PCI Compliance
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandates for organizations that handle payment card information. The standard is administered by the Payment Card Industry Security Standards Council (PCI SSC). Its objective is to reduce fraud in the payment processing industry and combat the malicious use of cardholder data, such as the payment account number, cardholder name, expiration date, and service code. By staying PCI compliant, businesses can prevent, detect, and remediate threats to cardholder data.
Who needs to be PCI DSS-compliant?
All entities that access, process, store, or transfer cardholder data are required to be PCI DSS-compliant. The actors involved in payment card transactions include cardholders, merchants, issuing banks, and card networks.
How does PCI DSS compliance work?
PCI DSS compliance is an ongoing process: organizations that fall under its purview must continuously audit themselves using the framework below.
- Assess: Organizations that store, process, and dispose of card data should locate that data and check for vulnerabilities that could be exploited.
- Repair: Rectify any security vulnerabilities present in the software and hardware systems that hold payment card information.
- Report: Record the methodologies used to detect and amend the vulnerabilities, and share the document with the stakeholders you are collaborating with.
PCI DSS compliance levels
Compliance levels are divided into four tiers based on the number of transactions an entity processes annually.
- Level 1: Applies to entities that process over 6 million transactions per year.
- Level 2: Applies to entities that process 1–6 million transactions per year.
- Level 3: Applies to entities that process 20,000–1 million transactions per year.
- Level 4: Applies to entities that process less than 20,000 transactions per year.
PCI compliance requirements
The PCI SSC mandates the following objectives to protect payment card data in its entirety.
Requirement no. | Objective | Description |
---|---|---|
01 | Build and maintain a secure network and systems | Installation and maintenance of firewalls. |
02 | Build and maintain a secure network and systems | Change of vendor-supplied system credentials. |
03 | Protect cardholder data | Implement a thorough action plan addressing what to store, its retention period, and the methodologies that will be used for its disposal. |
04 | Protect cardholder data | Encryption of transmitted cardholder data across public networks. |
05 | Maintain a vulnerability management program | Regular antivirus software updates. |
06 | Maintain a vulnerability management program | Maintenance of applications and systems within the organizational network. |
07 | Implement strong access control measures | Enforcement of appropriate roles to access cardholder data. |
08 | Implement strong access control measures | Issuance of unique user authentication identifiers. |
09 | Implement strong access control measures | Monitor privileged users and enforce role-based access control to cardholder data. |
10 | Regularly monitor and test networks | Issuance of unique user authentication identifiers. |
11 | Regularly monitor and test networks | Restriction of physical access to data centers storing cardholder data. |
12 | Maintain an information security policy | Tracking and monitoring of network resources with file integrity monitoring and change detection software. |
How can DataSecurity Plus help you achieve PCI DSS compliance?
ManageEngine DataSecurity Plus is a data visibility and security solution with extensive compliance auditing capabilities. It helps you achieve PCI DSS compliance by:
- Locating and classifying sensitive cardholder data stored in the PCI environment through data risk assessment.
- Ensuring that card data is not retained beyond its intended retention period using ROT (redundant, obsolete, and trivial) data analysis.
- Spotting unusual deletion, renaming, and file copy actions in files and folders using real-time file integrity monitoring.
- Detecting and isolating infected servers to stop the spread of malware using rapid ransomware detection and response capabilities.
- Preventing the leakage of critical data from the cardholder data environment using data leak prevention.
- Verifying that the principle of least privilege is maintained using permission analysis.
Explore the other capabilities that come with DataSecurity Plus, a PCI compliance software solution, with a free, fully functional, 30-day trial.