PCI DSS compliance helps ensure that your customers' credit card data is protected from attackers and compromise attempts. Complying with this standard isn't easy, but it is achievable. To simplify this essential effort, we've compiled a checklist of the key security metrics that should be addressed to meet the compliance requirements of this critical information security standard.
How Many PCI DSS Requirements Are There?
There are twelve core requirements in the Payment Card Industry Data Security Standard. They address the standards for security controls, security policies, and overall security requirements to ensure the protection of stored credit card data.
The PCI DSS standard also specifies database isolation best practices to restrict digital and physical access to payment card data across the entire cardholder data environment.
It's important to note that the current PCI requirements are based on version 3.2.1 of the standard, which is due to expire in 2024. The PCI Security Standards Council (PCI SSC) has issued an updated standard, version 4. PCI DSS version 4 places an even greater emphasis on protecting sensitive financial data and stored cardholder data.
Organizations that must be PCI compliant have until March 31, 2024, to familiarize themselves with this new version before it comes into effect. The updated compliance requirements in version 4 are addressed in the list of key metrics below.
Metrics for Tracking PCI DSS Compliance
The following metrics checklist will help businesses in the financial sector, including fintech, banks, and eCommerce businesses, comply with PCI DSS version 3.2.1. For assessing vendor compliance with PCI DSS, use this free template.
PCI DSS Requirement 1 - Firewall and Router Configurations
🔲 Secure the application layer with a Web Application Firewall (WAF).
🔲 Establish access control policies to protect sensitive resources.
🔲 Map sensitive data flow across internal and public networks.
🔲 Inventory your digital footprint to identify all financial data processes and network traffic.
🔲 Define a network access policy.
🔲 Define information security policies.
🔲 Secure all endpoints, including wireless devices, with Multi-Factor Authentication (MFA).
PCI DSS Requirement 2 - Document Configuration Parameters and Include PCI Security Best Practices
🔲 Don’t use default passwords supplied by service providers.
🔲 Create a strong password policy that includes a regular update schedule.
🔲 Define data deletion policies that mitigate data leakage.
PCI DSS Requirement 3 - Protect Keys from Disclosure and Misuse
🔲 Segment the network to restrict access to data centers and critical systems.
🔲 Design and implement an Incident Response Plan (IRP).
🔲 Include data backup policies in disaster recovery plans to prevent data loss.
🔲 Implement processes and audit trails for tracking credit card components, including magnetic stripes and chips.
PCI DSS Requirement 4 - Use Strong Cryptography and Secure Protocols when Transferring Cardholder Data
🔲 Enforce server-side encryption for all resources housing card transactions and credit card data from American Express, Mastercard, Visa, etc.
🔲 Include data protection tools, such as a data leak detection solution, in your cybersecurity program to support the detection and remediation of unauthorized network access.
🔲 Continuously perform vulnerability scans in cloud software and operating systems to discover exposures negatively impacting your security posture.
🔲 Enforce encryption across all communication pathways.
PCI DSS Requirement 5 - Document and Enforce an Anti-Virus Policy
🔲 Implement anti-virus software.
🔲 Ensure anti-virus software is continuously updated with the latest security patches.
PCI DSS Requirement 6 - Document Change Control Processes and Procedures, and Document Secure Software Development Procedures
🔲 Implement security measures to secure all system components from unauthorized access.
🔲 Integrate a Vendor Risk Management (VRM) program with your security program to prevent malware injections through third-party security breaches.
🔲 Continuously scan vendors for security risks threatening credit card data integrity.
🔲 Establish a system for identifying regulatory noncompliance for all vendors.
🔲 Establish a communication stream with the executive team to efficiently report on compliance.
PCI DSS Requirement 7 - Written Access Control Policy That Limits Access to System Components And Cardholder Data
🔲 Adopt the principle of least privilege to minimize credit card data handling processes.
🔲 Implement strong privileged access management policies to secure systems linking to financial data.
PCI DSS Requirement 8 - Policies And Procedures For User Identity Management Controls
🔲 Enforce access control mandates across the entire organization.
🔲 Ensure access control documentation is kept updated and readily available to Qualified Security Assessors (QSA) - ideally as an instant download through a security feature like Shared Profile.
PCI DSS Requirement 9 - Documented Facility Controls to Limit And Monitor Physical Access to Systems
🔲 Secure network access points - digital and physical.
PCI DSS Requirement 10 - Audit Logs for All System Components in the Cardholder Data Environment
🔲 Ensure an audit trail is available for all credit card-related processes.
🔲 Implement a system monitoring policy to monitor credit card data handling.
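Audit logs are themselves a common place for cardholder data to leak, so the data leak detection called for under Requirement 4 applies to the audit trail called for here. The following is an added example, not part of the original checklist: it scans constructed log lines for Luhn-valid primary account numbers (PANs) and masks them to the first six and last four digits, leaving other long digit strings such as order IDs untouched. The log lines and card numbers are constructed test values.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Return the log line with Luhn-valid PANs masked, plus how many were masked."""
    found = 0

    def repl(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):  # not a card number (e.g. an order id), leave it
            return match.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, line), found


# Constructed sample audit log; the card numbers are well-known test values.
SAMPLE_LOG = [
    "2024-03-31 10:22:01 auth ok pan=4111 1111 1111 1111 order=1234567890123456",
    "2024-03-31 10:22:05 refund pan=5555-5555-5555-4444 amount=12.50",
    "2024-03-31 10:22:09 login user=alice src=10.0.0.12",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, n = scrub_line(raw)
        print(f"[{n} PAN(s) masked] {clean}")
```

Run the scrubber before log lines reach long-term storage or a SIEM; a non-zero count on a log source that should never carry card data is itself a finding worth alerting on.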
PCI DSS Requirement 11 - Documented Evidence of Internal And External Network Vulnerability Scans And Penetration Testing
🔲 Regularly scan the internal and third-party service attack surface for exploitable exposures that could lead to a credit card data breach.
🔲 Establish a regular penetration testing schedule as a validation of security control efficacy.
🔲 Ensure both internal and external penetration test reports are produced.
PCI DSS Requirement 12 - Evidence of Security Policy Created, Published, Maintained, And Distributed to All Relevant Personnel
🔲 Implement security awareness training to ensure staff understand which actions constitute a PCI DSS compliance violation.
🔲 Track security awareness training retention with simulated phishing attack campaigns.
🔲 Regularly perform incident response and disaster recovery drills.