Does PCI DSS Apply to All Cards?<\/h3>\n\n\n\n
Technically, no. PCI DSS compliance is driven by credit card issuers. All major credit card issuers require PCI DSS compliance. These include: <\/p>\n\n\n\n
- \n
- Visa <\/li>\n\n\n\n
- Mastercard<\/li>\n\n\n\n
- Discover<\/li>\n\n\n\n
- American Express <\/li>\n\n\n\n
- Japan Credit Bureau (JCB)<\/li>\n<\/ul>\n\n\n\n
Other cards may choose to align with PCI DSS, or they may define their own set of rules. If your organization processes credit cards from other issuers, make sure you understand the issuer\u2019s specified standards.<\/p>\n\n\n\n\n
\n\n![\"JumpCloud\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/02\/image-1-1-aspect-ratio-160-110-1.png\")
\n <\/div>\n \n\n The IT Manager\u2019s Guide to Data Compliance Hygiene <\/p>\n
\n How to ace your audit <\/p>\n <\/div>\n
\n Get the Guide <\/a>\n <\/div>\n<\/div>\n\n\n\n\nThe 12 Requirements of PCI DSS Compliance<\/h2>\n\n\n\n
PCI DSS is defined by 12 main requirements of compliance, each of which has many subcategories and steps associated with it. <\/p>\n\n\n\n
- \n
- Install and maintain network security controls.<\/li>\n\n\n\n
- Apply secure configurations to all system components.<\/li>\n\n\n\n
- Protect stored account data.<\/li>\n\n\n\n
- Protect cardholder data with strong cryptography during transmission over open, public networks. <\/li>\n\n\n\n
- Develop and maintain secure systems and software.<\/li>\n\n\n\n
- Protect systems and software from malicious software.<\/li>\n\n\n\n
- Restrict access to system components and cardholder data on a \u201cneed to know\u201d basis.<\/li>\n\n\n\n
- Identify users and authenticate access to system components.<\/li>\n\n\n\n
- Restrict physical access to cardholder data.<\/li>\n\n\n\n
- Log and monitor all access to system components and cardholder data. <\/li>\n\n\n\n
- Test security systems and networks regularly.<\/li>\n\n\n\n
- Maintain ongoing security with organizational policies and programs. <\/li>\n<\/ol>\n\n\n\n
These 12 requirements can be broken down into six key objectives. Consider treating these six objectives as your overarching PCI DSS compliance goals as you develop your compliance plan. <\/p>\n\n\n\n
- \n
- Secure networks and systems.<\/strong>
Make sure your groundwork is secure so that anything you do with payment info is done over a secure network and with secure systems. This includes both implementing and maintaining these elements. Requirements one and two fall under this objective:\n- \n
- 1. Install and maintain network security controls.<\/li>\n\n\n\n
- 2. Apply secure configurations to all system components.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Protect account data.<\/strong>
<\/strong>Protect the critical account and cardholder data, both in transit and at rest. This includes requirements three and four:\n- \n
- 3. Protect stored account data.<\/li>\n\n\n\n
- 4. Protect cardholder data with strong cryptography during transmission over open, public networks. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Ongoing vulnerability management<\/strong>
<\/strong>Protect the controls you put in place with ongoing vulnerability management. This includes requirements five and six:\n- \n
- 5. Develop and maintain secure systems and software.<\/li>\n\n\n\n
- 6. Protect them from malicious software.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Access control<\/strong>
<\/strong>Access control is one of the most important elements of security, as it both limits sanctioned access and reduces the chances of malicious access.\n- \n
- 7. Restrict access to system components and cardholder data by Need to Know.<\/li>\n\n\n\n
- 8. Identify users and authenticate access to system components<\/li>\n\n\n\n
- 9. Restrict physical access to cardholder data.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Network monitoring and testing<\/strong>
Ensure ongoing security by monitoring and testing regularly.\n- \n
- 10. Log and monitor all access to system components and cardholder data. <\/li>\n\n\n\n
- 11. Test security systems and networks regularly.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Information security policies<\/strong>
This category embodies the final requirement:\n- \n
- 12. Maintain ongoing security with organizational policies and programs. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
The PCI DSS Audit Process<\/h2>\n\n\n\n
When you start preparing for a PCI DSS audit, it\u2019s helpful to know what to expect. This can help you define goals and benchmarks. <\/p>\n\n\n\n
The PCI DSS standards outline six major steps to achieving compliance:<\/p>\n\n\n\n
- \n
- Scope: <\/strong>Determine the scope of your PCI DSS assessment. Note that scope can be narrowed by segmenting the cardholder data environment (CDE) from the rest of the organization\u2019s network. As the PCI DSS standards put it: \u201cAt a high level, adequate segmentation isolates systems that store, process, or transmit account data from those that do not.\u201d<\/li>\n<\/ol>\n\n\n\n
- \n
- Assess:<\/strong> Assess the environment\u2019s alignment with PCI DSS standards. <\/li>\n<\/ol>\n\n\n\n
- \n
- Report:<\/strong> Complete the applicable assessment report according to PCI DSS guidance and instructions. Read on to learn more<\/a>. <\/li>\n<\/ol>\n\n\n\n
- \n
- Attest: <\/strong>Complete the Attestation of Compliance (AoC) based on the findings in steps 2 and 3. Read on to learn more about AoCs<\/a>.<\/li>\n<\/ol>\n\n\n\n
- \n
- Submit documentation:<\/strong> This includes any SAQ, RoC, and AoC, as well as any other requested documentation.<\/li>\n<\/ol>\n\n\n\n
- \n
- Remediate: <\/strong>If there were any identified gaps, work on remediating them so they end up in compliance with PCI DSS. Provide an updated report once remediated controls are in place. <\/li>\n<\/ol>\n\n\n\n
SAQ<\/h3>\n\n\n\n
The self-assessment questionnaire (SAQ) is to be completed by the organization undergoing the PCI DSS audit. It\u2019s designed to enable the organization to self-declare its compliance standing and means for accomplishing compliance. <\/p>\n\n\n\n
Organizations that fall under Levels 2-4 must complete an SAQ, which can take the place of an external audit. Level 1 companies must instead undergo an external audit. <\/p>\n\n\n\n
There are many different SAQs designed for different types of organizations. Review the different types<\/a> to determine which SAQ is right for your organization.<\/p>\n\n\n\n
RoC<\/h3>\n\n\n\n
The RoC, or Report on Compliance, is a reporting tool that documents the results of a PCI DSS assessment. The RoC is to be completed by an external Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), which is an internal employee who has received their ISA qualification through official PCI DSS training<\/a>. The RoC is typically required for all Level 1 organizations and some Level 2 organizations. <\/p>\n\n\n\n
AoC <\/h3>\n\n\n\n
The PCI Attestation of Compliance (AoC) is the PCI SSC form that attests to an organization\u2019s compliance. The AoC can come from either the SAQ or the RoC. <\/p>\n\n\n\n
Navigating PCI DSS Requirements<\/h2>\n\n\n\n
The 12 main requirements, outlined above, are broken down into several individual requirements. PCI DSS standards outline the following information for each requirement: <\/p>\n\n\n\n
- \n
- Requirement:<\/strong> This specifies the rule or standard you must comply with. It is usually stated as a concise and strategic outcome.
Example (Requirement 1.3): \u201cNetwork access to and from the cardholder data environment (CDE) is restricted.\u201d <\/em><\/li>\n\n\n\n- Defined Approach: <\/strong>PCI DSS standards grant you the flexibility to choose how <\/em>you comply. As such, it lays out both a defined<\/em> approach and a customized<\/em> approach for each requirement. The defined<\/em> approach specifies the means by which you must meet a requirement.
Example (Requirement 1.3): Inbound traffic to the CDE is restricted as follows: <\/em><\/li>\n<\/ul>\n\n\n\nA. To only traffic that is necessary.<\/em><\/p>\n\n\n\n
B. All other traffic is specifically denied. <\/em><\/p>\n\n\n\n
- \n
- Customized Approach: <\/strong>In contrast to the defined approach, the customized approach offers general guidelines for the requirement and allows you meet them however best suits your organization.<\/li>\n<\/ul>\n\n\n\n
Example (Requirement 1.3): Unauthorized traffic cannot enter the CDE. <\/em><\/p>\n\n\n\n
- \n
- Testing Procedure: <\/strong>The testing procedures state how the defined approach can be tested for compliance. <\/li>\n<\/ul>\n\n\n\n
Example (Requirement 1.3): <\/em><\/em> <\/em><\/em> <\/em><\/em> <\/em><\/em> <\/em><\/em> <\/em><\/em><\/em><\/p>\n\n\n\n
- \n
- Examine configuration standards for network security controls (NSCs) to verify that they define restricting inbound traffic to the CDE is in accordance with all elements specified in this requirement. <\/em><\/em> <\/em><\/em> <\/em><\/em><\/li>\n\n\n\n
- Examine configurations of NSCs to verify that inbound traffic to the CDE is restricted in accordance with all elements specified in this requirement. <\/em><\/li>\n<\/ol>\n\n\n\n
- \n
- Guidance: <\/strong>The guidance section offers context, tips, and helpful information for each requirement.<\/li>\n<\/ul>\n\n\n\n
Example (Requirement 1.3)<\/em>: The guidance for requirement 1.3 contains information regarding the requirement\u2019s purpose, a summary of relevant good practices, and examples of how a rule might be configured to satisfy the requirement.<\/p>\n\n\n\n
Start with Strong Fundamentals<\/h2>\n\n\n\n
The PCI DSS standards largely align with basic security best practices. Fortunately, you may already be doing many of them. If you have any identity and access management (IAM) <\/a>solutions in place, for instance, you\u2019re already equipped to comply with many of the PCI DSS standards.<\/p>\n\n\n\n
Requirement 1.3, for example, specifies that the CDE should only be accessible to necessary traffic, and all other traffic should be specifically denied. With the right IAM solution, an organization could create a rule that denies all access to the CDE unless a user belongs to a specific user group for necessary CDE traffic. <\/p>\n\n\n\n
A strong baseline of security and identity management will not only help you ace this audit, but it will also make compliance \u2014 with PCI DSS and other regulations \u2014 more painless in the future. That\u2019s because many IT and security compliance principles are based on the same security fundamentals. Increasingly, these fundamentals align with Zero Trust security, a security approach that centers around the identity rather than the outdated physical perimeter. Learn more about Zero Trust security.<\/a> <\/p>\n\n\n\n
More Compliance Guidance for IT Professionals<\/h2>\n\n\n\n
- Examine configurations of NSCs to verify that inbound traffic to the CDE is restricted in accordance with all elements specified in this requirement. <\/em><\/li>\n<\/ol>\n\n\n\n
- Examine configuration standards for network security controls (NSCs) to verify that they define restricting inbound traffic to the CDE is in accordance with all elements specified in this requirement. <\/em><\/em> <\/em><\/em> <\/em><\/em><\/li>\n\n\n\n
- Testing Procedure: <\/strong>The testing procedures state how the defined approach can be tested for compliance. <\/li>\n<\/ul>\n\n\n\n
- Defined Approach: <\/strong>PCI DSS standards grant you the flexibility to choose how <\/em>you comply. As such, it lays out both a defined<\/em> approach and a customized<\/em> approach for each requirement. The defined<\/em> approach specifies the means by which you must meet a requirement.
- Requirement:<\/strong> This specifies the rule or standard you must comply with. It is usually stated as a concise and strategic outcome.
- Remediate: <\/strong>If there were any identified gaps, work on remediating them so they end up in compliance with PCI DSS. Provide an updated report once remediated controls are in place. <\/li>\n<\/ol>\n\n\n\n
- Submit documentation:<\/strong> This includes any SAQ, RoC, and AoC, as well as any other requested documentation.<\/li>\n<\/ol>\n\n\n\n
- Attest: <\/strong>Complete the Attestation of Compliance (AoC) based on the findings in steps 2 and 3. Read on to learn more about AoCs<\/a>.<\/li>\n<\/ol>\n\n\n\n
- Report:<\/strong> Complete the applicable assessment report according to PCI DSS guidance and instructions. Read on to learn more<\/a>. <\/li>\n<\/ol>\n\n\n\n
- Assess:<\/strong> Assess the environment\u2019s alignment with PCI DSS standards. <\/li>\n<\/ol>\n\n\n\n
- Scope: <\/strong>Determine the scope of your PCI DSS assessment. Note that scope can be narrowed by segmenting the cardholder data environment (CDE) from the rest of the organization\u2019s network. As the PCI DSS standards put it: \u201cAt a high level, adequate segmentation isolates systems that store, process, or transmit account data from those that do not.\u201d<\/li>\n<\/ol>\n\n\n\n
- 12. Maintain ongoing security with organizational policies and programs. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- Secure networks and systems.<\/strong>