PCI DSS

The PCI DSS security standards were released in 2006 and have faced multiple revisions. The PCI DSS V4 version, the latest version, was released in March 2022 and will become effective in 2024.

The standard is divided into 12 principal requirements to achieve compliance. Each one contains multiple individual must-have items. Organizations must fulfill all of them to achieve PCI DSS certification.

There are around 240 requirements in total in a deep checklist to ensure compliance and secure payment data worldwide.

The 12 PCI DSS principal requirements

1. Install and Maintain Network Security Controls;
   
   

2. Apply Secure Configurations to All System Components;
   
   

3. Protect Stored Account Data;
   
   

4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks;
   
   

5. Protect All Systems and Networks from Malicious software;
   
   

6. Develop and Maintain Secure Systems and Software;
   
   

7. Restrict Access to System Components and Cardholder Data by Business Need to Know;
   
   

8. Identify Users and Authenticate Access to System Components;
   
   

9. Restrict Physical Access to Cardholder Data;
   
   

10. Log and Monitor All Access to System Components and Cardholder Data;
    
    

11. Test Security of Systems and Networks Regularly;
    
    

12. Support Information Security with Organizational Policies and Programs.
    
    

An organization can meet a requirement in one of two ways:

• Way No. 1: The Defined Approach; and

• Way No. 2: The Customized Approach.
  
  

When thinking about PCI DSS, separate two concepts:

1. The written standard itself. It is a security standard, just like other security standards you may be familiar with, like ISO 27001 or the NIST Cybersecurity Framework.
   
   

2. The card brand compliance programs. They require participants in their payment systems to comply with the standard.

The Defined Approach contains a prescriptive requirement and a prescriptive testing procedure.

The prescriptive requirement describes the controls the organization needs to implement to meet the requirement.

The testing procedure says what an assessor has to do to validate that the requirement is met. As an example, a defined approach requirement is:

The deployed anti-malware solution(s):

• Detects all known types of malware;

• Removes, blocks, or contains all known types of malware.

And the associated testing procedure:

Examine the vendor documentation and configurations of the anti-malware solution(s) to verify that the selected option:

• Detects all known types of malware;

• Removes, blocks, or contains all known types of malware.

The Customized Approach was introduced in version 4 of PCI DSS, allowing organizations flexibility to choose how they meet the requirement.

Rather than following the prescriptive controls contained in the defined approach, the organization can pick its controls to meet the Customized Approach Objective. For the example above, the Customized Approach Objective is:

Malware cannot execute or infect other system components.

To prove that an organization’s controls meet the objective, a rigorous assessment process is defined within the PCI DSS standard.

If an organization wants to participate in a card brand’s network to issue payment cards or acquire payment transactions made with those cards, it must sign a contract with the card brand. That contract will contain references to the card brand’s rules, which will specify that:

• The organization has to comply with PCI DSS.
  
  

• The organization has to confirm that all of their third-party service providers that can affect the security of cardholder data comply with PCI DSS.
  
  

• If the organization acquires payment card transactions, the merchants that use the acquiring services must be PCI DSS-compliant.
  
  

Organizations are therefore required to comply with PCI DSS because of a contractual obligation:

• The contract between a merchant or retailer and the acquiring bank will require the merchant to be compliant.
  
  

• Contact between a financial institution that issues or accepts payment cards and a card brand will require the institution to be compliant.
  
  

• Any contracts between merchants or financial institutions with third-party service providers who either store, process, or transmit cardholder data or who provide technology services that could affect the security of cardholder data will require the service provider to be compliant.

The card brand rules specify how an organization has to demonstrate its compliance with PCI DSS, and this will either be by undergoing an independent assessment or by completing a self-assessment.

The Independent Assessment:

It is an annual activity that validates the 240 PCI DSS requirements by following the testing procedures defined in the standard. It has to be carried out by either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).  

QSAs work for independent professional services companies; ISAs work for the organization being assessed but are independent of any function responsible for managing controls and are typically based in departments such as internal audits.

The PCI SSC provides training and accreditation to Both QSAs and ISAs.

The result of an independent assessment is documented in a Report on Compliance (RoC). This can be summarized in an Attestation of Compliance (AoC). The AoC is typically given to any entity that asks for evidence of compliance. Large merchants and service providers are required to have these formal assessments.

The Self-Assessment:

Smaller merchants and service providers will be asked to complete a Self-assessment Questionnaire (SAQ).

Someone inside the organization goes through the PCI requirements and marks the ones they comply with.

A few different SAQs are tailored to the different ways merchants accept payment transactions. Each one of these contains a subset of the appropriate PCI DSS requirements.

Historically, brands used to levy monetary penalties on ​​organizations that did not meet their contractual requirement to comply with PCI DSS. This does not happen now. However, it is still a sanction available within card brand rules.

When an organization suffers a breach of the confidentiality of cardholder data, it will be subject to sanctions by the card brands. They are required to engage a PCI Forensic Investigator (PFI), who will undertake an investigation to determine:

1. The cause of the breach;
   
   

2. Whether the breach has been rectified and the attacker removed from the network;
   
   

3. Whether the organization was compliant with PCI DSS at the time of the breach; and
   
   

4. Which elements of non-compliance were contributory factors to the breach?
   
   

For some card brands, any non-compliance with PCI DSS at the time of the breach can affect the amount of the penalty levied on the organization.

[LEARN MORE] Myth buster: 10 of the most common PCI DSS myths busted

Any organization that suffers a breach of cardholder data has to have assessor audits in the years following the leak until the card brand is happy that the organization is committed to following the PCI DSS standard.