Understanding PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard for protecting payment (i.e., credit and debit) card data. It applies to all merchants and service providers that store, process or transmit cardholder data, including those that never handle the payment transaction directly but whose systems could affect its security. PCI DSS is a mature standard; version 4.0 was released in 2022, and it carries an extensive set of requirements to secure people, processes and technology against attacks that could compromise payment data.

Meeting PCI DSS is a complex, ongoing effort that requires clear commitment and direction from the executive level down; it cannot be treated as merely an IT or compliance department problem. One of the most challenging aspects of PCI DSS is identifying the scope of the environment. The scope is every network segment, facility or process that stores, processes or transmits payment card data (the cardholder data environment, or CDE), plus anything that connects to, or could affect the security of, the systems and networks that do.

Without careful network segmentation, PCI DSS scope can extend to significant portions of a business's network and systems. Segmentation only reduces scope if it actually isolates the CDE: PCI DSS requires that segmentation controls be tested, at least annually, to confirm that out-of-scope systems cannot reach in-scope ones.

The requirements themselves cover governance and documentation (policies and risk assessment), processes (user access management, vulnerability management) and technology (system hardening, cryptography and key management).

When addressing your PCI DSS compliance obligations, here are three strategies to get started:

  • Plan ahead – PCI DSS compliance is rarely achieved in days or weeks; it takes sustained effort and cooperation across the whole organization.
  • Understand the scope – Scope is defined by where cardholder data flows, not by what the organization chooses to include, so it is often larger than for frameworks like SOC 2 or ISO 27001. Many organizations never take the time to map every location that handles payment data or every connected system that could affect its security.
  • Bring in expert help early – A framework this complex has many corner cases and troublesome areas, and experienced assessors (Qualified Security Assessors, or QSAs) can help navigate them. Before undergoing a formal assessment for the first time, get help in the form of a readiness or gap assessment.