What Is PCI DSS? Overview, Requirements, and Benefits

PCI DSS was developed to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data and safeguard both consumers and businesses from financial fraud and reputational damage.

One of the central purposes of PCI DSS is to protect cardholder data from unauthorized access and potential misuse. This includes primary account numbers, cardholder names, expiration dates, and other sensitive information. The standard is also designed to minimize the risk of data breaches, which could result in unauthorized access or theft of payment card information. By implementing PCI DSS controls, organizations also help prevent and detect fraudulent activities related to payment card transactions.

It is important to note that PCI DSS requirements evolve over time to address new security threats, technological advancements, and changes in the regulatory landscape. Find the latest requirements at the PCI Security Standard Council website.

PCI DSS compliance requires organizations to address a range of potential vulnerabilities to ensure the security of cardholder data. Following are four common vulnerability areas that organizations must address to maintain PCI DSS compliance.

• Point of Sale (POS) Systems: POS systems handle sensitive payment card data during transactions and are susceptible to various vulnerabilities that can lead to data breaches and unauthorized access. Many POS systems run on outdated hardware and software that may not receive regular security updates, exposing vulnerabilities that attackers can exploit. Weak or default usernames and passwords on POS systems can also be exploited by attackers. In addition, POS systems also often involve third-party integrations. If these third-party vendors have weak security practices or if there are vulnerabilities in the supply chain, these can introduce risks to the overall system.
• Unsecured Wireless Networks: These can provide a potential entry point for attackers to compromise sensitive cardholder data, as unsecured wireless networks can be easily accessed by unauthorized individuals to connect to POS systems and other devices handling payment card information. In addition, wireless traffic may lack encryption, exposing transmitted data to interception and eavesdropping.
• Weak Access Controls and Authentication: When access controls are not robust, unauthorized individuals may gain entry to sensitive resources, increasing the risk of data breaches, unauthorized activities, and other security incidents. For instance, reliance on simple passwords without complexity requirements or poorly managed user accounts that do not effectively verify the identity of users can lead to the unauthorized viewing, modification, or exfiltration of sensitive payment information. PCI DSS also emphasizes the use of multi-factor authentication (MFA) to enhance the security of access controls. Users and systems should be given the minimum level of access or permissions required to perform their tasks, according to the principle of least privilege. Access rights should be tailored to specific job roles, responsibilities, and functions.
• Inadequate Encryption, Tokenization, and Data Storage: Failure to implement robust encryption, tokenization, and secure data storage measures can lead to PCI DSS non-compliance and increase the risk of data breaches and the compromise of sensitive payment card information. End-to-end encryption ensures that sensitive payment information is encrypted at the point of entry (at the POS) and remains encrypted throughout its journey through various systems and networks until it reaches its destination, where the recipient uses the correct key to decrypt the data. Alternatively, payment information can be tokenized, a process that involves substituting sensitive data, such as credit card numbers, with non-sensitive placeholder values called tokens. When a payment transaction occurs, the actual cardholder data is replaced with a unique token which has no intrinsic value and is useless to attackers without access to the tokenization system. Both encryption and tokenization help prevent eavesdropping or interception by malicious actors and maintain the confidentiality of cardholder data.

PCI DSS dictates a baseline of technical and operational requirements designed to protect payment account data. These requirements are detailed in the following six PCI DSS principles.

1. Build and Maintain a Secure Network and Systems

Protecting cardholder data begins with establishing a secure network infrastructure. This includes using firewalls to control and monitor traffic between networks and to restrict unauthorized access. Microsegmentation is another recommended security strategy that involves dividing a network into small, distinct segments to improve security by controlling “east-west” lateral traffic within the network and at the application or workload level to reduce the potential attack surface. Establishing vulnerability management best practices is also critical for ensuring that systems are patched and up to date.

2. Protect Cardholder Data

This principle focuses on the encryption and protection of cardholder data during transmission and storage to prevent unauthorized access to sensitive information. The requirement dictates the use of strong cryptography to protect cardholder data during transmission over public networks and developing data retention policies that avoid the storage of sensitive authentication data after authorization. Data protection policies also mandate the masking or truncation of primary account numbers (PANs) to minimize the risk of unauthorized access and exposure of sensitive cardholder information. According to PCI DSS requirements, the first six and last four digits of a PAN are the maximum number of digits displayed when the PAN is visible.

3. Maintain a Vulnerability Management Program

Maintaining a secure environment requires regularly identifying and addressing vulnerabilities. This includes conducting regular vulnerability scans, which alert companies to preexisting flaws in their code, and penetration tests, which determines whether unauthorized access or other malicious activity is possible by simulating real-world attacks to test the effectiveness of existing security measures. Promptly addressing any weakness found through scans or testing is critical to protect against possible compromise of systems and the cardholder data it may hold. In addition, organizations are required to develop and enforce secure coding guidelines, such as those outlined by organizations like OWASP, to prevent the introduction of vulnerabilities during the software development life cycle.

4. Implement Strong Access Control Measures

Restricting access to system components and cardholder data helps prevent unauthorized individuals or systems from gaining entry. PCI DSS dictates limiting access by business need-to-know, often referred to as the principle of least privilege, which maintains that a user or system should only have access to the specific data, resources, and applications needed to complete a required task. Similarly, role-based access controls (RBAC) restrict system access to authorized users based on their roles within an organization. These policies require that access controls are frequently reviewed and updated to reflect changes in personnel and roles. They also call for implementation of MFA for access to systems and cardholder data and for improving password policies and best practices.

5. Regularly Monitor and Test Networks

Continuous monitoring and testing are critical for detecting and responding promptly to security incidents. This involves implementing logging mechanisms, conducting regular security testing, and ongoing review of network activity. Network monitoring tools also include intrusion detection systems (IDS) and intrusion prevention systems (IPS) that analyze and assess the integrity of network traffic to identify attack patterns, abnormal activities, and unauthorized use. Organizations must also establish an incident response plan and emergency procedures and ensure that these processes are regularly tested.

6. Maintain an Information Security Policy

PCI DSS also requires that organizations establish and maintain a comprehensive security policy that sets the framework for protecting cardholder data and guiding security practices within the organization. The policy must be documented, regularly reviewed, and updated to reflect changes in technology and business processes. Organizations must also ensure that employees are aware of and trained on security policies and procedures.

Compliance with the following 12 PCI DSS requirements is essential for organizations to create a robust security posture, protect cardholder data, and minimize the risk of data breaches.

1. Install and maintain network security controls. Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control network traffic between two or more logical or physical network segments (or subnets). NSCs act as a barrier between secure internal network and external networks, and control incoming and outgoing traffic based on predetermined security rules or policies to help prevent unauthorized access to cardholder data.
2. Apply secure configurations to all system components. Changing default configurations ensures that systems are configured securely from the outset by reducing the risk of unauthorized access, as default passwords and settings are well-known to attackers. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data. Organizations are required to encrypt stored cardholder data to protect it from unauthorized access even if a breach occurs, rendering stolen data unreadable without the proper decryption keys.
4. Protect cardholder data with strong cryptography during transmission over open, public networks. This protects against eavesdropping and unauthorized access during data transmission.
5. Protect all systems and networks from malicious software. Regular updates to antivirus software and the use of anti-malware tools help prevent, detect, and remove malicious software, reducing the risk of compromise.
6. Develop and maintain secure systems and software. Develop applications with security in mind by stressing the importance of secure coding practices and ongoing maintenance of systems and applications. Regularly update and patch software to help address vulnerabilities that can be exploited by attackers.
7. Restrict access to system components and cardholder data by business need to know. Access controls limit access to cardholder data to only those individuals whose job requires it. This reduces the risk of unauthorized access and helps organizations adhere to the principle of least privilege.
8. Identify users and authenticate access to system components. Assign unique IDs and strong passwords to authenticate users. This helps ensure that only authorized individuals can access cardholder data. Multi-factor authentication can add an extra layer of security.
9. Restrict physical access to cardholder data. Physical access controls, such as entry restrictions and surveillance, help prevent unauthorized individuals from physically accessing systems that store cardholder data.
10. Log and monitor all access to system components and cardholder data. Log files, intrusion detection/prevention systems, and other tracking tools contribute to effective continuous monitoring, allowing organizations to detect and respond to suspicious activities promptly.
11. Test security of systems and networks regularly. Proactive testing, including vulnerability assessments and penetration testing, helps identify and address security weaknesses before attackers can exploit them.
12. Support information security with organizational policies and programs. Implement a comprehensive security policy for ongoing compliance that establishes the rules and guidelines for protecting cardholder data, and ensure that all personnel are aware of, trained in, and adhere to this policy.

PCI compliance levels are divided into four levels based on the total volume of credit, debit card, and prepaid card transactions over 12 months. Organizations must determine their transaction volume accurately and comply with the corresponding level's requirements to ensure and maintain PCI DSS compliance. Maintaining the appropriate level of compliance is critical for securing e-commerce transactions, maintaining a secure environment for cardholder data, and preventing potential breaches.

Level 1: Businesses with Over 6 Million Transactions Annually

PCI Compliance Level 1 is the highest and most stringent PCI DSS level and is designed to ensure the highest level of security for businesses that store, transmit, or process credit card data. In addition, merchants and service providers of any size that have been exposed to a breach or cyberattack resulting in the compromise of credit card or cardholder data must meet PCI Level 1 requirements. PCI Level 1 validation requires an annual report on compliance (ROC) by a qualified security assessor (QSA) or an internal security assessor, and typically also mandates penetration testing, which involves simulating real-world cyberattacks on computer systems and applications to identify vulnerabilities. PCI Level 1 validation also requires a quarterly network scan by an approved scanning vendor (ASV).

Level 2: Businesses with 1 to 6 Million Transactions Annually

PCI DSS Level 2 merchants must conduct a compliance assessment once a year using a self-assessment questionnaire (SAQ) and perform quarterly network scans by an ASV. They must also complete the Attestation of Compliance (AOC) Form. Like Level 1, some Level 2 merchants may be required to conduct penetration testing. An on-site PCI DSS audit is not required for Level 2 merchants unless they have experienced a data breach or cyberattack that compromises credit card or cardholder data.

Level 3: Businesses with 20,000 to 1 Million E-Commerce Transactions Annually

PCI DSS Level 3 merchants must complete the appropriate annual SAQ and perform a quarterly network scan by an ASV. The merchant must also complete and submit an AOC form.

Level 4: Businesses with Less than 20,000 E-Commerce Transactions or up to 1 Million Other Transactions Annually

PCI Level 4 merchants must complete the appropriate annual SAQ, and a quarterly ASV external network security scan may be required. The merchant must also complete and submit an AOC form. Not all card providers have Level 4 designations.

Adhering to the 12 PCI DSS requirements is critical for strengthening data security and contributing to overall compliance. The requirements work together to create a comprehensive framework for protecting cardholder data and preventing security breaches.

PCI DSS compliance demonstrates a commitment to securing sensitive cardholder data, assuring customers that their credit card details are handled with the highest standards of security, and fostering confidence in the business's ability to safeguard their personal information. In addition, businesses that adhere to PCI DSS are better positioned to defend against legal actions and regulatory penalties related to inadequate data security.

Maintaining PCI DSS compliance offers other long-term advantages as technology and security landscapes evolve. Adhering to PCI DSS requirements mean that organizations stay vigilant and are better equipped to prevent advanced and sophisticated attacks and can more quickly adapt to evolving cyber threats. PCI DSS adherence also fosters a security-centric culture within an organization that extends beyond compliance, encouraging ongoing efforts to strengthen data security practices.

As an example of how PCI DSS can help build (and rebuild) customer trust, in 2012 Global Payments, a major payment processing company, experienced a data breach that resulted in unauthorized access to sensitive payment card information. The breach affected about 1.5 million credit and debit cards, raising concerns about the security of payment transactions. Global Payments took immediate action to contain the breach and initiated an investigation to determine the extent of the compromise. Law enforcement agencies, including the U.S. Secret Service, were involved in the investigation.

In response to the breach, Global Payments committed to enhancing its security infrastructure and implementing additional measures to prevent similar incidents in the future. The company also committed to making a priority of achieving and maintaining compliance with PCI DSS requirements, which helped assure customers and stakeholders that Global Payments was taking concrete steps to secure payment data.

By proactively addressing security vulnerabilities, investing in enhanced security measures, and achieving PCI DSS compliance, Global Payments demonstrated a commitment to rebuilding trust. The company’s commitment to transparency, investment in security, and achieving PCI DSS compliance played pivotal roles in regaining customer confidence and rebuilding its reputation in the payment processing industry.

Complexity of Requirements

Executing the 12 PCI DSS requirements can pose multiple challenges for organizations because adequate resources, both in terms of personnel and technology, are needed for implementing and maintaining PCI DSS compliance. Organizations of all sizes may struggle to accurately define and limit the scope of their implementation but is particularly challenging for smaller businesses with limited budgets and expertise, or for those with legacy systems that must be updated to meet current PCI DSS standards. Businesses often rely on third-party vendors for various elements of the implementation but ensuring that these vendors comply with PCI DSS requirements and securing the supply chain is also a major responsibility.

Ongoing Maintenance

Maintaining compliance with PCI DSS is a continuing process and requires regular monitoring, testing, and assessments. This requires organizations to stay vigilant and update their security measures and patch management policies on a regular basis. Maintaining compliance also involves an ongoing commitment to regular testing of security systems and processes, including conducting thorough penetration tests and vulnerability assessments, which can be resource-intensive, may present logistical challenges, and strain resources over time.

Cost Implications

The cybersecurity landscape is constantly evolving, with new and sophisticated threats emerging regularly. PCI DSS compliance requires that companies continuously monitor and analyze the threat landscape to understand and keep ahead of these risks. Identifying and mitigating zero-day vulnerabilities also presents a significant challenge in maintaining PCI DSS compliance, as these vulnerabilities are unknown security flaws that threat actors exploit before vendors have a chance to release patches. Continuous improvement and a commitment to staying informed about the latest security trends are key to successfully navigating the challenges of keeping ahead of emerging threats while ensuring that PCI DSS compliance adapts to the dynamic nature of cyber threats.

Evolving Threat Landscape

The cybersecurity landscape is constantly evolving, with new and sophisticated threats emerging regularly. PCI DSS compliance requires that companies continuously monitor and analyze the threat landscape to understand and keep ahead of these risks. Identifying and mitigating zero-day vulnerabilities also presents a significant challenge in maintaining PCI DSS compliance, as these vulnerabilities are unknown security flaws that threat actors exploit before vendors have a chance to release patches. Continuous improvement and a commitment to staying informed about the latest security trends are key to successfully navigating the challenges of keeping ahead of emerging threats while ensuring that PCI DSS compliance adapts to the dynamic nature of cyber threats.

Visit the PCI Security Standard Council website for the latest information on PCI DSS compliance requirements, training and qualification information, and access to PCI qualified professionals. The site also offers an extensive resource library that includes FAQs, a glossary, and a handy PCI DSS quick reference guide.

PCI DSS compliance is essential for organizations that handle credit card transactions, as its requirements help ensure security of cardholder data, protection of transaction networks, and mandatory monitoring and testing of security systems. F5 offers a suite of application security products, services, and solutions to help your organization achieve and maintain PCI DSS compliance. In addition, F5 Distributed Cloud Services are PCI DSS complaint as a Level 1 service provider.

F5 also provides thought leadership for application security and protection strategies and insights through F5 Labs research, analysis, blogs, and reports.