PCI-DSS (Payment Card Industry Data Security Standard) is a compliance standard established to reduce credit card fraud by increasing controls around credit card holder data that help protect the safety of that data. They set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.
PCI-DSS, one of the most commonly known credit card standards, was established by the PCI SSC (PCI Security Standard Council). PCI SSC was itself created in 2006 by VISA, MasterCard, American Express, JCB International and Discover with the goal of developing common standards across payment processing companies.
PCI-DSS (and the other PCI standards) emphasizes the physical and digital security controls that are to be implemented during payment transactions. These include storing, processing and transmitting cardholder data. PCI DSS applies to organizations, vendors and merchants who deal with cardholder data.
To be PCI-DSS compliant, there are 12 controls that need to be fulfilled.
These requirements cover organizational policies and procedures, secure device management, access control and authentication mechanisms, physical security procedures, cardholder data management, payment application management, monitoring and testing, and a strong vulnerability management process.
The 12 requirements are:
Installing and maintaining a firewall configuration to protect cardholder data
Replacing vendor-supplied defaults for system passwords and other security parameters
Protecting stored cardholder data
Encrypting the transmission of cardholder data across open, public networks
Using and regularly updating antivirus software or programs
Developing and maintaining secure systems and applications
Restricting access to cardholder data according to a need-to-know basis
Authenticating access to system components
Restricting physical access to cardholder data
Tracking and monitoring all access to network resources and cardholder data
Regularly testing security systems and processes
Maintaining an information security policy for employees, contractors and all personnel
In addition, PCI-DSS also clarifies which cardholder data can be stored. This includes the Permanent Account Number (PAN), Cardholder Name, Service Code and Expiration Date.
PCI-DSS strictly forbids the storage of sensitive authentication data like the CVV, CVC, CV2 data or the PIN. For example, when returning to an e-commerce website you’ve made a purchase on before, the site may have stored the card details and display the last 4 digits of your card, but the CVV/CV2 code will need to be entered manually each time to complete the transaction.
Organizations that store, process or maintain payment card data must comply with the PCI-DSS standard. They can achieve compliance by performing the audit and submitting a Report of Compliance (ROC) or by going through a full fledged onsite audit performed by an authorized external party.
Complying with PCI is a continuous process. It requires constant efforts to maintain the security posture of systems through established policies and procedures and making sure they are followed at every stage.
There are several different stages involved in complying with the PCI standard. They include:
Building a secure network around the systems that hold or process cardholder data, with an emphasis on avoiding the use of any system’s default credentials provided by the vendor.
Enforcing controls to protect cardholder data at all stages of the data lifecycle through the basic security principle of following the CIA triad – Confidentiality, Integrity and Availability. Cardholder data must be encrypted during the communication phase, while in transit or when at rest. Encryption keys/decryption keys are to be stored and secured in certified hardware models designed specifically to handle this process, by using intensive mathematical computations that leverage the HSM-hardware security modules.
Implementing strong access control measures with industry-standard IAM tools, to enforce the principle of least privilege.
Continuous monitoring of resources and actions taking place across networks, while identifying anomalies and mitigating threats.
Segregating production networks from test networks as a means to avoid data mishandling.
Developing and implementing a strong security policy to incorporates all the measures already mentioned.
Keeping systems up-to-date with relevant security patches and having a robust vulnerability management program to efficiently identify and resolve perpetually evolving security threats.
Zero trust is a revolutionary security approach fit for modern, distributed networks. At the core of the zero trust model is the principle that no identity or device should be inherently trusted, regardless of its location or connection to the corporate network.
The zero trust model directly challenges the traditional approach in which network controls or layers were given a trust level. For example, the traditional method of firewalls by Cisco or Palo Alto Networks required to assign a trust level to the interface. More specifically, the internal network side was provided a 100% percent trust level, whereas the ISP or the internet interface was assigned a 0% trust level and the DMZ level, where both public access and internal user access was required, was usually set at a 75% level.
In the zero trust framework, by contrast, every connection and request for access is verified through strong authentication and continuous authorization. The network credentials that once guaranteed access are no longer sufficient.
Here’s how implementing zero trust can help achieve PCI-DSS compliance:
Application segmentation – PCI-DSS requires network segmentation to protect cardholder data. Zero trust authorizes access to each application and system in order to protect data and critical applications. This is a more advanced level of segmentation.
Password replacement – The Cyolo zero trust access solutionreplaces centralized password databases with a personal vault, keeping attackers from having a single resource to exploit if they want to compromise passwords. Cyolo also offers a passwordless user experience, rendering password attacks obsolete. In any case, it is strongly recommended to use MFA.
Protecting cardholder data – The zero trust model protects data by securing access to critical applications and through encryption.
Maintaining device posture – When authorizing a device, Cyolo checks its antivirus, encryption status, if it’s up-to-date, etc.
The principle of least privilege – Zero trust is based on this principle and grants access only to identities that have proven they need access at this time.
Monitoring and testing – Cyolo provides auditing and monitoring capabilities, enabling real-time tracking of users and systems as well as audit logs to investigate incidents or track access.
Adopting zero trust security can help organization achieve PCI-DSS compliance and implement strong network controls. For a commitment-free demo of the Cyolo zero trust access solution, sign up here.
Author
Dedi Yarkoni is CTO and co-founder of Cyolo. Prior to Cyolo, Dedi worked as the Cyber Lab Research Team Leader at GE Digital and the Applicational Security Technical Program Manager at AWS. He is also a certified ethical hacker and a veteran of the Israeli Navy.