Learn about the Payment Card Industry Data Security Standard (PCI DSS), which was jointly developed to simplify compliance for merchants and payment processors.
First issued in 2004, the PCI DSS is a set of security standards developed by five major payment card brands that are designed to keep payment data safe from theft and exploitation. Any business or organization that deals with payment card data—whether processing, transmitting, or storing data—needs to abide by the PCI DSS standards or risk serious consequences, including financial penalties, legal actions, or termination of merchant accounts.
PCI DSS was developed to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data and safeguard both consumers and businesses from financial fraud and reputational damage.
One of the central purposes of PCI DSS is to protect cardholder data from unauthorized access and potential misuse. This includes primary account numbers, cardholder names, expiration dates, and other sensitive information. The standard is also designed to minimize the risk of data breaches, which could result in unauthorized access or theft of payment card information. By implementing PCI DSS controls, organizations also help prevent and detect fraudulent activities related to payment card transactions.
It is important to note that PCI DSS requirements evolve over time to address new security threats, technological advancements, and changes in the regulatory landscape. Find the latest requirements at the PCI Security Standards Council website.
PCI DSS compliance requires organizations to address a range of potential vulnerabilities to ensure the security of cardholder data. Following are four common vulnerability areas that organizations must address to maintain PCI DSS compliance.
PCI DSS dictates a baseline of technical and operational requirements designed to protect payment account data. These requirements are detailed in the following six PCI DSS principles.
Protecting cardholder data begins with establishing a secure network infrastructure. This includes using firewalls to control and monitor traffic between networks and to restrict unauthorized access. Microsegmentation is another recommended security strategy that involves dividing a network into small, distinct segments to improve security by controlling “east-west” lateral traffic within the network and at the application or workload level to reduce the potential attack surface. Establishing vulnerability management best practices is also critical for ensuring that systems are patched and up to date.
This principle focuses on the encryption and protection of cardholder data during transmission and storage to prevent unauthorized access to sensitive information. The requirement dictates the use of strong cryptography to protect cardholder data during transmission over public networks and the development of data retention policies that avoid storing sensitive authentication data after authorization. Data protection policies also mandate the masking or truncation of primary account numbers (PANs) to minimize the risk of unauthorized access and exposure of sensitive cardholder information. According to PCI DSS requirements, the first six and last four digits of a PAN are the maximum number of digits displayed when the PAN is visible.
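The display rule above (at most the first six and last four digits visible) is easy to implement but easy to get wrong in logging code. The following is an added example, not code from the original article or from F5: a `mask_pan` helper that enforces the six/four cap, plus an assumed `scrub_log` helper that applies the same rule to log lines so full PANs never reach a log file. The Luhn check is included so ordinary digit runs (order numbers, timestamps) are not mistaken for PANs.

```python
"""Added example (not from the article): PCI DSS PAN masking and log scrubbing.
`scrub_log` and its regex are this example's own assumption of how a defender
might apply the six/four display rule to logs before they are written."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Return the PAN with all but the allowed leading/trailing digits
    replaced by 'X'. Callers may ask for fewer digits, never more: lead
    is capped at 6 and trail at 4, the PCI DSS display maximum."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    lead, trail = min(lead, 6), min(trail, 4)
    return digits[:lead] + "X" * (len(digits) - lead - trail) + digits[-trail:]


# 13-19 digits, optionally separated by spaces or hyphens (assumed pattern).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_log(line: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in a log line with its masked
    form; runs that fail the Luhn check are left untouched."""
    def _repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_repl, line)


# Constructed sample log line: the card number is the well-known Visa test
# PAN; the order id is a 13-digit run that is not Luhn-valid.
SAMPLE = "2024-01-01 auth ok card=4111111111111111 order=1234567890123"

if __name__ == "__main__":
    print(scrub_log(SAMPLE))
```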
Maintaining a secure environment requires regularly identifying and addressing vulnerabilities. This includes conducting regular vulnerability scans, which alert companies to preexisting flaws in their code, and penetration tests, which determine whether unauthorized access or other malicious activity is possible by simulating real-world attacks to test the effectiveness of existing security measures. Promptly addressing any weakness found through scans or testing is critical to protect against possible compromise of systems and the cardholder data they may hold. In addition, organizations are required to develop and enforce secure coding guidelines, such as those outlined by organizations like OWASP, to prevent the introduction of vulnerabilities during the software development life cycle.
Restricting access to system components and cardholder data helps prevent unauthorized individuals or systems from gaining entry. PCI DSS dictates limiting access by business need-to-know, often referred to as the principle of least privilege, which maintains that a user or system should only have access to the specific data, resources, and applications needed to complete a required task. Similarly, role-based access controls (RBAC) restrict system access to authorized users based on their roles within an organization. These policies require that access controls are frequently reviewed and updated to reflect changes in personnel and roles. They also call for implementation of multifactor authentication (MFA) for access to systems and cardholder data and for improving password policies and best practices.
Continuous monitoring and testing are critical for detecting and responding promptly to security incidents. This involves implementing logging mechanisms, conducting regular security testing, and ongoing review of network activity. Network monitoring tools also include intrusion detection systems (IDS) and intrusion prevention systems (IPS) that analyze and assess the integrity of network traffic to identify attack patterns, abnormal activities, and unauthorized use. Organizations must also establish an incident response plan and emergency procedures and ensure that these processes are regularly tested.
PCI DSS also requires that organizations establish and maintain a comprehensive security policy that sets the framework for protecting cardholder data and guiding security practices within the organization. The policy must be documented, regularly reviewed, and updated to reflect changes in technology and business processes. Organizations must also ensure that employees are aware of and trained on security policies and procedures.
Compliance with the following 12 PCI DSS requirements is essential for organizations to create a robust security posture, protect cardholder data, and minimize the risk of data breaches.
PCI compliance is divided into four levels based on the total volume of credit, debit, and prepaid card transactions over 12 months. Organizations must determine their transaction volume accurately and comply with the corresponding level's requirements to ensure and maintain PCI DSS compliance. Maintaining the appropriate level of compliance is critical for securing e-commerce transactions, maintaining a secure environment for cardholder data, and preventing potential breaches.
PCI Compliance Level 1 is the highest and most stringent PCI DSS level and is designed to ensure the highest level of security for businesses that store, transmit, or process credit card data. In addition, merchants and service providers of any size that have been exposed to a breach or cyberattack resulting in the compromise of credit card or cardholder data must meet PCI Level 1 requirements. PCI Level 1 validation requires an annual report on compliance (ROC) by a qualified security assessor (QSA) or an internal security assessor, and typically also mandates penetration testing, which involves simulating real-world cyberattacks on computer systems and applications to identify vulnerabilities. PCI Level 1 validation also requires a quarterly network scan by an approved scanning vendor (ASV).
PCI DSS Level 2 merchants must conduct a compliance assessment once a year using a self-assessment questionnaire (SAQ) and perform quarterly network scans by an ASV. They must also complete the Attestation of Compliance (AOC) Form. Like Level 1, some Level 2 merchants may be required to conduct penetration testing. An on-site PCI DSS audit is not required for Level 2 merchants unless they have experienced a data breach or cyberattack that compromises credit card or cardholder data.
PCI DSS Level 3 merchants must complete the appropriate annual SAQ and perform a quarterly network scan by an ASV. The merchant must also complete and submit an AOC form.
PCI Level 4 merchants must complete the appropriate annual SAQ, and a quarterly ASV external network security scan may be required. The merchant must also complete and submit an AOC form. Not all card providers have Level 4 designations.
Adhering to the 12 PCI DSS requirements is critical for strengthening data security and contributing to overall compliance. The requirements work together to create a comprehensive framework for protecting cardholder data and preventing security breaches.
PCI DSS compliance demonstrates a commitment to securing sensitive cardholder data, assuring customers that their credit card details are handled with the highest standards of security, and fostering confidence in the business's ability to safeguard their personal information. In addition, businesses that adhere to PCI DSS are better positioned to defend against legal actions and regulatory penalties related to inadequate data security.
Maintaining PCI DSS compliance offers other long-term advantages as technology and security landscapes evolve. Adhering to PCI DSS requirements means that organizations stay vigilant, are better equipped to prevent advanced and sophisticated attacks, and can more quickly adapt to evolving cyber threats. PCI DSS adherence also fosters a security-centric culture within an organization that extends beyond compliance, encouraging ongoing efforts to strengthen data security practices.
As an example of how PCI DSS can help build (and rebuild) customer trust, in 2012 Global Payments, a major payment processing company, experienced a data breach that resulted in unauthorized access to sensitive payment card information. The breach affected about 1.5 million credit and debit cards, raising concerns about the security of payment transactions. Global Payments took immediate action to contain the breach and initiated an investigation to determine the extent of the compromise. Law enforcement agencies, including the U.S. Secret Service, were involved in the investigation.
In response to the breach, Global Payments committed to enhancing its security infrastructure and implementing additional measures to prevent similar incidents in the future. The company also committed to making a priority of achieving and maintaining compliance with PCI DSS requirements, which helped assure customers and stakeholders that Global Payments was taking concrete steps to secure payment data.
By proactively addressing security vulnerabilities, investing in enhanced security measures, and achieving PCI DSS compliance, Global Payments demonstrated a commitment to rebuilding trust. The company’s commitment to transparency, investment in security, and achieving PCI DSS compliance played pivotal roles in regaining customer confidence and rebuilding its reputation in the payment processing industry.
Executing the 12 PCI DSS requirements can pose multiple challenges for organizations because adequate resources, both in terms of personnel and technology, are needed for implementing and maintaining PCI DSS compliance. Organizations of all sizes may struggle to accurately define and limit the scope of their implementation, but this is particularly challenging for smaller businesses with limited budgets and expertise, or for those with legacy systems that must be updated to meet current PCI DSS standards. Businesses often rely on third-party vendors for various elements of the implementation, but ensuring that these vendors comply with PCI DSS requirements and securing the supply chain is also a major responsibility.
Maintaining compliance with PCI DSS is a continuing process and requires regular monitoring, testing, and assessments. This requires organizations to stay vigilant and update their security measures and patch management policies on a regular basis. Maintaining compliance also involves an ongoing commitment to regular testing of security systems and processes, including conducting thorough penetration tests and vulnerability assessments, which can be resource-intensive, may present logistical challenges, and strain resources over time.
The cybersecurity landscape is constantly evolving, with new and sophisticated threats emerging regularly. PCI DSS compliance requires that companies continuously monitor and analyze the threat landscape to understand and keep ahead of these risks. Identifying and mitigating zero-day vulnerabilities also presents a significant challenge in maintaining PCI DSS compliance, as these vulnerabilities are unknown security flaws that threat actors exploit before vendors have a chance to release patches. Continuous improvement and a commitment to staying informed about the latest security trends are key to successfully navigating the challenges of keeping ahead of emerging threats while ensuring that PCI DSS compliance adapts to the dynamic nature of cyber threats.
Visit the PCI Security Standards Council website for the latest information on PCI DSS compliance requirements, training and qualification information, and access to PCI qualified professionals. The site also offers an extensive resource library that includes FAQs, a glossary, and a handy PCI DSS quick reference guide.
PCI DSS compliance is essential for organizations that handle credit card transactions, as its requirements help ensure security of cardholder data, protection of transaction networks, and mandatory monitoring and testing of security systems. F5 offers a suite of application security products, services, and solutions to help your organization achieve and maintain PCI DSS compliance. In addition, F5 Distributed Cloud Services are PCI DSS compliant as a Level 1 service provider.
F5 also provides thought leadership for application security and protection strategies and insights through F5 Labs research, analysis, blogs, and reports.