Skip to content

Resources

What are Payment Card Industry Data Security Standards?

PCI DSS (Payment Card Industry Data Security Standard) is a global standard that provides a set of technical and operational requirements to ensure all businesses, regardless of size, that handle credit card information maintain a secure environment. It was created by the five major card schemes; American Express, JCB, Visa, MasterCard and Discover Financial Services to protect payment data and reduce card data fraud.

The PCI Security Standards Council (PCI SSC) brings together industry stakeholders to develop and drive adoption of data security standards.

PCI DSS Compliance

Being compliant with PCI DSS means that a business is doing their very best to keep their customers' valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. A key part of this is ensuring that the cardholder data environment (CDE) is properly segmented and protected.

Any merchant with a merchant ID that accepts payment cards must follow PCI-compliance regulations to protect themselves against data breaches. The requirements range from establishing data security policies for their business and employees to removing card data from their processing system and payment terminals. 

Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs) have a critical role in helping organizations achieve and maintain PCI DSS compliance.

What are the requirements for PCI DSS compliance? 

There are 12 main requirements in the PCI DSS, spread across six core principles. For more information on them read our blog here.

Build and Maintain a Secure Network and Systems

1. Install and maintain network security controls

2. Apply secure configurations to all system components

Protect Account
Data

3. Protect stored account data

4. Protect cardholder data with strong cryptography during transmission over open, public networks 

Maintain a Vulnerability Management Program

5. Protect all systems and networks from malicious software

6. Develop and maintain secure systems and software

Implement Strong Access Control Measures

7. Restrict access to system components and cardholder data by business need to know 

8. Identify users and authenticate access to system components 

9. Restrict physical access to cardholder data 

Regularly Monitor and Test Networks

10. Log and monitor all access to system components and cardholder data 

11. Test security of systems and networks regularly 

Maintain an Information Security Policy

12. Support information security with organizational policies and programs 
TNA_PCI_DSS_Report_Cover

Research Report

Report reveals less than 40% of senior cybersecurity decision makers can effectively prioritize risks to PCI DSS 4.0 compliance.

Read the report

What is PCI DSS v4.0?

Global payment security forum PCI SSC released the PCI DSS Version 4.0 in 2022. The development of PCI DSS v4.0 was driven by industry feedback and aims to protect payment data from increasingly sophisticated cyber-attacks.

PCI DSS v4.0 release has four main goals: 

  1. Continuing to meet the payment industry’s security needs
    The PCI DSS recognizes that security must evolve as new threats emerge. There are a number of new phishing and e-commerce requirement changes to address this and password and authentication requirements have been updated.

  2. Increased flexibility to allow the use of technology innovation 
    The new requirements allow organizations to take a customized approach to support their use of innovative methods in meeting security objectives. Allowances are also made for the use of shared and group accounts.

  3. Enhanced validation and reporting options 
    This focuses on the alignment between compliance reports or self-assessments and the Attestation of Compliance.

  4. Security as a continuous process 
    One of the most significant aspects of this new release is the recognition that security should be a continuous process. PCI SSC are encouraging organizations to step away from time-based auditing and embrace continuous security assessments and reporting. Security Assessors (QSAs) and Internal Security Assessors (ISAs) have a critical role in helping organizations achieve and maintain PCI DSS compliance.

PCI DSS v4.0 Implementation Timeline

PCI DSS v3.2.1 was retired on March 31 2024. All organizations now need to meet the PCI v4 standards (with the exception of some future-dated new requirements which have until March 31 2025).  

PCI-DSS-v4-0-At-A-Glance-1

Source: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4-0-At-A-Glance.pdf 

How Nipper and Nipper Resilience can help with PCI DSS compliance?

For more information about how Nipper solutions can support PCI DSS compliance visit our solutions page. 

Video: Continuously Viewing and Managing PCI DSS Compliance

PCI DSS v4.0 recommends abandoning sampling and regularly assessing network infrastructure (routers, switches and firewalls) to ensure organizations gain increased security from continuous compliance.

Ian Robinson, Chief Architect at Titania talks through why this is important and how Nipper Enterprise* enables the shift from ad-hoc, sampled assessments to continuous compliance assurance for the Enterprise.

With a short product demo, Ian shows how this can enable network owners to increase the coverage and cadence of network infrastructure assessments, prioritize remediation of non-compliances, & shut down real-world threats.  

*Nipper Resilience is the new name for Nipper Enterprise. Renamed to represent the operational resilience value that our continuous network exposure risk management solution delivers to organizations across critical infrastructure sectors, globally.