IAM security best practices for PCI DSS compliance

Thamizh Poonkuil Mozhi

June 23 · 10 min read

What is PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI Security Standards Council (PCI SSC), comprises 12 security controls that must be implemented to combat theft of cardholder data. It applies to all organizations that accept, capture, store, transmit, or process payment card data. Organizations must secure this sensitive customer data both to stay compliant and to protect against data breaches.

By 2023, 65% of the world's population will have their personal data covered under modern privacy regulations, according to Gartner.

Privacy regulations like PCI DSS aim to protect users' rights over the data collected about them, and most organizations also have their own mandates to protect the personally identifiable information (PII) of their customers.

What is PII?

PII refers to any information that identifies an individual, such as name, Social Security number, date of birth, phone number, address, passport number, primary account number, and biometric records. The scope of PII is wide; PCI DSS covers only PII related to payment cards, which falls into two categories: cardholder data and sensitive authentication data.

Cardholder data includes primary account numbers, cardholder names, card expiration dates, and service codes.

Sensitive authentication data includes the full track data on the magnetic stripe, the PIN, and the CVV/CVC.

It is important to protect such information from the moment it enters the cardholder data environment.

How IAM helps with PCI DSS compliance

Having a robust IAM process in your organization is essential, as international standards and regulations such as ISO, the GDPR, and PCI DSS treat IAM as an important aspect of compliance. IAM secures sensitive data by letting IT admins manage user access to critical information with methods such as role-based access control, giving them control over who can (and cannot) access data within the organization.

IAM addresses PCI DSS requirements by ensuring that access to the cardholder data environment is restricted to users who are authorized to access it and who pass the strong authentication mechanisms in place.

Best practices for PCI DSS compliance

The best way to protect cardholder data is to minimize the handling of PII. Listed below are some best practices for handling PII related to payment cards, together with the PCI DSS requirements that map to each practice and the IAM capability that supports it.

Each entry below gives the PCI DSS requirement, the best practice it maps to, and the IAM capability that supports it.

Requirement 9.9 - Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
Best practice - Collection: Collect only the required information. If you don't need it, don't collect it. Secure PII at collection points such as websites and point-of-sale (POS) machines.
IAM capability - Life cycle management: The entire life cycle of customer information is properly managed, from collection and processing to distribution and removal.

Requirement 1.2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
Best practice - Password policy: Enforce password complexity that requires a combination of letters, symbols, and numbers across the entire user group.
IAM capability - Enforce a strong password policy: A strong, complex password that is both easy to remember and difficult to crack is a firm barrier against data theft.

Requirement 3.2 - Do not store sensitive authentication data after authorization (even if it is encrypted).
Requirement 3.3 - Mask the primary account number (PAN) when displayed so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN.
Best practice - Storage: How you handle cardholder data once it is inside the system matters. Always mask sensitive information.
IAM capability - Encrypted directory: All personal data is securely stored in a fully encrypted directory. Dynamic authorization: Access to data and actions is granted or denied only after the requester's attributes have been assessed.

Requirement 4.1 - Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Best practice - Transmission: Safeguarding sensitive information as it is sent over public networks is crucial. Encrypt the transmission of cardholder data across open, public networks.
IAM capability - Centralized directory: A centralized directory encrypts data in every state (at rest, in motion, and in use) to help avoid data breaches. API security: APIs are a prime target for bad actors because data flows through them; an effective IAM solution ensures access to APIs is not abused.

Requirement 9.8 - Destroy media when it is no longer needed for business or legal reasons.
Best practice - Destroy: Only store data that has a business purpose. Don't store any other sensitive data.
IAM capability - Time-bound access management: Determines how long access is granted and how long the information needs to be stored. Automated stale account cleanup: Enables the timely deletion of unused accounts, which can otherwise serve as a backdoor through which attackers steal data.
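The following is an added example, not code from the original article or from any IAM product, showing how the storage, display, transmission-logging and time-bound access practices in the list above look in code: sensitive authentication data is dropped before a record is persisted, the PAN is masked to first six/last four unless the viewer's attributes show a legitimate business need (the dynamic authorization row), PAN-shaped values are redacted before they reach logs, and expired grants and stale accounts are flagged for cleanup. The field names, viewer attributes, 90-day inactivity threshold and all sample records are assumptions constructed for illustration; writing the surviving record to an encrypted directory is assumed to happen elsewhere.

```python
"""Added example (not from the original article): cardholder-data handling
helpers for the practices in the PCI DSS mapping above. All field names,
viewer attributes and sample data are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Sensitive authentication data (SAD): the mapping says this must not be
# stored after authorization, even encrypted. Field names are assumed.
SENSITIVE_AUTH_FIELDS = frozenset({"track_data", "pin", "cvv", "cvc"})

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold for cleanup


def mask_pan(pan: str, visible_leading: int = 6, visible_trailing: int = 4) -> str:
    """Mask a PAN so that only the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    hidden = len(digits) - visible_leading - visible_trailing
    return digits[:visible_leading] + "*" * hidden + digits[-visible_trailing:]


def prepare_for_storage(record: dict) -> dict:
    """Drop SAD before a post-authorization record is written to the (assumed
    encrypted) directory; every other field is passed through unchanged."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}


def render_for_display(record: dict, viewer: dict) -> dict:
    """Attribute-based (dynamic) authorization for display: the full PAN is
    shown only when the viewer's attributes document a legitimate business
    need. 'role' and 'need_full_pan' are hypothetical attribute names."""
    shown = dict(record)
    full_pan_allowed = (viewer.get("role") == "fraud_analyst"
                        and viewer.get("need_full_pan") is True)
    if "pan" in shown and not full_pan_allowed:
        shown["pan"] = mask_pan(shown["pan"])
    return shown


# Heuristic: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text: str) -> str:
    """Mask anything PAN-shaped before free text reaches logs or tickets."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), text)


def expired_grants(grants: list, now: datetime) -> list:
    """Time-bound access: every grant carries 'expires_at'; return the ones
    whose expiry has passed so they can be revoked."""
    return [g for g in grants if g["expires_at"] <= now]


def stale_accounts(accounts: list, now: datetime) -> list:
    """Accounts with no login within STALE_AFTER (or that never logged in)
    are candidates for automated disablement."""
    stale = []
    for account in accounts:
        last = account.get("last_login")
        if last is None or now - last > STALE_AFTER:
            stale.append(account["user"])
    return stale


def demo() -> dict:
    """Run the helpers over constructed sample data (not real card data)."""
    now = datetime(2024, 6, 23, tzinfo=timezone.utc)  # constructed clock
    authorized_txn = {"pan": "4111 1111 1111 1111", "expiry": "12/26",
                      "cvv": "123", "track_data": "<track data>", "amount": "19.99"}
    stored = prepare_for_storage(authorized_txn)
    support_view = render_for_display(stored, {"role": "support"})
    analyst_view = render_for_display(
        stored, {"role": "fraud_analyst", "need_full_pan": True})
    log_line = redact_pans("refund for card=4111 1111 1111 1111 amount=19.99")
    grants = [{"user": "alice", "expires_at": now - timedelta(hours=1)},
              {"user": "bob", "expires_at": now + timedelta(days=7)}]
    accounts = [{"user": "alice", "last_login": now - timedelta(days=120)},
                {"user": "bob", "last_login": now - timedelta(days=3)},
                {"user": "svc_legacy", "last_login": None}]
    return {
        "stored_keys": sorted(stored),
        "support_pan": support_view["pan"],
        "analyst_pan": analyst_view["pan"],
        "log_line": log_line,
        "expired": [g["user"] for g in expired_grants(grants, now)],
        "stale": stale_accounts(accounts, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The display rule deliberately defaults to masking: a viewer with no attributes, or with an unknown role, never sees more than first six/last four. The log redaction is a heuristic on digit runs and complements, rather than replaces, not logging card data in the first place.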

PCI DSS provides a comprehensive framework for protecting PII and mitigating security vulnerabilities in areas such as POS systems, online portals, databases, and call recording software. Maintaining PCI DSS compliance by following IAM best practices is crucial to protecting PII.