The Payment Card Industry Data Security Standard (PCI DSS) was developed to set a single, global security standard for organisations that handle or process cardholder data. The standard sets out twelve technical and operational requirements.
12 PCI DSS technical and operational requirements
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The twelve requirements are themselves broken down into well over a hundred separate, specific controls, all of which are assessed for compliance.
PCI DSS is a set of minimum requirements; these can always be enhanced through the use of additional controls. Being a standard rather than a law, PCI DSS is not a legal requirement in itself, and national law or sector regulations will supersede it.
PCI DSS requires a zone to be established that is in scope for compliance. This zone is called the cardholder data environment (CDE). The CDE includes all people, processes and technologies involved in the processing, storing or transmitting of cardholder data or sensitive authentication data. The zone does not necessarily have to be segmented off in the network; however, segmentation is strongly recommended, since it limits the scope of the assessment to the segmented zone rather than the whole network.
Just like other compliance regulations, the standard promotes an analysis of what the business need is to store cardholder data and to what extent, encouraging the concept of data minimisation. Generally speaking, less data equals less risk to both the organisation and the data subject.
PCI Security Standards Council advice
The PCI Security Standards Council advises that the standards become business as usual. As such, they recommend the following:
- Monitor security controls to ensure effective operation
- Ensure that failures in security controls are detected and responded to rapidly
- Have an effective change management procedure
- Review changes to the organisation structure (eg mergers/acquisitions)
- Carry out regular reviews and communications on the most current PCI requirements, policies and procedures
- Carry out regular reviews of both hardware and software to ensure they are still current, relevant and supported
- Apply the separation of duties concept