How to Become PCI Compliant in Six Steps

So the results from your latest audit are in, and it turns out your organization no longer meets the full requirements of the Payment Card Industry Data Security Standard (PCI DSS). Or, worse, you've just learned that a network you considered out of scope is now subject to more than 300 security controls, and you have no idea where to begin. Either revelation is enough to ruin a day, so let's focus on finding a way forward.

To help, we've put together a step-by-step guide based on the PCI Security Standards Council's "Prioritized Approach to Pursue PCI DSS Compliance," a document that groups the PCI DSS requirements into six milestones, ordered by the risk each one addresses. It is designed to support a cohesive, incremental strategy: a logical progression of milestones for reducing risk to cardholder data and to the cardholder data environment (CDE). The milestones are as follows:

  1. Remove sensitive authentication data and limit data retention

  2. Protect network systems and be prepared to respond to a system breach

  3. Secure payment card applications

  4. Monitor and control access to your systems

  5. Protect stored cardholder data

  6. Finalize compliance efforts and ensure all controls are in place

Source: PCISecurityStandards.org

 

Remove sensitive authentication data and limit data retention

This initial step is designed to limit the impact of a breach. Sensitive authentication data (SAD, meaning full track data, the card verification code such as CVV2/CVC2/CID, and PINs or PIN blocks) must never be stored after authorization, and other cardholder data should be retained only as long as a documented business, legal or regulatory need requires. Attackers cannot steal what you never kept. A good rule of thumb: never store anything you don't absolutely need, and purge what you do store on a defined schedule. The less data you're responsible for protecting, the better.

Applicable controls: 1.1.2, 1.1.3, 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 9.8.1, 9.8.2, 12.2


Protect network systems and be prepared to respond to a system breach

The second step restricts access to, and hardens, the entry points most commonly exploited in breaches: network boundaries and firewall rules, vendor-supplied default credentials, unencrypted transmission of cardholder data, systems lacking anti-malware, and weak authentication. It also covers finding weaknesses before an attacker does (vulnerability scanning and penetration testing) and, because no set of controls is perfect, having a documented and rehearsed incident response plan for when a breach does occur.

Applicable controls: 1.1.4, 1.1.6, 1.2.1, 1.2.2, 1.2.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4, 1.5, 2.1, 2.1.1, 2.2.3, 2.3, 2.4, 2.5, 4.1, 4.1.1, 4.2, 4.3, 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 5.4, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.3.1, 8.3.2, 8.5.1, 9.1, 9.1.1, 9.1.2, 9.1.3, 9.3, 9.9.1, 9.9.2, 9.9.3, 11.1.2, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.4.1, 11.4, 12.5.3, 12.8, 12.8.1, 12.8.2, 12.8.3, 12.8.4, 12.8.5, 12.9, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, A2.1, A2.2, A2.3

 

Secure payment card applications

Step 3 covers the payment applications themselves and the systems they run on: secure configuration standards, timely patching of known vulnerabilities, secure development and change-control practices, protection against common application flaws such as injection and broken authentication, and either code review or a web application firewall for public-facing applications. As in Step 2, the idea is to strengthen the areas attackers target most so they are harder to compromise in the first place.

Applicable controls: 2.2, 2.2.1, 2.2.2, 2.2.4, 2.2.5, 2.6, 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6, 6.7, A1.1, A1.2, A1.3, A1.4

 

Monitor and control access to your systems

This step is about controlling who can reach cardholder data (unique IDs, least-privilege access granted by job function) and recording what they do once connected (audit logs for every access to cardholder data and every administrative action, daily log review, file-integrity monitoring, and detection of rogue wireless access points). The concept is simple: you can't respond to threats you aren't aware of, and you can't investigate a breach without reliable logs.

Applicable controls: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3, 7.3, 8.4, 8.5, 8.6, 8.7, 8.8, 10.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.4.1, 10.4.2, 10.4.3, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.6.1, 10.6.2, 10.6.3, 10.7, 10.8, 10.8.1, 10.9, 11.1, 11.1.1, 11.5, 11.5.1

 

Protect stored cardholder data

If your organization must store primary account numbers (PANs), Step 5 details the requirements for protecting that data at rest: masking the PAN when displayed (at most the first six and last four digits), rendering it unreadable wherever it is stored (truncation, one-way hashing, tokenization, or strong cryptography with documented key management), and physically securing the media that holds it. This step is much simpler if PANs live in only one segment of your network, isolated from everything else, because every control then applies to one small, well-defined area rather than the whole enterprise.

Applicable controls: 3.3, 3.4, 3.4.1, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7, 9.2, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.5, 9.5.1, 9.6.1, 9.6.2, 9.6.3, 9.7.1, 9.10
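The retention discipline behind Step 1 and the storage protections of Step 5, as an added example in Python; this is illustrative code written for this article, not TokenEx's platform or anything published by the PCI SSC. After a (simulated) authorization it drops sensitive authentication data so that it is never persisted, replaces the PAN with a random token held in a separate vault, keeps only a masked PAN for display, and scans the record that is about to be stored for any stray PAN-like values. The field names, the in-memory vault and the sample request are assumptions made for the example; in a real deployment the vault would be an isolated network segment or a third-party service.

```python
"""Added example (not TokenEx's or the PCI SSC's code): post-authorization data
minimization. Drops SAD (PCI DSS v3.2.1 req. 3.2), tokenizes the PAN into a
separate vault (req. 3.4), keeps a masked PAN for display (req. 3.3), and scans
what is about to be persisted for leaked PANs. Field names are assumptions."""
import re
import secrets

# Sensitive authentication data as PCI DSS defines it: full track data, the
# card verification code and the PIN/PIN block. Assumed field names.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})
# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used by card numbers; also filters scan false positives."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Stand-in for an isolated token vault. Tokens are random, so a stolen
    token table reveals nothing; the PAN is recoverable only via the vault."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_urlsafe(18)
        while token in self._by_token:  # collision is vanishingly rare
            token = "tok_" + secrets.token_urlsafe(18)
        self._by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def post_authorization_record(auth_request: dict, auth_response: dict,
                              vault: TokenVault) -> dict:
    """The only record the application side may persist after authorization:
    no SAD, no clear PAN, just a token, a masked PAN and the auth result."""
    digits = re.sub(r"\D", "", auth_request["pan"])
    record = {k: v for k, v in auth_request.items()
              if k not in SAD_FIELDS and k != "pan"}
    record["pan_token"] = vault.tokenize(digits)
    record["pan_masked"] = mask_pan(digits)
    record["approved"] = auth_response["approved"]
    record["auth_code"] = auth_response["auth_code"]
    return record


def contains_sad(record: dict) -> bool:
    """True if any SAD field survived into the record."""
    return any(k in record for k in SAD_FIELDS)


def find_pan_like(value) -> list[str]:
    """Data-discovery check: Luhn-valid 13-19 digit runs in any string value,
    recursing through dicts and lists. Run it on what you persist or log."""
    found: list[str] = []
    if isinstance(value, dict):
        for v in value.values():
            found.extend(find_pan_like(v))
    elif isinstance(value, (list, tuple)):
        for v in value:
            found.extend(find_pan_like(v))
    elif isinstance(value, str):
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample: what might arrive from a checkout form or terminal.
    request = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv2": "123",
               "track2": "4111111111111111=27121011000012345678",
               "amount_cents": 1999}
    response = {"approved": True, "auth_code": "A1B2C3"}
    vault = TokenVault()
    print("before:", contains_sad(request), find_pan_like(request))
    record = post_authorization_record(request, response, vault)
    print("after: ", contains_sad(record), find_pan_like(record))
    print(record["pan_masked"], record["pan_token"])
```

The scan in `find_pan_like` is the check a practitioner most often wishes they had run earlier: PANs rarely leak through the payment table, they leak through free-text notes, debug logs and exports. Pointing it at every record, log line and file before it leaves the CDE is a cheap way to keep Step 1 true between assessments.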

 

Finalize compliance efforts and ensure all controls are in place

The final step mostly entails housekeeping and paperwork: documenting that your organization meets its PCI DSS obligations and the policies that keep it doing so. Examples include maintaining an information security policy, keeping network and data-flow diagrams current, running a formal risk assessment, managing service providers, and issuing regular security awareness training to employees.

Applicable controls: 1.1.1, 1.1.5, 1.1.7, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.4.6, 12.1, 12.1.1, 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.3.8, 12.3.9, 12.3.10, 12.4, 12.4.1, 12.5, 12.5.1, 12.5.2, 12.5.4, 12.5.5, 12.6, 12.6.1, 12.7, 12.11, 12.11.1

 

How TokenEx Helps

Our Cloud Security Platform was designed by two former Qualified Security Assessors (QSAs) specifically to reduce the cost and complexity of PCI compliance. The solution they built, a cloud-based tokenization model, applies data-minimization and Zero Trust principles to take as much of your environment out of PCI scope as possible and to leave little of value for an attacker to steal.

By using TokenEx's Cloud Security Platform to remove sensitive cardholder data from your internal systems and store it outside your environment, you can potentially reduce your compliance responsibilities to four areas: managing system passwords and other security parameters (requirement 2), user IDs and access for employees (requirement 8), physical access to cardholder data (requirement 9), and an information security policy (requirement 12).


Addressable controls*: all PCI DSS requirements except 2, 8, 9 and 12

* Based on an environment that qualifies for SAQ A. Which SAQ applies depends on how cardholder data enters your environment, so confirm eligibility with your acquirer or QSA.

Another important consideration is meeting the PCI requirements as they were intended, so that you strengthen your security posture in the process. Although compliance is one of the main reasons organizations reach out to TokenEx, compliance does not equal security. An environment that meets every requirement of the PCI DSS on assessment day can still be breached.

To best protect your environment and the sensitive data within it, we recommend evaluating the strength of your internal security practices and maintaining compliance between assessments. Remember: you're expected to meet your obligations at all times, not just once a year when undergoing an audit. Documenting and regularly updating the relevant systems and compliance procedures keeps you honest during the year and gives you evidence to present to assessors when the time comes.

By entrusting much of your compliance to TokenEx, you can feel confident that these concerns are being addressed by security and compliance experts dedicated to protecting the world’s most sensitive data. For more information about PCI compliance and how TokenEx can help reduce its cost and complexity, check out our PCI compliance ebook and PCI descoping guide.
