What are Payment Card Industry Data Security Standards?
PCI DSS (Payment Card Industry Data Security Standard) is a global standard that provides a set of technical and operational requirements to ensure that all businesses, regardless of size, that handle credit card information maintain a secure environment. It was created by the five major card schemes (American Express, JCB, Visa, MasterCard and Discover Financial Services) to protect payment data and reduce card data fraud.
The PCI Security Standards Council (PCI SSC) brings together industry stakeholders to develop and drive adoption of data security standards.
PCI DSS Compliance
Being compliant with PCI DSS means that a business is doing their very best to keep their customers' valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. A key part of this is ensuring that the cardholder data environment (CDE) is properly segmented and protected.
Any merchant with a merchant ID that accepts payment cards must follow the PCI DSS compliance requirements to protect themselves against data breaches. The requirements range from establishing data security policies for their business and employees to removing card data from their processing systems and payment terminals.
Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs) have a critical role in helping organizations achieve and maintain PCI DSS compliance.
What are the requirements for PCI DSS compliance?
There are 12 main requirements in the PCI DSS, spread across six core principles. For more information on them, read our blog.
Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all system components
Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an Information Security Policy
12. Support information security with organizational policies and programs
What is PCI DSS v4.0?
Global payment security forum PCI SSC released PCI DSS version 4.0 in 2022. The development of PCI DSS v4.0 was driven by industry feedback and aims to protect payment data from increasingly sophisticated cyber-attacks.
The PCI DSS v4.0 release has four main goals:
- Continuing to meet the payment industry's security needs
The PCI DSS recognizes that security must evolve as new threats emerge. There are a number of new phishing and e-commerce requirement changes to address this, and password and authentication requirements have been updated.
- Increased flexibility to allow the use of technology innovation
The new requirements allow organizations to take a customized approach to support their use of innovative methods in meeting security objectives. Allowances are also made for the use of shared and group accounts.
- Enhanced validation and reporting options
This focuses on the alignment between compliance reports or self-assessments and the Attestation of Compliance.
- Security as a continuous process
One of the most significant aspects of this new release is the recognition that security should be a continuous process. PCI SSC is encouraging organizations to step away from time-based auditing and embrace continuous security assessments and reporting.
PCI DSS v4.0 Implementation Timeline
PCI DSS v3.2.1 was retired on March 31, 2024. All organizations now need to meet the PCI DSS v4.0 requirements (with the exception of some future-dated new requirements, which have until March 31, 2025).
How can Nipper and Nipper Enterprise help with PCI DSS compliance?
For more information about how Nipper solutions can support PCI DSS compliance visit our solutions page.
Video: Continuously Viewing and Managing PCI DSS Compliance
PCI DSS v4.0 recommends abandoning sampling and regularly assessing network infrastructure (routers, switches and firewalls) to ensure organizations gain increased security from continuous compliance.
Ian Robinson, Chief Architect at Titania, talks through why this is important and how Nipper Enterprise enables the shift from ad-hoc, sampled assessments to continuous compliance assurance for the enterprise.
With a short product demo, Ian shows how this can enable network owners to increase the coverage and cadence of network infrastructure assessments, prioritize remediation of non-compliances, and shut down real-world threats.