Are You PCI-DSS 3.2 Compliant for 2020?

The PCI (Payment Card Industry) compliance standard applies to all organizations or merchants that accept, store, process or transmit payment cardholder data. If any customer of an organization pays the merchant directly using a credit card or debit card, then PCI DSS compliance regulations apply.

The big changes for PCI DSS 3.2 involve safeguarding payment data and secure sockets layer/early transport layer security (SSL/early TLS). Updating these security controls was required by July 1, 2019. Specific PCI DSS v3.2 requirements include:

MFA for non-console administrative access to the CDE (8.3.1)

Change management processes to confirm requirements in place after changes (6.4.6)

Additional requirements for service providers

SSL/TLS migration

PCI Merchant Compliance Levels

All merchants that store, process or transmit payment cardholder data fall into one of four levels based on aggregate Visa transaction volume over a 12-month period.

PCI Merchant Level 1: Any merchant processing over 6,000,000 Visa transactions per year.

PCI Merchant Level 2: Any merchant processing between 1,000,000 and 6,000,000 Visa transactions per year.

PCI Merchant Level 3: Any merchant processing between 20,000 and 1,000,000 Visa transactions per year.

PCI Merchant Level 4: Any merchant processing fewer than 20,000 Visa transactions per year.

PCI-DSS Compliance Steps

Validation of PCI DSS compliance is performed annually either internally or externally, depending on the volume of payment card transactions the business is handling. Businesses handling large volumes of transactions must have their compliance assessed by a Qualified Security Assessor (QSA), while companies handling smaller card transaction volumes can do PCI self-certification via a Self-Assessment Questionnaire (SAQ).

These are the broad steps required to become PCI-DSS compliant:

1. Complete the PCI Self-Assessment Questionnaire (SAQ) according to the information contained in the Self-Assessment Questionnaire Instructions and Guidelines document.

2. Complete a successful network vulnerability scan with a PCI DSS Approved Scanning Vendor (ASV), and submit a Network Scan Report showing evidence of a passing scan from the ASV.

3. Complete the relevant Attestation of Compliance document.

The 12 PCI DSS Requirements

Below are the 12 requirements for PCI DSS Compliance:

1: Install and maintain a firewall configuration to protect cardholder data

2: Don't use vendor defaults for system passwords and other security parameters

3: Protect stored cardholder data

4: Encrypt transmission of cardholder data across open, public networks

5: Use and regularly update anti-virus software

6: Develop and maintain secure systems and applications

7: Restrict access to cardholder data by business need-to-know

8: Assign a unique ID to each person with computer access

9: Restrict physical access to cardholder data

10: Track and monitor all access to network resources and cardholder data

11: Regularly test security systems and processes

12: Maintain a policy that addresses information security

PCI DSS Control Objectives

In addition, there are 5 main control objectives for PCI DSS compliance and validation:

1. Build and Maintain a Secure Network

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

PCI Network Vulnerability Scans

All merchants that electronically store payment cardholder data post-authorization or have external-facing IP addresses with Internet connectivity must submit to and complete a network vulnerability scan every 3 months by a PCI SSC Approved Scanning Vendor (ASV).

Approved Scanning Vendors (ASVs) are organizations that validate adherence to PCI DSS requirements by performing vulnerability scans of Internet-facing networks of merchants and service providers. The PCI Security Standards Council has approved more than 130 ASVs so far.

A network vulnerability security scan usually involves automated tooling that conducts a non-intrusive scan to remotely test networks and Web applications based on the external-facing IP addresses provided by the merchant or ASV. The vulnerability scan identifies vulnerabilities in operating systems, services, and devices that an attacker could use to compromise a company's private network. Merchants and ASVs must submit network scan reports to meet PCI documentation compliance.