What is PCI-DSS?
PCI DSS is an acronym for “Payment Card Industry Data Security Standard.” This standard was developed by the PCI Security Standards Council. Any business which stores, processes or transmits cardholder data must be compliant with PCI DSS.
The PCI DSS standard establishes the security strategies that merchants must follow to protect cardholder data. The breach or theft of cardholder data impacts the entire payment card lifecycle. Customers whose card data is stolen can see their credit negatively impacted, and the personal consequences can be enormous. When merchants, banks and other financial institutions lose the trust of their clientele, they also endure negative institutional consequences.
What Are The 6 Major Principles of PCI DSS?
Ensure that you create and maintain a secure network
Cardholder data refers to any information printed, processed, transmitted, or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally or transmitted over an internal or public network to a remote server or service provider.
Secure Network Requirements:
- Change all passwords provided by vendors to complex unique ones.
- Restrict both inbound and outbound traffic to your payment systems to only what is necessary.
- Avoid the use of “Any” in firewall allow rules.
- “Deny all” traffic that you do not specifically authorize.
- Permit only “established” connections into your network (for example, via stateful packet inspection or dynamic packet filtering).
- Turn on intrusion detection and intrusion blocking, if available.
- Turn on notifications.
- Turn on Network Address Translation (NAT) to hide your internal addresses from the Internet.
- Check for and install firewall updates (or patches) to address new vulnerabilities as soon as the patch is available.
- Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
- Develop and update configuration standards for all system components that address all known security vulnerabilities.
- Using strong cryptography, encrypt all non-console administrative access.
- Maintain an inventory of system components that are in scope for PCI DSS.
- Ensure that related security policies and operational procedures are documented, in use, and known to all.
- Shared hosting providers must protect each entity’s hosted environment and cardholder data.
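Several of the firewall requirements above (no “Any” in allow rules, an explicit “deny all” for unauthorized traffic) can be checked mechanically. The following is an added example, not code from the original page or from ControlCase: it lints a simplified rule list and reports allow rules that use “any”, chains with no final deny-all, and rules shadowed behind that deny. The rule format and the sample policy (with 10.10.20.0/24 standing in for a cardholder data environment) are hypothetical, not any vendor's syntax.

```python
"""Lint a simplified firewall policy against the secure-network requirements:
no "any" in allow rules, an explicit final deny-all in each direction, and no
rules left unreachable behind that deny.  Added example; the rule format is a
hypothetical simplification, not any vendor's syntax."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" (toward the payment systems) or "out"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    port: str       # TCP/UDP port, range, or "any"

    def is_deny_all(self) -> bool:
        return self.action == "deny" and (self.src, self.dst, self.port) == ("any", "any", "any")


def lint_policy(rules):
    """Return a list of human-readable findings for the given ordered rules."""
    findings = []
    for direction in ("in", "out"):
        chain = [(i, r) for i, r in enumerate(rules) if r.direction == direction]
        deny_seen = False
        for i, r in chain:
            if deny_seen:
                # Anything after a deny-all never matches: a sign of a sloppy or tampered policy.
                findings.append(f"rule {i}: unreachable, placed after the {direction}bound deny-all")
                continue
            if r.action == "allow" and "any" in (r.src, r.dst, r.port):
                findings.append(f"rule {i}: allow rule uses 'any' ({direction}: {r.src} -> {r.dst}:{r.port})")
            if r.is_deny_all():
                deny_seen = True
        if not deny_seen:
            findings.append(f"{direction}bound chain has no explicit final deny-all rule")
    return findings


# Constructed sample policy: 10.10.20.0/24 is a hypothetical cardholder data environment.
SAMPLE_POLICY = [
    Rule("allow", "in",  "203.0.113.0/24",  "10.10.20.5/32", "443"),   # partner API only: fine
    Rule("allow", "in",  "any",             "10.10.20.0/24", "22"),    # SSH from anywhere: flagged
    Rule("deny",  "in",  "any",             "any",           "any"),   # explicit inbound deny-all
    Rule("allow", "in",  "198.51.100.7/32", "10.10.20.5/32", "3389"),  # shadowed by the deny: flagged
    Rule("allow", "out", "10.10.20.0/24",   "any",           "any"),   # unrestricted egress: flagged
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample policy it reports four findings: the SSH-from-anywhere rule, the unreachable RDP rule, the unrestricted outbound rule, and the missing outbound deny-all. The same walk over a real export (after translating the vendor's syntax into `Rule` objects) is a cheap pre-audit check.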
Protect Your Clients’ Cardholder Data
Cardholder data refers to any information stored in any form on a payment card. Businesses accepting payment cards are expected to protect cardholder data and to prevent its unauthorized use – whether the data is printed or stored locally or transmitted over an internal or public network to a remote server or service provider.
Cardholder Data Requirements:
- Limit cardholder data storage and retention time to that which is required for business and purge unneeded data at least quarterly.
- Do not store authentication data after authorization (even if it is encrypted).
- Mask PAN when displayed so that only authorized people with a legitimate business need can see more than the first six/last four digits.
- Render PAN unreadable anywhere it is stored.
- Implement procedures to protect any keys used for encryption of cardholder data from disclosure and misuse.
- Implement key management processes and procedures for cryptographic keys used for encryption of cardholder data.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
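The PAN requirements above (mask to first six/last four on display, render the PAN unreadable wherever it is stored) translate directly into a few small functions. The example below is added here and is not code from the original page or from ControlCase. It masks a PAN for display, keeps only a truncated form for storage, derives a keyed hash (HMAC-SHA256) so records can be matched to a card without storing the PAN, and scrubs full PANs out of free text such as log lines, using a Luhn check to avoid masking other long numbers. The key and the test card number are constructed placeholders; a real key would be held and rotated under the key-management procedures the list calls for.

```python
"""Protect and redact PANs: mask for display (first six, last four), store
only a truncated form or a keyed hash, and scrub full PANs out of free text.
Added example with constructed data; the key below is a placeholder."""
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a likely PAN from any other long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, everything else masked."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only BIN and last four; it cannot be reversed."""
    return pan[:6] + pan[-4:]


def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed hash so a card can be looked up without storing the PAN.
    An unkeyed hash would be brute-forceable because the PAN space is small
    once the BIN is known; the secret key is what makes it unreadable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


_PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run with its masked form."""
    return _PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)


# Constructed sample values: a well-known test card number and a placeholder key.
TEST_PAN = "4111111111111111"
PLACEHOLDER_KEY = b"replace-with-key-from-your-kms"

if __name__ == "__main__":
    print(mask_pan(TEST_PAN))
    print(truncate_pan(TEST_PAN))
    print(pan_index_token(TEST_PAN, PLACEHOLDER_KEY))
    print(redact_pans("order=8812 card=4111111111111111 ref=1234567890123456"))
```

The `redact_pans` helper is the piece worth wiring into a logging pipeline: it only touches digit runs that pass Luhn, so an order reference like `1234567890123456` (which fails the checksum) is left intact while the test PAN becomes `411111******1111`.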
Maintain a vulnerability management program
Vulnerability management is the process of finding weaknesses in a business’s payment card system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
Vulnerability Management Requirements:
- Deploy anti-virus software on all systems commonly affected by malicious software.
- Ensure that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs.
- Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Implement strong access control measures
Access controls allow businesses to permit or deny access to PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access controls entail the use of locks or other means to restrict access to computer media, paper-based records, or system hardware. Logical access controls permit or deny use of payment devices, wireless networks, PCs and other computing devices, and also control access to digital files containing cardholder data.
Access Control Requirements:
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems.
- Deny all access to anyone who is not specifically allowed to access cardholder data and systems.
Regularly monitor and test networks
Physical and wireless networks are the glue connecting all endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems present opportunities for criminals to gain unauthorized access to payment card applications and cardholder data. To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities.
Monitoring and Testing Requirements:
- Implement audit trails to link all access to system components to each individual user.
- Implement automated audit trails for all system components.
- Record audit trail entries for all system components for each event.
- Synchronize all critical system clocks and times and implement controls for acquiring, distributing, and storing time.
- Secure audit trails so they cannot be altered.
- Review logs and security events for all system components to identify anomalies or suspicious activity.
- Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.
- Service providers must implement a process for timely detection and reporting of failures of critical security control systems.
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
- Implement processes to test for the presence of wireless access points.
- Maintain an inventory of authorized wireless access points and implement incident response procedures in the event unauthorized wireless access points are detected.
- Run internal and external network vulnerability scans at least quarterly.
- Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually.
- Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.
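Reviewing logs for anomalies (and the related requirements to tie every access to an individual user and keep clocks synchronized) is usually automated. The script below is an added example, not code from the original page or from ControlCase. It walks a handful of constructed audit-trail lines in a hypothetical `timestamp key=value` format and flags three things: entries made under a shared or generic account that cannot be linked to one person, cardholder-data actions by users outside the need-to-know list, and timestamps that run backwards beyond a tolerance, which on a merged trail usually means an unsynchronized clock. The account names, action names and the authorized-user list are all assumptions for the example.

```python
"""Automated audit-trail review for three of the monitoring requirements:
every access ties to an individual user, cardholder-data access is limited to
authorized people, and system clocks agree.  Added example; the log format and
the names in it are hypothetical, not from any real product."""
from datetime import datetime, timedelta

# Constructed sample trail: ISO-8601 timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=app01 user=alice action=view_pan result=success
2024-05-01T10:00:05Z host=app01 user=bob action=view_pan result=success
2024-05-01T09:58:00Z host=db01 user=root action=backup result=success
2024-05-01T10:01:00Z host=app01 user=alice action=login result=failure
2024-05-01T10:01:02Z host=app01 user=carol action=login result=failure
"""

SHARED_ACCOUNTS = {"root", "admin", "administrator", "ops", "service"}  # assumed generic logins
CHD_ACTIONS = {"view_pan", "export_table"}                              # assumed cardholder-data actions
AUTHORIZED_FOR_CHD = {"alice"}                                           # assumed need-to-know list
CLOCK_TOLERANCE = timedelta(seconds=30)


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v' into a dict with a parsed datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def review_audit_trail(text: str) -> list:
    """Return (line_number, finding_kind, detail) tuples for suspicious entries."""
    findings = []
    latest = None  # newest timestamp seen so far on the merged trail
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["user"] in SHARED_ACCOUNTS:
            findings.append((n, "shared-account", f"{e['user']} on {e['host']} cannot be tied to an individual"))
        if e["action"] in CHD_ACTIONS and e["user"] not in AUTHORIZED_FOR_CHD:
            findings.append((n, "unauthorized-chd-access", f"{e['user']} performed {e['action']}"))
        if latest is not None and e["ts"] < latest - CLOCK_TOLERANCE:
            findings.append((n, "clock-skew", f"{e['host']} logged {e['ts'].isoformat()} after {latest.isoformat()}"))
        latest = e["ts"] if latest is None else max(latest, e["ts"])
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in review_audit_trail(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

On the sample trail the review produces three findings: `bob` viewing a PAN without being on the authorized list, and the `db01` entry both running under `root` and carrying a timestamp more than two minutes behind the entry before it. Retention is not checked here; the one-year/three-month rule in the list above is a property of the log store rather than of individual entries.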
Maintain an Information Security Policy
A strong security policy sets the tone for security across the entire organization, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.
Security Policy Requirements:
- Establish, publish, maintain, and disseminate a security policy.
- Implement a risk assessment process that is performed at least annually.
- Develop usage policies for critical technologies to define their proper use by all personnel.
- Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
- Assign information security responsibilities to an individual or team.
- Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
- Maintain and implement policies and procedures to manage service providers with which cardholder data is shared.
- Service providers must acknowledge in writing to customers that they are responsible for the security of the cardholder data that they possess.
- Implement an incident response plan. Be prepared to respond immediately to a system breach.
- Service providers must perform and document reviews at least quarterly to confirm personnel are following security policies and operational procedures.
Conclusion
The PCI-DSS standards outline the minimum security features that businesses are required to implement in order to reduce the chance of a data breach. The above is a summary of the 6 Major Principles of the PCI DSS.
For more information, please contact us at contact@controlcase.com