What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements intended to safeguard credit and debit card data. The PCI Security Standards Council, an organization created by the major credit card brands (Visa, MasterCard, American Express, Discover and JCB International), created the PCI DSS standard after a series of very public security breaches. Most if not all banks and other organizations that manage financial transactions — including businesses, government agencies and institutions — have adopted the PCI DSS as a normal course of business practice to ensure that security conditions are met for systems that handle credit and debit card transactions. Compliance with PCI DSS requirements reduces the likelihood of identity theft and other forms of fraud. PCI DSS V.3.1 is the current version of the standard, taking effect in 2015.
Control areas shown in the overview graphic: vendor default controls; data transmission encryption; anti-virus / anti-malware control; system / application security; data access controls; physical access controls; monitoring and audit; information security policy.
How Is PCI Enforced?
It is a common misconception that PCI DSS compliance is a regulated standard enforced by a government regulatory commission or body. On the contrary, PCI is completely optional at this point. However, this optional nature does not imply that it is unimportant. While there is no government regulation that would be violated by non-compliance, it would likely be all but impossible to operate a business that processes or accepts credit or debit cards, since the banks or card brands you accept would almost certainly stipulate PCI compliance in their contract as a condition of processing the transactions. As an example, if you ran an online store that accepted VISA payments, VISA would require you to ensure that your online processor (whether you or a third-party processor) complies with PCI DSS V.3.1. If you were found to be non-compliant, you might be fined or have your merchant processing suspended or, worse, terminated. While there is no PCI police, rest assured that the last thing you want to be doing during a breach is proving to your bank that you are PCI compliant. The moral of the story: obtain PCI DSS compliance assurance before any signs of compromise surface.
How is the PCI DSS standard structured?
PCI DSS has the typical structure of a technical standard: it defines common terminology, provides some guidelines for implementing the standard, and then describes the technical requirements organizations must adhere to. PCI DSS v.3.0 has six major security control areas, with 12 top-level requirements directly under those six areas and hundreds of detailed technical requirements in a hierarchy under the top-level requirements. It is important to note that PCI compliance is scoped to what you can reasonably be held accountable for. As an example, if you are a merchant that does not process, store, have access to, or directly transmit cardholder data, then you would likely not be required to be completely PCI compliant yourself but only to meet a subset of the requirements; however, you would still need to account for full compliance by any outsourcer or third party that processes cardholder data on your behalf.
The standard consists of 12 requirements; the table below lists the ones addressed by Promisec Endpoint Manager, compared with other EDR solutions and SIEM:
| PCI DSS 3.1 Requirement | Promisec Endpoint Manager | Other EDR Solutions | SIEM |
|---|---|---|---|
| 1. Install and maintain a firewall configuration to protect cardholder data | Supported (1.4) | yes | |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | Supported (2.2) | yes | |
| 5. Protect all systems against malware and regularly update anti-virus software or programs | Supported (5.1) | yes | |
| 6. Develop and maintain secure systems and applications | Supported (6.1) | yes | |
| 7. Restrict access to cardholder data by business need to know | Supported (7.1) | yes | |
| 10. Track and monitor all access to network resources and cardholder data | Supported (10.5.5) | yes | |