Guides: PCI Compliance

PCI Compliance: Merchant Levels, 12 Requirements, and PCI in the Cloud

What Is PCI DSS Compliance?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security measures to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

Initiated by major credit card companies, PCI DSS aims to reduce credit card fraud by enhancing data security practices. Compliance with these standards is mandatory for organizations processing credit card transactions, and is crucial for protecting sensitive information and maintaining consumer trust.

PCI DSS comprises 12 requirements, covering aspects from maintaining secure networks and systems to monitoring and testing networks regularly. These requirements enforce controls on data security within organizations, and adherence to them signifies a commitment to safeguarding customer information against breaches and unauthorized access.

For organizations running cardholder data workloads on Kubernetes or other containerized platforms, container security practices are an important part of meeting these PCI DSS controls.

This is part of an extensive series of guides about managed services.

In this article:

Is PCI Compliance Required by Law?

While PCI DSS compliance itself is not mandated by law, it is enforced through contractual obligations by major credit card networks such as Visa, MasterCard, and American Express.

Businesses that fail to comply with PCI standards can face penalties, increased transaction fees, and may even lose the ability to process credit card payments. Hence, compliance with PCI DSS is crucial for any entity dealing with card payments to avoid significant financial and operational repercussions.

Additionally, non-compliance can result in data breaches, leading to lawsuits, fines, and loss of reputation. Compliance with PCI DSS helps mitigate these risks, providing a structured approach to security that aligns with many international compliance standards.

Benefits of PCI Compliance

Adhering to PCI DSS compliance standards offers several benefits:

  • Enhances security of cardholder data by enforcing data protection measures. This minimizes the risk of data breaches and associated costs, ensuring customer trust and loyalty.
  • Provides a competitive advantage, because organizations that achieve PCI compliance demonstrate a commitment to data security.
  • Supports legal and regulatory compliance across various jurisdictions, as many of the PCI DSS requirements align with other data protection regulations. This alignment simplifies compliance management, reduces complexity, and ensures security measures are in place.

PCI DSS Merchant Levels

PCI DSS classifies merchants into four levels based on the volume of credit card transactions they process annually. These levels determine the compliance requirements and validation procedures that each merchant must follow:

Level 1:

  • Transaction volume: Merchants processing over 6 million transactions per year across all channels or those that have experienced a data breach.
  • Compliance requirements: Annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA), or internal audit if signed by an officer of the company. Additionally, quarterly network scans by an Approved Scanning Vendor (ASV) are required, along with an Attestation of Compliance (AOC) form.

Level 2:

  • Transaction volume: Merchants processing 1 million to 6 million transactions per year across all channels.
  • Compliance requirements: Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV, along with an AOC form.

Level 3:

  • Transaction volume: Merchants processing 20,000 to 1 million e-commerce transactions per year.
  • Compliance requirements: Annual SAQ and quarterly network scans by an ASV, along with an AOC form.

Level 4:

  • Transaction volume: Merchants processing fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions across all channels.
  • Compliance requirements: Annual SAQ and quarterly network scans by an ASV, as required by the acquiring bank, along with an AOC form.

Understanding the 12 PCI Compliance Requirements

The 12 PCI DSS requirements form the core of the standard and cover a set of security controls aimed at protecting cardholder data.

1. Use and Maintain Firewalls

Firewalls are crucial for blocking unauthorized access to networks. Implementing firewall configurations ensures that only legitimate traffic is allowed, safeguarding sensitive data from external threats. Regularly updating and maintaining firewalls helps in adapting to emerging threats and ensuring continuous protection of the network infrastructure.

Properly configured firewalls are mandatory under PCI DSS to segment the network and protect cardholder data. Organizations should conduct regular audits and updates to their firewall configurations to ensure compliance and security. Firewalls are a fundamental component in creating a secure perimeter around sensitive data systems.

2. Proper Password Protections

Effective password management is essential for restricting access to sensitive systems and data. Implementing strong, complex passwords and changing them regularly reduces the risk of unauthorized access. PCI DSS rules require the use of multifactor authentication for accessing cardholder data, adding an additional layer of security.

Organizations must educate employees on secure password practices and enforce policies that prevent the use of easily guessed passwords. Regularly updated password policies that adhere to PCI DSS standards ensure that only authorized individuals can access sensitive information.

3. Protect Cardholder Data

PCI DSS mandates measures for protecting stored cardholder data. This includes encrypting data at rest, implementing access controls, and regularly monitoring access to ensure that data is only available to authorized users. Protecting stored data minimizes the risk of data breaches and unauthorized exposure.

Organizations should also implement tokenization to replace sensitive data with non-sensitive equivalents during storage or transmission. Regular audits and assessments are crucial to ensure compliance and the continued security of cardholder data.

4. Encrypt Transmitted Data

Encryption is essential for securing cardholder data during transmission over public networks. PCI DSS requires encryption protocols to ensure that intercepted data cannot be read or utilized by unauthorized parties. Implementing encryption methods like TLS and SSL is crucial for maintaining the integrity and confidentiality of transmitted data.

Organizations must ensure that encryption keys are managed securely and updated periodically to maintain the highest level of security. Regularly reviewing and updating encryption practices ensures continuous compliance and protection against evolving threats.

5. Use and Maintain Anti-Virus

Deploying and maintaining antivirus software is crucial for protecting systems from malware and other malicious threats. PCI DSS mandates the use of antivirus solutions to detect and eliminate harmful software that could compromise cardholder data. Regular updates and scans are essential to keep the antivirus software effective against the latest threats.

Organizations should ensure that antivirus programs are configured to perform regular scans and updates without manual intervention. Automating these processes helps maintain continuous protection and reduces the risk of malware-related breaches.

6. Regularly Update Software

Keeping software up to date is essential for mitigating vulnerabilities that could be exploited by attackers. PCI DSS requires regular updates and patches to all systems and applications that handle cardholder data. Failure to update software can leave systems vulnerable to known exploits and compromises.

Organizations must have a patch management process to ensure timely updates and minimize downtime. Regularly scheduled maintenance and monitoring help ensure that all software remains secure and compliant with PCI DSS standards.

7. Restrict Data Access

Access to cardholder data should be limited to individuals with a legitimate business need. PCI DSS enforces the principle of least privilege, ensuring that employees only have access to the data necessary for their role. Implementing access controls helps minimize the risk of unauthorized access and data breaches.

Organizations should regularly review access permissions and promptly revoke access for employees who no longer require it. Automated access control systems can streamline this process, ensuring that data access policies remain up-to-date and effective.

8. Unique IDs for Access

Assigning unique IDs to individuals accessing cardholder data is a requirement under PCI DSS. This ensures accountability and traceability, making it easier to track and monitor access to sensitive information. Unique IDs prevent unauthorized access and make it easier to detect and respond to potential security incidents.

Organizations should enforce policies that prohibit sharing of IDs and credentials. Regular audits and monitoring of access logs help ensure compliance and quickly identify any unauthorized access attempts.

9. Restrict Physical Access

Physical security measures are as important as digital ones. PCI DSS requires that access to areas where cardholder data is stored be restricted to authorized personnel only. Implementing physical access controls such as badges, locks, and surveillance can prevent unauthorized individuals from accessing sensitive data.

Organizations should regularly review and update physical security protocols to adapt to changing threats. Conducting physical security audits ensures that all measures are in place and effective, maintaining compliance with PCI DSS requirements.

10. Create and Maintain Access Logs

Maintaining detailed access logs is vital for monitoring and auditing access to sensitive systems and data. PCI DSS requires logs of all access to cardholder data to ensure accountability and facilitate forensic analysis in case of a breach. Regularly reviewing access logs helps in identifying unusual or unauthorized access attempts.

Organizations should implement automated logging systems to ensure comprehensive and continuous tracking of access. Regular audits and reviews of these logs help maintain compliance and enhance security.

11. Scan and Test for Vulnerabilities

Regular vulnerability scanning and penetration testing are essential for identifying and mitigating security weaknesses. PCI DSS requires both internal and external scans to ensure that systems are secure from threats. Regular testing helps organizations to proactively address vulnerabilities before they can be exploited by attackers.

Organizations should integrate vulnerability scanning into their regular maintenance routines and address identified issues promptly. Conducting thorough and frequent scans ensures continuous protection and compliance with PCI DSS.

12. Document Organizational Policies

Documenting security policies and procedures is crucial for ensuring that all PCI DSS requirements are adhered to. These documents provide a clear framework for implementing and maintaining security measures. Regularly updated policies ensure that all personnel understand their roles and responsibilities regarding data protection.

Organizations should ensure that security policies are communicated to all relevant stakeholders and reviewed periodically. Documentation helps maintain compliance and provides a reference for audits and assessments.

Risks of Non-Compliance with PCI DSS

Non-compliance with PCI DSS can have severe consequences for businesses. Financial penalties imposed by credit card companies can be substantial and affect the bottom line significantly. Additionally, non-compliant organizations are more susceptible to data breaches, which can lead to further financial losses, legal actions, and a tarnished reputation.

The cost of non-compliance is not just monetary. The loss of consumer trust can have long-term effects, potentially driving customers to competitors. Organizational resources may also be strained as efforts are redirected towards managing and mitigating the aftermath of a data breach.

What Is PCI Compliance as a Service?

PCI Compliance as a Service (CaaS) is a solution where third-party providers help businesses achieve and maintain PCI DSS compliance. These services typically include assessments, gap analysis, and continuous monitoring to ensure that all compliance requirements are met. CaaS is beneficial for organizations that lack the internal resources or expertise needed for PCI DSS compliance.

Using CaaS providers allows businesses to focus on their core operations while ensuring that their data security practices meet industry standards. These providers bring specialized knowledge and tools tailored for compliance, often offering a cost-effective and efficient solution compared to maintaining PCI DSS standards internally

PCI Compliance in the Cloud: Key Challenges

Ensuring PCI DSS compliance in the cloud presents unique challenges due to the shared responsibility model between cloud service providers (CSPs) and their customers. Unlike traditional on-premises environments where businesses have full control over their infrastructure, cloud environments involve a division of responsibilities. This division can complicate compliance efforts as it requires clear understanding and coordination between the CSP and the customer.

One of the primary challenges is the need to secure data across a dynamic and scalable environment. In the cloud, resources are often spun up and down rapidly, making it difficult to maintain consistent security controls and monitoring. Additionally, data in cloud environments can easily move across different regions and services, which can introduce complexities in ensuring that all instances of cardholder data are properly secured and comply with PCI DSS requirements.

Another challenge is the potential for misconfigurations. Cloud environments offer a high degree of flexibility, but this can lead to mistakes, such as exposing sensitive data due to improper access control settings or failing to encrypt data in transit and at rest. These misconfigurations can quickly lead to non-compliance and increase the risk of data breaches.

PCI Compliance in Leading Cloud Platforms

To help customers manage these challenges, leading cloud providers like AWS, Microsoft Azure, and Google Cloud offer tools and services designed to support PCI DSS compliance:

  • Amazon Web Services (AWS): AWS provides a wide array of services and features to help customers achieve PCI compliance. AWS services that align with PCI DSS requirements include EC2, ECS, EBS, CloudWatch, Cognito, VPC, and CodeBuild. The AWS Artifact tool provides access to compliance reports and documentation. AWS also offers security services such as AWS Config for monitoring resource configurations, Amazon GuardDuty for threat detection, and AWS Key Management Service (KMS) for encryption keys.
  • Microsoft Azure: Azure offers built-in PCI DSS-compliant services and provides detailed compliance blueprints to guide customers in deploying secure environments. Major compliant services include Azure Advisor, API Management, Migrate, and IoT Hub. Azure Policy helps enforce organizational standards and assess compliance, while Azure Security Center provides continuous security monitoring and recommendations to enhance security posture. Additionally, Azure offers encryption services and identity and access management controls to help secure cardholder data.
  • Google Cloud: Google Cloud’s PCI-compliant services include API Gateway, Backup and DR Service, VPC, and Workload Manager. Google Cloud’s security tools, such as Google Cloud Armor for threat detection, Cloud Key Management for encryption key management, and Access Transparency for audit logging, are designed to support PCI DSS compliance. Google Cloud also emphasizes secure-by-default configurations to reduce the likelihood of misconfigurations that could lead to non-compliance.

While CSPs offer pre-configured, compliant infrastructure and tools to monitor and manage security, organizations must still be proactive in understanding their responsibilities, including proper configuration, access control, and ongoing monitoring of their cloud environment.

Read our related guides:

AWS PCI Compliance
Azure PCI Compliance

Best Practices for Maintaining PCI DSS Compliance

Implement Strong Access Controls

Implementing access controls is essential for securing cardholder data. This involves defining and enforcing policies to ensure that only authorized users have access to sensitive information. Multi-factor authentication, role-based access controls, and regular reviews of access permissions are key components of this strategy.

Regularly auditing and updating access controls helps organizations stay compliant and secure. Ensuring that access controls are stringent minimizes the risk of unauthorized access, safeguarding sensitive data effectively.

Maintain a Secure Network

A secure network forms the foundation of PCI compliance. This includes configuring firewalls, using secure protocols, and segmenting networks to isolate sensitive data. Regular network monitoring and vulnerability scans are crucial for detecting and mitigating potential threats.

Updating and patching network devices helps ensure that all security measures are current and effective. Maintaining a secure network is vital for protecting cardholder data and maintaining compliance with PCI DSS requirements.

Maintain an Organizational Security Policy

A security policy provides a clear framework for implementing and maintaining data security measures. Regularly reviewing and updating this policy ensures that it remains effective against evolving threats. All personnel should be aware of and adhere to these policies to ensure a consistent security posture.

Documenting and communicating security policies is crucial for educating employees and stakeholders. Regular training and awareness programs help maintain a security-conscious culture within the organization.

Ensure Third-Party Compliance

Ensuring that third-party vendors comply with PCI DSS is crucial for overall security. This involves conducting due diligence when selecting vendors and regularly assessing their compliance status. Contracts should include clauses that mandate PCI compliance and regular audits.

Maintaining open communication with vendors and conducting periodic assessments helps ensure that third-party practices align with your compliance requirements. This ensures a comprehensive and secure ecosystem.

Implement Data Retention Policies

Effective data retention policies help minimize the risk of data breaches and ensure compliance with PCI DSS. This involves defining how long data should be retained and implementing secure disposal methods. Regularly reviewing and updating data retention policies helps maintain compliance and security.

Automating data retention processes can streamline management and ensure that data is securely handled throughout its lifecycle. This reduces the risk of unauthorized access and data breaches.

Regularly Test and Monitor Security Controls

Regular testing and monitoring of security controls is essential for maintaining PCI DSS compliance. This includes conducting vulnerability scans, penetration testing, and continuous monitoring of security systems. Regular testing ensures that security measures are effective and up-to-date.

Automating monitoring and testing processes helps maintain continuous security and compliance. Timely identification and mitigation of vulnerabilities reduces the risk of data breaches and ensures that security controls remain robust.

Container and Kubernetes Compliance with Calico

Calico supports major compliance standards including PCI DSS, HIPAA, GDPR, SOC 2, CCPA, and any custom frameworks. Calico Cloud provides Kubernetes users with the following features to address compliance requirements:

  • Continuous compliance – Monitor and log changes to security policies based on your organization’s time-based requirements. Maintain your security posture to meet compliance requirements.
  • Compliance reports – Define customer compliance reports and run reports on demand to provide proof of compliance.
  • Policy implementation – Create policies that are Kubernetes-native and based on metadata and labels instead of IP addresses.
  • CIS Benchmark reports – Get out-of-the-box CIS benchmark compliance reports. Use the GlobalReport resource to schedule reports and set compliance thresholds.

Next steps:

See Additional Guides on Key Managed Services Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of managed services.

CDN

Authored by Imperva

Splunk SIEM

Authored by Exabeam

What is Cloud Hosting

Authored by Atlantic

X