What is
PCI Compliance?

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data (CHD) and sensitive authentication data (SAD) wherever it is processed, stored or transmitted. Maintaining payment security is required for all organizations that store, process or transmit cardholder data.

The PCI Security standards include technical and operational requirements for

• Organizations accepting or processing payment transactions
• Software developers and manufacturers of applications and devices used in those transactions

PCI 3.2.1, which was released in May 2018, is the current version that covered organizations have to adhere to.

Validation of compliance is performed annually or quarterly, by a method suited to the organization’s merchant level designation, which is a function of the annual volume of credit card transactions handled.

The table below offers an overview of the PCI merchant levels, the common payment architectures typically used at each level, and the corresponding PCI audit and reporting requirements. Note: There are some subtle differences in merchant level benchmarks across credit card companies, so readers are advised to consult with their PCI advisory and QSA partners to get an accurate assessment of the requirements that apply to their organization. 

PCI DSS 3.2.1 includes 6 objectives, 12 requirements, 78 base requirements, and over 400 test procedures. The table below summarizes the PCI DSS objectives and the related requirements. For details on the sub-requirements and testing, readers should review the PCI DSS reference guide. 

PCI DSS has been around for more than 12 years, but many organizations continue to face critical adverse findings during audits. A handful of organizations also continue to report that it experienced a data breach even after recently passing a PCI audit. The key takeaway here is that compliance doesn’t necessarily mean the data and applications are secure. Compliance should be viewed as the baseline; and organizations should also focus on identifying and mitigating threat vectors that aren’t necessarily covered by its compliance mandates.

These are the most common PCI compliance challenges:

1. Need to manage the scope and control the cost of PCI audits. The PCI Security Council published a guide for scoping and network segmentation. The document offers a framework to help covered organizations identify the CDE (cardholder data environment) components, PCI-connected and PCI-security impacting systems, and out-of-scope components. Unfortunately, executing the scoping and segmenting framework is challenging for many organizations because of the increasingly dynamic and complex nature of data center environments and payment architectures. Relying on static, point-in-time data and network flow maps to populate and maintain the PCI component inventory combined with inconsistent IT change and firewall change management practices lead to scoping and segmentation errors, which in turn, result in PCI assessment failures and higher audit costs.
2. Inability to continuously maintain its PCI security compliance and segmentation posture. The PCI Security standards require organizations to continuously maintain its PCI segmentation posture and ensure that it is continuously compliant with PCI requirements and base requirements. Dynamic and complex data center and payment architectures combined with misalignments across security processes and IT operations lead to security and control gaps. As a result of IT practices, PCI-components often end up co-mingling with non-PCI components within the same zone, VLAN, or subnet, and without additional controls to restrict traffic to the CDE. In some cases, the disconnect between IT change management, resource provisioning, and firewall change management processes result in the incorrect inventory of in-scope PCI-connected systems and misconfigured firewall rules. Poor vulnerability management and patch management processes also prevent an organization from continuously maintaining its PCI security posture.

   The Verizon Payment Security Report provides a detailed review of the payment security trends and the critical security challenges that organizations continue to experience. Verizon has been publishing this report annually since 2010. In the 2020 report, the authors conclude that the following PCI requirements have the worst control gaps:

   • Req 11. Test security systems and processes
   • Req 5. Protect against malicious software
   • Req 10. Track and monitor access
   • Req 12. Security management
   • Req 8. Authenticate access
   • Req 1. Install and maintain a firewall configuration
3. Having flat networks. Surprisingly, many organizations today continue to have flat networks because these are simple to architect and easy to operate and maintain. However, a flat network means that everything in the environment (including non-PCI connected and non-CDE components) are in-scope for PCI leading to higher PCI audit costs. A flat network also means that if a bad actor is able to successfully compromise a single host, it can then easily traverse the network and access the payment applications and cardholder database.
4. Need to secure transition to remote work operating model. As organizations transition to an all-remote work operating model, they need to evaluate how these changes affect the scope of their PCI environment, and what additional controls they have to implement to control legitimate traffic to the CDE. Examples include securing legitimate remote access of authorized admins to payment applications from worker laptops, securing remote customer support and billing, and on-site, contactless, securing authorized connections between internet-facing contactless kiosks and the data center applications.

Real-time visibility into the workloads, users, devices, and its connections and flows are important for:

• Ensuring that the scope of the PCI environment is up-to-date and accurate, which in turn means that segmentation and firewall rules are correctly applied.
• Providing valuable inputs to the mandated quarterly internal vulnerability scans and using this information to map the potential lateral attack pathways associated with vulnerabilities.
• Continuously monitoring the PCI environment for changes in workloads, devices, users, connections, and failed attempts to connect which could be indicators of a potential attack.
• Identifying changes in the attack surface and threat vectors that are not necessarily covered by PCI compliance requirements.

• Real-time visibility helps ensure the accuracy of the PCI scope by continuously monitoring all the connections of the CDE, PCI-connected, and PCI security-impacting systems, all of which are in scope for PCI. An organization can then apply host-based micro-segmentation to enforce the applicable firewall rules to restrict inbound and outbound traffic to the PCI environment only to those that are “allowed” or “legitimate”. (Requirement 1)
• Continuously maintaining effective and accurate segmentation of the PCI environment helps control the PCI audit costs.
• Eliminating misconfigured and out-of-date firewall rules mitigates a covered organization’s exposure to a potential data breach.
• Take advantage of the integration with IT automation tools (like Chef, Puppet, and Ansible, Terraform) to ensure that segmentation policies are provisioned, at the same time as workload resource provisioning and release to production environment.
• Real-time visibility helps the organization assess the changes to the PCI scope as an organization transitions to remote work. It helps the organization identify critical control gaps and potential attack vectors. Organizations can then apply host-based micro-segmentation to restrict peer-to-peer connections from at-home devices to the remote user’s laptops, and to control user to data center application connections.
• Control connections between authorized PCI workloads, users, and devices that are scattered across multiple VLANs, zones and subnets, and keep up with IT operations changes, without re-architecting the networking environment.
• In cloud-native and greenfield environments, organizations can take advantage of the integration with container orchestration platforms to provision “segmentation policies” at the birth of a workload.
• In addition to directly meeting PCI compliance requirements, an organization can apply micro-segmentation to reduce its attack surface, obstruct lateral movement, and contain the rapid propagation of ransomware.

• Real-time visibility helps ensure the accuracy of the PCI scope by continuously monitoring all the connections of the CDE, PCI-connected, and PCI security-impacting systems, all of which are in scope for PCI. An organization can then apply host-based micro-segmentation to enforce the applicable firewall rules to restrict inbound and outbound traffic to the PCI environment only to those that are “allowed” or “legitimate”. (Requirement 1)
• Continuously maintaining effective and accurate segmentation of the PCI environment helps control the PCI audit costs.
• Eliminating misconfigured and out-of-date firewall rules mitigates a covered organization’s exposure to a potential data breach.
• Take advantage of the integration with IT automation tools (like Chef, Puppet, and Ansible, Terraform) to ensure that segmentation policies are provisioned, at the same time as workload resource provisioning and release to production environment.
• Real-time visibility helps the organization assess the changes to the PCI scope as an organization transitions to remote work. It helps the organization identify critical control gaps and potential attack vectors. Organizations can then apply host-based micro-segmentation to restrict peer-to-peer connections from at-home devices to the remote user’s laptops, and to control user to data center application connections.
• Control connections between authorized PCI workloads, users, and devices that are scattered across multiple VLANs, zones and subnets, and keep up with IT operations changes, without re-architecting the networking environment.
• In cloud-native and greenfield environments, organizations can take advantage of the integration with container orchestration platforms to provision “segmentation policies” at the birth of a workload.
• In addition to directly meeting PCI compliance requirements, an organization can apply micro-segmentation to reduce its attack surface, obstruct lateral movement, and contain the rapid propagation of ransomware.

Start now to implement steps to become PCI compliant and protect your customers and your company.

Learn more about how micro-segmentation can help reduce your PCI DSS scope and achieve compliance with our white paper, "Three Steps to Effectively Segment Your PCI Compliance."