Frequently Asked PCI DSS Compliance Questions

PCI DSS compliance doesn’t have to keep you up at night. Learn how to overcome the complexity and prepare for your next assessment with our Payment Card Industry Data Security Standard (PCI DSS) compliance in the cloud frequently asked questions (FAQ).

Any organization that handles primary account numbers (PAN) in any way is required to comply with PCI DSS regulations. This includes banks, financial institutions, insurance companies, lenders and brokerage firms, as well as merchants and service providers of all sizes. Basically, if your company interacts with financial information in any way, you’re likely accountable to PCI DSS standards.

The PCI DSS standards are very prescriptive, giving specific guidance as to what organizations need to do to be considered compliant.

The regulations cover 12 specific requirements, each of which falls within six overarching goals:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  1. Restrict access to cardholder data to an as-needed basis.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel.

For organizations that require a third-party PCI DSS assessment, passing said assessment involves proving compliance with the 12 PCI DSS security requirements. A yearly self-assessment is all that is required for most organizations with PCI data.

To do that, you’re going to need to be prepared. Here are a few common steps taken by successfully compliant organizations prior to their assessments:

  • Do a self-assessment test run:
    Self-assessing your organization is the best way to ensure that proper procedures are consistently followed.
  • Make sure you have an electronic trail:
    Have a log of all users and how they have interacted with PCI DSS-regulated data. Those users should include all employees as well as any vendors or secondary users.
  • Get up to date on the regulations:
    Have the PCI DSS regulations been updated recently? Find out. When technology and regulations change, your security controls should too.
  • Prepare employees:
    Make sure employees are aware of the upcoming assessment. Refresh their memory on appropriate policies and procedures.
  • Have your documentation ready:
    Anticipate all the possible questions an assessment or might ask and be prepared.
  • Maintain compliant practices post-assessment
    Many organizations put themselves at risk by slacking between assessments. Threat actors can exploit these lax security practices.

The costs of non-compliance can be high with fines reaching up to $100,000 per month1. In addition, your organization could also face civil cases from customers or financial institutions might decide they don’t want to work with you anymore. Not to mention that the damage to your reputation if customer data is compromised.

Released April 2016, PCI DSS 3.2.1 doesn’t break any new ground in terms of security requirements, but it does expand current requirements in many areas.

Changes to note:

  • Organizations must ensure security controls after a change in the card holder data environment
  • Service providers must report failures of critical security control systems
  • Quarterly reviews required for personnel
  • Expanded multi-factor authentication requirements
  • New change control processes
  • Penetration testing

The best security programs are those that are built for overall cloud protection, rather than only focusing on PCI DSS compliance.

An effective security solution begins with the following components:

  • A proactive risk assessment to identify the possible threats to your organization
  • Application of threat intelligence to determine how those threat actors operate
  • Active monitoring and analysis of your network environment

However, an effective security solution doesn’t stop there. Threat actors are constantly evolving their strategies and sometimes, beaches occur. The true effectiveness of your security program is determined by how quickly the breach is detected, the amount of time it takes to respond to a breach and how quickly the threat actors are removed from the environment. The measurement of time between detection and removal of a threat actor is called dwell time.

No. Being “compliant” isn’t enough to protect you from cyber threats in the cloud.

That’s because compliance standards, such as PCI DSS serve as the bare minimum for what you must do with regards to your data security, not what you should do.

If you’re finding it challenging to dedicate the time and resources just to be compliant, you’re probably leaving your data vulnerable to sophisticated threats.

The act of being secure isn’t about checking compliance boxes, it’s about the process of employing a multi-layered web of protection to all the infrastructure, applications and processes that touch your data.

Protecting critical data in the cloud requires a different or additional set of tools than protecting the information stored in your legacy, on-premises resources.

  • If you maintain your own data center, you’re responsible for establishing physical access controls, including a log of who enters that data center and when.
  • As technology advances, hardware needs to be updated more frequently, which means you need to update the physical hardware of your data center.
  • If your legacy systems utilize outdated or unsupported hardware, it may not be patchable against new threats.

And while being able to see and touch your data center may provide a feeling of control, you also must consider the cost, scalability and accessibility of the stored information.

Simplified cloud compliance is a key benefit of entrusting your cloud data workloads and applications with Armor.  Our solutions are purpose-built to meet the specific needs of organizations subject to PCI DSS compliance.

  • Extend Your Security Team: The proven talent in our security operations center (SOC) extend your security resources with 24/7/365 hands-on support and expertise.
  • Streamlined Compliance: Armor solutions not only help you manage PCI DSS compliance, they significantly reduce time and capital spent passing a PCI DSS assessment.
  • End-to-End Cloud Security: Armor-protected environments are defended by multiple security layers, diligently monitored by our SOC.
  • Purpose-Built for the Cloud: Scalable security solutions that reduce your burden of shared responsibility in the cloud.

Learn how our Totally Secure approach to cloud security simplifies PCI DSS compliance in the cloud.