PCI Compliance Program

What is PCI Compliance?

Simply put, companies that touch credit card data are required by the Payment Card Industry (PCI) Security Standards Council to adhere to certain data security standards. While this may seem like a hassle, the objective of this independent collaboration of financial institutions is good. Securing credit card data helps protect banks, consumers, and merchants alike.

Merchants that process, store, or transmit cardholder data are required to adopt the security protections (controls) detailed in the Payment Card Industry Data Security Standard (PCI DSS). This rigorous standard includes security policies, procedures, and other ongoing requirements aimed at securing cardholder data throughout its entire lifecycle in the merchant’s Cardholder Data Environment (CDE). Depending on annual credit card transaction volumes and the mandates of their acquiring bank, merchants may be required to demonstrate compliance in the form of an annual PCI self-assessment or by third party audit.

Unfortunately, many businesses struggle to correctly implement and maintain the controls set forth in the PCI DSS. These organizations may find themselves scrambling to prepare for PCI audits and at risk of hefty penalties for failing to prove compliance. Additionally, companies that are breached and are found non-compliant will also face these fines, and risk losing their ability to accept credit card transactions going forward.

Challenges of Managing PCI Compliance

Even with an optimal strategy, compliance is not a point-in-time undertaking. Beyond the initial implementation of PCI DSS controls, merchants are expected to maintain compliance by executing a variety of regular recurring processes. They must also be careful to maintain evidence of these activities in order to prove compliance in the event of an audit.


PCI DSS Requirements

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

*Additional compliance requirements for software developers and manufacturers of applications and devices used in credit card transactions

The global standard for cardholder data security, the PCI DSS consists of six overarching goals broken into twelve high-level requirements, and supported by more than 220 detailed security sub-controls. However, it does not offer guidance for implementing these controls or ensuring audit success. As a result, merchants are first faced with the challenge of developing a compliance strategy that is well suited to their business practices and card processing use cases.

Why do I Need a PCI Compliance Program?

A “check-the-box” approach to PCI compliance is risky from both a business and a practical cyber security perspective. By attesting to PCI DSS compliance without confidence in control efficacy, merchants are at a significantly greater risk of suffering a credit card related breach. While a cyber breach can wreak havoc of its own, compounding it with fines for breach of compliance can be devastating. A programmatic approach to PCI compliance ensures that people, process, and technology are brought to bear thoughtfully and consistently to ensure meaningful CDE protection and repeatable audit success.

Alagen's PCI Compliance Program

Get the security leadership you need to not only achieve and maintain PCI compliance, but strengthen the overall security of your environment. Our information security experts are capable of guiding and executing all phases of PCI compliance program development, maturation, and management. They work with your team to create and implement a compliance strategy that conforms to your unique environment and operations. Pulling from years of experience and broad expertise, they help incorporate proven best practices into your PCI DSS control implementation. The result is a PCI Compliance Program that keeps you not only better protected, but well prepared to pass annual self-assessments and PCI audits with ease. Contact us for help.

Alagen Cybersecurity Solutions

Your ace in the cybersecurity foxhole. Follow us on all your social media platforms.


Become an

Alagen Insider

Subscribe today to our free eNewsletter for security insights, exclusive invitations, and more.

© 2020 Alagen, LLC. All rights reserved.