PCI DSS Level 1: The Highest Standard for Protecting Cardholder Data

Published on August 17, 2025 by Alex Chen

A detailed explanation of the Payment Card Industry Data Security Standard (PCI DSS), focusing on the stringent requirements of Level 1 compliance.

What is this?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to any organization that stores, processes, or transmits cardholder data, or whose systems could affect the security of that data. It is not itself a law; it is enforced contractually through the card brands and their acquiring banks. The standard was created in 2006 by the major payment card brands (Visa, Mastercard, American Express, Discover, and JCB), which founded the PCI Security Standards Council (PCI SSC) to maintain it, with the goal of reducing payment card fraud. This guide focuses on Level 1, the most stringent validation level.

The 12 Core Requirements of PCI DSS

PCI DSS is highly prescriptive: its 12 principal requirements break down into hundreds of detailed sub-requirements, each with its own testing procedures. The requirement titles below are those of the current version (v4.0), grouped under six goals:

  1. Build and Maintain a Secure Network and Systems
    • Req 1: Install and maintain network security controls.
    • Req 2: Apply secure configurations to all system components.
  2. Protect Cardholder Data
    • Req 3: Protect stored account data.
    • Req 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
  3. Maintain a Vulnerability Management Program
    • Req 5: Protect all systems and networks from malicious software.
    • Req 6: Develop and maintain secure systems and software.
  4. Implement Strong Access Control Measures
    • Req 7: Restrict access to system components and cardholder data by business need to know.
    • Req 8: Identify users and authenticate access to system components.
    • Req 9: Restrict physical access to cardholder data.
  5. Regularly Monitor and Test Networks
    • Req 10: Log and monitor all access to system components and cardholder data.
    • Req 11: Test security of systems and networks regularly.
  6. Maintain an Information Security Policy
    • Req 12: Support information security with organizational policies and programs.

Understanding Compliance Levels

The card brands define four merchant levels based on annual transaction volume (service providers have a separate two-level scheme). Thresholds are set per brand and counted per brand; Visa's and Mastercard's are the ones usually cited.

  • Level 1: Merchants processing over 6 million transactions per year with a single brand, or any merchant the brand designates as Level 1, typically after a data breach.
  • Levels 2, 3, and 4: Merchants with progressively lower transaction volumes.

The key difference at Level 1 is how compliance is validated. A Level 1 merchant must have an annual on-site assessment by an independent Qualified Security Assessor (QSA) (some brands also accept a PCI-qualified Internal Security Assessor), which produces a Report on Compliance (ROC) and an Attestation of Compliance (AOC), together with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Lower levels can usually validate with a Self-Assessment Questionnaire (SAQ) plus, where applicable, the same quarterly ASV scans. The independent assessment makes Level 1 a significantly higher bar and gives acquirers and card brands more assurance, but a ROC is a point-in-time finding: the controls have to stay in place between assessments.

Scope is driven by where the data goes, not by what a project is called. Any system that stores, processes, or transmits cardholder data, and any system connected to or able to affect the security of those systems, is part of the cardholder data environment (CDE) and therefore in scope for assessment. A data science pipeline or storage system that ingests unencrypted Primary Account Numbers (PANs), even incidentally through a log line or an export, pulls itself and its supporting infrastructure into scope. The usual ways to keep scope small are network segmentation, tokenization, and truncating or masking PANs before data leaves the CDE; the first step in all of them is being able to find PANs where they should not be.