Disclaimer: Organizations are not required as a matter of law to comply with this document, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.
The Payment Card Industry Data Security Standard (PCI DSS) was established to promote cardholder data security and to foster the adoption of consistent data security measures on a global scale. Its baseline technical and operational requirements apply to all entities involved in credit card processing, including merchants, processors, acquirers, issuers, and third-party service providers. The requirements also apply to all other entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). The standard protects account data through the following control families:
Principal PCI DSS Requirements - High Level Overview

| Control family | PCI DSS requirement |
|---|---|
| Build and Maintain Secure Network and Systems | 1. Install and maintain network security controls. |
| | 2. Apply secure configurations to all system components. |
| Protect Cardholder Data | 3. Protect stored account data. |
| | 4. Protect cardholder data with strong cryptography during transmission over open, public networks. |
| Maintain a Vulnerability Management Program | 5. Protect all systems and networks from malicious software. |
| | 6. Develop and maintain secure systems and software. |
| Implement Strong Access Control Measures | 7. Restrict access to system components and cardholder data by business need to know. |
| | 8. Identify users and authenticate access to system components. |
| | 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Log and monitor all access to system components and cardholder data. |
| | 11. Test security of systems and networks regularly. |
| Maintain an Information Security Policy | 12. Support information security with organizational policies and programs. |
LogRhythm's PCI DSS 4.0 Compliance Suite provides both direct and augmenting support for the control objectives through pre-bundled Investigations, Alarms, AIE Rules, and Reports. Alarms and Reports are automatically associated with the correct PCI DSS asset categories. You can schedule Reports for periodic generation and delivery, or generate them on demand. To identify areas of non-compliance in real time, you can use Investigations and Alarms for immediate analysis of activities that affect your organization's cardholder data systems. The following sections highlight these module components and list all content included in the module.
The PCI Security Standards Council (PCI SSC) website (www.pcisecuritystandards.org) provides the following additional resources to assist organizations with their PCI DSS assessments and validations:
- Document Library, including:
  - PCI DSS Summary of Changes
  - PCI DSS Quick Reference Guide
  - Information Supplements and Guidelines
  - Prioritized Approach for PCI DSS
  - Report on Compliance (ROC) Reporting Template and Reporting Instructions
  - Self-Assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
  - Attestations of Compliance (AOCs)
  - Frequently Asked Questions (FAQs)
- PCI for Small Merchants website
- PCI training courses and informational webinars
- List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
- Lists of PCI approved devices, applications, and solutions
- Guidance for PCI DSS Scoping and Network Segmentation
- PCI SSC Cloud Computing Guidelines
- Multi-Factor Authentication Guidance
- Third-Party Security Assurance
- Effective Daily Log Monitoring
- Penetration Testing Guidance
- Best Practices for Implementing a Security Awareness Program
- Best Practices for Maintaining PCI DSS Compliance
- PCI DSS for Large Organizations
- Use of SSL/Early TLS and Impact on ASV Scans
- Use of SSL/Early TLS for POS POI Terminal Connections
- Tokenization Product Security Guidelines
- Protecting Telephone-Based Payment Card Data
Refer to the Document Library at www.pcisecuritystandards.org for information about these and other resources.