PCI Compliance Primer

PCI applies to a wide range of corporations and companies that deal with credit card transactions, and it can be a useful tool for other organizations as well.  The PCI specification was created by credit card companies such as Discover, American Express, Visa, and MasterCard to protect the individual from credit card fraud and identity theft through standardization of security controls surrounding the protection of credit card information.  Similar to ISO standards, PCI is not a government regulation full of fines for non-compliance.  Rather, the rule thrives under positive reinforcement by allowing companies to demonstrate that they have achieved a level of information assurance suitable to protect customer credit card information.  However, it should be mentioned that there can be fines if an organization has a loss of credit card information and they are not PCI compliant.

Compliance is recommended for all companies that process, store or transmit credit card data.  Some ask why they should expend the time and resources to become compliant if the process is voluntary.  First, PCI compliance can give customers more confidence in your ability to protect their data.  Second, a company that is compliant with PCI will be better equipped to comply with other regulations and standards such as HIPAA, COBIT, or ITIL, since many of the requirements overlap.  Third, the recommendations in PCI are reasonable and practical for many companies that take information security seriously, and they can bring significant benefit to the organization’s ability to safeguard systems and data.

What’s required for PCI compliance?

The PCI requirements are comprised of six categories called control objectives.

| Control Objectives | PCI Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |

Excerpt from the PCI 1.2 standard

How does one become PCI certified?

For many companies, the PCI compliance process is somewhat ambiguous, and what little is known of the process is often representative of the outliers rather than the norm.  Compliance seminars and information security speakers often talk of the penalties for non-compliance or the immense costs of compliance initiatives, and this can make the activity seem quite frightening.  However, the PCI process is relatively straightforward.

After implementing controls to satisfy the objectives above, a company must then complete periodic reports outlining its compliance with PCI.  Small businesses can complete a self-assessment and then pass a vulnerability scan performed by an approved scanning vendor.  Larger companies go through an audit by qualified security assessors.  An annual review is required to maintain your PCI standing.

Wrapping up PCI

This entry regarding PCI covered who needs to comply with it, what is required, and how the process works.  As you can see, the process is not as complicated as some believe.  Organizations can improve the security of handling credit card information and provide an increased level of assurance to customers that their credit card information is being protected.


About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.