What does PCI-DSS stand for?
The Payment Card Industry Data Security Standard (PCI DSS) is an industry requirement for securing cardholder data worldwide. Established by the Payment Card Industry Security Standards Council (PCI SSC)—which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.—the PCI DSS must be followed if an organization wishes to process, store, or transmit the cardholder data of their customers issued by these card brands.
To whom does PCI-DSS apply?
The people, processes, and technology within your organization that interact with or are exposed to payment card information are subject to the PCI DSS. To ensure your organization is PCI compliant, you’ll need to adhere to the 12 requirements, including more than 300 security checks, within the PCI DSS.
REQUIREMENTS
PCI-DSS Controls & Requirements
To achieve PCI compliance, organizations need to follow 12 requirements laid out in the PCI DSS. These PCI compliance requirements fall under six overarching categories that provide an overview of the security controls necessary for PCI compliance.
Build and maintain a secure network and systems
- Install and maintain a firewall configuration to protect payment card data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Maintain protection of cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
- Use and regularly update anti-virus software or other threat detecting and prevention programs
- Develop and maintain secure systems and applications
Implement strong access control measures
- Restrict access to cardholder data by businesses
- Assign a unique ID to each person with computer access
- Restrict physical access to credit card data
Regular monitoring of test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy
- Maintain a policy that addresses information security for all personnel
HOW WE HELP
How NordLayer helps get you PCI-DSS compliant
NordLayer’s adaptable security solutions can create a cloud infrastructure with secure access to your vital resources — suited to organizations of all sizes.
Network security
Improve your security architecture to protect your business against advanced threats and malware — our adaptable solutions are made for organizations of all sizes.
SSE
A multi-layered framework that brings together modern security capabilities such as Secure Web Gateway, Zero Trust Network Access, Cloud Access Security Broker and more.
Network segmentation
You can set user permissions to limit access to specific resources through network access control.
As a merchant, you have to know where the cardholder's data is going and how it will be stored.
Traffic encryption
Whenever customer data or other sensitive information is sent between networks, it may be vulnerable to many attacks. NordLayer encrypts this traffic using AES 256-bit encryption, the most optimal solution to avoiding security incidents and data breaches.
Your system should be tested against vulnerabilities that would allow the execution of malicious code.
Threat prevention
Stop threats before they reach your people and respond quickly when things go wrong. NordLayer automatically restricts untrusted websites and users, preventing potentially harmful malware or other cyber threats from infecting your device.
Jailbroken device detection
NordLayer detects devices that are vulnerable to attack and alerts admins immediately.
According to PCI DSS, every user should be assigned unique credentials for accessing critical systems.
Identity & Access Management
Identity & Access Management ensures all remote users on the network have the correct verification level for using resources, secure data access, and additional information they need — nothing more.
Zero Trust Network Access
ZTNA focuses on removing implicit trust from any user or device that attempts to gain entry to a company network with a ‘trust none, verify all' approach.
Network Access Control
Implement a series of security solutions that expand visibility and access management via device and user policies to protect and connect all reaches of the corporate infrastructure.
Virtual Private gateways
Establish a safe tunnel to connect and transport encrypted data between devices, the cloud, and enterprise servers across the internet.
It’s always a good bet to assume that your company’s network is in someone’s sights.
Activity Monitoring & Visibility
Activity monitoring allows admins to react quickly if someone from the organization breaches company security requirements. It also collects helpful information for compliance audits.
Your cybersecurity policy should cover employees, management, and third-party responsibilities.
2FA
Provides an additional layer of protection on your device by setting up multi-factor authentication to log in to NordLayer.
Biometrics
An additional layer of security through face recognition and fingerprint scanning.
SSO
Single sign-on allows you to use one set of security credentials to access your multiple cloud applications.
User provisioning
In addition to creating user identities in cloud apps, automatic provisioning also includes the maintenance and removal of such user identities as status or role changes.
Network segmentation
If a certain part of the network is compromised, segmentation ensures that attackers can’t move laterally to continue the harmful activity.
OTHER BENEFITS
PCI-DSS Resources
OUR INSIGHTS
NordLayer helps to be regulatory compliant
Achieve regulatory compliance with NordLayer
ADDITIONAL INFO
Frequently asked questions
To get PCI compliant, you will need first to determine which self-assessment questionnaire (SAQ) you should follow. Depending on your SAQ, you will need to implement a set of requirements and controls as outlined in the PCI data security standard.
SecurityMetrics assists small to large businesses identify and implement their PCI requirements.
SAQ stands for self-assessment questionnaire. Depending on an organization’s card transaction volume and the types of transactions it performs, it may be able to use an SAQ to self-evaluate its compliance with the PCI Data Security Standard.
SAQs contain questions about card data security. SAQs range in size from 22 questions (SAQ A) to 329 questions (SAQ D).
There are five risks you face with PCI DSS non-compliance and policy violation:
Monetary fines. Non-compliance can lead to fines from payment processors. Fines range from $10 per month to $1,000 per month or more.
Forensic audits. An organization must provide compliance documents to a forensic examiner during a data breach. In the event an organization has no compliance documentation, the examiner is also required to perform an assessment of the entity controls to determine compliance status in addition to the forensic exam of the data breach.
Payment brand restrictions. Payment brands can place restrictions on organizations such that non-compliant merchants will accept no-card processing. Brands may also completely terminate service in the event an organization does not obtain compliance.
Brand reputation. A data breach will significantly jeopardize brand reputation and customer loyalty. Organizations will be subject to public scrutiny and may lose customer loyalty due to poor credit card information control.
Reactive compliance. Expanding into new technologies without considering compliance, often requires re-engineering or new equipment to become compliant.
There are four PCI compliance levels, which are determined by the number of transactions the organization handles each year.
Level 1: Merchants that process over 6 million card transactions annually. Level 2: Merchants that process 1 to 6 million transactions annually. Level 3: Merchants that process 20,000 to 1 million transactions annually. Level 4: Merchants that process fewer than 20,000 transactions annually.