
What is PCI-DSS?

If your business handles online sales and transactions made with credit and debit cards, ensuring that you comply with the legal requirements of eCommerce is essential. That means learning to understand, respect, and satisfy the demands of PCI-DSS.

We thought we’d put together a little summary of what you need to know about PCI-DSS… and what it means for your business.

What is PCI-DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a set of regulations relating to online commercial transactions and, specifically, the protection of a consumer’s card details and personal information.

It is a global standard that enables businesses to process card payments securely. This covers the storage, transmission and processing of cardholder data.

While PCI-DSS is not a legal requirement in and of itself, most of the data it covers does fall under the umbrella of the Data Protection Act. So if your business handles card payments online, you will need to apply the standard.

The Payment Card Industry Security Standards Council, which developed and maintains PCI-DSS, states that the regulations should cover “all system components included in or connected to the cardholder data environment”. Failure to satisfy the requirements, at least where the Data Protection Act applies, can lead to serious repercussions, including fines and revoked card-processing capabilities.


The 12 Requirements of PCI-DSS

The PCI-DSS standard is organized into 12 requirements split across six categories.

Category 1: Build and Maintain a Secure Network

There are two requirements that fall under Category 1:

Requirement 1 – install and maintain a firewall configuration that protects cardholder data.

In practice this means using properly configured firewalls to prevent unauthorized access. Firewalls control the traffic between the company’s trusted internal networks and untrusted external networks.

Requirement 2 – avoid the use of vendor-supplied defaults when handling system passwords and security parameters.

Vendor defaults are widely known and easy to exploit; changing them immediately makes it harder for attackers to compromise the data systems.

Category 2: Protect Cardholder Data

Two requirements fall under Category 2:

Requirement 3 – protect the data you’ve stored from the cardholder.

Only the minimum necessary data should be stored, and it should be protected by encryption, truncation, masking and hashing. Meanwhile, full data from the chip or magnetic stripe, as well as the CVN and PIN, should never be stored by the company.
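As an added illustration of the storage rules in Requirement 3 (example code, not part of the original post), the Python below shows the only fields a merchant might keep from a raw card capture: a masked PAN, a keyed hash of the PAN, and nothing from the CVN, PIN or track data. The field names and the demo HMAC key are assumptions.

```python
import hashlib
import hmac
import re

# PCI-DSS "sensitive authentication data": must never be stored after authorization.
FORBIDDEN_FIELDS = {"cvn", "cvv", "cvv2", "pin", "pin_block", "track1", "track2"}

# Hypothetical HMAC key for the PAN hash; in production it comes from a key
# management system, never from source code (constructed value for this demo).
HASH_KEY = b"constructed-demo-key-not-for-production"

def luhn_valid(pan: str) -> bool:
    """Luhn checksum so malformed PANs are rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking/truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) so the stored token cannot be reversed by
    brute-forcing the small PAN space, as an unkeyed SHA-256 could be."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()

def storable_record(record: dict) -> dict:
    """Return the only fields a merchant may keep from a raw capture.

    Raises if sensitive authentication data is present, so an upstream bug
    cannot silently persist CVN, PIN or track data.
    """
    present = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"must not store sensitive authentication data: {sorted(present)}")
    pan = re.sub(r"\D", "", record["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_hash": hash_pan(pan),
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
    }
```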

Requirement 4 – the transmissions of cardholder information across open and public networks must be encrypted.

Security protocols such as TLS, IPSec and SSH are needed to protect sensitive data in transit, and the security policies covering the transmission of data over public networks should be clearly published and documented.

Category 3: Maintain a Vulnerability Management Program

Category 3 covers two requirements:

Requirement 5 – ensure all systems are suitably protected against malware and updated with antivirus software.

This means using cybersecurity tools to detect and remove malware on a 24/7 basis. Disabling them should only occur when authorized for a specific process.

Requirement 6 – develop and maintain secure applications and systems.

Vulnerabilities need to be identified and ranked by risk, and software updates and patches from the relevant vendors should be installed within 30 days of release. These maintenance requirements apply to both internally and externally developed applications.

Category 4: Implement Strong Access Control Measures

Three requirements fall under category 4:

Requirement 7 – restrict access to cardholder data.

Abuse of user privileges is one of the most common forms of online attack and can be very difficult to identify. Limiting access rights to sensitive data should start by setting the access control defaults to deny; access can then be granted on a need-to-know basis.

Requirement 8 – identify and authenticate access to the system.

Documented policies and procedures should be used across all system components, with a special focus on non-consumer users and administrators. All users should have unique user IDs, and two-factor authentication should be implemented for remote network access.

Requirement 9 – limit access to cardholder data on a physical level.

This means restricting access to server rooms, data centers and other locations that house sensitive data. Media should be secured, and its storage, access and distribution handled in a controlled environment. Once media is no longer needed, it should be disposed of.

Category 5: Regularly Monitor and Test Networks

Category 5 has two requirements:

Requirement 10 – track and monitor access to the network and cardholder data.

Logging helps prevent and detect attacks and minimizes the damage they cause, which is why audit trails need to be implemented in a secure manner. At least three months of logs should be immediately available for analysis when the security team requests them, and all log data should be retained for a minimum of one year.

Requirement 11 – test security elements on a regular basis.

This should cover both systems and processes. Checks for unauthorized wireless access points, along with internal and external network vulnerability scans, should be run on at least a quarterly basis. Also, weekly comparisons of critical files against a known-good baseline can quickly alert staff to unauthorized system modifications.
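As an added example that is not part of the original post, the weekly critical file comparison above can be implemented as a baseline-and-diff check. The file paths and contents below are constructed for the demo; the baseline would in practice be stored and signed out-of-band so an attacker cannot rewrite it along with the files.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path, critical: list) -> dict:
    """Hash each critical file under root; a missing file is recorded as None."""
    return {rel: file_digest(root / rel) if (root / rel).is_file() else None for rel in critical}

def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference since the baseline was taken."""
    changes = {"modified": [], "removed": [], "added": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            continue
        if after is None:
            changes["removed"].append(rel)
        elif before is None:
            changes["added"].append(rel)
        else:
            changes["modified"].append(rel)
    return changes

def demo() -> dict:
    """Constructed scenario: baseline taken, then a config is edited and a binary deleted."""
    critical = ["etc/payment.conf", "bin/gateway", "etc/tls/server.pem"]
    contents = [b"port=443\n", b"\x7fELF-demo-binary", b"-----BEGIN CERTIFICATE-----\n"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in zip(critical, contents):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root, critical)  # keep this out-of-band, e.g. as signed JSON
        (root / critical[0]).write_bytes(b"port=443\ndebug=true\n")  # unauthorized edit
        (root / critical[1]).unlink()  # binary removed
        return compare(baseline, snapshot(root, critical))
```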

Category 6: Maintain an Information Security Policy

Category 6 contains just a single requirement:

Requirement 12 – maintain a policy that addresses data protection and information security.

The security policy should be established, published, maintained and disseminated to everyone it affects. Risk assessments, usage policies and incident response plans must also be in place so that any attacks or breaches can be dealt with efficiently.

Are You PCI-DSS Compliant?

PCI-DSS is a collection of requirements that ultimately create the globally accepted standards regarding the handling of sensitive cardholder data, including personal details and payment information.

If you’re concerned about whether your e-commerce platform is compliant or secure, we’d love to have a short conversation. At BitLyft, we specialize in securing the data of both organizations and the customers who trust them. Reach out today and we can determine what steps, if any, are needed to keep you PCI-DSS compliant.


Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
