PCI DSS


PCI DSS Definition

PCI DSS stands for Payment Card Industry Data Security Standard. This global information security standard is designed to enhance control over credit card data in order to prevent fraud.
All businesses regardless of size must follow PCI DSS requirements if they accept credit card payments from the five major brands. Those brands are American Express, Discover, MasterCard, Visa, and the Japan Credit Bureau (JCB). For any organization that processes, stores, or transmits cardholder and payment data, PCI DSS compliance is required.

Diagram depicts the main pillars of PCI DSS, the payment card industry data security standard designed to enhance control over credit card data to prevent fraud.

FAQs

What is PCI DSS?

In practice, the basics of PCI DSS amount to keeping consumer card data safe online. Despite the sophistication of modern malware, data breaches, and cyberattacks, small businesses are held to the same scope of PCI DSS requirements as large ones.

The PCI DSS regulations are a group of operational and technical requirements designed to protect cardholder data. They are effectively the broader rules surrounding payment processing. The overall goal of PCI is to ensure that anyone processing, accepting, storing, or transmitting credit card data maintains a secure environment.

What Are the PCI DSS 12 Requirements?

The latest version of the requirements is PCI DSS 3.2. This version replaced version 3.1 in October 2016.
The PCI DSS compliance checklist consists of 12 requirements, grouped into 6 compliance goals. The 6 goals and their 12 requirements are:

Goal 1: Build and maintain a secure network and systems.
Requirement 1: Protect cardholder data by installing and maintaining a firewall configuration.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters; configure your own settings and passwords instead.

Goal 2: Protect cardholder data.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Goal 3: Maintain a vulnerability management program.
Requirement 5: Use anti-virus and anti-malware software and keep it regularly updated.
Requirement 6: Develop and maintain applications and systems that are secure by routinely updating and patching them.

Goal 4: Implement strong access control measures.
Requirement 7: Limit access to cardholder data based on “need to know” business justification.
Requirement 8: Authenticate each person with access so they have a unique identity in the system.
Requirement 9: Restrict physical access to all sensitive data, including cardholder and workplace data.

Goal 5: Regularly monitor and test networks.
Requirement 10: Monitor and track all access to cardholder data and network resources by implementing log management.
Requirement 11: Regularly conduct penetration tests and vulnerability scans to test security processes and systems.

Goal 6: Maintain an information security policy.
Requirement 12: This policy should address information security for all personnel and include risk assessments and documentation.

What Do PCI DSS Levels Mean?

PCI DSS applies to every company or organization that stores, transmits, or accepts cardholder data, regardless of the number of transactions or the size of the business. This means that if just one donor or customer uses a credit or debit card, PCI DSS security requirements apply.

PCI DSS defines four compliance levels for validating businesses. These levels are based on total transaction volume across a period of 12 months.

PCI DSS Level 1 businesses process more than 6 million transactions a year. Level 2 organizations process fewer transactions annually—between 1 million and 6 million. Level 3 companies process 20,000 to 1 million transactions, and Level 4 businesses process fewer than 20,000 transactions.

What is PCI DSS Outsourcing?

PCI DSS outsourcing refers to the practice of delegating some PCI DSS compliance tasks to a third party. For example, some small businesses might choose to use a PCI-compliant third-party service provider such as PayPal.

The goal is to limit their exposure, or the scope of the compliance rules that apply to them. In the PayPal example, a small business might avoid accessing and storing the credit card data of shoppers who use PayPal on its commerce website.

However, use of a third-party provider or other outsourcer does not eliminate PCI DSS requirements. In fact, in January 2019, the PCI Security Standards Council (PCI SSC) updated its recommendations to include several new principles. One of them directs businesses to be “Monitoring Compliance of Third-Party Service Providers.”

Why PCI DSS is Important

It is critical for businesses to remain PCI compliant because data theft and data breaches are extremely common. These issues impact all payment parties negatively in myriad ways. To protect both consumers and your own businesses from damages resulting from a data breach, ongoing compliance—not just spot checks or point-in-time validation—is essential.

Consumers expect PCI DSS compliant applications from businesses because they keep sensitive information safer. Furthermore, to access any major credit card company's services, it is essential to follow PCI DSS best practices.

What is a PCI DSS Audit?

There is a difference between a PCI assessment and a PCI DSS audit. Merchants can perform PCI DSS assessments themselves, to simply take stock of their current practices. These are typically voluntary, and conducted in-house to bring a business up to compliance.

On the other hand, only a Qualified Security Assessor (QSA) can perform a PCI DSS audit. The PCI Security Standards Council publishes the names of qualified security assessors.

Many larger Level 1 businesses will conduct a PCI DSS audit voluntarily. However, sometimes credit card companies mandate these audits for organizations of any size that have experienced data breaches. When they do, the audit is mandatory for any businesses wanting to continue to use credit card services.

To achieve PCI DSS certification after an audit, the QSA must collect all of the evidence and then document in a report that the business complies with all PCI DSS requirements. Typically the report includes a discussion of security configurations and processes. This type of recertification assessment is usually performed yearly.

How Does Avi Help Your Business Achieve PCI DSS Compliance?

Avi Networks enables you to secure your business’s web applications to achieve compliance—across a host of regulatory landscapes. The 2018 and 2019 Verizon Data Breach Investigations Reports found that web application attacks rank #1 and that security breaches are on the rise. Achieve more with a comprehensive range of security features, including Avi iWAF:

  • Compliance with PCI, HIPAA, and GDPR
  • Detailed, point-and-click audit trails and logs of application accesses and traffic flows
  • Enable more precise security policies with app insights on rule matches and traffic flows
  • Automatic scale-out, highly performant architecture enables elastic scale
  • Gain central control over security policies with point-and-click simplicity