PCI Data Security Standard (DSS)
What are the Payment Card Industry Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is an evolving global framework for safeguarding payment card data, such as primary account number (i.e. credit card number), expiration date, card verification code, and other associated data. It is published and maintained by the Payment Card Industry Security Standards Council (PCI SSC) along with other standards and supplemental resources. PCI DSS is enforced contractually by payment brands such as Visa, MasterCard, Discover, and American Express, as well as financial institutions that process payment transactions on behalf of merchants. PCI DSS defines 12 high-level requirements for protecting payment card data, each of which includes multiple sections, requirements, testing procedures, and supporting guidance.
Who is the intended audience?
Per PCI DSS v4.0, this standard is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or that could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers. Whether any entity is required to comply with or validate their compliance to PCI DSS is at the discretion of those organizations that manage compliance programs (such as payment brands and acquirers).
Where can I find more information?
The following resources can be found on the PCI Security Standards Council website:
How can runZero help me with these controls?
The following illustrates how runZero aligns with each of the 12 high-level requirements defined in PCI DSS v4.0. Where Strong alignment is noted, runZero can play a significant role in helping an organization implement safeguards. Where Partial alignment is noted, runZero can play a complementary role in helping an organization implement safeguards.
|Install and Maintain Network Security Controls
|Apply Secure Configurations to All System Components
|Protect Stored Account Data
|Protect Cardholder Data with Strong Cryptography During Transmission
|Protect All Systems and Networks from Malicious Software
|Develop and Maintain Secure Systems and Software
|Restrict Access to System Components and Cardholder Data by Business Need to Know
|Identify Users and Authenticate Access to System Components
|Restrict Physical Access to Cardholder Data
|Log and Monitor All Access to System Components and Cardholder Data
|Security of Systems and Networks Regularly
|Support information security with organizational policies and programs