PCI DSS Compliance

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements intended to safeguard cardholder data for credit and debit cards. The PCI Security Standards Council, an organization created by the major card brands (Visa, MasterCard, American Express, Discover and JCB International), published PCI DSS after a series of very public security breaches. Most if not all banks and other organizations that handle payment card transactions, including businesses, government agencies and institutions, have adopted PCI DSS as a normal course of business practice to ensure that systems which store, process or transmit cardholder data meet a baseline set of security conditions. Compliance with PCI DSS requirements reduces the likelihood of card fraud and identity theft. PCI DSS v3.1, released in April 2015, is the current version of the standard.

The 12 top-level requirements of PCI DSS are:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Report on PCI DSS Compliance with ease; Compliance assurance achieved

How Is PCI Enforced?

It is a common misconception that PCI DSS is a government regulation enforced by a regulatory commission or body. It is not: no federal statute mandates it (a handful of U.S. state laws reference it), and no government agency polices it. That does not make it optional in practice. PCI DSS is enforced contractually: the acquiring bank and the card brands require compliance as a condition of the merchant agreement, so it would be all but impossible to operate a business that accepts or processes credit or debit cards without it. As an example, if you ran an online store that accepted Visa payments, Visa (through your acquirer) would require that whoever processes those transactions, whether you or a third-party processor, comply with PCI DSS v3.1. If you were found to be non-compliant you could be fined, have your merchant processing suspended or, worse, terminated. While there is no PCI police, rest assured the last thing you want after a breach is to be scrambling to prove to your bank that you were compliant. The moral of the story: obtain PCI DSS compliance assurance before any signs of compromise surface.

How is the PCI DSS standard structured?

PCI DSS has the typical structure of a technical standard: it defines common terminology, provides guidance for implementing the standard, and then describes the technical requirements organizations must adhere to. PCI DSS v3.1 groups its controls into six major security control areas, with 12 top-level requirements under those six areas and hundreds of detailed sub-requirements in a hierarchy beneath them. It is important to note that the scope of your compliance obligation depends on what you can reasonably be held accountable for. For example, a merchant that does not store, process, transmit or otherwise have access to cardholder data (say, because checkout is fully outsourced to a third-party processor) would likely need to satisfy only a subset of the requirements, but would still have to confirm and document (requirement 12.8) that any outsourcer or third party handling cardholder data on its behalf is fully compliant.

The standard comprises the 12 requirements listed above. The table below maps the requirements that Promisec Endpoint Manager addresses to the PCI DSS 3.1 sub-requirements it covers (a "yes" marks Promisec Endpoint Manager coverage; the "Other EDR Solutions" and "SIEM" comparison columns of the source table carried no entries).

PCI DSS 3.1 requirement                                                                       Sub-requirement(s)   Promisec Endpoint Manager
1   Install and maintain a firewall configuration to protect cardholder data                  1.4                  yes
2   Do not use vendor-supplied defaults for system passwords and other security parameters    2.2, 2.4             yes
5   Protect all systems against malware and regularly update anti-virus software or programs  5.1, 5.2             yes
6   Develop and maintain secure systems and applications                                      6.1                  yes
7   Restrict access to cardholder data by business need to know                               7.1                  yes
10  Track and monitor all access to network resources and cardholder data                     10.5.5               yes

Promisec support for PCI requirement 1
Sub-requirement 1.4 calls for personal firewall software (or equivalent functionality) on portable computing devices that connect to the Internet from outside the network and are also used to access the cardholder data environment.
Value provided: Promisec verifies that all endpoint firewalls are active, configured to organizational standards and not alterable by employees.

Promisec support for PCI requirement 2
Sub-requirement 2.2 calls for configuration standards for all system components that are consistent with industry-accepted hardening standards (for example CIS, ISO, SANS or NIST); 2.4 calls for an inventory of the system components that are in scope for PCI DSS.
Value provided: Promisec can enforce a golden image based on a CIS, NIST or SANS benchmark or on an internal standard. Customers can quickly determine which endpoints deviate from the golden image and then correct the misconfiguration.
Value provided: Promisec can identify all hardware and software components installed on a network, and custom definitions can be included in inventory listings.

Promisec support for PCI requirement 5
Sub-requirement 5.1 calls for anti-virus software on all systems commonly affected by malware; 5.2 calls for those anti-virus mechanisms to be kept current, to perform periodic scans and to generate audit logs.
Value provided: Promisec can verify that anti-virus software is installed, fully operational and running on all PCs, laptops and servers, and can remediate inoperative AV installations. Promisec can also identify installed or running applications flagged as malicious.
Value provided: Promisec can verify that anti-virus signatures are current and that the software is actively running.

Promisec support for PCI requirement 6
Sub-requirement 6.1 calls for a process to identify security vulnerabilities, using reputable outside sources, and to assign each one a risk ranking (for example high, medium or low).
Value provided: Promisec can determine the software installed on a system, list the known vulnerabilities for that software with risk scores based on the CVSS standard, and identify which systems are missing current security patches.

Promisec support for PCI requirement 7
Sub-requirement 7.1 calls for limiting access to system components and cardholder data to only those individuals whose job requires such access.
Value provided: Promisec can validate the specific users and local policies in effect on each endpoint, determine deviations from the global group policy, and then enforce any changes the customer requires.

Promisec support for PCI requirement 10
Sub-requirement 10.5.5 calls for file-integrity monitoring or change-detection software on logs, so that existing log data cannot be changed without generating an alert (new data being appended to a log should not cause one).
Value provided: Promisec can perform file integrity monitoring (FIM) on any defined set of files in the file system. For logs, it can determine when a log changed and who changed it, and raise a security event alert on any change.
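The core of what 10.5.5 asks for is change detection on logs that tolerates normal growth but alerts on anything else. The script below is an added illustration of that logic and is not Promisec's code or a description of how Promisec Endpoint Manager implements FIM. It baselines a directory of log files by SHA-256 and size, then classifies each file on re-scan: a file whose original bytes are intact and that has only grown is an append (no alert), while a rewrite in place, a truncation, a deletion or an unexpected new file each raise an alert. The directory layout, file names and log lines are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Baseline: relative path -> (SHA-256 of the whole file, size in bytes at baseline time)
Baseline = Dict[str, Tuple[str, int]]
CHUNK = 65536


def sha256_prefix(path: Path, length: Optional[int] = None) -> str:
    """SHA-256 of the first `length` bytes of a file (whole file when length is None)."""
    h = hashlib.sha256()
    remaining = length
    with path.open("rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> Baseline:
    """Record hash and size of every file under root.
    In production the baseline is stored where the monitored host cannot write to it."""
    rootp = Path(root)
    return {
        p.relative_to(rootp).as_posix(): (sha256_prefix(p), p.stat().st_size)
        for p in sorted(rootp.rglob("*"))
        if p.is_file()
    }


def compare(root: str, old: Baseline) -> Dict[str, str]:
    """Classify each file relative to the baseline.

    'appended'  : file grew and the original bytes are intact (normal log growth; no alert)
    'modified'  : same or larger size but the original bytes changed (rewrite in place)
    'truncated' : file is shorter than at baseline (log cleared or rewritten shorter)
    'added' / 'removed' / 'unchanged'
    """
    rootp = Path(root)
    new = take_baseline(root)
    verdicts: Dict[str, str] = {}
    for rel, (old_hash, old_size) in old.items():
        if rel not in new:
            verdicts[rel] = "removed"
            continue
        new_hash, new_size = new[rel]
        if new_hash == old_hash:
            verdicts[rel] = "unchanged"
        elif new_size < old_size:
            verdicts[rel] = "truncated"
        elif sha256_prefix(rootp / rel, old_size) == old_hash:
            verdicts[rel] = "appended"   # old content is a prefix of the new content
        else:
            verdicts[rel] = "modified"
    for rel in new:
        if rel not in old:
            verdicts[rel] = "added"
    return verdicts


def alerts(verdicts: Dict[str, str]) -> Dict[str, str]:
    """Only the verdicts that should raise a security event under 10.5.5."""
    return {p: v for p, v in verdicts.items() if v not in ("unchanged", "appended")}


def run_demo() -> Dict[str, str]:
    """Build a constructed log directory, baseline it, simulate growth and tampering, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed sample log lines; not taken from any real system
        (root / "auth.log").write_bytes(b"Jun  1 10:00:01 pos1 sshd[412]: Accepted publickey for alice from 10.0.0.5\n")
        (root / "app.log").write_bytes(b"2015-06-01T10:00:00Z INFO payment service started\n")
        (root / "audit.log").write_bytes(b"2015-06-01T10:00:00Z admin login from 10.0.0.5\n")
        (root / "debug.log").write_bytes(b"2015-06-01T10:00:00Z DEBUG cache warm\n")
        base = take_baseline(tmp)

        # normal operation: a new line is appended to auth.log
        with (root / "auth.log").open("ab") as f:
            f.write(b"Jun  1 10:05:22 pos1 sshd[413]: Failed password for root from 10.0.0.9\n")
        # tampering: app.log rewritten in place with a same-length line (size alone would not catch this)
        (root / "app.log").write_bytes(b"2015-06-01T10:00:00Z INFO nothing happened at all\n")
        # tampering: audit.log cleared, debug.log deleted, an unexpected file dropped in
        (root / "audit.log").write_bytes(b"")
        (root / "debug.log").unlink()
        (root / "dropper.log").write_bytes(b"not a log\n")

        return compare(tmp, base)


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{verdict:10s} {path}")
```

Two points a practitioner should take from this. The append check hashes only the first baseline-size bytes of the current file, so live logs that are legitimately growing do not page anyone, which is exactly the exception 10.5.5 carves out. The script answers what changed and when it was noticed, not who changed it; attributing a change to a user requires the operating system's audit facility (for example auditd watch rules or Windows object access auditing) feeding a log store the monitored host cannot alter.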
