The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of the things in the world affecting information risk for April 14th through April 21st, 2023.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands such as Visa, MasterCard, American Express etc. It is administered by the Payment Card Industry Security Standards Council and its use is mandated by the card brands. The standard applies to any organization involved in the processing, transmission, and storage of credit card information. The PCI DSS designates four levels of compliance based on transaction volume. Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands.

Why is PCI DSS important for business?

PCI DSS is important for businesses because it contains technical requirements which protect and secure payment card data during processing, handling, storage, and transmission. All businesses that handle payment card data, no matter their size or processing methods, must follow these requirements and be PCI compliant. By following this standard, businesses can keep their data secure, avoiding costly data breaches and protecting their employees and customers. PCI DSS requirements help organizations safeguard their business and reduce the risk of cardholder data loss.

How does PCI DSS compliance demonstrate risk maturity?

PCI DSS compliance demonstrates risk maturity because it shows that an organization has taken steps to protect its customers’ sensitive data and reduce the risk of data breaches. By following PCI DSS standards, businesses can demonstrate that they have implemented security controls and processes to protect their customers’ payment card data. This can help build trust with customers and partners, as well as reduce the risk of financial losses due to data breaches.

Is PCI aligned with recognized standards like the NIST CSF?

Yes, PCI DSS aligns with recognized standards like the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). The NIST CSF provides a framework for managing cybersecurity risk and is designed to help organizations identify, assess, and manage cybersecurity risks. PCI DSS is one of the frameworks that can be used to implement the NIST CSF. The PCI DSS contains technical requirements which protect and secure payment card data during processing, handling, storage, and transmission.

What are some common risk management frameworks?

Some common risk management frameworks include ISO (International Organization for Standardization), NIST (National Institute of Standards and Technology), and RISK IT. These frameworks define how people leverage processes to manage technology, ensure oversight, and reduce an organization’s risk exposure. Other frameworks include COSO (Committee of Sponsoring Organizations of the Treadway Commission) and FAIR (Factor Analysis of Information Risk).

What are some benefits of PCI DSS compliance?

Some benefits of PCI DSS compliance include reducing the risk of security incidents and data breaches, building customer trust, avoiding fines and penalties, and meeting global data security standards. PCI DSS compliance means that your systems are secure, reducing the chances of data breaches. It only takes one high-profile security breach to cost you your customers’ loyalty, sink your reputation as a business, and lead to significant financial losses.

What is the PCI DSS Standard?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. The PCI DSS applies to any organization involved in the processing, transmission, and storage of credit card information.

What are the parts of the PCI DSS standard?

The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives. The six control objectives are:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access-control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

______________________________________________________________________________________________________________

The twelve requirements for compliance with PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

______________________________________________________________________________________________________________

How does a company get PCI certified?

To become PCI certified, a company must follow these steps:

  1. Determine your certification level
  2. Understand PCI DSS requirements
  3. Complete your ROC, AOC or SAQ
  4. Verify your status and commitment to following compliance standards
  5. Perform quarterly scans
  6. Communicate compliance with banks and payment companies

  • ROC stands for Report on Compliance, which is a form that merchants must fill out to report their compliance status with the Payment Card Industry Data Security Standards (PCI DSS).
  • AOC stands for Attestation of Compliance, which is a document that merchants must submit to their acquiring bank to show that they are compliant with the PCI DSS.
  • SAQ stands for Self-Assessment Questionnaire, which is a tool that merchants can use to assess their own compliance with the PCI DSS.

The entity that requires your PCI compliance (customers, acquiring bank, credit card companies) will usually specify in their request that you perform either a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ).

Any company that accepts credit or debit card payments needs to either complete an annual Self-Assessment Questionnaire (SAQ) or be assessed by a QSA to remain compliant with the PCI DSS. Only Level 1 merchants, or those that have suffered a significant hack that compromised important data, are required to use a QSA.

A QSA is a Qualified Security Assessor appointed by the PCI Council to validate merchants and service providers against the PCI DSS and verify whether or not they are compliant. To maintain their QSA credential, QSAs are required to complete a certain number of hours of educational activities every year.

Summary – Why is PCI certification so important?

PCI certification is important because it helps companies protect the security of their data by following best practices and established requirements, which can mitigate the risk of data breaches and help protect sensitive customer financial information. It can also help companies gain access to merchant processing vendors, enhance business security, improve customer confidence, and reduce the risk of penalties.

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

 Ready to Help!

If we can help you with risk management, ISO 27001 compliance, an emergency or you just need guidance with INFOSEC, please reach out to us.

Coming Soon

  • AI engines
  • HIPAA Compliance
  • SOC2
  • Political choices and reputational risk
  • GDPR

Copyright and Attribution Statement

  • Ernest M. Park, Airius, LLC, 2023

License

  • http://creativecommons.org/licenses/by/3.0/
