What Is PCI DSS?
PCI DSS, or the Payment Card Industry Data Security Standard, is the comprehensive set of requirements designed to ensure that any company that processes, stores, or transmits credit card information does so by maintaining a secure environment. The requirements were established to help prevent payment data breaches and payment card fraud.
The PCI standards cover both technical solutions as well as the operational practices and processes that are included in, or are connected to, cardholder data systems.
An independent body, the PCI Security Standards Council (PCI SSC), made up of major payment companies, including Visa, MasterCard, American Express, Discover, and JCB, administers and manages this standard. However, enforcing the compliance of PCI DSS is the responsibility of the individual payment brands.
The council provides the comprehensive standards and support to help ensure sensitive cardholder information security is upheld. The PCI DSS serves as a framework for organizations to develop and maintain a data security process for payments that includes prevention, detection, and appropriate responses to any security incidents.
Who Needs to Comply with PCI DSS?
Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are, however, differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.
What Are the Different Levels of PCI Compliance?
While ALL organizations that accept, transmit, process, or store cardholder data are subject to the requirements of PCI DSS, there are four distinct levels of compliance required of individual organizations. These levels are based on transaction volume over a 12-month period:
Level 1:
Level 2:
Level 3:
Level 4:
At the highest compliance level (level 1), organizations need to have an external audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This evaluation validates the scope of the assessment, reviews documentation, determines whether PCI DSS requirements are met, and provides guidance for compliance. A Report on Compliance (RoC) is then submitted to demonstrate compliance.
Organizations at the lower compliance levels (levels 2 through 4) do not need the external audit and can instead complete a self-assessment questionnaire (SAQ). Level 2 organizations will also need to complete an RoC.
Maintain a data security policy:
Setting the tone for your organization can help bolster PCI DSS compliance as well as overall data security. Organizations can develop regular training programs and continuing education on data security, and specifically on PCI DSS compliance, covering topics such as:
Internal data security policy
PCI DSS requirements
Changes to internal systems
PCI compliance responsibilities
Data breaches
PCI Compliance Solutions
Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. Fortra's security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.
Fortra and PCI DSS
Fortra’s portfolio of cybersecurity and compliance offerings provides a wide range of solutions and services to help businesses comply with the PCI DSS 4.0 requirements and fulfill the daily demands of protecting the company from risks and threats. The following table maps PCI DSS 4.0 requirements to Fortra’s solutions.
Requirement 1: Install and maintain network security controls
Requirement 2: Apply secure configurations
Requirement 3: Protect stored account data
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Requirement 5: Protect systems and networks from malicious software
Requirement 6: Develop and maintain secure systems and software
Requirement 7: Restrict access to system components and cardholder data
Requirement 8: Identify users and authenticate access
Requirement 9: Restrict physical access
Requirement 10: Log and monitor all access
Requirement 11: Test security of systems and networks regularly
Requirement 12: Support information security with policies and programs
We Can Help with PCI DSS Compliance. Let’s Talk.
Contact the professionals at Fortra for a free, 30-minute consultation on which solutions are best for your organization when it comes to securing PCI data. We’ll help you determine the right layers of protection to comply with PCI DSS.