No items found.
Featured
Access Management

6 PCI DSS Controls & Their Requirements

Rohit Rao
November 4, 2024
SHARE ON :

To successfully achieve PCI DSS compliance certification, you need to apply PCI DSS controls relevant to your business setup. To implement the right set of controls, you will first need to have a proper understanding of all the PCI DSS controls. So, in this article, we've explained all 6 PCI DSS controls and their requirements for your better understanding.

In 2013, retail giant "Target" fell victim to one of the costliest data breaches, which resulted in them paying the $18.5 million settlement. You may ask, 'What was the cause?'

Target failed to implement the right set of PCI DSS controls to safeguard cardholder data, which caused cyber attackers to steal credentials from a third-party vendor and gain access to customer databases. Then, they installed malware and stole sensitive cardholder data, including payment card numbers, credit card verification codes, email addresses, phone numbers, and other sensitive data. The worst part is that this breach affected nearly 42 million customer payment card accounts, so Target ultimately had to pay a $18.5 million multistate settlement.

So, if you don't want your company in the headlines for such breaches, then you should definitely consider implementing the right set of PCI DSS controls (that are necessary for your setup). To help you find the right fit, we've listed all the PCI DSS controls and their requirements in detail.

Understanding 6 PCI DSS Controls & The Requirements They Mandate To Fulfill

Below, we’ve outlined a list of PCI DSS controls that mandate fulfillment of specific requirements to keep cardholder and payment data secure.

1: Maintenance Of Secure Network & Systems

This PCI DSS control puts emphasis on establishing a digital defense system to protect critical cardholder information from potential cyber threats. For this reason, such PCI DSS controls mandate implementing the following measures:

PCI DSS Requirement 1# Set Up Firewalls And Routers

Such PCI DSS controls mandates enforcement of network security controls like firewalls (network security bots that control network traffic based on pre-defined policies or rules) because by setting up firewalls, you create a barrier between your organization's internal network(s) and external network.

This barrier helps block malicious entities from accessing your database's cardholder and payment data. However, you can also set up internal firewalls to restrict internal teams or users from accessing cardholder data. For instance, you don't want your marketing department employees to access cardholder data. You can install and configure a firewall (set up rules) to restrict the marketing department from accessing cardholder data. This way, you can ensure that sensitive data like cardholder information remains off-limit to irrelevant users, groups, or departments.

In addition, such PCI DSS controls mandate organizations to configure and manage their routers (if applicable) to safeguard cardholder data.

Note: You must monitor your firewall traffic, review router configurations at least once every six months, and reconfigure them (if necessary).

PCI DSS Requirement 2# Change Vendor Supplied Default Credential & Security Configurations

Most SaaS apps organizations procure to manage and store cardholder data come with default settings like preset usernames, default passwords, and other insecure configurations. The issue is that malicious attackers often target these default credentials to compromise your system and exploit critical cardholder data. So, such PCI DSS controls recommend disabling all unnecessary default configurations and changing default credentials with new ones before using the vendor-supplied apps. This security practice helps reduce potential attack surfaces and secure your cardholder data.

2: Protection Of Payment Card And Cardholder Data

This PCI DSS controls emphasis on encrypting sensitive payment and cardholder data. This is because encryption makes data unreadable to unauthorized users, which helps keep data secure. For this particular reason, such PCI DSS controls mandates meeting the following requirements:

PCI DSS Requirements 1# Protect Cardholder Data Stored In Company’s Database With Encryption

Note: Do not store cardholder data (CHD) unless necessary.

If you decide to store CHD (businesses usually store CHD to provide seamless services, like e-commerce platforms saving CHD to make the transaction and refund process easier), PCI DSS provides you with suggestions on how to safeguard CHD. 

For example, it recommends creating a data disposal and retention policy, storing CHD in secure locations, and purging data quarterly (deleting cardholder data that is no longer needed). It also suggests rendering all authentication data unreadable through encryption, using a masking method (only displaying the first 4 or last three numbers of the primary account number like a PAN card), and restricting access to decryption keys. You can follow these practices to meet such PCI DSS controls requirements and stop unauthorized users and cyber criminals from exploiting CHD.

Note: Even if your organization is keeping the cardholder’s login or security-related details (like PINs) for authentication purposes, you must also keep those details safe.

PCI DSS Requirements 2# Use Cryptography To Protect Cardholder Data During Transmission Over Open Public Networks

This requirement is very similar to the previous PCI DSS requirement; the difference is that it demands safeguarding cardholder data while it is being transmitted over open and public networks.

To protect the CHD in transit, you must first determine where it is coming from and where it is being transferred (i.e., where it is being sent). Once the route is identified, encrypt the CHD using strong cryptography (a practice of counseling and securing data by changing it into a format that can only be understood by an individual with the right decryption key). This practice will help prevent hackers from accessing critical data, like primary account numbers, while they are in transit.

However, you should also ensure that the wireless networks are configured properly and that appropriate authentication protocols are in place before allowing users to transfer CHD. Any gaps or weaknesses in these areas can provide hackers with an opportunity to exploit data during transmission.

3: Establishment Of A Vulnerability Management System

This PCI DSS control focuses on identifying and addressing vulnerabilities in digital security systems to enhance their ability to withstand and respond to potential cyber-attacks. For this reason, such PCI DSS controls mandate fulfillment of the following requirements:

PCI DSS Requirements 1# Use Up-to-date Anti-Virus Software To Protect The Digital Security System From Malware 

Since digital security setups are highly prone to malware attacks (malware is designed to infiltrate and damage security systems without the owner’s knowledge or consent), PCI requires organizations to install anti-virus software. This anti-virus software acts as a defense mechanism against malware that instantly detects malicious software (when one enters your security system) and promptly takes action like removing them (it asks for your permission before performing such action). By meeting the security requirements (installing Anti-virus apps) of such PCI DSS controls, you can help ensure that cardholder data remains protected from malware attacks.

However, that’s not all — post installment, you must ensure your anti-virus software is kept up-to-date (to remain effective). You also need to conduct periodic scans of your digital security system to verify that your installed anti-virus software is performing as expected.

PCI DSS Requirements 2# Develop & Maintain System And Software Security

To meet such PCI DSS Controls, you have to ensure that your DevOps team uses code scripts during the system and app code development process to help prevent vulnerabilities from occurring. Once the apps are actively in use, you need to maintain them. To do this, you first need to run a review and find security vulnerabilities in your system and apps using trusted sources.

Once vulnerabilities are identified, rank them based on their risks—‘high,’ ‘medium,’ or ‘low.’ With these insights, you can decide which security vulnerabilities need to be addressed first and accordingly apply security patches. These practices will help create a strong security setup to effectively tackle security breaches and protect CHD.

Also Read: Top 8 Challenges of Cyber Security & How to Address Them

4: Implementation Of Strong Access Control Measures

This PCI DSS controls emphasis on controlling users’ access to cardholder data by assigning unique IDs to each of them. This is why such PCI DSS controls mandate fulfillment of the following requirements:

PCI DSS Requirements 1# Restrict Access To Cardholder Data By Business Need-to-know

You need to enforce high-level access control measures to effectively manage internal users' access (whether to allow or disallow access) to cardholder data and meet the mandatory requirements of such PCI DSS controls.

But which access control to enforce? You can implement — role-based access control (granting CHD access to users based on role), just-in-time access control (granting temporary access permissions), and 'need to know' basis/least privilege access (granting least amount of access to users). Why is there a need? PCI DSS mandates the implementation of these practices to protect CHD from being accessed by unauthorized personal or irrelevant groups or departments. 

For example, since HR department employees do not need access to CHD—it is irrelevant—it is suggested that policies like role-based access control be set up to restrict them from accessing CHD.

That's not all. To successfully meet such PCI DSS controls requirements, you also need to set up an approval system to ensure no user is granted access to CHD without proper authorization. Simply put, you need to have a secure system that ensures no users receive access to CHD until and unless they have the approved permission.

However, manually enforcing PCI DSS controls like access control policies can be time-consuming and prone to error, so you should consider opting for an identity access management solution like Zluri. Zluri's access management offers an automated workflow that allows your IT team to set up control policies and access rules without any hassle.

They just simply need to specify triggers like 'when,' 'condition,' and 'then,' and Zluri automatically runs those actions. For example, to restrict HR department employees' access, your team can set up – 'when' as 'the user is from the HR department,' 'condition'-- 'role' equals 'employee' and 'manager,' 'then' — 'revoke access of all apps that stored CHD.' Once specified, Zluri will automatically revoke app access from HR department members (when conditions are met). This setup simplifies the policy enforcement process and speeds it up.

PCI DSS Requirements 2# Assign A Unique ID To Each User

To meet PCI DSS controls' requirements, you must assign every individual a unique identification (ID). Moreover, assigning unique IDs to users allows you to easily track who is accessing cardholder data and detect suspicious activities/behavior. With these insights, you can further protect payment data or cardholder data from breaches and unauthorized users.

For example, in case any unauthorized access attempts are found, you can run a forensic investigation. This will help you find out which ID is responsible for the unauthorized access attempts, and accordingly, you can take necessary action (like restricting their access to CHD) to safeguard CHD from misuse.

To meet PCI DSS controls requirements, you also need to promote the use of strong and unique credentials/passwords and restrict the use of group or shared passwords (as hackers often target weak and shared passwords to infiltrate systems).

PCI DSS Requirements 3# Restrict Physical Access To Cardholder Data

To fulfill such PCI DSS controls requirements, you must restrict unauthorized users from entering areas and accessing physical devices where cardholder data is handled, processed, and stored.

To do so, you can follow practices like—only permitting entry to users who have a physical ID or key card to enter premises where CHD is being handled, using tools like video cameras or electronic access systems to track down who is entering and exiting data centers, and keeping records of logs and video footage for at least 90 days. Also, make sure to limit direct interaction with USB drives and external hard drives to authorized users only.

Please note that following the physical security practices meets PCI DSS controls mandates and protects CHD from theft, external damage, and misuse.

Also Read: 7 Data Loss Prevention Best Practices

5: Monitor & Test Security Setup

This PCI DSS control focuses on observing user access activities, conducting regular checks, and promptly addressing identified issues. To comply with such PCI DSS controls, you must follow the requirements outlined below.

PCI DSS Requirements 1# Monitor And Log All Access Attempts

To meet this requirement, you must track every user access attempt and record it along with additional details like the user's unique ID, date and time (when they accessed CHD), and which system.

After that, you have to send all the logs (records) to a centralized server (like a Syslog server). This server organizes all the logs properly, making it easier for your team to access the information, analyze them, and use them for troubleshooting or other security purposes. 

Also, you have to ensure these logs (records) are only accessed by authorized users and no one else to prevent the risk of data tampering.

However, these practices help meet PCI DSS controls mandates and identify anomalies or suspicious login attempts, allowing your team to take prompt action to address them and protect sensitive data like CHD against attacks.

Note: You can use security information and event monitoring tools to monitor and log access activities.

PCI DSS Requirements 2# Test Security Of Systems Regularly

Whenever you modify your security system, be it changing your firewall configurations or router settings, you potentially introduce new vulnerabilities (not necessary). Even software like anti-virus tools, which are designed to stop attacks, can also introduce vulnerabilities, threats, and attack gaps if not updated on time.

This is why this PCI DSS requirement mandates conducting a vulnerability scan and penetration test whenever changes are made or, if possible, on a periodic basis (at least every six months or annually). These checks/tests help ensure the new changes do not pose any risk to cardholder data security.

Also, in case these new changes pose a threat to CHD, these security checks seamlessly detect them, allowing you to promptly take follow-up actions to fix the issue and protect CHD.

Note: PCI DSS mandates that vulnerability scans be performed every three months by a certified vendor known as an approved scanning vendor (ASV).

Also Read: Top 14 Vulnerability Scanning Tools in 2024

6: Maintenance Of Information Security Policies

This PCI DSS control emphasizes on setting up clear information security standards/guidelines that everyone adheres to without fail. So, to comply with such PCI DSS controls, you need to fulfill the below-outlined requirements:

PCI DSS Requirements 1# Create And Enforce An InfoSec Policy

To comply with such PCI DSS controls, you need to create an InfoSec (information security) policy. In it, you have to clearly outline which security practices need to be followed to protect CHD, the roles and responsibilities of every person engaged in the CHD handling process, the risk mitigation procedure/security incident response process, and a few other relevant details.

Once the policy is created, you need to share the InfoSec policy with everyone (who is part of the CHD managing process) so that they are aware of the sensitivity of protecting payment account data/ CHD and their responsibilities in maintaining its security. Also, make sure to update the policy at least once a year (if necessary) to maintain its relevancy.

Also Read: Top 12 PCI DSS Compliance Checklist in 2024

Leverage Automated Solution To Meet PCI DSS Controls Requirements 

After going through the PCI DSS controls and their requirements, you may have realized that fulfilling each requires much effort, time, and undivided attention. Since the journey to PCI DSS certification is already quite intricate, relying on a manual approach will only add unnecessary complication and increase the risk of mistakes. It is simply not a viable choice!

You can focus on automating certain highly complex tasks that can help you achieve PCI compliance faster

For example, you can opt for Zluri – an automated access review solution that automates intricate user access review processes with just a few clicks. You just have to specify certain details like which app (that stores and manages CHD) you want to conduct review for, what type of users you want to review, and what actions to take when anomalies or misalignment are detected – and Zluri takes care of the rest. 

Let’s say you have your cardholder data in the Salesforce app and want to conduct a Salesforce access review to find out who has access to it. Now, what Zluri does is, it first integrates with Salesforce and lists all the users who are accessing Salesforce along with other relevant details in a centralized dashboard.

Then, based on the specified type of user—it can be a user, admin, or manager (you need to specify that)—it conducts an in-depth review to find out if any unauthorized user holds access to Salesforce or if anyone has excessive privileges. If any anomalies or misalignments are detected, it runs remediation action automatically, which helps secure your CHD stored in Salesforce from potential attacks or misuse.

Lastly, it generates a detailed UAR report outlining its actions to safeguard CHD. The best part is that this report acts as evidence that you can directly present to external PCI DSS auditors and successfully get your PCI DSS certification. You can have a look at the Salesforce access review tour to clearly understand how Zluri’s access review performs.

Frequently Asked Questions (FAQs)

1. Which Is The New PCI DSS Compliance Version?

The PCI DSS 3.2.1 version expired on March 31, 2024, and the new version, PCI DSS 4.0, was officially released.

2. What Is Compensating Control In PCI DSS?

Compensating controls are basically alternative security controls (security measures) that organizations can use when they struggle to meet specific PCI DSS controls requirements (often due to technical limitations or other valid reasons).

3. How Much Does It Cost To Get PCI DSS Certified?

The cost of PCI DSS certification varies depending on the organization's size. For example, small and medium organizations pay between $5,000 and $20,000, whereas large organizations pay between $50,000 and $200,000.

About the author

Rohit Rao

Rohit works in the Community and Marketing Team of Zluri and is a strong advocate of community led growth.

Table of Contents:

This is some text inside of a div block.
This is some text inside of a div block.

Related Blogs

Read More
Access Management
· 8 min read

12 IT Service Desk Metrics for Your Support Team

Sharavanan
November 19, 2024
Access Management
· 8 min read

OIDC vs SAML: What’s The Difference Between These Protocols?

Minu Joseph
November 10, 2024
Access Management
· 8 min read

IAM Compliance: Aligning With Organization Objectives & Regulatory Obligations

Sreenidhe S.P
November 9, 2024

Go from SaaS chaos to SaaS governance with Zluri

Tackle all the problems caused by decentralized, ad hoc SaaS adoption and usage on just one platform.

Get in Touch

691, S Milipitas Blvd, St 217 Milpitas 95035

Security

Recognition

Products

SaaS Management
Access Management
Access Reviews

Platform

Open APIs
Integrations
Desktop Agents
Browser Extensions

Industries

Gaming
Biotech

Company

Our Story
Careers
We're Hiring
Events
Pricing
Contact Us
Press kit
Partner with Zluri
Security & Compliance
Trust Center

Resources

Blog
Case Studies
White Papers
SaaS Whispers
Integrations Catalog
Self-Guided Demos
Community
Webinars
Resource Hub for CIOs
Sitemap

Compare

SaaS Management
Zluri vs Torii
Zluri vs Zylo
Zluri vs Productiv
Access Management
Zluri vs Lumos
Access Reviews
Zluri vs Okta
Zluri vs Sailpoint

Compliance Readiness

SOC 2
HIPAA
ISO 27001
PCI DSS
SOX ITGC
RBI Cyber Resilience
© 2024 Zluri, All Rights Reserved
Responsible Disclosure Policy
  -  
Terms & Conditions
  -  
Privacy Policy
  -  
Disclaimer
  -  
Terms of Service
  -  
Zluri AI Terms