PCI DSS Part 1: Where to Start?

Written by Daniel Fay on September 8, 2020


In the expanding world of online retail and e-commerce, credit institutions created an international standards council to regulate, secure, and enforce a common standard: the Payment Card Industry Data Security Standard (PCI DSS). For companies that handle card payments, security is paramount to meeting the PCI DSS requirements and achieving compliance. IT administrators are responsible for ensuring that the company and the assets it controls are secure, controlled, and audited regularly. To help you prepare for a PCI DSS audit, we'll cover several of the main requirements needed to get started.

PCI DSS: A Security Standard

As online retailers and electronic payments are on the rise, there is an increasing demand for stronger security practices globally. The Security Standards Council is the group that works with the credit card companies (American Express®, VISA®, MasterCard®, Discover®, JCB®) to create, regulate, and enforce the PCI DSS security standard.

PCI DSS started with Version 1.0 in 2004 to create a fundamental standard for regulating how payments are processed securely. As PCI grew over the years alongside a rapidly growing tech industry, the DSS requirements became stricter, more scoped, and more complex.

Looking at the current version of the PCI DSS standards and Quick Reference Guide, we’ll dive into a discussion around different approaches to achieve compliance. 

Practice Security, Preach Practice

Like many other security compliance regimes, PCI comes with its own rules, regulations, clauses, and audits.

This chart outlines the sub-item requirements that help you reach the compliance goals and standards. The strongest security approaches pair least-privilege access with zero trust. By building a strong foundational security practice, the subsequent actions needed to achieve compliance become natural and easier to define.

Securing and protecting cardholder data is the primary objective of PCI DSS standards, but it’s not as simple as enabling encryption or locking down the data store where the information is held. Implementing strong network access restrictions, device management, internal auditing & monitoring, and continual training are only a few of the related tasks you will consider when approaching PCI compliance. Security is a practice and mindset, not a check-it-off-the-list line item.

Managing employee access to applications, systems, and information stores is critically important. By granting employees only the access that is absolutely necessary for their role, department, or organizational need, you nullify some of the risk of access-related breaches. In tandem, by enforcing network security through VPN, VLAN tags, RADIUS-based authentication, and firewalls, you control the traffic to and from secured resources. Devices are another attack vector, not only for external bad actors but also for internal ones. By securing devices with strong policies, anti-virus, standard (non-administrative) user access, and an MDM or RMM tool, you can ensure that employees and their devices meet the PCI DSS specification.

Progress Forward — Work Outward

Security-focused admins continually monitor how well their employees follow best practices. Security is not a flip of a switch: there are many areas to secure, monitor, and audit routinely.

Sometimes the simplest approach to a complex security standard is to start at the root of the goal and work outward. Start where the cardholder data is held, then check who and what has access to the data, whether the data is encrypted, why it is accessed, and how it is accessed. This core is called your cardholder data environment (CDE), and defining it helps with security as well as tightly scoping your audit. This very first step lets you build a strong, secure boundary between the cardholder data and anything outside its storage.

Expanding out from the core view, look at the network connections, user access, device access, monitoring reports, and auditing cadences. Like the layers of an onion, each stratum helps safeguard the core so it can operate effectively and efficiently. The more you build strong, well-defined security layers outward from the core, the closer you get to compliance. This way you actively build a comprehensive security practice that is well defined and monitored, while ensuring that assets, access, and data are all protected.
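One way to turn the core-outward approach into a repeatable check, as an added example that is not from the article or from JumpCloud: a constructed system inventory is labelled by network hop distance from the cardholder data (layer 0 is the CDE), and the core questions above (is the data encrypted, who has access, and is that access justified by role) become review findings. The inventory, roles, and access list are all made up for the example.

```python
from collections import deque

# Constructed sample inventory (not from the article): whether each system
# stores/processes/transmits cardholder data (CHD), whether that data is
# encrypted at rest, and which other systems it has network connectivity to.
SYSTEMS = {
    "card-db":      {"chd": True,  "encrypted": True,  "connects_to": ["pay-api"]},
    "pay-api":      {"chd": True,  "encrypted": True,  "connects_to": ["card-db", "log-host"]},
    "batch-export": {"chd": True,  "encrypted": False, "connects_to": ["card-db"]},
    "log-host":     {"chd": False, "encrypted": False, "connects_to": ["pay-api", "wiki"]},
    "wiki":         {"chd": False, "encrypted": False, "connects_to": ["log-host"]},
    "hr-portal":    {"chd": False, "encrypted": False, "connects_to": []},
}

# Constructed access list (user, role, system) and the systems each role is
# expected to need; anything outside this map is access beyond the role.
ACCESS = [("alice", "dba", "card-db"), ("bob", "marketing", "card-db"), ("carol", "sre", "log-host")]
ROLE_ALLOWED = {"dba": {"card-db"}, "sre": {"pay-api", "log-host"}, "marketing": {"wiki"}}


def layers(systems):
    """Hop distance of every system from the cardholder data, working outward.
    Layer 0 is the CDE itself; connectivity is treated as bidirectional.
    Systems with no path to the CDE are left out of the result."""
    adj = {name: set() for name in systems}
    for name, info in systems.items():
        for peer in info["connects_to"]:
            adj[name].add(peer)
            adj[peer].add(name)
    dist = {name: 0 for name, info in systems.items() if info["chd"]}
    queue = deque(dist)
    while queue:                     # breadth-first search from the CDE outward
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def findings(systems, access, role_allowed):
    """Turn the core questions into findings: unencrypted CHD stores, and
    user access to a system that the user's role does not justify."""
    out = []
    for name, info in systems.items():
        if info["chd"] and not info["encrypted"]:
            out.append(f"{name}: cardholder data stored without encryption")
    for user, role, system in access:
        if system not in role_allowed.get(role, set()):
            out.append(f"{user} ({role}): access to {system} not justified by role")
    return out
```

Run `layers(SYSTEMS)` to see which systems sit in each layer around the CDE, and `findings(SYSTEMS, ACCESS, ROLE_ALLOWED)` to list what an audit would flag first.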

Next in the series: PCI DSS — Unify, Manage, and Secure Assets

As we continue this three-part blog series, the next article will cover how admins can use different parts of JumpCloud’s cloud directory platform to unify, manage, and secure their organization. You can find Part 2 here.


Daniel Fay

Daniel Fay is a Product Marketing Manager at JumpCloud.
