PCI DSS Compliance

Conquer the complexity of PCI DSS 4.0 compliance with Fortra

What Is PCI DSS?


PCI DSS (Payment Card Industry Data Security Standard) is a globally recognized set of security requirements for any organization that processes, stores, or transmits payment card account data, intended to help those organizations maintain a secure environment. Version 4.0 of the standard emphasizes a more flexible, customized approach to achieving and validating security outcomes while continuing to reduce payment data breaches and combat card fraud.

PCI DSS 4.0 covers both technical controls and operational practices, providing a baseline for securing cardholder data environments (CDEs). The standard promotes continuous security, supports evolving technologies, and addresses emerging threats.

The PCI Security Standards Council (PCI SSC), an independent organization founded by the major payment card brands (Visa, Mastercard, American Express, Discover, and JCB), administers and maintains the standard. Enforcement and compliance-validation programs remain with each individual payment brand and the acquiring banks.

PCI DSS 4.0 encourages organizations to integrate security as a continuous process, with a focus on risk-based approaches, including the use of targeted risk analysis to support customized implementation of security controls. The standard provides detailed guidance and resources to help organizations prevent, detect, and respond to security incidents, ultimately supporting the protection of sensitive cardholder information in an ever-changing threat landscape.


What Do the PCI DSS Security Standards Cover?


PCI DSS compliance is built on 12 core requirements—each a critical safeguard to protect cardholder data. Meeting these standards within your IT environment demands more than a checklist; it requires a strategic, layered approach to security. Organizations often achieve this through a suite of integrated data protection solutions that work together to defend against evolving threats and ensure continuous compliance.

The 12 PCI DSS 4.0 requirements are grouped into six goals:

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all system components

Protect Account Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know

8. Identify users and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data

11. Test security of systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organizational policies and programs
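Requirements 3 and 10 meet in one place every assessor looks at first: application logs. Requirement 3.4.1 allows at most the BIN and last four digits of a PAN to be displayed, and PAN that ends up in log files is stored account data that must be rendered unreadable. The following Python is an added illustration (not Fortra code or any part of the standard): it finds candidate PANs in log lines with a digit-run regex plus the Luhn check, masks them for display, and shows a keyed hash (HMAC-SHA256) as the kind of one-way reference v4.0 requires when hashing is used to make stored PAN unreadable. The log lines, the card numbers (public test numbers) and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so timestamps and order IDs are not split up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real customer data; the card numbers are the
# widely published Visa and Amex test numbers, which pass the Luhn check).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z INFO checkout ok card=4111 1111 1111 1111 order=98765",
    "2024-05-01T10:00:01Z WARN retry card=378282246310005 attempt=2",
    "2024-05-01T10:00:02Z INFO trace id=4111111111111112 status=ok",  # fails Luhn: not a PAN
]

# Placeholder key for the keyed hash (assumption for the demo); in production this is
# a managed key under the key-management requirements of Requirement 3.
DEMO_HMAC_KEY = b"assumed-demo-key-replace-with-managed-key"


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies; about nine in ten random
    digit strings fail it, which removes most false positives from the regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking per Requirement 3.4.1: at most the BIN and last four stay visible.
    A six-digit BIN is assumed here; with eight-digit BINs the visible span is larger."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable as a storage or lookup reference.
    Requirement 3.5.1.1 requires keyed hashes for this purpose so that someone who
    obtains the hashed values cannot brute-force the small PAN space offline."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid candidate PAN in a log line with its masked form.
    Returns the scrubbed line and how many PANs were masked; a non-zero count is
    itself an alertable event, because an application is writing PAN into logs."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)

    return PAN_RE.sub(repl, line), count


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a batch of lines; returns (scrubbed_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_log_line(line)
        out.append(scrubbed)
        total += n
    return out, total


if __name__ == "__main__":
    scrubbed, found = scrub_log(SAMPLE_LOG_LINES)
    print("\n".join(scrubbed))
    print(f"PANs masked: {found}")
    print("reference:", pan_reference("4111 1111 1111 1111", DEMO_HMAC_KEY))
```

Scrubbing is a safety net, not the control: the fix for PAN in logs is to stop the application writing it, and the count returned here is the metric that tells you which application to fix. Note also that the regex-plus-Luhn approach still has false positives on long Luhn-valid identifiers, so any sample it flags should be confirmed before being treated as a compliance finding.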

Does PCI DSS Compliance Apply to You?


Any organization, from the mom-and-pop coffee shop to enterprises that span the globe, that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. What differs is how compliance must be validated: each payment brand assigns merchants a level based on annual transaction volume, and the level determines whether an onsite assessment or a self-assessment is required.

What Are the Different Levels of PCI Compliance?

While ALL organizations that accept, transmit, process, or store cardholder data are subject to the requirements of PCI DSS, the validation each organization must perform depends on its merchant level. The levels are assigned by the payment brands (not by the PCI SSC) and are based on transaction volume over a 12-month period. The thresholds below are Visa's; the other brands use similar but not identical definitions, and a brand can place any merchant at Level 1 (for example, after a compromise):

Level 1:

Merchants processing over 6 million card transactions annually

Level 2:

Merchants processing 1 to 6 million transactions annually

Level 3:

Merchants processing 20,000 to 1 million e-commerce transactions annually

Level 4:

Merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually

At the highest level (Level 1), organizations must have an annual onsite assessment performed by a Qualified Security Assessor (QSA) or, where the brand or acquirer permits, a certified Internal Security Assessor (ISA). The assessor validates the scope of the assessment, reviews documentation and evidence, determines whether each PCI DSS requirement is in place, and provides guidance on gaps. The result is a Report on Compliance (ROC), submitted together with an Attestation of Compliance (AOC) to the acquirer or payment brand. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also required.

Organizations at Levels 2 through 4 do not need the onsite assessment and ROC; they validate by completing the Self-Assessment Questionnaire (SAQ) that matches how they handle card data, plus an AOC, and (except where an acquirer waives it at Level 4) the same quarterly ASV scans. Some brands require that a Level 2 merchant's SAQ be completed by a QSA or a certified ISA rather than by the merchant alone, and an acquirer can always impose stricter validation than the brand minimum.

View Resources from the PCI Security Standards Council

PCI DSS Compliance Checklist

  • Are network security controls (firewalls or equivalent) in place and maintained for every system that stores, processes, or transmits cardholder data?
  • Are those rulesets reviewed and updated regularly, and are the configuration standards documented?
  • Have all vendor-supplied default passwords and accounts been changed or removed before systems go live?
  • Are passwords and other authentication factors stored and transmitted securely, never in clear text?
  • Are security controls in place to protect account data stored within your internal systems?
  • Is stored PAN rendered unreadable (truncated, tokenized, hashed with a keyed hash, or encrypted), and is sensitive authentication data never retained after authorization?
  • Is cardholder data protected with strong cryptography whenever it travels across open, public networks?
  • Is anti-malware software deployed on all systems commonly affected by malware throughout your organization?
  • Are anti-malware engines and definitions kept current, with real-time protection or periodic scans active?
  • Do you identify newly published vulnerabilities, rank them by risk, and apply security patches within defined timeframes?
  • Are systems and applications hardened at deployment and maintained throughout their life?
  • Is bespoke and custom software developed, reviewed, and tested according to documented secure development practices?
  • Have you restricted access to cardholder data within your internal systems?
  • Is access restricted to the minimum each role needs to complete its daily tasks (need to know, least privilege)?
  • Is every access grant justified by a business need that outweighs the risk of exposing the data?
  • Does everyone in your organization, administrators included, have a unique user ID, and is multi-factor authentication enforced for all access into the cardholder data environment?
  • Does your systems administrator manage permissions for these unique IDs centrally and review them periodically?
  • Are access rights granted on a business-need-to-know basis and revoked promptly when no longer needed?
  • Do you restrict physical access to servers, computers, data centers, and other locations where cardholder data may reside, be processed, or be sent?
  • Do you log and monitor all visitors to areas in your organization where cardholder data can be accessed?
  • Is all physical media securely stored, tracked, and destroyed when no longer needed?
  • Do you collect audit logs of all access to system components and cardholder data, and review them regularly to detect anomalies?
  • Are those log reviews documented so they produce an audit trail an assessor can inspect?
  • Do you test your systems frequently for vulnerabilities, and are findings remediated and verified by re-scan?
  • Do you scan after significant changes, such as new software installations or configuration changes?
  • Do your tests include internal and external (ASV) network vulnerability scans and penetration testing?
  • Do you monitor critical system files with a change-detection mechanism that alerts on unauthorized modification?

Maintain a Data Security Policy:

Setting the tone for your organization can help bolster PCI DSS compliance as well as overall data security. Organizations can develop regular training programs and continuing education on data security and specifically PCI DSS compliance.

Internal data security policy

Do you have a current internal data security policy in place?

PCI DSS requirements

Does your policy thoroughly cover PCI DSS requirements?

Changes to internal systems

Is your policy reviewed regularly or when changes to internal systems occur?

PCI compliance responsibilities

Does your policy address how to identify and monitor service provider PCI compliance responsibilities?

Data breaches

Is there an executable incident response plan that can be immediately implemented should you suffer a data breach?

The Role of Vulnerability Management in PCI Compliance


To comply with PCI DSS, organizations must have a program in place to identify and remediate vulnerabilities as they are discovered, making vulnerability management (VM) one of the most critical security controls for PCI compliance. VM sits behind several of the 12 requirements, most directly Requirement 6 (identify newly published vulnerabilities, rank them by risk, and apply patches within defined timeframes) and Requirement 11 (regular internal vulnerability scans, quarterly external scans by an Approved Scanning Vendor, and re-scans until high-risk findings are resolved), and it also supports the secure-configuration and malware-protection requirements.

The PCI Security Standards Council defines a vulnerability as a “flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.” Automated scanners find known vulnerabilities (tracked as CVE identifiers) across the cardholder data environment; what actually prevents exploitation is the remediation that follows, so a VM program has to close the loop from finding to patch or compensating control to verification. Advanced VM solutions scan continuously and prioritize findings by risk (severity, exploitability, and how exposed the affected system is) so the most potentially damaging vulnerabilities are fixed first. A well-documented VM program, with scan reports, risk rankings, and remediation records, also makes PCI assessments faster and simpler.

PCI and Application Security


Meeting PCI DSS requirements for application security means following secure development practices and having the right tools to verify the result. Verification means gaining visibility into flaws in the code itself and in the endpoints and infrastructure where the application runs. It is essential to use solutions that detect issues accurately and produce in-depth reporting that can serve as evidence for assessors.

With applications, code is the best place to start testing. Manual review catches some problems, but it does not scale to modern software: it is slow, and its accuracy depends on the reviewer.

Current codebases combine many external libraries with thousands of lines of custom code. PCI DSS 4.0 Requirement 6.2.3 accepts manual or automated code review, but automated tooling is the only practical way to cover the whole codebase on every release. Software composition analysis (SCA) finds vulnerable third-party components, static application security testing (SAST) finds flaws in source code, and dynamic application security testing (DAST) exercises the running application; together they surface the security vulnerabilities, design defects, logical errors, and implementation flaws that PCI DSS expects to be found and fixed before release.

PCI Compliance Solutions

Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. Fortra's security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.

Fortra and PCI DSS

Fortra’s portfolio of cybersecurity and compliance offerings provides a wide range of solutions and services to help businesses comply with the PCI DSS 4.0 requirements and fulfill the daily demands of protecting the company from risks and threats. The following table maps PCI DSS 4.0 requirements to Fortra’s solutions.

Requirement 1: Install and maintain network security controls

Requirement 2: Apply secure configurations

Requirement 3: Protect stored account data

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

Requirement 5: Protect systems and networks from malicious software

Requirement 6: Develop and maintain secure systems and software

Requirement 7: Restrict access to system components and cardholder data

  • Fortra's Core Security Penetration Testing and Security Consulting Services

Requirement 8: Identify users and authenticate access

  • Fortra's Core Security Penetration Testing and Security Consulting Services

Requirement 9: Restrict physical access

Requirement 10: Log and monitor all access

Requirement 11: Test security of systems and networks regularly

Requirement 12: Support information security with policies and programs

We Can Help with PCI DSS Compliance. Let’s Talk.

Contact the professionals at Fortra for a free, 30-minute consultation on which solutions are best for your organization when it comes to securing PCI data. We’ll help you determine the right layers of protection to comply with PCI DSS.