What is the PCI DSS Compliance Framework?

PCI DSS stands for Payment Card Industry Data Security Standard. This compliance framework is an industry-mandated set of standards intended to keep consumers' card data safe when it is used with merchants and service providers. It is administered by the PCI Security Standards Council (PCI SSC), founded by leading payment card companies such as American Express, Discover, Mastercard, and Visa.

Although compliance with the standards put forth in the PCI DSS is not required of businesses by governments, the card companies that control these standards may levy fines against organizations that do not comply.

Who Does the PCI DSS Compliance Framework Apply To?

PCI DSS applies to all organizations, including merchants, banks, processors, developers, and more, that store, process, or transmit cardholder data. Actual validation of DSS compliance may not be necessary for those below a set threshold of annual transactions and may also depend on which payment cards you intend to accept at your place of business. Each PCI SSC founding member has its own compliance program to protect their cardholders’ data and should be contacted directly for specific requirements.

How Can I Accommodate the PCI DSS Compliance Framework?

There are six primary groups of requirements (goals) for proper compliance with the PCI DSS framework. Among these groups are distributed 12 separate requirements that need to be met individually. The six primary goals of the Payment Card Industry Data Security Standards and their accompanying 12 critical requirements are as follows:

1. Build and Maintain a Secure Network

• A firewall configuration must be installed to help adequately protect sensitive cardholder data.
• Unique passwords must be created to maximize system security. These passwords cannot be vendor defaults or otherwise untrustworthy.

2. Protect Cardholder Data

• Cardholder data that is kept in storage must be adequately protected from theft and unauthorized alteration.
• Whenever cardholder data is transmitted over open networks of any kind, it must be sufficiently encrypted to ensure it cannot be intercepted by third parties.

3. Maintain a Vulnerability Management Program

• Anti-virus software must be used to maintain the integrity of systems that process cardholder data.
• All systems and applications that are intended to process cardholder information must be made secure.

4. Implement Strong Access Control Measures

• Access to all cardholder information needs to be completely restricted on a business need-to-know basis.
• Unique identifiers must be assigned to individuals with computer access to systems that process cardholder data.
• Actual physical access to cardholder data should be restricted.

5. Regularly Monitor and Test Networks

• Access to any available resource within your network that handles cardholder data needs to be tracked and fully monitored.
• Tests should be regularly scheduled and implemented for all security systems functioning in your network.

6. Maintain an Information Security Policy

• Implement a functioning information security policy for both your employees and independent contractors. This includes creating technology usage policies and an employee security awareness program.
  

How Can I Comply with the PCI DSS?

Although there are a number of converging factors worthy of consideration where achieving compliance with the PCI DSS on a technical and organizational level is concerned, following a few useful tips and best practices can set you on the right track. 

Stick to Approved POS Tools

Point of Sale devices and programs need to be approved by the PCI Security Standards Council to guarantee their safety for your organization and customers.

You can consult their official database to determine whether or not your chosen POS solutions are approved.

Avoid Storing Cardholder Data at All

Ideally, you should keep cardholder data from touching your servers at all. This can be accomplished by using a third-party processing service instead. Make sure your third-party processor is approved by the PCI SSC before utilizing their services.

Incorporate the Use of Stronger Passwords into Every Part of Your System

The PCI SSC recommends the following for strengthening passwords:

• Commit to a regular password-changing schedule to keep your passwords from easily being guessed or deduced over time.
• Make sure that no one shares passwords within your organization.
• Replace vendor default passwords quickly and avoid simple alternatives such as "1234" or "secret."
  

Not only are good password management practices important for compliance, but they’re also a core component of effective cyber hygiene. 

Do Not Overlook Employee Training

Keep your staff members up to date on best practices as well as current standards surrounding the handling of cardholder information through a robust training program.  

The PCI DSS presents a streamlined rule set for simplifying the handling of cardholders' sensitive information. Safeguarding cardholders' data makes handling orders and purchases both locally as well as internationally much easier for consumers and businesses alike. The standards described in the PCI DSS keep the process of protecting such information clearly defined so that you can focus on implementation rather than low-level systems design. 

Zeguro Cyber Safety can help you comply with several PCI DSS requirements and reduce the risk of payment card data misuse through web vulnerability scanning, employee security training, and security policy templates. In addition, our cyber liability insurance provides a safety net in the event of a data breach and can help cover PCI DSS fines and penalties (subject to underwriting approval).