Understanding PCI DSS Compliance

According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities ordered by the risk associated with storing, processing, and transmitting cardholder data. Some requirements also mandate PCI SSC-approved third parties: for example, the quarterly external vulnerability scans required by Requirement 11.2.2 must be performed by an Approved Scanning Vendor (ASV).

PCI DSS compliance tools help automate and accelerate the Prioritized Approach when teams find their objectives bogged down in manual effort and self-attestation that is not trackable or reportable outside of spreadsheets.

The roadmap helps organizations achieve compliance, establish milestone target controls, and lower the risk of a cardholder data breach earlier in the compliance process; it also helps acquirers objectively measure the PCI DSS compliance activities and risk reduction of merchants, service providers, and others.

The Prioritized Approach for PCI DSS compliance was devised after factoring data from actual breaches and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors. 

PCI DSS Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data

Your firewall must reliably control all traffic entering and leaving your network. Both routers and firewalls are in scope for Requirement 1 wherever they carry traffic to or from the cardholder data environment (CDE).

PCI compliance tools can help track how often you test your firewalls and determine compliance against these requirements.

Formalize the process by which you test and review firewall and router configurations, and run it on a fixed cadence: PCI DSS requires a review of firewall and router rule sets at least every six months (1.1.7). Maintain a current network diagram that identifies every connection, wired or wireless, between the CDE and other networks (1.1.2).

Prohibit direct public access between the Internet and any system component in the CDE (1.3): inbound Internet traffic must terminate in a DMZ, and outbound traffic from the CDE to the Internet must be explicitly authorized.

Install personal firewall software (or equivalent functionality) on any portable computing device, company- or employee-owned, that connects to the Internet when outside the corporate network and is also used to access the CDE (1.4). These configurations must not be alterable by the device's user.
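The six-month rule-set review described above, as an added example that is not part of the original post or of any vendor's product: a small reviewer that reads a first-match firewall rule set and reports the Requirement 1 findings an assessor would raise. The zones, addresses and both rule sets are constructed for the example, the requirement numbers follow PCI DSS v3.2 (the version the post discusses), and `audit_rules` is a hypothetical helper, not a PCI SSC tool.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones for this example; the addresses belong to no real deployment.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # publicly reachable tier
    "cde": ipaddress.ip_network("10.20.0.0/24"),   # cardholder data environment
    "corp": ipaddress.ip_network("10.50.0.0/16"),  # general office network
}
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: str    # destination port, or "any"
    action: str  # "allow" or "deny"; first matching rule wins


def zone_of(cidr: str) -> str:
    """Name the zone that fully contains a CIDR; anything else counts as the Internet."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def audit_rules(rules):
    """Return (rule_index, requirement, message) findings for a first-match rule set.
    Hypothetical helper; requirement numbers follow PCI DSS v3.2."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append((i, "1.2.1", "permit-all rule defeats deny-by-default"))
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src == "internet" and dst != "dmz":
            findings.append((i, "1.3.2", f"inbound Internet traffic reaches the {dst} zone; it must terminate in the DMZ"))
        if src == "cde" and dst == "internet" and (r.dst == ANY or r.port == "any"):
            findings.append((i, "1.3.4", "outbound CDE traffic to the Internet is not limited to an explicit destination and port"))
        if r.port == "any" and src != dst:
            findings.append((i, "1.2.1", "all ports permitted between zones; allow only the services that are necessary"))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == ANY and last.dst == ANY):
        findings.append((len(rules), "1.2.1", "rule set does not end with an explicit deny-all"))
    return findings


# Constructed rule sets. WEAK_RULES shows the kind of drift a six-month review should catch.
WEAK_RULES = [
    Rule(ANY, "192.0.2.0/24", "443", "allow"),              # Internet -> DMZ web tier: fine
    Rule(ANY, "10.20.0.0/24", "3389", "allow"),             # RDP from anywhere straight into the CDE
    Rule("10.20.0.0/24", ANY, "any", "allow"),              # CDE may reach anything on the Internet
    Rule("192.0.2.0/24", "10.20.0.0/24", "8443", "allow"),  # DMZ -> CDE application port: fine
    Rule(ANY, ANY, "any", "allow"),                         # "temporary" troubleshooting rule, never removed
]                                                           # ...and no deny-all at the end

HARDENED_RULES = [
    Rule(ANY, "192.0.2.10/32", "443", "allow"),              # Internet -> one DMZ host, HTTPS only
    Rule("192.0.2.10/32", "10.20.0.5/32", "8443", "allow"),  # that host -> one CDE application server
    Rule("10.20.0.5/32", "198.51.100.7/32", "443", "allow"), # CDE -> payment processor endpoint (constructed)
    Rule(ANY, ANY, "any", "deny"),                           # everything else is denied
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for idx, req, msg in audit_rules(rules) or [(None, "-", "no findings")]:
            print(f"{label}: rule {idx} [{req}] {msg}")
```

Running the script lists four problem rules in WEAK_RULES plus the missing deny-all, and nothing for HARDENED_RULES. Feeding the reviewer a rule export on a schedule, and keeping its output as the evidence for 1.1.7, is the "trackable, reportable" version of the review the post asks for.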

PCI DSS Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks

Merchants that process cardholder data through point-of-sale systems, and the service providers that handle that data on their behalf, must protect it whenever it crosses networks they do not control. Information security teams often find Requirement 4 harder than it looks, because it covers every path the data takes, not only the checkout page.

Requirement 4.1 demands strong cryptography and secure protocols wherever cardholder data travels over open, public networks. In practice that means retiring SSL and early TLS (PCI DSS 3.2 set the cutoff at June 30, 2018) and configuring TLS 1.2 or later for publicly accessible e-commerce and cloud-based ordering systems alike. Requirement 4.2 adds that the primary account number must never be sent unprotected over end-user messaging technologies such as email, instant messaging, SMS, or chat; fax and these channels carry data in the clear unless you encrypt it explicitly, so keep debit and credit card data out of them entirely. PCI compliance tools can help organizations maintain their posture against these controls while minimizing duplicative effort across other frameworks and industry standards by mapping requirements across compliance controls.
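The protocol side of Requirement 4, as an added example that is not part of the original post: a client-side TLS context that would fail the requirement next to a hardened one, and a hypothetical `audit_tls_context` helper (not a PCI SSC or ASV tool) that reports the findings an assessor would raise. It assumes only the Python standard library's ssl module and a TLS 1.2 floor, which matches the SSL/early-TLS retirement in PCI DSS 3.2 Appendix A2 and treats TLS 1.1 as weak as well.

```python
import ssl

# Baseline this example enforces (an assumption for the example: PCI DSS 3.2
# Appendix A2 retired SSL and early TLS; TLS 1.1 is treated as weak here too).
MIN_TLS = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def weak_client_context() -> ssl.SSLContext:
    """A client context that fails Requirement 4: accepts whatever protocol
    version the OpenSSL build still supports, skips certificate validation and
    skips hostname checking, so an on-path attacker can terminate the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False       # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a forged one, is accepted
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """What "strong cryptography and security protocols" looks like in code:
    TLS 1.2 or later, a trusted CA bundle, certificate and hostname validation."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = MIN_TLS
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Hypothetical helper: return the Requirement 4 findings for a context."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the server certificate")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```

Pass the hardened context to whatever makes the outbound connection (for the standard library, `http.client.HTTPSConnection(host, context=ctx)`), and point `cafile` at your own trust bundle where an internal CA issues the payment gateway's certificate. The same three checks, protocol floor, certificate validation and hostname validation, are what an assessor verifies on the server side; changing one of them in the weak context and re-running the audit shows which finding it clears.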

PCI DSS Requirement 8.3: Two-Factor or Multi-Factor Authentication

Passwords alone are no longer sufficient to protect access to sensitive data: according to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed breaches involved weak, default, or stolen passwords. PCI DSS 3.2 replaced the "two-factor authentication" (2FA) wording with "multi-factor authentication" (MFA), clarifying that two factors are a minimum rather than a limit, and it widened the scope of Requirement 8.3: all individual non-console administrative access into the CDE (8.3.1), and all remote network access originating from outside the entity's network, whether by users, administrators, or third parties (8.3.2), must use MFA.

To satisfy this requirement, use at least two independent factors from different categories. Two factors of the same kind (a password plus a PIN, for example) do not count, and the factors must be independent, so that compromising one does not also compromise the other:

  • Something you know: a password, passphrase, or PIN
  • Something you have: a hardware token, smart card, or an authenticator app on a registered device
  • Something you are: a biometric such as a fingerprint or retinal scan
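How a knowledge factor and a possession factor combine in a login routine, as an added example that is not code from the original post: a salted PBKDF2 password check plus an RFC 6238 time-based one-time password (the "something you have" an authenticator app or token produces), written so that both factors are evaluated on every attempt and an intercepted code cannot be replayed. `UserRecord`, `enroll`, and `authenticate` are hypothetical names for this example; the TOTP secret `12345678901234567890` used in the demo is the published RFC 6238 test vector, not a real credential.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

TOTP_STEP = 30        # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now) // TOTP_STEP, digits)


@dataclass
class UserRecord:            # hypothetical credential store entry
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest time step already accepted; blocks replay


def enroll(password: str, totp_secret: bytes) -> UserRecord:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(salt, digest, totp_secret)


def check_password(user: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user.password_hash)


def match_totp(user: UserRecord, code: str, now: float, window: int = 1):
    """Return the time step that produced `code`, allowing +/- `window` steps of clock
    skew, or None. Steps at or below last_counter are refused so a code captured
    from one login cannot be replayed in another."""
    current = int(now) // TOTP_STEP
    for step in range(current - window, current + window + 1):
        if step <= user.last_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, step), code):
            return step
    return None


def authenticate(user: UserRecord, password: str, code: str, now=None) -> bool:
    """Both factors are evaluated every time (no short-circuit), so a failed login does
    not reveal which factor was wrong; the OTP step is consumed only when the whole
    login succeeds, so a typo in the password does not burn a valid code."""
    now = time.time() if now is None else now
    password_ok = check_password(user, password)
    step = match_totp(user, code, now)
    if password_ok and step is not None:
        user.last_counter = step
        return True
    return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 SHA-1 test vector secret
    user = enroll("correct horse battery staple", rfc_secret)
    print("code at t=59:", totp(rfc_secret, 59))  # RFC 6238 lists 94287082 for 8 digits
    print("login:", authenticate(user, "correct horse battery staple", totp(rfc_secret, 59), now=59))
    print("replay:", authenticate(user, "correct horse battery staple", totp(rfc_secret, 59), now=59))
```

The `window` of one step on either side absorbs the clock drift between a phone and the server; widening it weakens the factor, and the replay check is what keeps a code usable exactly once even inside that window. In a real deployment the secret would be provisioned to the user's device through an enrolment flow and stored encrypted, and the per-user `last_counter` would live in the same store as the password hash.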

Contact us to learn how CyberStrong can support your alignment with PCI DSS.

*** This is a Security Bloggers Network syndicated blog from CyberSaint Blog authored by Alison Furneaux. Read the original post at: https://www.cybersaint.io/blog/understanding-pci-dss-compliance