The 12 PCI DSS Requirements to Ensure PCI Compliance

The writing on the wall is clear. Cash payments are passé.

Consumers are increasingly opting for debit and credit cards or other digital payment methods, for in-store and eCommerce purchases alike. A study by the Pew Research Center found that in 2022, 41% of consumers didn’t use cash for weekly purchases of essentials like groceries and gas. This was a huge leap from 2018, when only 29% used cashless payments for the same.

As more consumers gravitate online, more sensitive authentication data and financial information ends up on the internet. Unfortunately, personal data is exactly what criminals seek most. If merchants are exposed to security vulnerabilities when processing digital payments, the risk of cardholder data falling into the wrong hands increases sharply.

This is why PCI DSS compliance is critical.

Compliance with the PCI Data Security Standard addresses shortcomings and vulnerabilities in payment processing, thereby reducing the risk of fraud, identity theft, and cyberattacks. In this article, we’ll discuss why your business needs to ensure PCI compliance and what the 12 PCI DSS v4.0 security requirements are.

TL;DR

  • PCI DSS is a set of protocols to be followed by companies that store, process, and transmit cardholder data. As such, any business that accepts and processes credit card transactions should be aware of PCI DSS compliance requirements. 
  • The 12 PCI DSS requirements are meant to help companies achieve six main goals. PCI DSS is constantly updated, so you should check if your security control system complies with the latest standards.
  • PCI DSS can be very useful as its guidelines and requirements have all the details you need to protect sensitive payment information. If you are a business owner, we suggest that you take the PCI SAQ (Self-Assessment Questionnaire) to check whether your business is compliant.

What Is PCI DSS?

Before we learn about the PCI DSS requirements that businesses should fulfill, let’s look at what PCI DSS is. The Payment Card Industry Data Security Standard is a set of regulations or standards formalized by the PCI SSC (Payment Card Industry Security Standards Council) in 2004.

The PCI SSC is a group consisting of the five biggest payment card brands—American Express, JCB International, Discover Financial Services, Visa, and Mastercard. Before 2004, credit card companies had their own set of rules for cybersecurity. However, in 2004, these companies came together to set up best practices to ensure data security for rising digital payments globally. 

PCI DSS is a set of protocols to be followed by companies that store, process, and transmit cardholder data. As such, any business that accepts and processes credit card transactions should be aware of PCI DSS compliance requirements. 

These standards provide a robust set of regulations that businesses can use to set up compliance programs to protect their cardholder data environment (CDE), prevent cyberattacks, and improve their credit card payment processing system. While it isn’t mandatory by law to comply with PCI security controls, most credit card brands require PCI DSS compliance and non-compliance can lead to hefty fines. 

According to a report by the Federal Reserve Bank of San Francisco, credit card usage among Americans has been steadily increasing since 2016. In 2022, 31% of all payments were made using credit cards. This shows that businesses cannot ignore accepting credit card payments. They must be PCI DSS compliant to ensure maximum data security, protect cardholder data, prevent reputation damage from data leaks, and avoid non-compliance penalties.

The 12 PCI DSS Requirements You Should Know

PCI DSS helps organizations create a robust, secure, and efficient IT infrastructure to reduce the risk of cyberattacks as much as possible. Note that PCI DSS is constantly updated, so you should check whether your security control system complies with the latest standards. You can engage a PCI QSA (Qualified Security Assessor) to check this.

PCI DSS can be very useful as its guidelines and requirements have all the details you need to protect sensitive payment information. If you are a business owner, we suggest that you take the PCI SAQ (Self-Assessment Questionnaire) to check whether your business is compliant.

The 12 PCI DSS requirements are meant to help companies achieve six main goals. When you partner with a payment processor, ensure they are PCI DSS compliant too. Stax is 100% PCI compliant, which makes it the perfect solution for all your payment processing needs.  

Goal 1: Create and maintain a secure system and network

PCI DSS Requirement 1 – Avoid using default system passwords and security parameters provided by vendors

Most often, companies do not build their tech stack from scratch. They buy, install, and set up software, APIs, etc. to create customized IT infrastructure suited to each company’s needs. 

Each of these components—operating systems, firewalls, servers, applications, etc.—comes with vendor-supplied default passwords. Make sure to change them the instant you receive a product from the vendor. 

Default usernames and passwords provided by vendors are usually very simple and, hence, can be easily cracked by attackers. To maintain a secure network, businesses must make sure that users of these components aren’t relying on defaults either. In fact, the PCI DSS requirement states that it is best to disable all default accounts before a system or software is installed in your network.

PCI DSS Requirement 2 – Set up and maintain firewalls to secure cardholder data

This requirement has been put in place to protect cardholder information from unauthorized access within an organization. Firewalls monitor traffic to a system and can be configured to block a certain section of the traffic.

To comply with PCI DSS, you must set up firewalls in your IT infrastructure over networks to set access controls so that only those with the right security clearance within the organization can access cardholder data. Firewalls must also be set up to protect your internal network from external intrusions. These firewalls and network traffic need to be monitored at all times.

Beyond firewalls, the PCI DSS requirements also provide guidance on router configuration and management to protect sensitive information. Make sure to check router configurations, and reconfigure if required, every six months.

Goal 2: Protect cardholder data

PCI DSS Requirement 3 – Stored cardholder data must be protected

Businesses should avoid storing cardholder data wherever possible. In cases where businesses have to store cardholder data, they must follow these steps:

  • Delete all cardholder data on a quarterly basis
  • Restrict the amount of time the data is stored
  • Encrypt authentication data so that it is unusable by criminals
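The third step above, making stored data unusable to anyone who steals it, is easier to reason about with concrete code. The following is an added example, not code from the original article or from Stax: it shows the three things a practitioner typically does with a primary account number (PAN) once it must be kept, namely detecting PAN-like digit runs (with the Luhn check card numbers satisfy) so they can be found in files and logs where they don't belong, masking a PAN for display so only the first six and last four digits remain, and replacing the raw PAN with a keyed one-way hash (HMAC-SHA256) so that systems can look a card up without ever storing it. The key, the sample log line and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
from typing import List

# Constructed, example-only key. A real deployment keeps this in an HSM or a
# key-management service and never in source code.
TOKEN_KEY = b"example-only-key-not-for-production"

# 13 to 19 digits, optionally separated by spaces or hyphens, ending on a digit.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def _digits(text: str) -> str:
    """Keep only the digits of a formatted card number."""
    return "".join(c for c in text if c.isdigit())


def luhn_valid(candidate: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    digits = [int(c) for c in _digits(candidate)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits stay, the rest become '*'."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way hash of the whole PAN; safe to store as a lookup/index token."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number-like runs found in free text (a log line, a CSV row)."""
    return [m.group(0) for m in _DIGIT_RUN.finditer(text) if luhn_valid(m.group(0))]


def redact(text: str) -> str:
    """Replace every PAN found in the text with its masked form."""
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text
    )


if __name__ == "__main__":
    # Constructed log line with the well-known test number 4111 1111 1111 1111.
    line = "2024-01-05 order=42 pan=4111 1111 1111 1111 phone=5551234567"
    print(find_pans(line))
    print(redact(line))
    print(pan_token("4111 1111 1111 1111"))
```

Running `redact` over outbound log lines is a cheap way to keep a PAN from leaking into systems that were never meant to be in the cardholder data environment; the token function is deterministic for a given key, so the same card always maps to the same token, which is what makes it usable as a database index.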

PCI DSS Requirement 4 – Cardholder data that is transmitted across open and public networks must be encrypted

Not only should you think about protecting sensitive customer information on your internal networks but also ensure that such data is protected when being transmitted on external networks. The best way to protect data as it is being transmitted over a network, especially one that is public and open, is to encrypt it.

One of the most common ways that cybercriminals get access to cardholder data is by intercepting it while it is being transmitted. Encryption renders the information unreadable to criminals who capture it in transit.

According to PCI DSS, any organization that transmits, stores, or processes cardholder data must use encryption or tokenization tools to protect data. Encryption can be broken, but doing so takes a lot of time and effort on the criminal’s part, which gives your cybersecurity personnel time to protect the data even in the case of a breach.
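In practice, "encrypt data on open and public networks" means TLS with certificate verification turned on and old protocol versions refused. The block below is an added example, not code from the article or from Stax: it builds a client-side TLS configuration that meets that bar using Python's standard `ssl` module, shows the kind of context that is often written to silence certificate errors, and runs a small policy check over both so the weak settings are reported by name. The function names and the wording of the findings are assumptions made for the example.

```python
import ssl
from typing import List


def client_tls_context() -> ssl.SSLContext:
    """Context for connecting to a payment gateway: verify the server, refuse pre-TLS-1.2."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_tls_context() -> ssl.SSLContext:
    """The context found in code that 'just makes the certificate error go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, including an attacker's
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings in a context that fall short of the encrypt-in-transit policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    return not tls_policy_findings(ctx)


if __name__ == "__main__":
    for name, ctx in (("hardened", client_tls_context()), ("legacy", legacy_tls_context())):
        print(name, tls_policy_findings(ctx) or "OK")
```

Pass the hardened context wherever the client library accepts one, for example `http.client.HTTPSConnection(host, context=ctx)`; the policy check is the kind of thing worth running in a unit test so that a later "quick fix" that disables verification fails the build instead of shipping.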

Goal 3: Install a vulnerability management program

PCI DSS Requirement 5 – Update antivirus programs regularly and protect systems from malware

All devices in the tech stack and those connected to your networks must have antivirus programs on them. Every day, malicious parties come up with new malware, so your antivirus software needs to be kept updated so that your IT infrastructure is protected against as much malicious software as possible.

It is suggested that companies set up processes that aim to constantly strengthen the entire system against cyberattacks. Vulnerability scans should be conducted at regular intervals, and networks should be monitored to identify potential threats.

PCI DSS Requirement 6 – Develop and maintain secure systems and applications

As per this requirement, businesses must prioritize security and ensure that security measures are built into every stage of the software development lifecycle. This means that security needs to be of utmost importance when code is written, and vulnerabilities must be addressed as soon as possible.

This requirement describes the process of creating a risk management system that detects security issues, prioritizes them, installs patches, and recommends appropriate actions. Organizations must also conduct regular training for their engineers about security and code must be protected as much as possible.

Goal 4: Implement strong access control measures

PCI DSS Requirement 7 – Cardholder data must be accessed on a need-to-know basis

As mentioned earlier, businesses must discard as much cardholder information as possible. If sensitive data needs to be stored, then strict access management systems need to be put in place so that only those who need access to the data can obtain it.

Your access management protocols should have clear user roles and default access to credit card data should be blocked. These protocols should also be able to deal with changes in access controls when the user’s role changes or is terminated. 

PCI DSS Requirement 8 – Identify and authenticate access to system components

This requirement deals with tracking activities related to cardholder data. To that end, each user who has access to cardholder or account data must have a unique ID assigned to them. This allows their activities to be traced back to them.

You should also require strong passwords for such users and give them additional multi-factor authentication tools. Of course, their access and credentials need to be reviewed and corrected periodically.

PCI DSS Requirement 9 – Limit physical access to cardholder data

Credit card data isn’t just under threat from online sources. Criminals can easily collect cardholder information from physical cards as well. Hence, areas where card payments are processed and credit cards are handled must be restricted and secured. Additionally, the areas where sensitive payment and cardholder information is stored must also be secured.

Employees handling physical cards must wear some form of physical identification and any document—physical or digital—that has cardholder data must be stored securely with their contents made unreadable. 

Goal 5: Regularly test and monitor 

PCI DSS Requirement 10 – Monitor and track access to cardholder data and network resources 

Your business must monitor all user activity over its internal network, especially those related to the cardholder data environment. Apart from monitoring, your business must also track user activity and maintain audit logs. These activities can help detect anomalous and fraudulent activity over the network and prevent criminals from getting access to any cardholder data.

According to this PCI DSS requirement, logs should record the date, time, and user, and the data should be stored for at least a year. Three months of audit trails and logs should be easily accessible for immediate review.

These logs should be of high quality and maintained well. This will make it easier for you to identify issues, catch and stop data breaches, and find those responsible. It is also best to automate the logging process to make it easier, less time-consuming, and error-free.
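Requirements 7, 8 and 10 fit together: a unique ID per user, a role that bounds what that ID may do, and an audit trail with date, time and user that someone actually reviews. The following is an added example, not code from the article or from Stax. It writes audit entries in the shape the requirement describes, runs a review over a handful of constructed log lines to flag the cases a reviewer cares about (an ID not in the directory, a terminated user still acting, an action outside the user's role, repeated failures), and sorts records into the retention tiers the article gives (three months online, one year kept). The user directory, role table, log lines and thresholds are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed user directory: one unique ID per person (Req 8) and a role (Req 7).
USERS: Dict[str, dict] = {
    "u1001": {"role": "billing", "active": True},
    "u1002": {"role": "support", "active": True},
    "u1003": {"role": "billing", "active": False},   # terminated; access should be gone
}
# Constructed role table: default is "nothing"; a role grants only what it lists.
ROLE_PERMITS = {
    "billing": {"read_pan_masked", "issue_refund"},
    "support": {"read_pan_masked"},
}
ONLINE_DAYS = 90     # three months immediately available for review
RETAIN_DAYS = 365    # kept for at least a year
FAILURE_THRESHOLD = 3


def audit_record(user_id: str, action: str, resource: str, ok: bool, when: datetime) -> str:
    """Serialize one audit entry: timestamp, user ID, what was attempted, on what, and the outcome."""
    return json.dumps({"ts": when.isoformat(), "user": user_id,
                       "action": action, "resource": resource, "ok": ok})


def review_audit_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return the user IDs behind each category of finding a log reviewer should look at."""
    findings: Dict[str, List[str]] = {
        "unknown_user": [], "inactive_user": [], "outside_role": [], "repeated_failure": []}
    failures: Dict[str, int] = {}
    for line in lines:
        rec = json.loads(line)
        user = USERS.get(rec["user"])
        if user is None:                       # activity under an ID nobody owns
            findings["unknown_user"].append(rec["user"])
            continue
        if not user["active"]:                 # terminated user still acting
            findings["inactive_user"].append(rec["user"])
        if rec["action"] not in ROLE_PERMITS[user["role"]]:
            findings["outside_role"].append(rec["user"])
        if not rec["ok"]:
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
            if failures[rec["user"]] == FAILURE_THRESHOLD:
                findings["repeated_failure"].append(rec["user"])
    return findings


def retention_tier(record_ts: str, now: datetime) -> str:
    """Where a record belongs by age: 'online', 'archive', or 'expired' (past one year)."""
    age = now - datetime.fromisoformat(record_ts)
    if age <= timedelta(days=ONLINE_DAYS):
        return "online"
    if age <= timedelta(days=RETAIN_DAYS):
        return "archive"
    return "expired"


# Constructed sample log, written with the same function a production path would use.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_record("u1001", "read_pan_masked", "order/42", True, NOW - timedelta(minutes=5)),
    audit_record("u1002", "issue_refund", "order/42", False, NOW - timedelta(minutes=4)),
    audit_record("u1003", "read_pan_masked", "order/43", True, NOW - timedelta(minutes=3)),
    audit_record("svc-old", "read_pan_masked", "order/44", True, NOW - timedelta(minutes=2)),
] + [audit_record("u1002", "read_pan_masked", "order/45", False, NOW - timedelta(seconds=s))
     for s in (30, 20, 10)]


def sample_findings() -> Dict[str, List[str]]:
    return review_audit_log(SAMPLE_LOG)


if __name__ == "__main__":
    print(json.dumps(sample_findings(), indent=2))
```

The point of emitting records through one function is that every entry carries the same fields, which is what makes the review step automatable; the review itself is deliberately simple so that each finding names the ID to follow up, which is the trace-back-to-a-person property Requirement 8 exists for.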

PCI DSS Requirement 11 – Test security systems and processes on a regular basis

A business’s IT infrastructure can be complex, as it is made up of so many systems, hardware, and software. Also, technology needs to be kept up to date, and when a piece of software in your system updates itself or a user changes certain configurations, it can throw the whole stack off balance.

This is why PCI DSS has a requirement that details how to conduct tests and scans to check your entire system for vulnerabilities. Apart from regular vulnerability testing, PCI DSS recommends annual penetration tests and the necessary re-testing and follow-ups. Only ASVs (Approved Scanning Vendors) should perform vulnerability tests, and the process must be documented.

Goal 6: Maintain an Information Security Policy

PCI DSS Requirement 12 – Create a policy that addresses information security for all personnel

No employee should be left behind when it comes to education on cyber and information security. It’s only when everyone is aware of security protocols and knows how to handle suspicious activity that your business will be able to handle all types of threats.

Your policy should be well-documented, constantly updated, and sent to all employees. PCI DSS requires an annual review of the policy. To minimize internal threats, you should have a strong screening process when hiring. 

Final Words

Constantly fighting attacks and potential cardholder breaches is no joke. It takes a lot of time, effort, and money to set up the right systems, train employees, and monitor network traffic to prevent cyberattacks. 

For a small business, all this can be overwhelming. However, to be able to accept credit cards and process card transactions, you need to be PCI DSS compliant. It’s best to partner with a payment service provider like Stax that can not only set up a credit card payment processing environment for you but can also ensure that you are PCI DSS compliant. 

To learn more, contact one of our experts today and request a consultation.
