PCI DSS

Who needs to comply with PCI DSS?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data (CHD) and sensitive authentication data (SAD) wherever it is processed, stored or transmitted. Maintaining payment security is required for all organizations that store, process or transmit cardholder data.

The PCI Security standards include technical and operational requirements for:

Organizations accepting or processing payment transactions
Software developers and manufacturers of applications and devices used in those transactions

PCI 3.2.1, which was released in May 2018, is the current version that covered organizations have to adhere to.

Validation of compliance is performed annually or quarterly, by a method suited to the organization’s merchant level designation, which is a function of the annual volume of credit card transactions handled.

Summary of PCI Merchant Levels and Audit and Reporting Requirements

The table below offers an overview of the PCI merchant levels, the common payment architectures typically used at each level, and the corresponding PCI audit and reporting requirements. Note: There are some subtle differences in merchant level benchmarks across credit card companies, so readers are advised to consult with their PCI advisory and QSA partners to get an accurate assessment of the requirements that apply to their organization.

Merchant Level	Volume of Credit Card Transactions Per Year	Common Payment Architecture	PCI Audit and Reporting Requirements
LEVEL 1	More than 6 million total transactions across all global regions	Ecommerce Card not present Card-present	Annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA) Quarterly network scans by an Approved Scanning Vendor (ASV) Attestation of Compliance Form
LEVEL 2	1 million to 6 million across all global regions	Ecommerce Card not present Card-present	Annual Self-Assessment Questionnaire (SAQ) (internal audit) Quarterly network scan by an ASV Attestation of Compliance Form
LEVEL 3	20,000 to 1 million across global regions	Ecommerce only	Annual SAQ Quarterly network scan by an ASV Attestation of Compliance Form
LEVEL 4	Less than 20,000 OR 1 million through all channels BUT Less than 20,000 card transactions	Ecommerce only Card present Ecommerce	Annual SAQ Quarterly network scan by an ASV Attestation of Compliance Form

‍

12 Requirements for PCI DSS

PCI DSS 3.2.1 includes 6 objectives, 12 requirements, 78 base requirements, and over 400 test procedures. The table below summarizes the PCI DSS objectives and the related requirements. For details on the sub-requirements and testing, readers should review the PCI DSS reference guide.

PCI DSS OBJECTIVES	Requirements
BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS	1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
PROTECT CARDHOLDER DATA	3. Protect stored cardholder data 4. Encryption transmission of cardholder data across open, public networks
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM	5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications
IMPLEMENT STRONG ACCESS CONTROL MEASURES	7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data
REGULARLY MONITOR AND TEST NETWORKS	10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes
MAINTAIN AN INFORMATION SECURITY POLICY	12. Maintain a policy that addresses information security for all personnel

‍

Potential Risks Due to PCI Non-Compliance

PCI DSS has been around for more than 12 years, but many organizations continue to face critical adverse findings during audits. A handful of organizations also continue to report that it experienced a data breach even after recently passing a PCI audit. The key takeaway here is that compliance doesn’t necessarily mean the data and applications are secure. Compliance should be viewed as the baseline; and organizations should also focus on identifying and mitigating threat vectors that aren’t necessarily covered by its compliance mandates.

These are the most common PCI compliance challenges:

Need to manage the scope and control the cost of PCI audits. The PCI Security Council published a guide for scoping and network segmentation. The document offers a framework to help covered organizations identify the CDE (cardholder data environment) components, PCI-connected and PCI-security impacting systems, and out-of-scope components. Unfortunately, executing the scoping and segmenting framework is challenging for many organizations because of the increasingly dynamic and complex nature of data center environments and payment architectures. Relying on static, point-in-time data and network flow maps to populate and maintain the PCI component inventory combined with inconsistent IT change and firewall change management practices lead to scoping and segmentation errors, which in turn, result in PCI assessment failures and higher audit costs.
Inability to continuously maintain its PCI security compliance and segmentation posture. The PCI Security standards require organizations to continuously maintain its PCI segmentation posture and ensure that it is continuously compliant with PCI requirements and base requirements. Dynamic and complex data center and payment architectures combined with misalignments across security processes and IT operations lead to security and control gaps. As a result of IT practices, PCI-components often end up co-mingling with non-PCI components within the same zone, VLAN, or subnet, and without additional controls to restrict traffic to the CDE. In some cases, the disconnect between IT change management, resource provisioning, and firewall change management processes result in the incorrect inventory of in-scope PCI-connected systems and misconfigured firewall rules. Poor vulnerability management and patch management processes also prevent an organization from continuously maintaining its PCI security posture.The Verizon Payment Security Report provides a detailed review of the payment security trends and the critical security challenges that organizations continue to experience. Verizon has been publishing this report annually since 2010. In the 2020 report, the authors conclude that the following PCI requirements have the worst control gaps:
Req 11. Test security systems and processes
Req 5. Protect against malicious software
Req 10. Track and monitor access
Req 12. Security management
Req 8. Authenticate access
Req 1. Install and maintain a firewall configuration
Having flat networks. Surprisingly, many organizations today continue to have flat networks because these are simple to architect and easy to operate and maintain. However, a flat network means that everything in the environment (including non-PCI connected and non-CDE components) are in-scope for PCI leading to higher PCI audit costs. A flat network also means that if a bad actor is able to successfully compromise a single host, it can then easily traverse the network and access the payment applications and cardholder database.
Need to secure transition to remote work operating model. As organizations transition to an all-remote work operating model, they need to evaluate how these changes affect the scope of their PCI environment, and what additional controls they have to implement to control legitimate traffic to the CDE. Examples include securing legitimate remote access of authorized admins to payment applications from worker laptops, securing remote customer support and billing, and on-site, contactless, securing authorized connections between internet-facing contactless kiosks and the data center applications.

What are PCI Data Security Standard’s Common Implementation challenges?

Real-time visibility into the workloads, users, devices, and its connections and flows are important for:

Ensuring that the scope of the PCI environment is up-to-date and accurate, which in turn means that segmentation and firewall rules are correctly applied.
Providing valuable inputs to the mandated quarterly internal vulnerability scans and using this information to map the potential lateral attack pathways associated with vulnerabilities.
Continuously monitoring the PCI environment for changes in workloads, devices, users, connections, and failed attempts to connect which could be indicators of a potential attack.
Identifying changes in the attack surface and threat vectors that are not necessarily covered by PCI compliance requirements.

Real-time Visibility’s Importance in Effective PCI DSS Compliance

Real-time visibility helps ensure the accuracy of the PCI scope by continuously monitoring all the connections of the CDE, PCI-connected, and PCI security-impacting systems, all of which are in scope for PCI. An organization can then apply host-based micro-segmentation to enforce the applicable firewall rules to restrict inbound and outbound traffic to the PCI environment only to those that are “allowed” or “legitimate”. (Requirement 1)
Continuously maintaining effective and accurate segmentation of the PCI environment helps control the PCI audit costs.
Eliminating misconfigured and out-of-date firewall rules mitigates a covered organization’s exposure to a potential data breach.
Take advantage of the integration with IT automation tools (like Chef, Puppet, and Ansible, Terraform) to ensure that segmentation policies are provisioned, at the same time as workload resource provisioning and release to production environment.
Real-time visibility helps the organization assess the changes to the PCI scope as an organization transitions to remote work. It helps the organization identify critical control gaps and potential attack vectors. Organizations can then apply host-based micro-segmentation to restrict peer-to-peer connections from at-home devices to the remote user’s laptops, and to control user to data center application connections.
Control connections between authorized PCI workloads, users, and devices that are scattered across multiple VLANs, zones and subnets, and keep up with IT operations changes, without re-architecting the networking environment.
In cloud-native and greenfield environments, organizations can take advantage of the integration with container orchestration platforms to provision “segmentation policies” at the birth of a workload.
In addition to directly meeting PCI compliance requirements, an organization can apply micro-segmentation to reduce its attack surface, obstruct lateral movement, and contain the rapid propagation of ransomware.

Using Host-Based Micro-Segmentation to Address Your PCI Compliance and Cybersecurity Challenges

Real-time visibility helps ensure the accuracy of the PCI scope by continuously monitoring all the connections of the CDE, PCI-connected, and PCI security-impacting systems, all of which are in scope for PCI. An organization can then apply host-based micro-segmentation to enforce the applicable firewall rules to restrict inbound and outbound traffic to the PCI environment only to those that are “allowed” or “legitimate”. (Requirement 1)
Continuously maintaining effective and accurate segmentation of the PCI environment helps control the PCI audit costs.
Eliminating misconfigured and out-of-date firewall rules mitigates a covered organization’s exposure to a potential data breach.
Take advantage of the integration with IT automation tools (like Chef, Puppet, and Ansible, Terraform) to ensure that segmentation policies are provisioned, at the same time as workload resource provisioning and release to production environment.
Real-time visibility helps the organization assess the changes to the PCI scope as an organization transitions to remote work. It helps the organization identify critical control gaps and potential attack vectors. Organizations can then apply host-based micro-segmentation to restrict peer-to-peer connections from at-home devices to the remote user’s laptops, and to control user to data center application connections.
Control connections between authorized PCI workloads, users, and devices that are scattered across multiple VLANs, zones and subnets, and keep up with IT operations changes, without re-architecting the networking environment.
In cloud-native and greenfield environments, organizations can take advantage of the integration with container orchestration platforms to provision “segmentation policies” at the birth of a workload.
In addition to directly meeting PCI compliance requirements, an organization can apply micro-segmentation to reduce its attack surface, obstruct lateral movement, and contain the rapid propagation of ransomware.

‍

Learn more

Start now to implement steps to become PCI compliant and protect your customers and your company.

Learn more about how micro-segmentation can help reduce your PCI DSS scope and achieve compliance with our white paper, "Three Steps to Effectively Segment Your PCI Compliance."

‍

back to glossary