Companies that store, process, or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard defined by the Payment Card Industry Security Standards Council (PCI SSC) specifies technical and operational requirements established to protect cardholder data, in-scope data includes the sensitive authentication data (stored on magnetic stripe data or equivalent on a chip, CVC2, CVV2, CID, PINs, PIN blocks) and the primary account number (PAN).
Through our Software Compliance Testing service for PCI DSS, we assess and test vendors’ software solutions to ensure they support PCI DSS requirements. After a thorough evaluation, we feature these solutions on our website.
PCI DSS Compliance Testing Controls
Compliance Testing for PCI DSS relies on credible, objective testing controls based on the intent of PCI DSS requirements. This approach incorporates insights from former QSAs (Qualified Security Assessors), auditors, and various specialists, including affected software vendors, developers, users, and industry groups, to align with organizational needs. The PCI DSS compliance testing controls cover the following software controls categories:
Application and DevOps Security
Requirement 6: Develop and Maintain Secure Systems and Software: This requirement emphasizes secure software development practices, including secure coding for custom software, vulnerability management for third-party components, and secure change management processes.
Asset Inventory and Management
Requirement 12.5: PCI DSS scope is documented and validated: This requirement mandates maintaining accurate documentation of the cardholder data environment (CDE) scope, including all systems, networks, and applications that store, process, or transmit cardholder data. Appendix B: Sample Inventory (from PCI SSC Cloud Guidelines): Provides a sample system inventory template specifically for cloud computing environments, highlighting the importance of asset inventory in cloud contexts.
Awareness and Training
Requirement 12.6: Security awareness education is an ongoing activity: This requirement mandates regular security awareness training for all personnel involved with cardholder data to ensure they understand their roles in protecting this sensitive information.
A3.1.4 Personnel with responsibility for PCI DSS compliance are appropriately trained: (Designated Entities Supplemental Validation) emphasizes specialized training for personnel handling PCI DSS compliance, going beyond general security awareness.
Backup and Recovery
While not directly addressed as a separate topic, PCI DSS implicitly covers backup and recovery within various requirements, such as:
Requirement 12.3: Risk Assessment and Management – Entities should include backup and recovery processes in their risk assessment.510.
Requirement 10: Log and Threat Detection – Log data retention policies should consider backups and recovery.
Audit and Compliance Management
Requirement 12.4: PCI DSS compliance is managed: This requirement mandates assigning responsibility for maintaining PCI DSS compliance to a designated individual or team. Regular reviews of security policies and procedures are also required.
A3.1: A PCI DSS compliance program is implemented: (Designated Entities Supplemental Validation) This section emphasizes the importance of a formal PCI DSS compliance program, including methodologies for ongoing monitoring and management of the program.
Data Security
Requirement 3: Protect Stored Account Data: This requirement covers the protection of cardholder data at rest, including encryption requirements, access restrictions, and secure storage practices.
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks: This requirement focuses on securing cardholder data in transit, mandating strong encryption for data transmitted over public networks.
Endpoint and Device Protection
Requirement 2: Apply Secure Configurations to All System Components: This requirement mandates applying secure configurations to all system components, including endpoints, to minimize vulnerabilities.
Requirement 5: Protect All Systems and Networks from Malicious Software: This requirement focuses on implementing and maintaining malware protection mechanisms on all systems, including endpoints, to prevent and mitigate malware threats.
Identity Management and Access Control
Requirement 7: Restrict access to cardholder data by business need-to-know: This requirement focuses on restricting access to cardholder data based on least privilege principles, ensuring only authorized personnel with a business need have access.
Requirement 8: Identify and authenticate access to system components: This requirement mandates strong authentication mechanisms for all users accessing cardholder data, including multi-factor authentication (MFA) as a best practice (becoming mandatory).
Incident Response
Requirement 12.10: Suspected and confirmed security incidents that could impact the CDE are responded to immediately: This requirement emphasizes having a documented incident response plan to handle security incidents promptly and effectively.
Logging and Threat Detection
Requirement 10: Track and monitor all access to network resources and cardholder data: This requirement mandates logging and monitoring all access to cardholder data and critical system components to detect and respond to security events.
Network Security
Requirement 1: Install and Maintain Network Security Controls: This requirement focuses on establishing and maintaining network security controls, including firewalls, to protect the cardholder data environment.
Requirement 2.3: Wireless environments are configured and managed securely: This section specifically addresses securing wireless networks to prevent unauthorized access.
Posture and Vulnerability Management
Requirement 11: Regularly test security systems and processes: This requirement mandates regular security assessments, including vulnerability scanning and penetration testing, to identify and address vulnerabilities.
Requirement 6.3: Security vulnerabilities are identified and addressed: This requirement focuses specifically on identifying and addressing vulnerabilities in systems and software.
Risk Assessment and Management
Requirement 12.3: Risks to the cardholder data environment are formally identified, evaluated, and managed: This requirement mandates conducting a formal risk assessment to identify and evaluate risks to the CDE.
Software Bill Of Materials (SBOM)
Requirement 6: Develop and Maintain Secure Systems and Applications: This requirement heavily emphasizes secure software development practices. While not explicitly mentioning SBOM, maintaining an inventory of bespoke and custom software, including third-party components, aligns with the core principles of SBOM.
Zero Trust Network Access
While not explicitly mentioned, Zero Trust principles align with several PCI DSS requirements:
Requirement 7: Restrict access to cardholder data by business need-to-know: Zero Trust promotes least privilege, aligning with this requirement.
Requirement 8: Identify and authenticate access to system components: Zero Trust emphasizes strong authentication, including MFA, which PCI DSS requires.
Continuous Evaluation Process
Compliance Labs has developed the compliance continuous testing process as a fundamental aspect of the PCI DSS compliance testing controls. The continuous evaluation process will monitor new cybersecurity regulations and standards compliance requirements or frameworks best practices and update testing criteria to drive software compliance effectiveness and quality over the long term.