What is PCI Compliance?

The PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements for every organization, of any size, that stores, processes or transmits payment card data. If your company accepts card payments, compliance is not optional: the card brands require it through your acquiring bank, and securing cardholder data to the standard is how you meet that obligation and limit your exposure if a breach does occur.

Why is PCI Compliance needed?

Ensuring PCI compliance helps companies keep customers' sensitive payment data secure and out of the hands of cybercriminals who would steal and misuse it. By reducing the likelihood and the impact of data breaches, PCI compliance also earns a business trust and credibility with customers and payment partners, which in turn helps the business flourish.

What are the requirements to become PCI Compliant?

The first question a new merchant asks about PCI DSS compliance is "What is PCI Compliance?". The next is what the requirements for compliance actually are.

The PCI Security Standards Council, founded by the major card brands, sets and maintains the requirements for achieving PCI compliance. There are 12 requirements, each belonging to one of six security goals (control objectives)…

Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Companies must document their firewall and router configuration standards, restrict inbound and outbound traffic to what the cardholder data environment actually needs (denying everything else), and review rule sets at least every six months. Companies that use a hosting provider must also confirm that the provider has firewalls in place around the hosted systems.

Goal- to build and maintain a secure network.


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Companies must change default passwords and remove or disable default accounts before a system goes on the network, maintain hardening standards for every system type, and disable services and protocols that are not needed. Vendor default credentials are public knowledge, so leaving them in place is one of the easiest ways for an attacker to get in.

Goal- to build and maintain a secure network.

Requirement 3: Protect stored cardholder data. Store as little cardholder data as possible and only for as long as the business needs it, and render the PAN (primary account number) unreadable wherever it is stored, using truncation, one-way hashing, index tokens or strong encryption with proper key management. When the PAN is displayed, mask it so that at most the first six and last four digits are visible to staff who do not need the full number. Sensitive authentication data (full track data, card verification codes such as CVV2, and PINs or PIN blocks) must never be stored after authorization, even in encrypted form.

Goal- to protect cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks. Cardholder data sent over the Internet, wireless networks or any other public network must be protected with strong cryptography and secure protocols (current TLS, not SSL or early TLS), and PANs must never be sent unprotected through end-user messaging such as e-mail, instant messaging or SMS.

Goal- to protect cardholder data.

Requirement 5: Protect all systems against malware and regularly update antivirus software. Antivirus or anti-malware software must be deployed on all systems commonly affected by malware, kept current, actively running, and generating audit logs that ordinary users cannot disable. Keeping it updated matters because attackers continually produce new malware. If a company depends on an MSP (Managed Service Provider) for hosting, it must make sure the MSP maintains a safe environment and keeps the audit logs the company will need.

Goal- to maintain a vulnerability management program.

Requirement 6: Develop and maintain secure systems and applications. Companies must keep track of newly discovered security vulnerabilities, rank them by risk, and install vendor security patches promptly (critical patches within one month of release). Software developed in house must follow secure development practices, including code review and protection against common web vulnerabilities such as injection and cross-site scripting, and public-facing web applications must be protected by regular application security assessments or a web application firewall. Companies must also confirm that their hosting providers monitor, patch and scan the systems they run.

Goal- to maintain a vulnerability management program.

Requirement 7: Restrict access to cardholder data by business need to know. Access to cardholder data, and to the systems that hold it, must be limited to the individuals whose job requires it, with the least privileges needed for that job, and enforced by an access control system that denies everything not explicitly allowed.

Goal- to implement access control measures.

Requirement 8: Identify and authenticate access to system components. Companies must assign a unique ID to every person with computer access so that every action can be traced to an individual; shared or generic accounts are not allowed. Authentication must follow strong practices: password management (complexity, rotation, lockout after repeated failures), prompt removal of access when people leave, and multi-factor authentication for all non-console administrative access and all remote access into the cardholder data environment.

Goal- to implement access control measures.

Requirement 9: Restrict physical access to cardholder data. Physical access to systems and media holding cardholder data must be controlled, visitors must be identified and escorted, and media must be tracked, stored securely and destroyed when no longer needed. Where the data is hosted in an off-site data center, the data center provider must ensure that only a limited number of authorized people can reach it, with entry authentication, video surveillance and access logs kept for review.

Goal- to implement access control measures.

Requirement 10: Track and monitor all access to network resources and cardholder data. Every system must produce audit trails that link each access to an individual user, capturing at least the user, event type, date and time, success or failure, origin and the affected resource. Clocks must be synchronized, logs must be protected from alteration, reviewed at least daily, and retained for at least one year with the most recent three months immediately available. Hosting providers must keep these logs for the systems they run; without them the cause and scope of a security breach cannot be established if one happens.

Goal- to regularly monitor and test networks.
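As an added example (not part of the original article and not HackerGuardian's tooling), the following Python shows two pieces of Requirement 3 and Requirement 10 in working code: masking a PAN for display (at most the first six and last four digits) and scrubbing card numbers out of log lines before they are written, so that audit trails never store a full PAN. The PAN pattern, the sample log line, the test card numbers and the helper names are assumptions made for this example; the Luhn check is the standard ISO/IEC 7812 check digit that real card numbers carry.

```python
import logging
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.  This pattern is an assumption for the
# example; card number formats are defined by the card brands, not by PCI DSS.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string is 13-19 digits long and passes the Luhn check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display.

    PCI DSS v3.2.1 requirement 3.3 allows at most the first six and last four
    digits to be shown; the same truncated form is acceptable for storage under
    requirement 3.4.  Separators are stripped before masking.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS 3.3: at most first six and last four digits may be shown")
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:] if keep_last else ""
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in a log line, keeping only the last four digits.

    Numbers that merely look like PANs (order IDs, timestamps) fail the Luhn
    check and are left untouched, so the log stays useful for Requirement 10
    review without ever storing a full card number.
    """
    def _replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits, keep_first=0) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_replace, text)


class PanRedactingFilter(logging.Filter):
    """Logging filter that scrubs PANs from every record before any handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample log line: a well-known test PAN next to a 16-digit order ID.
    line = "2024-03-01T12:00:00Z payment ok card=4111 1111 1111 1111 order=1234567890123456"
    print(mask_pan("4111111111111111"))  # 411111******1111
    print(redact_pans(line))             # card=************1111, order ID unchanged

    # Attach the filter to the logger so every handler sees a scrubbed message.
    log = logging.getLogger("payments")
    log.addFilter(PanRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log.info("refund for card=%s amount=%s", "5500000000000004", "12.99")
```

The filter is attached to the logger rather than to a single handler so that a later-added file or syslog handler cannot bypass it. Redaction at write time is a safety net, not a substitute for never passing the full PAN into logging calls in the first place, and it does nothing for data already written; scan existing log archives separately.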

Requirement 11: Regularly test security systems and processes. This means quarterly internal vulnerability scans, quarterly external scans performed by an Approved Scanning Vendor (ASV) with rescans until a passing result is obtained, internal and external penetration testing at least annually and after significant changes, quarterly checks for rogue wireless access points, and intrusion detection plus file-integrity monitoring to spot changes to critical files. A hosting provider should test the parts of the environment it controls, but the company remains responsible for confirming that its customers' cardholder data is secure.

Goal- to regularly monitor and test networks.

Requirement 12: Maintain a policy that addresses information security for all personnel. Companies must keep a written information security policy covering acceptable use of technology, an annual risk assessment, operational security procedures, security awareness training, screening of personnel, management of service providers, and an incident response plan that is tested at least annually. Hosting providers must document the processes they perform on the company's behalf and acknowledge in writing their responsibility for the cardholder data they handle.

Goal- to maintain an information security policy.

How Hackerguardian helps companies ensure PCI Compliance...

  • Offers a fully configurable vulnerability assessment and reporting service for any network or web server.
  • Runs remote vulnerability scans, with over 60,000 individual security tests against an organization's servers, and then provides expert advice to help fix the vulnerabilities found.
  • Provides free access to Hackerguardian Online SAQ (Self Assessment Questionnaire), with live support. Helps companies submit their annual SAQ on time along with their Attestation of Compliance.
  • Simplifies PCI DSS compliance reporting by providing an official scan compliance report after every passing scan. A passing external scan satisfies the quarterly ASV scan part of Requirement 11; the report is evidence attached to the SAQ or Report on Compliance, not a certification of the whole program.