Fortinet Acquires Next DLP Strengthens its Top-Tier Unified SASE Solution Read the release
Updated: May 29, 2024   |   Stefan Jarlegren

22 Compliance experts & cybersecurity professionals share the best practices for meeting PCI compliance requirements

Go back

Any business that processes credit or debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS). First introduced in 2004, it’s been in place for nearly two decades, but meeting PCI compliance requirements is still challenging for some businesses.

In this post, we’ll discuss the PCI compliance requirements and share best practices from industry experts to help you implement and maintain the right systems and processes to keep cardholder data safe — and your business in compliance. 

In this article:

What are PCI compliance requirements? 

PCI compliance requirements are a set of technical and operational standards that businesses must adhere to if they accept, handle, store, or transmit payment card data. The PCI Security Standards Council develops the standards and provides resources and guidance to ensure the safety of cardholder data.

Currently, there are 12 PCI compliance requirements, including:

  1. Install and maintain a network firewall to protect cardholder data.  
  2. Change vendor-supplied default passwords and other security parameters.
  3. Protect cardholder data in storage.
  4. Encrypt cardholder data in transit over public networks.
  5. Implement antivirus software and keep it up to date.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a need-to-know basis.
  8. Assign a unique ID to all individuals with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor access to cardholder data and network resources.
  11. Test security systems and processes regularly.
  12. Maintain an information security policy for all personnel. 

The specific obligations of a company to provide proof of compliance vary based on the company’s merchant level, which is based on the number and type of payment card transactions processed annually. 

Experts share best practices for meeting PCI compliance requirements

To give you a better understanding of the PCI compliance requirements and the safeguards and processes you can put in place to ensure ongoing compliance, we reached out to a panel of compliance experts and cybersecurity professionals and asked them to answer this question: 

“What are the best practices for meeting PCI compliance requirements?”

Meet Our Panel of Compliance Experts & Cybersecurity Professionals: 

Keep reading to learn what our panel had to say about the best practices you should implement to ensure your business’s PCI compliance.


Phillip Parker

Phillip Parker

@PaymentOptions

Phillip Parker is the founder of CardPaymentOptions.com, a blog dedicated to helping business owners comply with card payment standards. He has been consulting businesses on all things credit card processing for over 15 years.

“To meet PCI compliance requirements, it's essential to follow best practices…”

  1. Understand your scope: Determine which systems, networks, and processes are involved in storing, processing, or transmitting cardholder data. This will help you identify areas that need to be compliant with PCI DSS.
  2. Secure your network: Implement a robust firewall and router configuration to protect cardholder data, as well as maintain up-to-date antivirus software and intrusion detection/prevention systems.
  3. Encrypt data transmission: Use strong encryption and secure protocols, such as SSL/TLS, when transmitting cardholder data over open, public networks.
    Securely store cardholder data: Only store the data that is absolutely necessary for your business, and ensure that it is properly encrypted and secured.
  4. Implement strong access control measures: Control access to cardholder data by implementing a strong authentication system, such as multi-factor authentication, and restrict access to only those who require it for their job roles.
  5. Regularly monitor and test networks: Track and monitor all access to cardholder data and network resources. Conduct regular vulnerability scans and penetration tests to identify and address potential weaknesses.
  6. Maintain an information security policy: Establish, maintain, and regularly update a formal information security policy that is accessible to all employees and includes clear guidelines and expectations for handling cardholder data.
  7. Conduct risk assessments: Perform regular risk assessments to identify and address potential threats and vulnerabilities in your environment.
  8. Train employees: Educate your employees about PCI DSS requirements and their responsibilities in maintaining a secure environment.
  9. Work with Qualified Security Assessors (QSAs): Consult with QSAs, who are certified by the PCI Security Standards Council, to help you achieve and maintain compliance.
  10. Validate compliance: Regularly complete the appropriate Self-Assessment Questionnaire (SAQ) or undergo an annual Report on Compliance (ROC) audit, depending on your organization's size and transaction volume.
    Maintain a vulnerability management program: Regularly update software, apply patches, and monitor for new vulnerabilities.

Harman Singh

Harman Singh

@DigitalAmli

Harman Singh is the Director at Cyphere, a cybersecurity services company helping customers protect their most prized assets across the UK and US.

“When it comes to meeting PCI compliance requirements, there are several best practices you can follow to ensure your business is secure and protected…” 

Here are a few tips:

  1. Never store sensitive data longer than necessary: This means that you should only keep sensitive data such as credit card information for as long as you need it. Once you no longer need it, ensure that it is securely destroyed.
  2. Keep your software up to date: Regularly update your software to ensure that any known vulnerabilities are patched. This includes operating systems, web servers, and any other software that you use to process payments.
  3. Use strong passwords and multi-factor authentication: Passwords should be complex and difficult to guess. Using multi-factor authentication adds an extra layer of protection, making it much harder for unauthorized users to access your sensitive data.
  4. Regularly monitor your systems: Keeping an eye on your systems can help you detect any suspicious activity early on. Make sure you have the tools in place to monitor your network for any unusual activity.

By following these best practices, you can help ensure that your business is meeting PCI compliance requirements and keeping your customers' data safe.


James Clack

James Clack

James Clack runs ClackTECH, an IT firm focused on infrastructure, cybersecurity, CCTV, access control, and long-range PtP/PtMP links.

“My personal best practices for meeting and exceeding PCI compliance are…”

  • Understand the hardware being used in your network(s).
  • Keep POS/card data networks separate from private/guest networks.
  • Keep a strict log of all hardware in POS/card data networks and when hardware is replaced.
  • Implement a procedure managers must follow consistently if you are designating managers to replace equipment in the field.
  • Keep visual network diagrams and data flow diagrams up to date, review at minimum once a year and make changes as necessary.
  • Use a single firewall, switch, and WiFi infrastructure vendor (such as Cisco Meraki, SonicWALL, Fortinet, etc.).
  • Review your whitelist of card processing networks at a minimum once a year or when new POS equipment is ordered.
  • Keep your network wiring organized and clean; do not let wiring become a bowl of spaghetti.

Whether you're running a single location or multiple locations, it's important to have someone who understands network security to review the system you're using and configure the proper networks and VLANs necessary to keep all networks separate. For small businesses, it may be an upfront cost of $750-$3,000 for the correct hardware, configuration, and initial testing. 

Some POS companies bundle preconfigured firewalls with their systems, such as Toast. Toast includes for small locations a Cisco Meraki Z3 firewall. Though this firewall does not have a high firewall throughput, it is more than enough to handle an entire POS system and reduces the management costs and PCI compliance on smaller operations.

Due to the geographical footprint of our larger clients, we created custom documents with detailed visual diagrams and procedures for upper management to handle the physical installation of hardware inside the card data networks. It is important your managers have the proper documentation and a consistent configuration at all locations. We use color-coordinated ethernet cables that match the colors on diagrams, visually matching which ports are connected easily.

Using a single vendor for your firewall, switch, and WAPs will not alone give you PCI, but it is a practice that can prevent confusion, prevent mismanagement, and streamline making changes to your networks. With multiple hardware configurations, you may need to repeat firewall modifications, create additional diagrams, and may increase your PCI compliance costs with authorized auditors. 

Our yearly audit for one client has been cut almost in half by using a single POS platform and single network structure as now they no longer must make two separate sample visits for the separate configurations.

Organization is an absolute must at all locations. I have visited multiple locations where wires are in big tangles, and a large issue is based solely on a manager plugging the wrong cable into the wrong port. 

Color coordinating cables will allow your managers to visually troubleshoot in the field quickly with the assistance of IT. Keeping all cables organized also reduces the risk of cables simply coming unplugged just from normal everyday work. 

I always insist on using a wall-mounted rack in our buildouts, keeping the wiring organized, and keeping it away from where employees would be handling daily business tasks unrelated to the network.

Keeping all documentation of whitelists and logs of hardware changes is the most important item on the list. Documenting every action in whatever manner the IT team sees fit for your business structure is key to staying not just compliant but truly secure. 

Whether you choose to use a highly modified Excel spreadsheet or an asset management platform, you must know what hardware is installed, when it was installed, and when unused hardware was decommissioned.

Your whitelist documentation must be up to date, and old whitelist documents must be archived and clearly marked not for use once the whitelist document becomes outdated or changed. 

If you are a franchisee, follow all requirements of your franchise agreement when it comes to PCI compliance. Should there be a data breach due to improper hardware being used, you may be found in violation of your franchise agreement. 

On top of a fine for not following PCI-compliant measures, you could lose your franchise and be forced to sell your franchise to new owners. Collaboration between cybersecurity vendors and POS providers before, during, and after major implementations is crucial to ensure your network remains secure.


Youssef EL ACHAB

Youssef EL ACHAB

@ITCORGCertif

Youssef EL ACHAB is Cloud Security/DevOps consultant at ITCORG Certificate, a blog about IT, IT certifications, Cloud and DevOps.

“Here are some of the best practices for meeting PCI compliance requirements…”

  • Segment your network: Use firewalls to segment your network, ensuring that sensitive data is only accessible to authorized personnel.
  • Maintain secure passwords: Use strong, unique passwords and implement two-factor authentication to ensure that only authorized personnel can access sensitive data.
  • Encrypt sensitive data: Use encryption to protect sensitive data both in transit and at rest, ensuring that even if the data is stolen, it remains secure.
  • Regularly update systems: Keep all hardware and software up to date with the latest security patches and updates to avoid vulnerabilities.
  • Conduct regular security audits: Regularly perform security audits to ensure that all systems and processes are up-to-date and secure.
  • Limit access to sensitive data: Limit access to sensitive data on a need-to-know basis, ensuring that only authorized personnel have access.
  • Implement intrusion detection and prevention systems: Use intrusion detection and prevention systems to monitor for any suspicious activity and respond quickly to any potential threats.
  • Provide security awareness training: Educate all employees on the importance of security and the potential risks of not complying with PCI requirements.

By implementing these best practices, you can ensure that your organization meets PCI compliance requirements and sensitive data remains secure.


Ovidiu Cical

Ovidiu Cical

@OvidiuCical

Ovidiu Cical is the CEO & Co-founder at Cyscale. The company's goal is to assist businesses of all sizes in establishing, improving, and maintaining their Cloud Security Program based on industry best practices.

“In transit as well as at rest, everything PCI must be encrypted…”

TLS v1.2 or later should be used by businesses as SSL and earlier versions of TLS are no longer regarded as being secure enough. It is standard practice to substitute card numbers with random tokens to encrypt them, rendering them illegible to unauthorized parties.

To prevent the data from being intercepted by attackers when dealing with PCI in transit, you might want to think about using point-to-point encryption (P2PE) technology. Scanning your repository for any PCI that is not encrypted regularly is a smart idea.


Alexandre Robicquet

Alexandre Robicquet

Alexandre Robicquet is the CEO and co-founder of Crossing Minds. He holds two Master’s degrees from ENS Paris Saclay in Mathematics and Machine Learning and has since received a third in Artificial Intelligence. 

“Restricting access only to need-to-know parties is one best practice for PCI compliance…”

The PCI DSS strictly mandates that access to any cardholder information must be restricted to only those parties that need to know it.

These roles must also be tightly documented and updated frequently to stay compliant. Unless the party is part of the need-to-know group, cardholder data never should be shared otherwise.


Percy Grunwald

Percy Grunwald

Percy is the co-founder of Hosting Data with 6+ years’ experience delivering and maintaining applications on the web, including architecture design, full stack development as well as infrastructure management and automation.

“PCI DSS (Payment Card Industry Data Security Standard) is a set of guidelines and requirements designed to ensure the security of credit card transactions and protect cardholder data…”

Here are some best practices to meet PCI compliance requirements:

  • Use a secure network: To ensure a secure network, you should use a combination of encryption and firewalls to protect cardholder data during transmission and prevent unauthorized access. This can include using strong encryption protocols such as TLS to secure cardholder data during transmission over networks, implementing firewalls to prevent unauthorized access to your network, and disabling unnecessary network services and protocols that could increase the risk of vulnerabilities.
  • Implement secure coding practices: Secure coding practices are critical in ensuring that your payment system is secure and meets PCI compliance. This includes regularly testing your code for vulnerabilities using tools like static and dynamic code analysis, using secure coding practices such as input validation, output encoding, and access controls, and keeping your code up-to-date with the latest security patches and software updates to reduce the risk of vulnerabilities.
  • Restrict access to cardholder data: Access to cardholder data should be limited to authorized personnel only. To achieve this, you should implement access controls to limit access to cardholder data based on roles and responsibilities, log access to cardholder data and regularly review access logs to ensure that only authorized personnel have accessed it, and use two-factor authentication for access to cardholder data where possible.
  • Regularly update and patch systems: Keeping your systems up-to-date with the latest security patches and software updates is essential to reduce the risk of vulnerabilities. This includes regularly updating your operating system, applications, and firmware to the latest versions and implementing a patch management process to ensure that all security patches are applied on time.
  • Use strong passwords: Strong passwords are essential to prevent unauthorized access to your payment system. To ensure strong passwords, you should require complex passwords with a mix of upper and lowercase letters, numbers, and special characters, implement password expiration policies to ensure that passwords are regularly changed, and use two-factor authentication for user accounts where possible.
  • Regularly monitor and test systems: Regularly monitoring and testing your payment system is critical to identify any security vulnerabilities or breaches. This includes implementing regular vulnerability scanning and penetration testing to identify any security vulnerabilities, monitoring your network for unusual activity and implementing intrusion detection and prevention systems, and regularly reviewing security logs and incident reports to identify any security incidents.
  • Develop and maintain information security policies: Developing and maintaining information security policies is essential to ensure that all personnel understand their roles and responsibilities in protecting cardholder data. This includes developing policies that clearly outline how cardholder data is handled and protected and regularly reviewing and updating policies to ensure that they remain relevant and effective.
  • Train employees on information security: Regularly training employees on information security best practices is critical to prevent data breaches. This includes training employees on how to identify and prevent social engineering attacks, providing regular training on security policies and procedures, and regularly testing employees' knowledge of information security best practices.

By following these best practices, you can help ensure that your payment system meets the PCI compliance requirements and that you are protecting cardholder data from unauthorized access and breaches.


Camila Serrano

Camila Serrano

Camila is the Chief Security Officer of MediaPeanut.

“The best practices for meeting PCI compliance requirements involve…”

Implementing a comprehensive security framework that safeguards sensitive cardholder data throughout its lifecycle. Are we maintaining a secure network infrastructure to protect cardholder data? Are we regularly monitoring and testing our systems?

Let’s explore some scenarios from work to illustrate these practices.

  • One example is ensuring that all network connections and systems are properly segmented and isolated to prevent unauthorized access to cardholder data. By implementing strong network segmentation measures, we can minimize the risk of an attacker gaining widespread access to sensitive information.
  • Another essential practice is implementing robust access controls and authentication mechanisms. This includes utilizing multi-factor authentication, enforcing strong password policies, and regularly reviewing and revoking unnecessary privileges. These measures help ensure that only authorized individuals can access and handle cardholder data.
  • Regularly monitoring and testing systems is crucial. Conducting vulnerability assessments and penetration testing can identify and address any vulnerabilities in our infrastructure and applications. By proactively detecting and patching potential weaknesses, we can mitigate the risk of data breaches and maintain a secure environment.
  • Maintaining comprehensive logging and log management processes is also essential. It allows us to monitor system activity, detect suspicious behavior, and investigate any potential security incidents effectively. By reviewing and analyzing logs, we can identify and respond to threats promptly.
  • Establishing and maintaining an information security policy that covers all aspects of PCI compliance is critical. This policy should outline roles and responsibilities, security awareness training, incident response procedures, and ongoing compliance monitoring. Regular employee training and awareness programs help foster a security-conscious culture across the organization.
  • Last, engaging an external Qualified Security Assessor (QSA) can provide an objective evaluation of our compliance efforts. Their expertise can help validate our practices, identify any gaps, and provide recommendations for improvement.

By implementing these best practices, we show our commitment to protecting cardholder data, build customer trust, and maintain compliance with PCI standards. Safeguarding sensitive information is not just a regulatory requirement; it is our responsibility as custodians of data to prioritize security at every level of our operations.


“Meeting PCI compliance requirements necessitates implementing several best practices…”

  1. Build and maintain a secure network: Implement firewalls and network segmentation. Reduce unauthorized access by 70%.
  2. Protect cardholder data: Utilize encryption protocols (e.g., AES-256 or TLS 1.3) Decrease data compromise risk by 80%.
  3. Maintain a vulnerability management program: Conduct regular vulnerability scans. Promptly patch known vulnerabilities to prevent 90% of breaches.
  4. Implement strong access control measures: Enforce multi-factor authentication. - Achieve a 99.9% reduction in account compromise risk.
  5. Regularly monitor and test networks: Employ intrusion detection systems. Perform penetration testing and proactively identify and address vulnerabilities.

By following these best practices, my first-hand experience demonstrates that organizations can effectively meet PCI compliance requirements.


Charlie Wright

Charlie Wright

Charlie Wright is an Operation Director at Epos Now.

“First, you must conduct an initial assessment of your environment and any other processes by which payment card data is obtained or stored…”

You also need to develop a plan for handling and protecting sensitive customer data through encryption and tokenization whenever possible.

Additionally, you should establish policies and procedures for regular security monitoring, testing, vulnerability scanning/management, incident response plans (for the unlikely event of a breach), backup/disaster recovery strategies, etc.

It's also important to implement adequate network segmentation to ensure that only authorized personnel can access certain systems or databases containing sensitive information. You must provide employees with proper training on security protocols such as how to handle and protect cardholder data during a transaction.

Furthermore, it's essential for organizations to maintain secure remote access protocols enabling authorization checks whenever cards are processed remotely over the Internet using strong authentication methods like multi-factor authentication tokens or biometrics, etc.

Last, but perhaps most important, is continuously strengthening cyber hygiene practices throughout your organization such as documentation of different processes associated with payment acceptance. Also:

  • Make sure all merchant accounts (if any) are up to date at all times.
  • Assess third parties regularly if they assist in cardholder data processing.
  • Review refund processes closely as well so not too many refunds occur within short periods of time (which can potentially indicate fraud activity).

These and other precautions must be taken into account in order to stay PCI compliant.


Paige Hanson

Paige Hanson

Paige Hanson is an expert in consumer and digital safety with over 15 years of experience in identity management. As a co-founder and Head of Communications and Partnership at SecureLabs, Paige has dedicated her career to protecting consumers and businesses from identity theft and cyber threats.

“Maintaining PCI DSS compliance is a continuous process, requiring regular review and updates of your security controls…”

  • Understand PCI DSS: Familiarize yourself with the 12 key requirements of PCI DSS, which span network security, data protection, vulnerability management, access control, network monitoring, and information security policies.
  • Scope Assessment: Identify all components, people, and processes that store, process, or transmit cardholder data.
  • Segmentation: Use network segmentation to isolate the cardholder data environment (CDE) from the rest of your network.
  • Data Minimization: Only store necessary cardholder data and ensure unnecessary data is not stored.
  • Encrypt Transmission: Use strong encryption for transmitting cardholder data across open, public networks.
  • Vulnerability Management Program: Regularly update and patch systems. Regularly use and update anti-virus software.
  • Access Control Measures: Restrict access to cardholder data by business need-to-know. Implement multi-factor authentication.
  • Monitor and Test Networks: Regularly test security systems and review logs for anomalies or suspicious activity.
  • Information Security Policy: Maintain an annually updated policy defining roles and responsibilities towards PCI DSS compliance.
  • Regular PCI DSS Audits: Regular audits can help identify areas of non-compliance and potential vulnerabilities.
  • Employee Training: Regularly train your employees about the importance of data security and their role in maintaining PCI DSS compliance.
  • Incident Response Plan: Develop and maintain a robust and regularly tested incident response plan.
  • Use a Platform to Manage All of the Controls: Many businesses lack adequate security frameworks and rely on outdated methods like spreadsheets. Use a company like SecureLabs, Drata, Hyperproof, OneTrust, etc. to help manage this for your business.

David Berube

David Berube

David Berube is a software developer, consultant, speaker, and writer. He is constantly researching, perfecting, and practicing his trade. His startup, "Casting Frontier," which produced a SaaS system used in the casting of commercials, television shows, and movies, was sold in 2020. He is now the president of Durable Programming, LLC, a company that focuses on maintaining custom software written by other firms.

“Listen to your vendors…”

Although the documentation from your payment processor may be dense and hard to read, carefully studying it is imperative. Using their APIs as intended and following their recommended best practices — not just what you see on StackOverflow or on Reddit — can save a lot of time and expense and quite possibly save you from an unfortunate security incident.


Diane McCarthy

Diane McCarthy

Diane McCarthy is a 20+ year transformative cybersecurity and risk management professional. Diane has held several senior information security positions in companies such as Wells Fargo, PWC, and BitSight. In her most recent role at Carbide, Diane leads the security advisory practice, working with customers to provide guidance, advisory, and workshops.

“Creating and upholding information security policies and frequent training and awareness initiatives are vital in ensuring adherence to PCI DSS responsibilities…”

Organizations can benefit from expert guidance and validation of their compliance endeavors by involving qualified security assessors (QSAs) or assistance from other PCI DSS professionals in annual PCI DSS compliance assessments.

To maintain ongoing compliance, it is important for organizations to consistently monitor, update, and enhance their security controls, conduct regular assessments, and stay informed about the latest PCI DSS requirements and modifications.

Referring to official PCI Security Standards Council resources is crucial for obtaining the most current and tailored information and guidance based on specific circumstances and compliance levels.


James Beecham

James Beecham

James Beecham is the Founder and CEO at ALTR.

“Most businesses will want to store and use PCI information to improve user experience…”

Think renewing a purchase automatically or acting as a liaison to purchases to collect coupon savings or reward points. If your user experience would be the same if you didn't have the PCI information, then you should look to outsource or offload the storage and processing of PCI information.

If your user experience would be degraded because you have to ask your user every 15 days to re-enter their CVV or PAN then storing PCI information is an advantage for your use case.

To simplify and smooth the way for PCI compliance, the first step is to limit the scope of the application or infrastructure that needs to be reviewed/approved. Choose a single database with a single container to be the sole access and processing point for PCI data.

This one decision can make the process much simpler, as there would be only one application service in scope for PCI assessment. To attain the highest PCI certification, ensure the data in that container is both secured and that the use or consumption of that data is logged and controlled.


Andrew Priobrazhenskyi

Andrew Priobrazhenskyi

Andrew Priobrazhenskyi is the CEO of DiscountReactor, an eCommerce Company.

“Encrypt cardholder data transmission over open, public networks…”

This requirement appears to be about safeguarding cardholder data when it is transmitted over open, public networks such as the internet, wireless technologies, cellular technologies, General Packet Radio Service (GPRS), and satellite communications.

When cardholder data must be shared over open, public networks, businesses should employ robust encryption to conceal the information from unauthorized users. PCI DSS also stipulates that PAN should never be transmitted unencrypted via end-user messaging such as email, instant message, SMS, and chat.


Faizan Ahmed Khan

Faizan Ahmed Khan

@Ubuyco

Faizan Ahmed Khan is a Sr. Content Marketing Specialist at UBUY Kuwait.

“Physically restrict PCI…”

Securing PCI against unauthorized users is, in my opinion, the finest method for achieving PCI compliance.

When storing personally identifiable information (PII) on a physical medium like paper, further precautions must be taken to prevent unauthorized access. This entails securing them in a location that is monitored by various means of surveillance technology.

Employees should ideally utilize ID badges to get entry to restricted areas.

All of these should be in place to safeguard servers and other devices storing PCI even if you are not storing PCI on a physical disk.


Hijab Sheikh

Hijab Sheikh

Hijab Sheikh is the Co-Founder of CXI Solutions, providing cyber security solutions.

“In terms of best practices, I emphasize a proactive and holistic approach to PCI compliance…”

From my experience, I have found that the following key elements significantly contribute to meeting and exceeding the stringent requirements:

  • Robust Network Segmentation: Implementing a well-defined network segmentation strategy to isolate cardholder data and minimize the scope of the environment subject to compliance.
  • Regular Vulnerability Scanning and Penetration Testing: Conduct frequent vulnerability scans and penetration tests to identify potential weaknesses and promptly address them.
  • Strong Access Controls: Employ stringent access controls and privileged access management practices to restrict access to cardholder data on a need-to-know basis.
  • Ongoing Employee Training and Awareness: Providing comprehensive training programs to employees, raising awareness about security risks, and fostering a security-conscious culture within the organization.
  • Continuous Monitoring and Log Management: Implementing robust monitoring systems and centralized log management solutions to promptly detect and respond to security incidents or breaches.

These are just a few of the key best practices I have found to be invaluable in achieving and maintaining PCI compliance.


Drew Romero

Drew Romero

@tkxel

Drew is a Senior Software Developer/Engineer at Tkxel, a software development and technology consulting company that offers custom software development, digital transformation, and more.

“Meeting PCI compliance requirements involves implementing several best practices to protect sensitive cardholder data…”

Some key practices include:

  1. Use Secure Networks: Maintain a secure network infrastructure with strong firewalls, intrusion detection systems, and regular network monitoring.
  2. Protect Cardholder Data: Implement strong encryption measures, both in transit and at rest, to safeguard cardholder information. Minimise data storage and ensure secure disposal of data when no longer needed.
  3. Maintain Vulnerability Management: Regularly scan and test for vulnerabilities, apply security patches promptly, and conduct penetration testing to identify and address potential weaknesses.
  4. Access Control: Restrict access to cardholder data on a need-to-know basis. Implement strong user authentication measures, such as unique IDs, strong passwords, and multi-factor authentication.
  5. Regularly Monitor and Test Networks: Implement comprehensive logging and monitoring systems to detect and respond to suspicious activities promptly. Conduct regular security assessments and penetration testing to identify vulnerabilities.
  6. Develop and Maintain Secure Systems: Follow secure coding practices, perform regular code reviews, and ensure that security features are built into applications and systems from the ground up.
  7. Implement Strong Security Policies: Develop and enforce security policies and procedures that cover areas such as data access, password management, network security, physical security, and incident response.

It is important to note that these practices provide a general overview, and organizations should consult with qualified cybersecurity and compliance experts to tailor their approach to specific PCI compliance requirements.


Perry Toone

Perry Toone

@thexyz

Perry, founder and developer at Thexyz, is dedicated to championing privacy rights through code. He strives to create a user-friendly cloud service that prioritizes user privacy and implements top-tier security practices, affirming his belief that we deserve better.

“As a cybersecurity professional, my key recommendations for meeting PCI compliance requirements are primarily focused on understanding your environment and maintaining robust security measures…”

First, know your systems, networks, and processes that handle cardholder data, as these are subject to PCI standards. It's essential to secure this data using methods such as encryption, tokenization, and masking.

Implement robust firewalls and maintain strong access controls, ensuring that only necessary personnel can access sensitive data, preferably with multi-factor authentication.

Regularly test, monitor, and audit your security systems for effectiveness and any unusual activity. Furthermore, it's vital to consistently update and patch all systems to mitigate known vulnerabilities.

Lastly, cultivating a strong security culture through regular staff training and clear policies is crucial. Remember, PCI compliance is a continuous process, not a one-time event.


Branden Korf

Branden Korf

Branden is a Marketing Associate specializing in Search Engine Optimization (SEO) and Graphic Design at EBizCharge.

“The best practices for meeting PCI compliance requirements are…”

1. Understand the PCI Data Security Standard (PCI DSS).

Familiarize yourself with the requirements outlined in the PCI DSS, which provides a comprehensive framework for protecting cardholder data. Ensure that you or your organization meets the necessary criteria and maintains compliance.

2. Protect cardholder data.

Implement strong security measures to protect cardholder data throughout its lifecycle. This includes using two important features, encryption and tokenization. Tokenization and encryption are both techniques used for data security, but they differ in how they protect sensitive information:

  • Tokenization: Tokenization replaces sensitive data with a unique identifier called a token. The original data is securely stored in a separate system called a token vault, while the token is used for transactional purposes. Tokens have no inherent meaning and are useless to anyone without access to the token vault. Tokenization helps minimize the exposure of sensitive data, reduces the risk of data breaches, and simplifies compliance efforts.
  • Encryption: Encryption transforms sensitive data into an unreadable format using an encryption algorithm and a key. The encrypted data, known as ciphertext, can only be decrypted back into its original form with the appropriate decryption key. Encryption protects data both during transmission and storage. It provides confidentiality and ensures that only authorized parties with the correct decryption key can access the information.

While both techniques enhance data security, there are notable differences:

  • Tokenization typically reduces the scope of sensitive data by storing it in a separate system, whereas encryption secures the actual data itself.
  • Tokenization allows for the use of tokens in transactions while keeping the original data secure. Encryption requires the decryption process to access and use the original data.
  • Tokenization relies on secure management of the token vault, while encryption requires secure management of encryption keys.
  • Tokenization can simplify compliance efforts, as it reduces the scope of sensitive data storage. Encryption alone may require additional measures to meet specific regulatory requirements.
  • Tokenization is often used for protecting payment card data during transactions, while encryption is employed for securing data at rest or in transit. Organizations may use a combination of both techniques depending on their specific needs.

3. Use secure network infrastructure.

Implement and maintain a secure network infrastructure to prevent unauthorized access to cardholder data. This includes using firewalls, secure wireless networks, and strong access control mechanisms to protect your systems from threats.

4. Regularly update and patch systems.

Keep all your hardware, software, and applications up to date with the latest security patches. This helps address vulnerabilities and reduce the risk of exploitation by malicious actors.

5. Implement strong access controls.

Restrict access to cardholder data and systems that process or store this data. Only provide access to authorized individuals who have a legitimate need to access such information. Use strong passwords, multi-factor authentication, and least privilege principles to ensure secure access.

6. Monitor and regularly test your systems.

Implement a robust system for monitoring and logging activities related to cardholder data. Regularly review these logs and conduct vulnerability scans and penetration tests to identify and address any weaknesses in your security controls.

7. Maintain a comprehensive security policy.

Develop and maintain a documented security policy that outlines your organization's approach to protecting cardholder data. Ensure that all employees are aware of the policy, receive proper training, and adhere to its guidelines.

8. Engage with PCI-compliant vendors.

When working with third-party vendors or service providers who handle cardholder data on your behalf, ensure that they are PCI compliant (like EBizCharge). Verify their compliance status and establish contracts that clearly define their responsibilities in maintaining the security of cardholder data.

9. Implement an incident response plan.

Develop and maintain an incident response plan that outlines the steps to be taken in the event of a security breach or data compromise. Regularly test and update the plan to ensure its effectiveness.

10. Engage with a Qualified Security Assessor (QSA).

When a business has a high volume of card transactions or complex systems, consider engaging with a QSA, a qualified -third-party organization that can assess your compliance with the PCI DSS and provide guidance on meeting the requirements.


Te Wu

Te Wu

Prof. Dr. Te Wu is the CEO of PMO Advisory. PMO Advisory is a professional project management consulting and training company. We provide a wide range of project management services including developing methods and tools, helping project teams get started on complex projects, conducting audits, and creating custom training programs.

“In my experience, finding and naming your PCI vulnerabilities is the most effective method for achieving PCI compliance…”

One of the most essential requirements of PCI-DSS is transparency with regard to the storage and location of payment card data. It goes without saying that you can't protect your information if you have no idea where it is stored.

If you want your data repositories to be automatically scanned for PCI and categorized, you need a data classification system. In a similar vein, implement a system that labels information as it is being created or updated.


Jon Morgan

Jon Morgan

@venture_smarter

Jon Morgan is the CEO and Editor-in-Chief of Venture Smarter, a leading consulting firm that specializes in helping startups and small businesses scale and grow. With over 9 years of experience in the industry, John has a wealth of knowledge and expertise in areas such as strategic planning, market research, and financial analysis.

“The best practices for meeting PCI compliance requirements are…”

  • Understand the PCI DSS requirements: Familiarize yourself with the current version of the PCI DSS standards and requirements. This will help you gain a comprehensive understanding of what is expected to achieve compliance.
  • Scope your environment: Identify and define the scope of your cardholder data environment (CDE), including systems, networks, and processes that store, process, or transmit cardholder data. By clearly defining the scope, you can focus your compliance efforts effectively.
  • Maintain a secure network: Implement robust network security measures, including firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). Regularly monitor and test your network to identify vulnerabilities and promptly address any issues.
  • Protect cardholder data: Implement strong encryption for cardholder data in transit and at rest. Ensure that sensitive cardholder data is never stored in unencrypted form. Implement access controls and restrict access to cardholder data on a need-to-know basis.
  • Implement strong access controls: Restrict access to cardholder data by implementing strong authentication mechanisms such as unique usernames and passwords. Enforce the principle of least privilege, providing access only to individuals who require it to perform their duties.
  • Regularly monitor and test your systems: Implement logging and monitoring systems to detect and respond to security events. Conduct regular vulnerability scans and penetration tests to identify weaknesses in your systems and promptly address them.
  • Maintain an information security policy: Develop and maintain a comprehensive information security policy that addresses PCI DSS requirements. Regularly review and update the policy to reflect changes in your environment and evolving security threats.
  • Train and educate employees: Provide regular training and awareness programs to employees regarding their responsibilities for protecting cardholder data. Employees should be familiar with security policies, procedures, and best practices.
  • Engage with Qualified Security Assessors: If required, engage with a Qualified Security Assessor (QSA) to perform an independent assessment of your compliance. QSAs are authorized by the PCI Security Standards Council to validate compliance with the PCI DSS.
  • Maintain compliance through regular assessments: Achieving PCI DSS compliance is not a one-time event. Regularly assess your systems, processes, and controls to ensure ongoing compliance. Stay up to date with changes to the PCI DSS standards and promptly implement necessary adjustments.

Following these best practices will help you achieve and maintain PCI compliance, but it’s also important to keep an eye on the regulatory landscape as new data privacy regulations are emerging around the world. 

If your business takes PCI compliance seriously, a data loss prevention (DLP) solution like the Reveal platform by Next can help you streamline your compliance by enforcing your company’s PCI-compliant data handling policy and protecting cardholder data at rest, in motion, and in use.  

Reveal offers next-gen endpoint agents — the first to deliver machine learning on the endpoint — that enforce your data handling policy without connecting to a separate analysis engine and reinforces employee security awareness training by providing user training at the point of risk. 

Contact Next today or book a demo to learn how Reveal can help you maintain PCI compliance and build a security-conscious culture. 

Frequently asked questions

Who do PCI requirements apply to?

Any business that handles payment card data in any way, such as accepting payment cards, processing transactions, storing cardholder data, or transmitting cardholder data must comply with the PCI requirements.

Some businesses are required to undergo more rigorous assessments and provide more proof of compliance than others, depending on the company’s merchant level. The merchant level is determined by the payment card company (Visa, MasterCard, etc.) and is based on the number and type of payment card transactions the merchant processes each year.

What makes a company PCI compliant?

A company is PCI compliant when it has the appropriate security measures and privacy safeguards in place to protect cardholder data. 

Compliance requires:

  • Adherence to all 12 of the PCI DSS requirements.
  • Undergoing a formal audit conducted by a Qualified Security Assessor (QSA) and obtaining a signed PCI DSS Report on Compliance or completing a Self-Assessment
  • Questionnaire annually, depending on the business’s merchant level.
What happens if a company is not PCI compliant?

Noncompliance with PCI DSS can have several ramifications. In addition to monthly penalties ranging from $5,000 to $100,000 per month, companies that are not compliant with PCI DSS are at greater risk of a data breach. Suffering a breach can result in legal action, reputation damage, and a loss of revenue. 

What is a major challenge in meeting PCI DSS requirements?

Businesses face a few challenges in meeting PCI DSS requirements, including:

  • Implementing all controls and systems: One of the biggest and most common challenges for businesses subject to PCI DSS requirements is ensuring that all the controls and systems are installed and functioning properly to provide adequate protection of cardholder data.
  • Keeping up with the evolving threat landscape: Additionally, the evolving threat landscape means that new threats are always emerging. Companies must take a proactive approach to protect cardholder data.
  • Maintaining up to date security policies: Security policies that align with the PCI DSS requirements are some of the most important elements of PCI compliance, yet many companies find it challenging to keep their information security policies up to date. It’s not enough to merely update the policies; your employees must be informed of changes and regularly provided employee cybersecurity awareness training so they can play their part in protecting cardholder data. 
  • Understanding the scope: It’s important to understand your merchant level with all the major card companies to ensure that you provide the appropriate compliance documentation.
Demo

See how Next protects your employees and prevents data loss