
Understanding PCI DSS Compliance


According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities based on the risk associated with storing, processing, and transmitting cardholder data. Some requirements also mandate the use of approved vendors, such as Approved Scanning Vendors (ASVs) for vulnerability scanning.

PCI DSS Compliance tools help to automate and accelerate the Prioritized Approach to PCI DSS Compliance when teams feel their objectives are bogged down in manual effort and self-attestation that isn’t trackable or reportable outside of spreadsheets. 

The roadmap helps organizations achieve compliance, establish milestone target controls, and lower the risk of a cardholder data breach earlier in the compliance process; it also helps acquirers objectively measure PCI DSS compliance activities and risk reduction by merchants, service providers, and others.

The Prioritized Approach for PCI DSS compliance was devised after factoring data from actual breaches and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors. 

PCI DSS Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data

Your firewall must be capable of thoroughly and accurately controlling traffic in and out of your network. Both routers and firewalls are within the scope of PCI DSS Requirement 1 as long as they are used in the cardholder data environment.

PCI compliance tools can help track how often you test your firewalls and determine compliance against these requirements.

Formalize the process by which you test your firewalls at a set cadence. Identify all possible wireless and wired connections to cardholder data. Review your firewall and router settings at least every six months.

Restrict access points between any system component in the CDE and the public internet.

Install personal firewall software on all employee-owned mobile devices and computers. These devices must be protected if they use your company's internet connection to access the organization's network and sensitive data.

PCI DSS Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks

Merchants that process this data, for example through a point-of-sale system, and similar service providers must ensure the safety and security of sensitive information when offering their products and services, especially when that information travels across unprotected networks. Information security organizations can face specific challenges with PCI DSS Requirement 4.

All vulnerable encryption protocols must be removed while keeping cardholder data protected as it is entered into publicly accessible e-commerce or cloud-based ordering systems. Fax, email, and end-user messaging systems are unencrypted and therefore unprotected; keep debit and credit cardholder data out of them. PCI compliance tools can help organizations maintain their posture against these controls while minimizing duplicative effort across other frameworks and industry standards by mapping requirements to the corresponding controls in other compliance frameworks.

PCI DSS Requirement 8.3: Two-Factor or Multi-Factor Authentication

We know that passwords alone are no longer sufficient to secure access to sensitive data. Compromised passwords are the leading cause of data breaches, according to the 2016 Verizon Data Breach Investigations Report. PCI DSS version 3.2 changed the two-factor authentication (2FA) requirement to multi-factor authentication (MFA), clarifying that you are not limited to only two factors. Anyone with access to the cardholder data environment (CDE) has to use multi-factor authentication, whether they are working remotely or on-premises.

Pick two or more of these methods to be PCI DSS compliant with this requirement:

  • A password or passphrase
  • A physical device, such as a smart card or token
  • A retinal or fingerprint scan
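The following is an added example, not code from this article or from CyberStrong, showing what "two or more factors" looks like in practice: a login that only succeeds when a password (something you know) and a time-based one-time code from a token or authenticator app (something you have, RFC 6238 TOTP built on RFC 4226 HOTP) are both correct. The user record, salt, password and TOTP seed are constructed for the example; the seed is the RFC 4226/6238 test seed so the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed sample user record (not real credentials). The TOTP seed is the
# RFC 4226/6238 test seed, so the codes can be compared with the RFC tables.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", SALT, 100_000),
        "totp_seed": b"12345678901234567890",
    },
}


def verify_password(username: str, password: str) -> bool:
    """Factor 1, something you know: PBKDF2 hash compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    record = USERS.get(username)
    if record is None:
        # The hash above already ran, so an unknown user costs the same time
        # as a wrong password and does not leak which usernames exist.
        return False
    return hmac.compare_digest(candidate, record["pw_hash"])


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second step."""
    return hotp(seed, unix_time // step)


def verify_totp(username: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2, something you have: accept the current time step plus or
    minus `window` steps to tolerate clock drift between server and token."""
    record = USERS.get(username)
    if record is None:
        return False
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(record["totp_seed"], counter + d), code)
        for d in range(-window, window + 1)
    )


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated: a stolen password alone fails, and a
    leaked one-time code alone fails too."""
    pw_ok = verify_password(username, password)
    otp_ok = verify_totp(username, code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this step is 287082
    pw = "correct horse battery staple"
    print("password only:", authenticate("alice", pw, "000000", t))
    print("both factors :", authenticate("alice", pw, totp(USERS["alice"]["totp_seed"], t), t))
```

The drift window is the usual trade-off: a wider window keeps users with slow clocks from being locked out but lets each code stay valid longer, so one step on either side is a common default. Note that a password plus a second password is still one factor; the second element must be a different category from the list above.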

Contact us to learn how CyberStrong can support your alignment with PCI DSS.
