What is PCI DSS?
PCI DSS, or the Payment Card Industry Data Security Standard, is the comprehensive set of requirements designed to ensure that any company that processes, stores, or transmits credit card information does so by maintaining a secure environment. The requirements were established to help prevent payment data breaches and payment card fraud.
The PCI standards cover both technical solutions as well as the operational practices and processes that are included in, or are connected to, cardholder data systems.
An independent body, the PCI Security Standards Council (PCI SSC), made up of major payment companies, including Visa, MasterCard, American Express, Discover, and JCB, administers and manages this standard. However, enforcing the compliance of PCI DSS is the responsibility of the individual payment brands.
The council provides the comprehensive standards and support to help ensure sensitive cardholder information security is upheld. The PCI DSS serves as a framework for organizations to develop and maintain a data security process for payments that includes prevention, detection, and appropriate responses to any security incidents.
Who Needs to Comply with PCI DSS?
Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are, however, differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.
What are the Different levels of PCI Compliance?
While ALL organizations that accept, transmit, process, or store cardholder data are subject to the requirements of PCI DSS, the payment brands define four merchant levels that determine how compliance must be validated. The levels are based on transaction volume over a 12-month period (the thresholds below are Visa's, which the other brands broadly mirror; service providers are assigned separate levels on a different scale):
Level 1: Merchants processing over 6 million card transactions annually
Level 2: Merchants processing 1 to 6 million transactions annually
Level 3: Merchants processing 20,000 to 1 million e-commerce transactions annually
Level 4: Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions across all channels
At the highest compliance level (Level 1), organizations need an annual on-site assessment performed by a Qualified Security Assessor (QSA) or, where the brand permits, by internal staff holding the Internal Security Assessor (ISA) certification. The assessment validates the scope of the cardholder data environment, reviews documentation, determines whether each PCI DSS requirement is met, and provides guidance for remediation. A Report on Compliance (ROC) and an Attestation of Compliance (AOC) are then submitted to demonstrate compliance.
Lower-level organizations (Levels 2 through 4) do not need the on-site assessment and can instead complete a Self-Assessment Questionnaire (SAQ) together with an AOC; the SAQ type depends on how cards are accepted. Some brands require a Level 2 merchant's SAQ to be completed by a QSA or ISA-certified staff member (Mastercard, for example), or allow a ROC in its place. Regardless of level, merchants with externally facing systems in scope must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
Maintain a data security policy
Setting the tone for your organization can help bolster PCI DSS compliance as well as overall data security; this is what PCI DSS Requirement 12 (maintaining an information security policy for all personnel) asks for. Organizations can develop regular training programs and continuing education on data security and specifically on PCI DSS compliance. Questions to ask of your policy:
PCI DSS requirements
Does your policy thoroughly cover PCI DSS requirements?
Changes to internal systems
Is your policy reviewed regularly or when changes to internal systems occur?
PCI compliance responsibilities
Does your policy address how to identify and monitor service provider PCI compliance responsibilities?
Incident response
Is there an executable incident response plan that can be implemented immediately should you suffer a data breach?
PCI Compliance Solutions
Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. Fortra's security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.
Adaptive Data Loss Prevention (DLP)
Clearswift Adaptive DLP from Fortra applies the appropriate security treatment to cardholder data using custom dictionaries and more than 200 pre-configured tokens (patterns for data such as primary account numbers) that simplify policy definition for PCI DSS. The solution's adaptive redaction allows content that would otherwise constitute a PCI breach to be dynamically modified (redacted or sanitized) so that the legitimate part of the communication is still delivered, keeping collaboration secure but uninterrupted.
Fortra's data classification solutions reduce the risk of a data breach by applying a visual and metadata label that marks a document or email as PCI-related, so the information is handled in line with PCI requirements and encryption is triggered where required. Because PCI-related information is clearly identified, DLP policies can be enforced on it reliably. For auditing purposes, the classification metadata also supports enterprise search.
Vulnerability Assessments and Intrusion Protection
Proving PCI DSS compliance is easier with the security solutions delivered by Powertech. Organizations handling cardholder data can identify and quantify system security vulnerabilities and harden those systems against intrusion. In addition, database access to cardholder data is made visible, which helps meet the PCI DSS logging and audit requirements.
Secure Managed File Transfer
MFT solutions can help meet PCI requirements by securing data at rest and in transit through encryption, performing integrity checks of transfers, and providing detailed audit trails and reporting of all transfers. In addition, non-compliance with PCI DSS can be monitored with a compliance module and captured information can be used to build detailed reports to meet auditing and reporting requirements.
Digital Guardian Secure Collaboration can protect files that contain sensitive consumer PII and PCI data, no matter where or how they are shared. Organizations can encrypt and control access to this data, track and audit its use, and revoke access to it.
Offensive security is a well-defined piece of PCI DSS, with requirements for regular testing of security systems and processes. Vulnerability management and penetration testing solutions help organizations adhere to this requirement by finding, prioritizing, and verifying the remediation of external and internal vulnerabilities. Additionally, these tools help prove compliance with robust reporting capabilities that can provide a thorough record for auditors.
Managed Web Application Firewall
In PCI DSS 3.2.1, requirement 6.6 let organizations choose between periodic application vulnerability assessments and an automated technical solution such as a web application firewall for public-facing web applications. PCI DSS 4.0 requirement 6.4.2 (mandatory since 31 March 2025) removes that choice: an automated technical solution must be deployed that continually detects and prevents web-based attacks against public-facing web applications, and a WAF is the usual way to satisfy it. Fortra Managed WAF can prepare organizations for PCI DSS 4.0 by offering an end-to-end managed WAF service, with deployment support and continuously tuned protections covering both applications and their APIs.
We Can Help with PCI DSS Compliance. Let’s Talk.
Contact the professionals at Fortra for a free, 30-minute consultation on which solutions are best for your organization when it comes to securing PCI data. We'll help you determine the right layers of protection to comply with PCI DSS.