If you’re looking for help with understanding what PCI DSS is, whether it applies to you and how to reach compliance, you’ve come to the right blog. No time to waste, so let’s dive in!
What is PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is an information security standard with requirements for every organization that accepts, processes, stores or transmits payment card data, which covers merchants of all sizes as well as the service providers that handle card data on their behalf. The aim of the standard is to ensure that these organizations protect cardholder data wherever it lives or travels.
PCI DSS is managed by the PCI Security Standards Council, an independent body created in 2006 by the major payment brands (Visa, Mastercard, American Express, Discover and JCB). It is worth knowing that PCI DSS is not a law: it is a contractual obligation that flows from the payment brands through your acquiring bank to you, and it is enforced through that relationship.
The Council provides a wealth of resources and guidance to help companies with meeting PCI compliance, so the website is well worth a review if you’re new to the standard.
Below, we’ll give you an introduction to the critical requirements of PCI DSS, along with an overview of how Polymer’s DLP engine can support you in reaching compliance.
What are the 12 requirements of PCI DSS compliance?
The requirements of PCI DSS span both operational and technical activities. Each requirement links back to the standard’s core aim: to safeguard cardholder data. The summaries below follow the twelve requirement headings of PCI DSS v3.2.1; v4.0 keeps the same twelve themes with updated wording.
1. Install and maintain firewalls
Firewalls (or, in PCI DSS v4.0 wording, “network security controls”) restrict traffic between untrusted networks and the systems that hold cardholder data. In practice this means defining the cardholder data environment (CDE), segmenting it from the rest of your network, permitting only the inbound and outbound connections the business actually needs, and documenting and reviewing those rules. Good segmentation also shrinks the scope of everything else on this list.
2. Change vendor-supplied passwords and implement appropriate password protections
Third-party hardware and software products often ship with default passwords, default accounts and unnecessary services enabled to make setup easier. PCI DSS mandates that companies change or remove these defaults before a system goes live and harden systems against a documented configuration standard (disable unused services and protocols, run one primary function per server, encrypt all non-console administrative access). The broader password rules (minimum length and complexity, lockout after repeated failures, no shared credentials) sit under Requirement 8, which we cover below.
3. Safeguard cardholder data
PCI DSS has specific instructions regarding how companies store cardholder data. The first rule is to store as little as possible: sensitive authentication data (the full magnetic stripe or chip data, the CVV/CVC security code and PINs) must never be kept after authorization, even if encrypted. Wherever the primary account number (PAN) is stored, it must be rendered unreadable using strong cryptography, truncation, one-way hashing or tokenization. If you encrypt, the standard also governs key management: data-encrypting keys must themselves be protected (for example, encrypted with a key-encrypting key at least as strong, stored separately) and keys must be rotated and retired according to documented procedures. When PAN is displayed, show no more than the first six and last four digits unless a person has a business need to see it in full. Finally, companies should regularly search their systems for unencrypted PAN, because card data has a habit of ending up in logs, spreadsheets, tickets and chat messages that were never meant to hold it.
4. Encrypt data during transmissions
The payment process involves multiple steps, meaning that cardholder data crosses numerous networks and systems. PCI DSS requires strong cryptography (for example, current TLS; SSL and early TLS are explicitly prohibited) whenever cardholder data is transmitted over open, public networks, along with verification that you are connecting to trusted endpoints using valid certificates. It also forbids sending unprotected PANs over end-user messaging technologies such as email, instant messaging, SMS and chat, which is exactly where card numbers tend to leak in day-to-day work.
5. Deploy anti-virus
Anti-malware software is fundamental to basic cyber hygiene, and PCI DSS mandates it on all systems commonly affected by malicious software, particularly workstations and servers, not just devices that store PAN. The standard also requires that the software is kept current, runs periodic scans, generates audit logs that are retained, and cannot be disabled or altered by users without management authorization. Systems not commonly affected by malware (some mainframes and appliances, for example) must be periodically re-evaluated to confirm that is still true.
6. Patch software regularly
Software vendors of every kind, not only security vendors, regularly release patches that fix newly discovered vulnerabilities. If you fail to patch, you leave your IT estate open to attack. PCI DSS therefore requires a process to identify and rank new vulnerabilities and to install critical security patches within one month of release on all in-scope systems, with less critical patches following on a defined schedule. Requirement 6 is also where the standard’s secure development rules live: if you write software that handles card data, you must follow secure coding practices, review code for common vulnerabilities (injection, broken authentication, insecure cryptographic storage and so on), separate development from production, and protect public-facing web applications with regular reviews or a web application firewall.
7. Implement a “need to know” basis for cardholder data
Only employees whose job genuinely requires it should be able to access cardholder data. PCI DSS calls this “need to know”, and it is the principle of least privilege in practice: access rights are assigned by role, default to deny, and give each person only what their job needs and nothing more. Access must be granted through a documented approval process, and companies must keep an up-to-date record of which roles hold which privileges so that auditors (and you) can see who can reach card data and why.
8. Unique IDs for accessing cardholder data
As well as recording privileges, companies must ensure that every user with access to cardholder data or in-scope systems has their own unique ID. Shared or generic logins are forbidden, because a log entry is worthless if it cannot be tied to one person. Requirement 8 also carries the authentication rules: strong passwords or passphrases, lockout after repeated failures, session timeouts, prompt removal of leavers’ accounts, and multi-factor authentication for all remote access into the cardholder data environment and for all non-console administrative access to it.
9. Restrict physical access to cardholder data
Systems and media that hold cardholder data must be kept in physically secured locations, such as a locked server room, cage or cabinet, and only authorized people should be able to enter them. The requirement also covers the everyday details: controlling and logging visitors, securing and tracking paper records and backup media, securely destroying media when it is no longer needed, and, for merchants with card-present terminals, maintaining a list of payment devices and checking them periodically for tampering or substitution.
10. Implement access logs
Companies must log all access to cardholder data and to in-scope system components, recording who did what, when, from where, and whether it succeeded or failed, including every action taken with administrative privileges. Logs must be protected from tampering, clocks must be synchronized from a trusted time source so events across systems can be correlated, logs must be reviewed at least daily (automation is expected here), and they must be retained for at least a year with the most recent three months immediately available. This is often a sticking point for organizations that lack tooling to automate the collection and review, which is where solutions like ours can help, with auditing and record-keeping enabled by default (more on that below!).
11. Establish regular vulnerability scanning procedures
Vulnerability scanning is a recurring check that your systems, networks and applications are not exposing known weaknesses. PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change, with the external scans performed by a PCI SSC Approved Scanning Vendor (ASV) and high-risk findings fixed and rescanned until they pass. Scans are complemented by penetration testing at least annually and after significant changes, including tests that confirm your network segmentation actually isolates the cardholder data environment. Requirement 11 also calls for detecting unauthorized wireless access points and for change-detection (file integrity monitoring) on critical files, with alerts reviewed and acted upon.
12. Document policies and procedures
Requirement 12 is the policy layer that ties the rest together: an information security policy that is published, reviewed at least annually and acknowledged by all personnel; a formal annual risk assessment; security awareness training on hire and at least yearly; an incident response plan that is tested; and due diligence over the third-party service providers that touch your card data, including written acknowledgement of their responsibilities. Alongside the policy, the standard expects you to document how cardholder data flows through your environment (data-flow and network diagrams) and to keep an inventory of the systems and software that interact with it. That inventory should line up with the access records and logs you maintain under Requirements 7 through 10, so that nothing handles card data without being known, owned and monitored.
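Requirement 3 asks you to hunt for unencrypted PAN that has drifted into places it should not be, and Requirement 4 forbids sending it over chat and email. Here is a worked example of the core of such a scan, added here as an illustration and not Polymer’s own engine: a broad regex finds digit runs, a Luhn checksum discards look-alikes such as order numbers, an issuer prefix/length check discards the rest, and every hit is masked to first six/last four so the scanner’s own report never becomes a new copy of the PAN. The sample text is constructed and uses only the card brands’ published test numbers; the issuer ranges are the widely published ones and are an assumption you should extend for the brands your acquirer supports.

```python
"""Discover and redact unencrypted primary account numbers (PANs) in free text.

Added example, not Polymer's code. A broad digit-run regex proposes candidates,
the Luhn checksum drops look-alikes (order IDs, phone numbers), an issuer
prefix/length check drops the rest, and results are masked first-six/last-four.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Candidate: a run of digits, optionally separated by single spaces or hyphens
# ("4111 1111 1111 1111", "5555-5555-5555-4444"). Runs longer than 19 digits that
# merely contain a PAN are skipped here; production scanners slide a window.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
SEPARATORS = re.compile(r"[ -]")


@dataclass(frozen=True)
class Finding:
    issuer: str
    masked: str  # first six and last four digits, the PCI DSS display maximum
    start: int   # offsets of the raw match in the scanned text
    end: int


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Map leading digits and length to a brand; None if nothing fits.

    Assumed ranges (widely published): Visa 4; Mastercard 51-55 and 2221-2720;
    Amex 34/37; Discover 6011, 644-649, 65. Extend for your acquirer's brands.
    """
    n = len(digits)
    p2, p3, p4 = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "mastercard"
    if p2 in (34, 37) and n == 15:
        return "amex"
    if (p4 == 6011 or 644 <= p3 <= 649 or p2 == 65) and 16 <= n <= 19:
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four; never emit the full PAN from a scanner."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list[Finding]:
    findings = []
    for m in DIGIT_RUN.finditer(text):
        digits = SEPARATORS.sub("", m.group())
        if not 13 <= len(digits) <= 19:
            continue
        if len(set(digits)) == 1:  # "0000000000000000" passes Luhn; it is a placeholder
            continue
        if not luhn_valid(digits):
            continue
        brand = issuer(digits)
        if brand is None:
            continue
        findings.append(Finding(brand, mask_pan(digits), m.start(), m.end()))
    return findings


def redact(text: str) -> str:
    """Replace each discovered PAN with its masked form (a typical DLP remediation)."""
    out, last = [], 0
    for f in scan(text):
        out.append(text[last:f.start])
        out.append(f.masked)
        last = f.end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: only the card brands' published test numbers appear here.
SAMPLE = (
    "Order #1234567890123456 shipped to 100 Main St.\n"
    "Customer paid with 4111 1111 1111 1111 (exp 12/26).\n"
    "Backup card 5555-5555-5555-4444; Amex on file 378282246310005.\n"
    "Mistyped card 4111 1111 1111 1112 fails the checksum.\n"
    "Placeholder 0000 0000 0000 0000 is Luhn-valid but not a PAN.\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.issuer:<10} {f.masked} at [{f.start}:{f.end}]")
    print(redact(SAMPLE))
```

Run against the sample, the scanner reports exactly three findings (the Visa, Mastercard and Amex test numbers), skips the 16-digit order number and the mistyped card because they fail Luhn, and skips the all-zero placeholder even though it passes Luhn. The redacted output is what you would want a DLP action to leave behind in a chat message or ticket: enough to identify the card for support purposes, not enough to use it.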
What are the benefits of PCI Compliance?
With so many requirements spanning people, processes and technology, achieving PCI DSS compliance can seem like an insurmountable task – but this is far from the case, and the effort is well worth the reward.
Here are the major benefits you stand to gain from achieving PCI DSS.
- Compliance gives you, your customers and your partners more confidence in the security of your systems. This is vital for building trust and brand affinity.
- Meeting the standard can enhance your reputation with payment brands – who may refuse to do business with you otherwise.
- PCI DSS requirements help you to improve your overall security posture, meaning you are better protected from malicious actors.
- Achieving PCI compliance puts you on the path to meeting other standards like HIPAA, GLBA and the CCPA, since many of the same controls (access control, encryption, logging, vulnerability management) are required by each.
Bear in mind too that failing to comply puts you at risk of fines, commonly cited in the range of $5,000 to $100,000 per month, which the payment brands levy on your acquiring bank and the bank passes on to you, until you rectify your compliance violations. After a breach, acquirers can also raise your transaction fees or withdraw your ability to accept cards altogether.
To give you an idea of the ramifications of non-compliance with PCI, take a look below:
- Increased chances of a data breach that impacts your customers, leading to reputational damage and a loss of business
- The potential for class-action lawsuits and regulatory fines for a wide-scale data breach
How to get started on the road to PCI Compliance
At its core, PCI compliance is all about safeguarding one kind of critical information: cardholder data. It makes sense, then, to take a data-centric approach. Rather than relying on a sprawling array of point solutions, look for data loss prevention (DLP) software that can handle discovery, protection, auditing and reporting for card data from one central console. Be clear-eyed about scope, though: DLP addresses the data-handling requirements (3, 4, 7 and 10 above), while network segmentation, patching, vulnerability scanning and penetration testing still need their own tooling and processes.
While this might sound easy, we appreciate that the DLP market is flooded with tools all promising to solve your PCI DSS woes.
To help you find a tool that actually works, here’s our checklist of what to look for in a PCI DLP solution:
- Extends data classification and protection to the cloud: The cloud is the future of work and, increasingly, brands are storing cardholder data in numerous cloud repositories and SaaS applications. To meet compliance, it’s therefore vital to use a tool that can discover and protect this data in your cloud-based applications.
- Can discover structured and unstructured data: Card data often resides in many formats, so you need a tool that can discover both structured and unstructured data for complete protection.
- Uses automation and AI to work autonomously: IT and security teams are already overburdened by alerts and support requests. Your solution should alleviate the workload for your team – not add to it. The best-in-breed solutions use technologies like AI and machine learning to automate the data classification and protection process, so your IT team rarely needs to intervene.
- In-built auditing and reporting: Manual reporting is a time-intensive, error-prone activity. A good DLP solution will take on reporting for you, producing ready-to-go reports that are perfect for compliance audits.
How Polymer helps with PCI DSS compliance
In today’s mobile and cloud-first world, reaching PCI DSS compliance demands a new approach. That’s where Polymer comes in. Our solution gives you unparalleled visibility and control over cardholder data in your SaaS applications.
Our DLP solution uses a self-learning engine to quickly and automatically discover, classify and secure sensitive data like PCI, PII and PHI in SaaS applications. Our unique algorithm is in-built with special capabilities to identify all types of cardholder data. Then, based on the principles of zero trust, our solution ensures that only authorized, legitimate users interact with this data – remediating potential compliance violations and risky actions in real-time.
Here’s a look at how Polymer secures your cardholder data with a holistic four-pronged approach:
Dynamic user training
Polymer helps to foster a security-aware culture. Our solution nudges users when they attempt to use or share sensitive data in a way that violates compliance, so they learn for the future. This approach has proven to reduce sensitive data traffic over SaaS platforms by over 50% within four weeks.
Monitor and audit
Auditing and compliance requirements mean that organizations need to prove they know where their data is, where it’s been and how it is being used. Through reporting tools and real-time analysis capabilities, our solution streamlines the audit process so you know where data is at all times. You can also use our out-of-the-box compliance reports, which are ready for PCI DSS, HIPAA and other audits.
Contextual risk identification
Polymer’s engine takes an intelligent, contextual approach to risk identification. Based on the principles of zero trust, it discerns potential threats to data security and takes appropriate action based on the context.
Cardholder data protection
Polymer DLP discovers and protects cardholder data to ensure it is only accessed and edited by authorized, legitimate users. Using APIs, our solutions effortlessly integrate into your cloud apps and begin scanning for sensitive data – you can get set up in minutes!
No matter what format your data is in, our solutions can find it – even sensitive information in documents, chats, databases and more.
Once identified, our solution uses automation and a self-learning engine to take the most sensible, secure steps to safeguard your data as users try to access it. Actions include redaction, quarantine, blocking and alerting, depending on the threat in question.