What is PCI DSS?
A beginner's guide to PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) is a set of information security standards for any organization that handles and accepts branded credit cards from the major credit card networks- American Express, Discover Financial Services, JCB International, MasterCard, and Visa. PCI DSS has been around since 2006 and covered organizations are currently required to comply with PCI DSS 3.2.1. PCI DSS 4.0 is currently under the RFC (request for comments) phase, as of the publication of this document, and is expected to be completed in mid-2021. According to the PCI Council, PCI DSS 3.2.1 will remain active for 18 months once all PCI DSS 4 materials are released.
The PCI Standard is mandated by the card networks but administered by the Payment Card Industry Security Standards Council. PCI DSS is intended to improve payment security and eliminate credit card fraud throughout the entire transaction process.
Understanding the Role of Real-time Visibility and
Micro-segmentation in PCI DSS Programs
Who needs to comply with PCI DSS?
The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data (CHD) and sensitive authentication data (SAD) wherever it is processed, stored or transmitted. Maintaining payment security is required for all organizations that store, process or transmit cardholder data.
The PCI Security standards include technical and operational requirements for:
-
Organizations accepting or processing payment transactions
-
Software developers and manufacturers of applications and devices used in those transactions
PCI 3.2.1, which was released in May 2018, is the current version that covered organizations have to adhere to.
Validation of compliance is performed annually or quarterly, by a method suited to the organization’s Merchant Level designation, which in turn, is a function of the annual volume of credit card transactions handled.
Summary of Merchant Levels and PCI Audit and Reporting Requirements.
The table below offers an overview of the PCI merchant levels, the common payment architectures typically used at each level, and the corresponding PCI audit and reporting requirements. Note: There are some subtle differences in merchant level benchmarks across the credit card companies, so readers are advised to consult with their PCI advisory and QSA partners to get an accurate assessment of the requirements that apply to their organization.
| Merchant Level | Volume of Credit Card Transactions Per Year | Common Payment Architecture | PCI Audit and Reporting Requirements |
|---|---|---|---|
| Level 1 | More than 6 million total transactions across all global regions |
|
|
| Level 2 |
1 million to 6 million across all global regions |
|
|
| Level 3 | 20,000 to 1 million across global regions |
|
|
| Level 4 |
Less than 20,000 OR 1 million through all channels BUT Less than 20,000 card transactions |
|
|
What are the requirements of PCI DSS?
PCI DSS 3.2.1 includes 6 objectives, 12 requirements, 78 base requirements, and over 400 test procedures. The table below summarizes the PCI DSS objectives and the related requirements. For details on the sub-requirements and testing, readers should review the PCI DSS reference guide.
| PCI DSS Objectives | Requirements |
| Build and Maintain a Secure Network and Systems |
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data |
3. Protect stored cardholder data 4. Encryption transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program |
5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures |
7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks |
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
What are the most common security challenges that organizations face in their PCI DSS programs?
PCI DSS has been around for more than 12 years, but many organizations continue to face critical adverse findings during audits. A handful of organizations also continue to report that it experienced a data breach even after recently passing a PCI audit. The key takeaway here is that compliance doesn’t necessarily mean the data and applications are secure. Compliance should be viewed as the baseline; and organizations should also focus on identifying and mitigating threat vectors that aren’t necessarily covered by its compliance mandates.
These are the most common PCI compliance challenges:
-
Need to manage the scope and control the cost of PCI audits. The PCI Security Council published a guide for scoping and network segmentation. The document offers a framework to help covered organizations identify the CDE (cardholder data environment) components, PCI-connected and PCI-security impacting systems, and out-of-scope components. Unfortunately, executing the scoping and segmenting framework is challenging for many organizations because of the increasingly dynamic and complex nature of data center environments and payment architectures. Relying on static, point-in-time data and network flow maps to populate and maintain the PCI component inventory combined with inconsistent IT change and firewall change management practices lead to scoping and segmentation errors, which in turn, result in PCI assessment failures and higher audit costs.
-
Inability to continuously maintain its PCI security compliance and segmentation posture. The PCI Security standards require organizations to continuously maintain its PCI segmentation posture and ensure that it is continuously compliant with PCI requirements and base requirements. Dynamic and complex data center and payment architectures combined with misalignments across security processes and IT operations lead to security and control gaps. As a result of IT practices, PCI-components often end up co-mingling with non-PCI components within the same zone, VLAN, or subnet, and without additional controls to restrict traffic to the CDE. In some cases, the disconnect between IT change management, resource provisioning, and firewall change management processes result in the incorrect inventory of in-scope PCI-connected systems and misconfigured firewall rules. Poor vulnerability management and patch management processes also prevent an organization from continuously maintaining its PCI security posture.
The Verizon Payment Security Report provides a detailed review of the payment security trends and the critical security challenges that organizations continue to experience. Verizon has been publishing this report annually since 2010. In the 2020 report, the authors conclude that the following PCI requirements have the worst control gaps:
-
Req 11. Test security systems and processes
-
Req 5. Protect against malicious software
-
Req 10. Track and monitor access
-
Req 12. Security management
-
Req 8. Authenticate access
-
Req 1. Install and maintain a firewall configuration
-
-
Having flat networks. Surprisingly, many organizations today continue to have flat networks because these are simple to architect and easy to operate and maintain. However, a flat network means that everything in the environment (including non-PCI connected and non-CDE components) are in-scope for PCI leading to higher PCI audit costs. A flat network also means that if a bad actor is able to successfully compromise a single host, it can then easily traverse the network and access the payment applications and cardholder database.
-
Need to secure transition to remote work operating model. As organizations transition to an all-remote work operating model, they need to evaluate how these changes affect the scope of their PCI environment, and what additional controls they have to implement to control legitimate traffic to the CDE. Examples include securing legitimate remote access of authorized admins to payment applications from worker laptops, securing remote customer support and billing, and on-site, contactless, securing authorized connections between internet-facing contactless kiosks and the data center applications.
Why is real-time visibility into application dependencies critical to effective PCI DSS compliance?
Real-time visibility into the workloads, users, devices, and its connections and flows are important for:
-
Ensuring that the scope of the PCI environment is up-to-date and accurate, which in turn means that segmentation and firewall rules are correctly applied.
-
Providing valuable inputs to the mandated quarterly internal vulnerability scans and using this information to map the potential lateral attack pathways associated with vulnerabilities.
-
Continuously monitoring the PCI environment for changes in workloads, devices, users, connections, and failed attempts to connect which could be indicators of a potential attack.
-
Identifying changes in the attack surface and threat vectors that are not necessarily covered by PCI compliance requirements.
How can organizations use host-based micro-segmentation to address their PCI compliance and cybersecurity challenges?
-
Real-time visibility helps ensure the accuracy of the PCI scope by continuously monitoring all the connections of the CDE, PCI-connected, and PCI security-impacting systems, all of which are in scope for PCI. An organization can then apply host-based micro-segmentation to enforce the applicable firewall rules to restrict inbound and outbound traffic to the PCI environment only to those that are “allowed” or “legitimate”. (Requirement 1)
-
Continuously maintaining effective and accurate segmentation of the PCI environment helps control the PCI audit costs.
-
Eliminating misconfigured and out-of-date firewall rules mitigates a covered organization’s exposure to a potential data breach.
-
Take advantage of the integration with IT automation tools (like Chef, Puppet, and Ansible, Terraform) to ensure that segmentation policies are provisioned, at the same time as workload resource provisioning and release to production environment.
-
Real-time visibility helps the organization assess the changes to the PCI scope as an organization transitions to remote work. It helps the organization identify critical control gaps and potential attack vectors. Organizations can then apply host-based micro-segmentation to restrict peer-to-peer connections from at-home devices to the remote user’s laptops, and to control user to data center application connections.
-
Control connections between authorized PCI workloads, users, and devices that are scattered across multiple VLANs, zones and subnets, and keep up with IT operations changes, without re-architecting the networking environment.
-
In cloud-native and greenfield environments, organizations can take advantage of the integration with container orchestration platforms to provision “segmentation policies” at the birth of a workload.
-
In addition to directly meeting PCI compliance requirements, an organization can apply micro-segmentation to reduce its attack surface, obstruct lateral movement, and contain the rapid propagation of ransomware.