PCI Compliance Requirements: Network Security

Payment card industry (PCI) compliance is a set of rules that ensures the safety of a customer’s credit card information. All businesses that receive, store, or transfer credit card information must maintain a secure environment.

Major card companies—including AMEX, MasterCard, Visa, JCB, and Discover—established the Payment Card Industry Security Standard Council (PCI SSC) to develop and manage payment card security. The SSC has many standards and supporting materials, like frameworks, tools, and resources to help organizations ensure that cardholder information is always safe.

Maintaining PCI compliance lowers the risk of data breaches, protects confidential data, and helps businesses boost their brand name. A credit card company’s security protocol is incomplete without PCI compliance, and these companies typically require and mention this in their agreements when working with one another.

PCI compliance steps for an organization

Any business that accepts credit card payments, big or small, must be PCI compliant. This means that the organization must follow the rules set by the PCI Standards Council.

This typically involves following these five steps.

Step 1: Understand your organization’s PCI level

Any organization’s PCI level is determined based on the number of annual transactions it processes. There are four levels of PCI compliance, each with its own set of requirements, starting from level one and going up to four:

  • Level 1: An organization with more than 6 million transactions per year that has also been the victim of a breach that compromised card holders’ confidential data.
  • Level 2: An organization processing between 1 to 6 million transactions annually.
  • Level 3: An organization that conducts 20,000 to 1 million transactions annually.
  • Level 4: An organization with an annual processing volume of under 20,000 transactions.

Step 2: Learn the 12 PCI standards

Your organization must comply with these 12 PCI Data Security Standards (DSS) to be PCI compliant:

  • Use and maintain a firewall to ensure that cardholder data is protected.
  • Instead of using default settings, protecting passwords with security measures that users can change and are unique to each user.
  • Implement both physical and virtual protection to prevent data breaches.
  • Encrypt any data about the cardholder sent through open or public networks.
  • Install, maintain, and update antivirus software.
  • Develop and maintain secure systems and apps in a way that actively searches and fixes vulnerabilities.
  • Minimize people in the organization who can access cardholder data to avoid data theft and security issues.
  • Make sure your systems authenticate and thoroughly identify users with access to sensitive information.
  • Limit access to cardholder data that you physically keep.
  • Monitor and track network resources and cardholder data using logs.
  • Test security systems and their resources regularly.
  • Ensure that all employees know and follow a firm data security policy.

Step 3: Complete self-assessment questionnaire (SAQ)

The SAQ thoroughly examines your organization’s compliance with the 12 standards specified above. Each questionnaire is a set of yes or no questions to establish how closely your firm complies with the PCI DSS criteria.

For a PCI level one organization, a PCI-approved auditor verifies its compliance with the standards. Based on your SAQ, your organization can hire an approved scanning vendor (ASV) to look for security flaws and ensure that it meets all the standards. The questionnaires differ for different businesses for levels two to four, guided by the level of compliance you must meet and the number of transactions you have per year.

Step 4: Protect cardholder data and your network

At its core, preventing untrusted parties from gaining access to sensitive data is the most fundamental aspect of PCI compliance. After installing and configuring the security system, have your employees set up a strict password policy. Tokenizing sensitive card data allows businesses to keep it safe and secure.

Step 5: Complete official attestation of compliance (AOC) form and submit documentation to credit card companies

Last but not least, step five is crucial for completing the PCI compliance process. Organizations use the AOC form to certify that their PCI DSS evaluation—as indicated in an SAQ or PCI compliance report—has been a success.

Then, you submit SAQ, ASV, and AOC reports to financial institutions, such as banks and credit card firms, and to all the companies with which your organization does business.

You must carry out a yearly PCI audit with a qualified security assessor (QSA) or the company’s internal security assessor. A PCI audit evaluates the security of your company’s payment software from all aspects.

To be compliant, your organization must meet up to 281 standards listed in the 12 PCI DSS requirements to receive a Report on Compliance (ROC). Initial audits can take two years, and self-assessment can take up to a year.

The PCI audit process has three steps.

1. Scoping

Scoping defines the assessment parameters for your PCI audit. The organization’s crucial task is to pin down all sites and workflows with cardholder data. Annually scope all systems before your assessment, as PCI Audit is yearly.

2. On-site audit assessment

To analyze network security, along with all its devices, policies, and protocols, QSA carries out a comprehensive onsite audit evaluation.

The QSA’s duties are to:

  • Guide and approve the evaluation scope.
  • Document and verify all organizational and technical documentation.
  • Ensuring the use of PCI data security protocols.
  • Guide your organization through the audit process.
  • Determine whether PCI DSS standards are satisfied.
  • Attend the whole audit process.
  • Submit a detailed final report.

3. Continue monitoring PCI standards

To maintain compliance with the PCI DSS, organizations must regularly monitor their network systems, policies, and activities. Many organizations perform routine PCI scanning, pen testing, and event log monitoring to ensure that all PCI data security measures are according to standards.

Trend Micro Cloud One – All in One Cloud Security meets the needs of your cloud and security teams alike with CNAPP capabilities that provide connected protection throughout your entire cloud environment. Part of the Trend Micro One unified cybersecurity platform, Trend Micro Cloud One™ delivers thoughtful application security from commit to runtime across all major providers, esnsures compliance, audit readiness, and integrates with the DevOps tools your organization already uses.