Cybersecurity Solutions for Compliance with PCI DSS

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a globally recognized framework of security requirements developed to help organizations that process, store, or transmit credit card information maintain a secure environment. Version 4.0 of the standard emphasizes a more flexible, customized approach to achieving and validating security outcomes while continuing to reduce payment data breaches and combat card fraud.

PCI DSS 4.0 covers both technical controls and operational practices, providing a baseline for securing cardholder data environments (CDEs). The standard promotes continuous security, supports evolving technologies, and addresses emerging threats.

The PCI Security Standards Council (PCI SSC) — an independent organization founded by major payment card brands including Visa, MasterCard, American Express, Discover, and JCB — administers and manages the standard. Enforcement and compliance responsibilities remain with each individual payment brand.

PCI DSS 4.0 encourages organizations to integrate security as a continuous process, with a focus on risk-based approaches, including the use of targeted risk analysis to support customized implementation of security controls. The standard provides detailed guidance and resources to help organizations prevent, detect, and respond to security incidents, ultimately supporting the protection of sensitive cardholder information in an ever-changing threat landscape.

What Does PCI DSS 4.0 Cover?

PCI DSS compliance is built on 12 core requirements—each a critical safeguard to protect cardholder data. Meeting these standards within your IT environment demands more than a checklist; it requires a strategic, layered approach to security. Organizations often achieve this through a suite of integrated data protection solutions that work together to defend against evolving threats and ensure continuous compliance.

The 12 PCI DSS 4.0 requirements are bucketed into six categories:

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all system components

Protect Account Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know

8. Identify users and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data

11. Test security of systems and networks regularly

Maintain an Information Security Policy

12. Support information security with organizational policies and programs

Does PCI DSS Compliance Apply to You?

Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.

What Are the Different Levels of PCI DSS Compliance?

While ALL organizations that accept, transmit, process, or store cardholder data, are subject to the requirements of PCI DSS, there are four distinct levels of compliance required by individual organizations. These levels are based on transaction volume over a 12-month period:

Level 1:

Merchants processing over 6 million card transactions annually

Level 2:

Merchants processing 1 to 6 million transactions annually

Level 3:

Merchants processing 20,000 to 1 million transactions annually

Level 4:

Merchants processing fewer than 20,000 transactions annually

At the highest compliance level (Level 1), organizations must undergo an external audit conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). This assessment validates the scope of the assessment, reviews documentation, determines whether PCI DSS requirements are being met, and provides guidance for achieving compliance. Upon completion, a Report on Compliance (RoC) is submitted to demonstrate adherence to PCI DSS standards.

Lower compliance level organizations (levels 2 through 4) do not need the external audit but can instead complete a self-assessment questionnaire (SAQ). Level 2 organization also need to complete a RoC.

View Resources from the PCI Security Standards Council

PCI DSS Compliance Checklist

Build and maintain a secure network and systems

Do you have a web application firewall in place to safeguard cardholder data in any system(s) used to store, process, or transmit that data?
Is it regularly updated and maintained?
Have you replaced any default passwords with unique, strong alternatives?
Are passwords protected and stored securely to minimize exposure risks?

Protect your cardholders’ data

Are security controls in place to protect data stored within your internal systems?
Are you securing cardholder data when it is in transit?
Are you using encryption to protect cardholder data? 
Is data protected when traveling across open networks or at rest?

Maintain a vulnerability management program

Do you have antivirus software or programs in place throughout your organization?
Are the programs or software up to date with the most recent version?
Do you regularly review your software?

Implement strong access control

Are systems and applications secured at your organization and are they being maintained?
Do you need to develop your systems and applications for PCI DSS compliance?
Have you restricted access to cardholder data within your internal systems?
Is access restricted based on a need-to-know or need-to-handle basis for daily task completion?
Does the task completion need outweigh the risk of providing access to the data?
Have you provided everyone in your organization with a unique user ID for computer access?
Does your systems administrator manage permissions/access control for these unique IDs?
Are your access and permissions controls granted on a business-need-to-know basis?
Do you restrict physical access to servers, computers, data centers, etc., where cardholder data may reside, be processed, or be sent?
Do you log and monitor all visitors to areas in your organization where access to cardholder data may be found?
Is all physical media securely stored to prevent inappropriate access?

Monitor and test networks regularly

Do you regularly review your organization’s networks to prevent exploitation?
Are your review processes logged for regulatory audit trails?
Do you test your systems frequently to discover any vulnerabilities and are any found appropriately addressed and maintained?
Do you test for vulnerabilities when new software is installed, or configuration changes are made?
Do your tests include internal and external network vulnerability scans and penetration testing?
Do you monitor critical system files to ensure they are not modified or accessed without authorization?

Maintain a Data Security Policy

Establishing a strong security culture within your organization can enhance PCI DSS 4.0 compliance and overall data security. Organizations should implement regular training programs and ongoing education focused on data security, with particular emphasis on PCI DSS compliance.

Internal data security policy

Do you have a current an internal data security policy in place?

PCI DSS requirements

Does your policy comprehensively address all PCI DSS requirements?

Changes to internal systems

Is your policy reviewed regularly or when changes to internal systems occur?

PCI compliance responsibilities

Does your policy outline how to identify and monitor the PCI compliance responsibilities of your service providers?

Data breaches

Do you have an actionable incident response plan that can be immediately deployed in the event of a data breach?

The Role of Vulnerability Management in PCI DSS Compliance

To achieve PCI DSS 4.0 compliance, organizations must implement a proactive vulnerability management (VM) program that swiftly identifies and remediates security weaknesses as they emerge. VM impacts multiple core PCI DSS requirements, including safeguarding stored cardholder data and monitoring system access.

The PCI SSC defines a vulnerability as a “flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.” Organizations can stop vulnerabilities from being exploited using automated solutions to scan for common vulnerabilities and exposures (CVEs). Advanced VM solutions continuously scan and prioritize detected CVEs based on risk to help you remediate the most potentially damaging vulnerabilities first. A well-documented VM program also makes passing PCI audits faster and simpler.

Discover Fortra VM

PCI and Application Security

Meeting PCI DSS 4.0 requirements for application security requires adherence to best practices and the use of the right tools to verify your solutions. Verification involves enhancing visibility into potential flaws and vulnerabilities in both the code and the endpoints where the application is hosted. It is crucial to use solutions that can accurately detect issues and provide detailed reports that offer evidence for auditors.

With applications, code is the best place to start testing. While manual inspection might allow testers to catch some application problems, it does not scale well for modern software — it is a lengthy process and can have a low accuracy rate.

Current codebases amalgamate numerous external libraries and thousands of lines of code. Automated tools are the only efficient and effective way to test the code and its implementation. Using code analysis tools such as software composition analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST), testers can identify security vulnerabilities, design defects, logical errors, and implementation flaws, as PCI DSS requires.

Take the next step in PCI security

Technology never stops evolving. New and different attack combinations are continually being attempted. Learn more about our Dynamic Application Security Testing Software.

Learn More

Fortra is a PCI Approved Scanning Vendor

Discover our fully managed PCI scanning services

PCI DSS 4.0 Compliance Solutions

Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. Fortra's security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.

Adaptive Data Loss Prevention (DLP)

Clearswift Adaptive DLP from Fortra applies the optimal security treatment to cardholder data with custom dictionaries and more than 200 pre-configured tokens to help simplify policy definition to help comply with PCI DSS. The solution’s adaptive redaction allows for any content that would be considered a PCI breach to be dynamically modified (redacted or sanitized) to allow legitimate communications to be delivered for secure but continuous collaboration.

Data Classification

Fortra's data classification software solutions help protect personal data by reducing the risk of a data breach by applying a visual and metadata label to a document or an email as being PCI-related to help ensure the information is handled confidentially and appropriately in line with PCI requirements, triggering encryption where required. PCI-related information can be clearly identified to help enforce DLP. In addition, for auditing purposes, classification technology can assist with enterprise search.

Vulnerability Assessments and Intrusion Protection

Proving PCI DSS compliance is easier with the security solutions delivered by Powertech. Organizations handling cardholder data can identify and quantify any system security vulnerabilities as well as harden these systems to intrusion. In addition, there is visibility to any database access of PCI to help meet PCI DSS audit requirements.

Secure Managed File Transfer

MFT solutions can help meet PCI requirements by securing data at rest and in transit through encryption, performing integrity checks of transfers, and providing detailed audit trails and reporting of all transfers. In addition, non-compliance with PCI DSS can be monitored with a compliance module and captured information can be used to build detailed reports to meet auditing and reporting requirements.

Secure Collaboration

Digital Guardian Secure Collaboration can protect files that contains sensitive consumer PII and PCI data, no matter where or how it is shared. Organizations can encrypt and control access to this data, as well as track and audit the data and revoke access to it.

Offensive Security

Offensive security is a well-defined piece of PCI DSS, with requirements for regular testing of security systems and processes. Vulnerability management and penetration testing solutions help organizations adhere to this requirement by finding, prioritizing, and verifying the remediation of external and internal vulnerabilities. Additionally, these tools help prove compliance with robust reporting capabilities that can provide a thorough record for auditors.

Managed Web Application Firewall

Despite not being an explicit requirement in PCI DSS 3.2.1, PCI DSS 4.0 requirement 6.4.2 does mandate a WAF to "continuously detect and prevent web-based attacks" made against your applications and APIs. Fortra Managed WAF can prepare organizations for PCI 4.0, by offering an end-to-end managed WAF service, with deployment support and always-optimized protections.

Managed Detection and Response

With our Managed Detection and Response services, security analysts conduct continuous monitoring of your environment for PCI DSS compliance, including event log analysis, log collection oversight, incident identification, alerting, and audit trail creation. In addition, due to Fortra's accreditation as a PCI Approved Scanning Vendor (ASV), we offer expert review and dispute resolution assistance with PCI ASV reports.

Fortra and PCI DSS

Fortra’s portfolio of cybersecurity and compliance offerings provide a wide range of solutions and services to help businesses comply with the PCI DSS 4.0 requirements and fulfill the daily demands of protecting the company from risks and threats. The following table maps PCI DSS 4.0 requirements to Fortra’s solutions.

Requirement 1: Install and maintain network security controls

Requirement 2: Apply secure configurations

Fortra’s Tripwire Integrity Management

Requirement 3: Protect stored account data

Fortra Data Loss Prevention

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

Fortra's GoAnywhere Secure File Transfer
Fortra's Digital Guardian Secure Collaboration

Requirement 5: Protect systems and networks from malicious software

Fortra's Powertech for IBM i

Requirement 6: Develop and maintain secure systems and software

Fortra's Alert Logic Managed Security Services
Fortra's Application Security Testing
Fortra's Tripwire Integrity Management
Fortra's Vulnerability Management

Requirement 7: Restrict access to system components and cardholder data

Fortra's Core Security Penetration Testing and Security Consulting Services

Requirement 8: Identify users and authenticate access

Fortra's Core Security Penetration Testing and Security Consulting Services

Requirement 9: Restrict physical access

Requirement 10: Log and monitor all access

Fortra's Alert Logic Managed Security Services
Fortra's Tripwire Integrity Management

Requirement 11: Test security of systems and networks regularly

Fortra's Alert Logic Managed Security Services
Fortra's Core Security Penetration Testing and Security Consulting Services
Fortra's Tripwire Integrity Management
Fortra's Vulnerability Management

Requirement 12: Support information security with policies and programs

Fortra Security Awareness Training

If you don’t have the capacity to manage all these activities, our Fortra managed security services can act as an extension of your team to reduce your security risks and simplify PCI DSS 4.0 compliance.

Get a Fortra Demo

We Can Help with PCI DSS 4.0 Compliance. Let’s Talk.

Contact the experts at Fortra for a free 30-minute consultation to explore the best solutions for securing cardholder data in your organization. We’ll work with you to identify the right layers of protection to ensure PCI DSS compliance.

Schedule Your PCI DSS 4.0 Consultation