard and American Express as a way to unify their previous, proprietary standards and help protect sensitive card data such as the card holder’s name, credit card number, expiration date, verification code and PIN.

The rise of online and ecommerce transactions around the time had, unfortunately, led to a similar increase in fraud and theft. Consequently, all major players agreed on the need for increased security wherever card data was processed or stored. Since this first iteration, the members of PCI’s Security Standards Council (SSC) have continued to update the document with new and revised requirements.

As of today, PCI DSS consists of 12 major chapters:

  • Network Security Controls

  • Secure Configurations

  • Protecting Stored Data

  • Protecting Data During Transmission

  • Malware Protection

  • Secure Software and Systems

  • Restrict Access to Data

  • Identify and Authenticate Users

  • Restrict Physical Access

  • Log and Monitor Access

  • Organizational Policies

Of course, these sections only represent overarching goals that organizations have to meet, with each chapter divided into a wide range of specific criteria and demands. All in all, there are roughly 250 different requirements included in PCI DSS, though not all of them are applicable to all organizations.

Is PCI DSS Mandatory?

PCI DSS compliance is not technically mandatory, but it is required in order to process payments from issuers such as Visa and Mastercard. Since virtually all credit card companies are PCI members, there is simply no way around PCI DSS compliance for merchants, vendors and service providers who want to meet customer expectations and support card payments.

What Data Does PCI DSS Cover?

PCI applies to card data such as the credit card number, card holder and security code. This information is collectively referred to as account data, which is further divided into two categories: cardholder data (CHD) and sensitive authentication data (SAD). IT systems used to store or process this data are known as the cardholder data environment (CHD). Certain PCI requirements apply exclusively to cardholder data or authentication data, such as the rule that authentication data cannot be stored after a transaction has been completed.

Cardholder Data (CHD)

  • Primary Account Number (PAN)

  • Cardholder Name

  • Service Code

  • Expiration Date

Sensitive Authentication Data (SAD)

  • Magnetic Track Data

  • Chip Data

  • CVV or CVC Code

  • PIN

Who Is Required to Comply With PCI DSS?

All entities that store, process or transmit at least one of the forms of data covered by PCI DSS are required to comply with the security standard. However, a company or vendor that processes payments exclusively through third-party payment services or approved devices (such as point-of-sale terminals and scanners) can effectively outsource certain PCI requirements.

For example, an online store that forwards customers to a compliant payment service during checkout and does not itself store or process account data does not fall under the payment card industry’s third requirement: Protect Stored Account Data. However, they are still responsible for protecting their web server from attacks and manipulation, since hackers that break into your server could redirect customers to fraudulent sites.

A miniature shopping cart in front of a laptop screen, ecommerce concept
Some PCI requirements do not apply if your business processes payments through third-party services only. Adobe Stock, (c) Mymemo

The PCI Document Library provides official information and self-assessment questionaires for various payment setups, such as terminals with or without an internet connection, payment applications, virtual terminals or third-party websites. The specific compliance requirements for each of these technical implementations can be found in separate documents.

PCI DSS: The 4 Merchant Levels

PCI DSS not only differentiates between the way payments are processed, but also the number of total transactions per year. Shops, merchants, vendors etc. are divided into 4 levels based on their yearly transactions. An organization’s PCI level does not affect the required safety measures, merely the assessment process: While small businesses only have to submit a self-assessment questionnaire (SAQ), companies that process a large amount of card payments need to verify their PCI DSS compliance through an external review by a qualified security assessor (QSA).

PCI DSS Level Overview

PCI DSS LevelNumber of TransactionsAssessment Process
Level 1More than 6 million transactions per yearAttestation of compliance (AOC) and on-site audit by qualified security assessor (QSA)
Level 2Between 1 million and 6 million transactions per yearSelf-assesment questionnaire, attestation of compliance (AOC), external audit in the case of SAQ A, A-EP or D
Level 3Between 20,000 and 1 million transactions per yearSelf-assessment questionnaire, attestation of compliance (AOC)
Level 4Fewer than 20,000 transactions per yearSelf-assessment questionnaire

Note: Although PCI DSS establishes common security requirements, credit card companies may follow different procedures when it comes to compliance assessment. You can find more information on the website of individual issuers such as Visa and MasterCard.

PCI DSS 4.0: What’s New?

PCI DSS 4.0, published in March 2022, is the latest version of the security standard, bringing with it a number of changes. The main focus of the new and updated requirements is on data encryption and cryptography, assigning roles and responsibilities as well as access control and authentication.

For example, multi-factor authentication is now required for all accounts with access to the cardholder data environment (CDE). Additionally, organizations must conduct access reviews every six months in order to prevent privilege creep and outdated permissions. You can find more information in the official Summary of Changes.

PCI DSS 4.0 Timeline

The publication of PCI DSS 4.0 in March 2022 marks the beginning of a two year transition period until the previous iteration PCI DSS 3.2.1 is officially retired on March 31 2024. During the two year transition, organizations can use either PCI DSS 4.0 or 3.2.1 for compliance assessments depending on their preference. More information on the PCI DSS 4.0 timeline.

Note: Some of the new requirements included in PCI DSS 4.0 are future-dated and only become active in March of 2025. Until that point, criteria marked with this provision are included as a recommendation and voluntary best practice.

White paper

Access Governance Best Practices for Microsoft Environments

Everything you need to know about implementing access control best practices in Active Directory, from implementation tips to common mistakes.

PCI DSS Compliance: Requirements Explained!

The full text of the Data Security Standard is available for download on the website of the Security Standards Council (SSC). The document library includes the standard itself, as well as guidelines for implementation, self-assessment questionnaires and templates for written statements such as the attestation of compliance (AOC).

At roughly 400 pages in length, PCI DSS can appear overwhelmingly complex at first glance. To help you get started, we’ve compiled a summary of the key requirements outlined in each of the 12 PCI DSS chapters.

1

Maintain Network Security Controls

The first section of PCI DSS concerns the installation and maintenance of network security controls (NSC), i.e. firewalls and similar safety measures. The overarching goal of this chapter is to restrict incoming and outgoing network traffic to secure, necessary and authorized connections.

In order to achieve this, organizations are required to configure network security controls following established IT best practices, review the configuration every six months and create a network diagram that details devices within the PCI DSS scope and the data flow of protected information between them. Additionally, organizations must implement anti-spoofing measures and monitor network settings for unauthorized changes.

2

Apply Secure Configurations to All System Components

To prevent attackers from exploiting default passwords and known weaknesses, this requirement demands organizations securely configure all system components (also known as hardening). This includes removing unused default accounts, changing default passwords and deactivating unnecessary features. Another requirement is to isolate key functions that require different levels of security from one another, for example by separating web servers from application and database servers.

3

Protect Stored Account Data

In order to safeguard critical information, PCI DSS generally requires organizations to keep both the amount of data and duration of storage to the minimum needed for legal and business purposes. Sensitive authentication data (SAD) cannot be stored after a transaction has been successfully authorized. Stored cardholder data must be protected using encryption and strict access controls. In particular, the primary account number (PAN) must be masked when displayed, showing only bank identification and the last four digits of the account. The full PAN is only available to personnel with a legitimate need.

A server with inbound and outbound network traffic secured via padlock.
Card holder and authentication data must be protected both during transmission and when stored. Adobe Stock, (c) xiaoliangge
4

Protect Cardholder Data with Strong Cryptography During Transmission

The use of strong encryption is mandated not only for stored data, but also during the transmission of information over open, public networks. The specific requirements outlined in this section cover the management of cryptographic keys and certificates, as well as the use of secure protocols. For more details on encryption standards, the Security Standards Council refers to publications such as NIST 800-57 and ISO/IEC 18033.

5

Protect All Systems and Networks from Malicious Software

To protect against malicious software, PCI DSS mandates the use of anti-malware solutions on all at-risk devices. Requirements for implementing malware protection include automatic updates to combat the latest threats, as well as either continuous surveillance or regular automated scans. How often malware scans must be performed on a given device depends on the results of the targeted risk analysis required by section 12. Removable storage media such as flash drives must likewise be scanned before use.

Audit logs of past malware scans must be kept for at least 12 months. To protect employees from phishing attempts, businesses must also implement phishing detection measures.

6

Develop and Maintain Secure Systems and Software

The requirements for secure software development apply mainly to organizations that use custom or self-developed software. However, this chapter also lays out criteria for vulnerability management, such as maintaining an inventory of all currently used software products, applying security patches and staying up to date on new threats like zero day vulnerabilities.

7

Restrict Access to System Components and Cardholder Data

In order to prevent the theft or misuse of cardholder data, access to protected information as well as any systems which impact the security of the CDE must be strictly limited. PCI DSS defines appropriate access in terms of business need to know and least privilege, two concepts that are often used interchangably, but here refer to two separate ideas:

  • Need to know: Users can only access systems and data needed for their job.

  • Least Privilege: Users are given the lowest level of access required for their job (read, write, modify etc.)

To put it more simply, the idea behind this requirement is that accounts should only be given access rights that are strictly necessary in order to perform their intended role. This applies not only to user accounts, but also to service, device and system accounts. Additionally, organizations must pay attention to segregation of duties to prevent a single user from holding permissions that could lead to abuse or conflicts of interest. The easiest way to assign appropriate access to users across various positions and departments is through a model known as role-based access control, which defines standard privileges for various roles within an organization.

Since the tasks and responsibilities of users are constantly changing, the only way to ensure that least privilege access is maintained long-term is through regular access reviews. The payment card industry requires businesses to review all user accounts and permissions every six months. Inappropriate access, such as outdated permissions and orphaned accounts, must be addressed during this process.

8

Identify Users and Authenticate Access to System Components

Before access is granted, users must verify their identity. In order to attribute actions to specific individuals, each user must be assigned a unique ID. The use of shared accounts is only permissable in a few, limited cases. Any accounts with access to the cardholder data environment must be secured using multi-factor authentication (MFA). To prevent fraudulent logins, accounts must be locked down after a maximum of ten failed login attempts. A session timeout of 15 minutes is required to prevent device misuse.

Protecting accounts requires managing the entire user lifecycle, from creation to deletion. To qualify for PCI DSS compliance, accounts can only be created or updated by authorized users, with all changes being documented for admin review. When an employee leaves your organization, access must be revoked immediately. Inactive accounts, such as unused accounts of current employees, must be deleted within 90 days.

Why tenfold?

What makes tenfold the leading IAM solution for mid-market organizations?

9

Restrict Physical Access to Cardholder Data

Aside from logical access to car holder data, PCI DSS also requires compliant organizations to limit physical access to records and IT systems. Here, the standard differentiates between sensitive areas such as server rooms and the cardholder data environment on the whole. Among the requirements put forth in this chapter are access restrictions, video monitoring systems, safeguards for network access points, and the safe storage and destruction of physical media and records. Further, payment devices must be periodically inspected to prevent tampering through card skimmers and similar devices.

10

Log and Monitor All Access to System Components and Cardholder Data

In order to detect suspicious activity and support forensic analysis, audit logs must be enabled for all relevant systems. To protect against tampering, audit logs must be stored safely and under strictly limited access. Events that should be captured, logged and monitored include:

  • User logins (both successful and failed)

  • Cardholder data being accessed

  • The creation of new accounts

  • Changes to existing accounts

  • Audit logs being accessed

Since rigorous tracking produces an enormous amount of data, the SSC recommends the use of an automated security information & event management (SIEM) solution to assist with log analysis and the detection of anomalies and significant changes. Regardless of method, organizations must review security events daily. The same applies to the logs of components that 1) store, process or transmit protected data, 2) perform critical functions or 3) perform security functions.

11

Test Security of Systems and Networks Regularly

Since both researchers and attackers continuously discover new weaknesses and exploits, PCI DSS mandates regular security checks in the form of vulnerability scans and penetration tests. External and internal vulnerability scans must be conducted every three months as well as following significant changes to your IT environment. The scan is repeated until all vulnerabilites with a CVSS score of 4.0 or higher have been resolved. Vulnerabiliites that fall below this threshold must be documented and addressed in a timeframe appropriate to the targeted risk analysis of chapter 12.

Internal scans can be conducted by qualified members of your own staff, as long as you take steps to avoid conflicts of interest. For example, a system should not be tested by the same employee who is responsible for its ongoing operation and maintenance. External scans can only be performed by approved scanning vendors (ASV). Internal and external penetration tests must be conducted every 12 months following the same criteria.

Compliant businesses are further required to implement intrusion detection for their own network and tamper detection for payment sites.

12

Support Information Security with Organizational Policies

PCI DSS compliance is a complex endeavor that requires not only technical security measures, but also staff awareness, training and cooperation. To this end, companies are required to maintain an information security policy that communicates objectives and responsibilites to their own staff, as well as vendors and business partners. To guard against insider threats, companies must screen also screen staff before hiring. Background checks must, of course, follow local privacy and employment laws.

The information security policy must be reviewed every 12 months and updated as necessary in regards to scope, the inventory of software and hardware products, as well as agreements with third-party service providers (TPSP). This includes checking whether TPSPs are still PCI-compliant themselves. Additionally, organizations must prepare emergency plans and prodedures in order to adequately respond to attacks and data breaches.

The organizational requirements of PCI DSS closely mirror the demands of security standards such as ISO 27001 or the NIST cybersecurity framework. A company that has completed a similar certification can therefore focus on implementing PCI-specific requirements such as yearly reviews of the PCI status of third-party services.

Lock on laptop keyboard, cybersecurity concept
PCI-compliant user management? No problem with tenfold IAM! Adobe Stock, (c) thodonal

PCI DSS: Enforcing Need-to-Know Access

The steps required to achieve PCI DSS compliance depend on your organizations IT infrastructure and role of card data in your daily operations. Businesses that process payments exclusively through compliant external services and devices will have an easier time meeting requirements of the Security Standards Council than companies that store cardholder data on their own servers.

However, it’s important to note that PCI DSS compliance can never be fully outsourced. Not only is a merchant or vendor still responsible for managing agreements with third-party services and tracking their provider’s compliance status: They must also secure their own network against data breaches. Even systems that do not store or process credit card data can still fall under the scope of PCI DSS. This is due to the fact that attacks on your company’s IT can indirectly affect the safety of card information โ€“ for example if attackers steal login data or security logs.

As a result, organizations still need to meet the security requirements of payment card industry in any parts of their network that can impact the security of cardholder data or devices with access to the cardholder data environment. Requirements such as secure configuration, malware protection and user and access management.

How can tenfold Help You Achieve PCI DSS Compliance?

The payment card industry’s goal with PCI DSS is to make sure credit card data doesn’t fall into wrong hands despite its widespread use for both online and offline payments. In IT systems, the question of who can view or edit sensitive data is governed through access rights that determine which users hold which permissions for which assets. In other words, when it comes to preventing unauthorized access from within and without, identity and access management plays a fundamental role. There’s a reason why PCI DSS requires organizations to implement strong access control measures.

However, without a dedicated IAM solution, enforcing appropriate access for large groups of users is a nigh impossible task. Accounts and permissions must be individually updated as employees join, switch roles or leave. Privileges must be painstakingly documented and regularly reviewed in order to ensure that all access rights meet the least privilege/need to know standard.

The good news? tenfold can do all of that for you! By offering automated user management, permission reporting and access reviews, tenfold guarantees appropriate access for all users across all systems. Maximum security, minimal effort.

PCI DSS Requirements covered by tenfold

7 – Access Control

Restrict Access by Business Need to Know

With tenfold, maintaining need-to-know access is a walk in the park: by establishing default permissions for users in different positions and departments, tenfold automatically assigns the right level of access to every employee. For example, if a user switches departments, tenfold‘s user lifecycle management adds all necessary permissions while removing any privileges that are no longer required.

tenfold also allows you to automate the access reviews required for PCI DSS compliance. Our IAM solution follows the SSC’s recommended approach of assigning data owners, who are responsible for answering self-service requests and reviewing any permissions for assets under their control. tenfold automatically notifies data owners of upcoming reviews and compiles all pending items into a single list. All data owners have to do is check the appropriate box to confirm or revoke permissions.

8 – User Management

Identify Users and Authenticate Access

By providing a central, automated platform for managing accounts in all connected systems, tenfold makes it easy to control the entire user lifecycle. When employees leave your organization, their accounts and permissions are automatically deleted. tenfold‘s dashboard also highlights inactive accounts, allowing you to easily remove them. In addition to that, tenfold‘s detailed permission reporting tracks all changes made to user accounts and access rights, making it easy to prove during audits that changes were made by authorized users.

tenfold supports multi-factor authentication for our IAM platform. To enable MFA for other applications, please refer to the settings provided by the target system itself.

9 – Physical Access

Restrict Physical Access to Cardholder Data

Limiting in-person access to IT systems, network access points and written records is primarily a question of of physical barriers and staff policy. However, organizations who provide physical access via key cards or tokens can often use tenfold to both assign and track these methods of identification. This would allow you to, for example, maintain a digital record of which digital key unlocks which areas.

An example of using tenfold for physical access control would be our PKE plugin.

Restrict Access by Business Need to Know

With tenfold, maintaining need-to-know access is a walk in the park: by establishing default permissions for users in different positions and departments, tenfold automatically assigns the right level of access to every employee. For example, if a user switches departments, tenfold‘s user lifecycle management adds all necessary permissions while removing any privileges that are no longer required.

tenfold also allows you to automate the access reviews required for PCI DSS compliance. Our IAM solution follows the SSC’s recommended approach of assigning data owners, who are responsible for answering self-service requests and reviewing any permissions for assets under their control. tenfold automatically notifies data owners of upcoming reviews and compiles all pending items into a single list. All data owners have to do is check the appropriate box to confirm or revoke permissions.

tenfold: Efficiency, Security & Compliance

As a central platform for identity and access management, tenfold helps organizations automate account creation and deletion, user provisioning, permission reporting, access reviews and much more! Thanks to its deep integration with Microsoft and third-party systems, as well as a user-friendly self-service interface, tenfold not only lowers your IT workload, but ensures that sensitive data remains safe from prying eyes.

tenfold will help you both achieve PCI DSS compliance and prepare for assessment audits thanks to its detailed reporting and comprehensive change tracking. Not convinced yet? Check out our demo video for a tour of tenfold‘s most important features. Or sign up for a free trial to experience our intuitive IAM solution firsthand and learn more about the advantages of tenfold.

Free Trial

Our No-Code Solution Makes IAM Easy.
Start Your Free Trial Today!

About the Author: Joe Kรถller

Joe Kรถller is tenfoldโ€™s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.