Did you know pineapples were so rare in 18th century England that farmers hired security guards to protect their crops? Growing pineapples in the unforgiving British climate was a risky endeavor then, so this had a profound impact on the market price. One luscious fruit could set you back £60 to £80 (about $17,000 to $23,000 today) – a handsome fortune by any standard. While wholesale pineapple heists are passé, thefts aren’t. Modern criminals now target cardholder data (CHD), making PCI DSS compliance the gold standard for secure payments across digital platforms.
If your business accepts card payments, you’re already expected to comply with this security standard.
Below, we talk about the origin of PCI DSS, what’s new in Version 4.0.1, and how you can keep your organization compliant.
What Is PCI DSS, and What Is Its Purpose?
Definition of PCI DSS
So, what is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) sets the global standard for the secure handling of cardholder data.
In 2004, five (5) major credit card companies joined forces to create PCI DSS: VISA, Discover, American Express, Mastercard, and JCB.
We have VISA to thank for the popularity – and security – of online shopping today. Back in 1999, it pioneered the Cardholder Information Security Program (CISP), the first of several precursors to PCI DSS.
And in 2001, it introduced the “Verified by VISA” service, an additional layer of security to protect ecommerce transactions from fraud and security breaches.
Not to be outdone, the other card brands introduced their own security standards. However, by the turn of the century, it became clear that a unified standard was desperately needed.
So, the founding members of PCI DSS came together to create PCI DSS 1.0 in 2004.
To manage the continued evolution of the standard, they also formed the PCI Security Standards Council (PCI SSC) in 2006. Today, the PCI SSC is a centralized forum dedicated to bold, industry-driven resources for securing worldwide card transactions.
The current iteration of the standard is Version 4.0.1, which made its debut in June 2024. Although there aren’t any specific new requirements for this version, several updates will help your organization maintain a more robust security posture (more on this below).
Importance of PCI DSS
For businesses, PCI DSS compliance is a critical tool in preventing unauthorized transactions, which can be financially devastating.
According to Juniper Research, the combined losses from global online payment fraud will exceed $343 billion (about $1,100 per person in the US) by 2027.
In 2024, your business is at risk from these ecommerce fraud threats:
- Chargeback abuse: Many scammers order goods only to return them. They get their money back AND get to keep the products. Meanwhile, chargeback fees and costs related to marketing, product development, and business operations eat into your revenues. This type of fraud costs merchants $88 billion (about $270 per person in the US) annually.
- Promo abuse: If your business offers sign-on gifts, special discounts, and referral bonuses, you may have already suffered financial losses from your generosity. Perhaps, you’ve discovered scammers opening multiple fake accounts to receive more than one sign-on gift or referral bonus. If so, you aren’t alone: this scam costs the average merchant 1.2% of revenues.
- Account takeovers (ATO): This is a popular attack, where fraudsters use stolen credentials to take over ecommerce accounts. In 2023, merchants lost over $635 billion (about $2,000 per person in the US) to ATO attacks. ATO spiked 808% across loyalty and crypto platforms, while the food & beverage industry saw a 485% increase.
- Triangulation fraud: Here, the fraudster sets up a counterfeit online marketplace. When someone makes an order, they harvest the victim’s PII (Personally Identifiable Information) and charge their card. Then, they use another set of stolen payment credentials to place an order with a legitimate retailer, so the victim is none the wiser. The process is then repeated with another victim. This card-not-present attack is now costing merchants a whopping $660 million to $1 billion monthly.
- Generative AI-based scams: It’s no secret scammers are leveraging AI to perpetrate credit card fraud at an unprecedented scale. However, both VISA and Mastercard are helping you fight back with their own AI-powered fraud solutions. VISA’s new VAAI (Visa Account Attack Intelligence) tool can now better detect card-not-present fraud in real-time, reducing false positives by 85%. Meanwhile, Mastercard’s Decision Intelligence Pro solution is already boosting average fraud detection rates by 20% and as high as 300%.
Despite this, non-compliance with the most up-to-date requirements of PCI DSS can still leave your business liable.
You know that penalties built into contracts between your organization, payment processors, and card companies can lead to direct financial losses. Fines up to $500,000 for PCI DSS non-compliance have already affected many SMBs negatively.
With compliance being an absolute necessity, our spotlight on the newest updates below can help you remain compliant.
Protecting sensitive cardholder data
In 2023, $466 million in fraudulent transactions were made via credit and debit cards.
PCI DSS not only helps your business protect stored cardholder data (CHD) and sensitive authentication data (such as PINs and card validation codes) but also ensures the software systems supporting online payments are secure.
In 2008, the PCI Security Standards Council (PCI SSC) introduced PA-DSS (Payment Application Data Security Standard) to help software vendors create secure platforms for the storage, processing, and transmission of cardholder data.
The Council also introduced the role of the QSA (Qualified Security Assessor) and its accompanying requirements.
As the threat landscape evolved, the Council formally retired PA-DSS in 2022 and replaced it with the PCI SSF (PCI Software Security Framework).
A more comprehensive framework, PCI SSF includes the PCI Secure Software Standard (PCI SSS) and the PCI Secure Software Lifecycle (PCI Secure SLC) Standard.
Here’s how PCI SSF differs from PA-DSS:
- The PCI SSS supports a much larger set of payment software architectures and software development methodologies.
- The PCI Secure SLC defines the standards for secure software lifecycle development, with continuous testing a key means of improving the resilience of payment systems.
Key Principles of PCI DSS
Understanding the 6 core principles
First, let’s answer a common question: what are the four PCI pillars, or the four things PCI DSS covers?
In a nutshell, the PCI DSS framework rests on four foundations:
- Increasing industry participation and knowledge by providing free payment security resources, holding global security events, and hosting interest groups tackling industry-identified payment security challenges
- Creating security standards and validation programs that reflect the global role of the PCI Security Standards Council (PCI SSC)
- Collaborating with payments industry stakeholders through a Mobile Task Force and RFC process to secure emergent payment channels
- Increasing alignment and consistency in global payment standards by training, testing, and validating security professionals
PCI DSS Version 4.0.1 itself is organized around six (6) core principles.
- Build and maintain a secure network and systems: This involves securing infrastructures where credit card data is transmitted, processed, and stored.
- Protect account data: Organizations must protect stored account data and encrypt transmission of cardholder data over open, public networks.
- Maintain a vulnerability management program: Organizations must protect all systems and networks from malicious software and cyber-attacks, and develop and maintain secure systems and software.
- Implement strong access control measures: This involves strong identification, authentication, and authorization measures to ensure only authorized personnel can access card payment data.
- Regularly monitor and test networks: All access must be monitored, and the security of systems and networks tested regularly.
- Maintain an information security policy: This involves supporting information security with comprehensive organizational policies and programs.
Implementing security controls
Business-as-usual (BAU) – the status quo that’s both comforting and affirming – is the enemy of change.
BUT change is critical to proactive payment risk management.
Due to emerging, more virulent threats, the importance of integrating PCI’s six core principles or security controls into BAU processes can’t be overstated.
Version 4.0.1 provides several ways to integrate security controls into your BAU processes:
- Assigning accountability for PCI DSS compliance to a team that maintains direct communication with leadership
- Developing performance metrics to measure the efficacy of security initiatives
- Implementing continuous monitoring of network security controls to ensure their optimum performance
- Regularly analyzing log entries to identify potential threats
- Identifying and mitigating security control failures promptly
- Performing regular risk assessments to identify new security risks that could impact PCI DSS compliance, such as the addition of new systems or system configurations
Maintaining a secure network
Maintaining a secure network is critical to PCI DSS compliance.
A key aspect of this is applying secure configurations to all system components.
According to PCI DSS 4.0.1, all changes to network configurations must be in accordance with Requirement 6.5.1, which includes:
- Documenting the security impact of the changes
- Documenting approval of the changes by authorized parties
- Testing to verify that changes don’t result in a negative impact on system security
- Implementing procedures to address failures and return to a secure state
Requirements of PCI DSS
Overview of the 12 key requirements
By now, you may be wondering, “Is PCI DSS a cybersecurity framework?”
The answer is yes.
PCI DSS provides a comprehensive set of requirements for protecting global payment processing platforms.
AND it aligns with President Biden’s directive (EO 14028) on Zero Trust by emphasizing continuous monitoring, risk management, vulnerability assessment, and strong access controls.
This alignment with Zero Trust can be seen in the following 12 key requirements, which expand upon the six (6) core principles we discussed earlier:
- Install and maintain network security controls (NSC), such as firewalls and network security technologies, to protect sensitive areas like the cardholder data environment (CDE) from exposure to untrusted networks.
- Apply secure configurations to all system components.
- Protect stored cardholder data.
- Protect cardholder data with strong cryptography during transmission over open, public networks. PCI DSS 4.0.1 includes a new Customized Approach Objective for using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable during transmission.
- Use antivirus software to protect all systems and networks from malware.
- Develop and maintain secure systems and applications. In particular, custom software must be developed securely, security vulnerabilities addressed, public-facing web applications protected, and system component changes managed securely. Note that PCI DSS 4.0.1 reverts to PCI DSS v3.2.1 language that installing patches within 30 days applies only for critical vulnerabilities. Also new are notes on enforcing the integrity of payment page scripts, which can be manipulated to exfiltrate cardholder data from browsers.
- Restrict access to system components and cardholder data by “business need to know.” This aligns with the least privilege principle, which provides the minimum level of access necessary for the effective completion of tasks.
- Assign a unique ID to personnel and authenticate access to system components. Multi-factor authentication (MFA) is strongly recommended for secure access into the CDE. However, PCI DSS 4.0.1 adds an applicability note that this requirement doesn’t apply to user accounts that utilize phishing-resistant authentication factors such as FIDO2.
- Restrict physical access to cardholder data.
- Log and monitor all access to system components and cardholder data. Audit log history must also be retained, reviewed for suspicious activity, and protected from unauthorized modifications.
- Regularly test security systems and processes. Wireless access points must be monitored. Unauthorized wireless access points, unexpected file changes, network intrusions, and changes to payment pages must also be identified and addressed.
- A comprehensive security policy should include risk management for the cardholder data environment (CDE), PCI DSS compliance by third-party service providers, employee security awareness training, and regular screening for insider threats. The policy must be reviewed at least once every 12 months and updated to reflect any risks to the cardholder data environment (CDE). Note that PCI DSS 4.0.1 has added new applicability notes on how third-party service providers (TPSP) can support their customers’ PCI DSS compliance.
A full summary of the changes from PCI DSS 4.0 to 4.0.1 can be found here.
*Note that new Report on Compliance (ROC), Attestation of Compliance (AOC), and Self-Assessment Questionnaire (SAQ) documents are slated to be published in Q3 2024.*
Securing cardholder data by addressing external and internal vulnerabilities
According to Requirement 11.3.1, internal vulnerability scans should be a key part of a comprehensive vulnerability management plan.
It's recommended that these scans are performed at least once every three months by qualified internal personnel or an external third party.
Requirement 11.4.1 also recommends regular penetration testing based on a formal methodology that includes:
- industry-accepted practices
- testing both inside and outside the CDE perimeter from trusted and untrusted networks
- testing to identify vulnerabilities at the application and network layers
Implementing strong physical access controls
Strong access control measures are critical for limiting access to cardholder data.
According to Requirement 9, physical access to facilities that contain cardholder data must be authorized and managed. Badge readers and locks should be utilized, along with security cameras to identify any attempts at disabling physical access controls.
In addition, any media that contains cardholder data must be securely stored, accessed, and distributed. Point of interaction (POI) devices must also be protected from unauthorized modifications.
Levels of PCI DSS Compliance
Different compliance levels
PCI DSS Version 4.0.1 has four (4) levels of compliance, based on your organization’s annual credit card transaction volume:
- Level 1: for organizations processing over 6 million transactions per year. This level requires a comprehensive audit by a Qualified Security Assessor (QSA), who will review your point-of-sale system, identify vulnerabilities, and provide a list of remediations.
- Level 2: for organizations processing one to six million transactions yearly.
- Level 3: for organizations handling 20,000 to one million transactions annually.
- Level 4: for organizations processing fewer than 20,000 ecommerce transactions and up to one million non-ecommerce transactions per year.
Determining your organization's level
So, who needs to be PCI compliant?
PCI DSS compliance applies to you if you’re an online merchant, service provider, payment processor, or payment gateway provider.
To determine your organization’s compliance level, consult with a QSA to clarify which security controls apply based on your organization’s risk profile and scope of the cardholder data environment (CDE).
A QSA can also help you determine which Self-Assessment Questionnaire (SAQ) documents to submit to the PCI Council (more below).
Meeting compliance obligations
For businesses, achieving PCI DSS compliance involves the following key steps:
- Filling out a Compliance Self-Assessment Questionnaire (SAQ) *
- Completing an Attestation of Compliance (AoC) document
- Submitting all PCI DSS compliance documentation to the PCI Council
- Proving your compliance with regular vulnerability scans by an Approved Scanning Vendor (ASV) **
Larger organizations (Levels 1 & 2) that process an extensive volume of online transactions must also fill out a Report on Compliance (ROC).
All levels (1–4) must fill out an Attestation of Compliance (AoC) and ensure quarterly scans are performed by an Approved Scanning Vendor (ASV).
*There are currently ten (10) types of SAQs available, and you can download them from the Document Library.*
**Choose from the PCI Council’s list of Approved Scanning Vendors and provide feedback on the services received. This can aid the quality assurance process, verifying that external vulnerability scans are being performed in accordance with PCI DSS Requirement 11.3.2.**
Benefits and Challenges of PCI DSS Compliance
Advantages of compliance
Compliance with PCI DSS enhances consumer trust and provides a competitive advantage.
Trust has emerged as a key issue in light of rising incidents of credit card theft.
According to a 2024 TrustedSite study, 90% of consumers now worry about identity theft, while 87% have abandoned their carts due to concerns about business legitimacy and the security of payment platforms.
Consumers define trust as a strong commitment to solving problems, especially when it comes to keeping their money and PII safe. According to Newsweek’s 2024 survey on the Most Trustworthy Companies in America, customers define trust in four (4) ways:
- Fair treatment
- Consistent quality in the company’s products and services
- Complaints being addressed to the customer’s full satisfaction
- The credibility of the company’s advertising and communication claims
Notably, Newsweek excluded companies that are currently involved in significant lawsuits or scandals from the list. AT&T, still grappling with a class-action lawsuit from its massive March 2024 data breach, is absent from the list.
YET, data breaches have become increasingly prevalent, affecting even the most security-conscious organizations.
So, trust should also be evaluated based on how businesses respond to a breach, the ongoing proactive measures they take to protect their customers, and their consistent delivery of robust security controls.
In that vein, PCI DSS compliance is a crucial means of earning and keeping the trust of your customers. In 2024 and beyond, it’s the single most important thing you can do to maintain your competitive edge.
Common challenges and how to overcome them
In navigating the path to PCI DSS compliance, you may recognize these challenges:
- Implementing the entirety of the standard’s 12 requirements
- Allocating adequate financial and personnel resources to maintain the necessary security controls
- Identifying all systems that interact with cardholder payment data, especially in a hybrid on-premises and cloud environment
- Implementing continuous monitoring and completing the required assessments to prove compliance
The situation is dire but there are five (5) key steps you can take to ease your compliance journey:
- If you have a CISO (Chief Information Security Officer) on staff, work with them to get buy-in from the rest of the C-suite.
- Use free open-source vulnerability scanning tools like OpenVAS to identify and address vulnerabilities before engaging an ASV (Approved Scanning Vendor) for a formal scan.
- Use free open-source penetration testing tools like Metasploit to perform initial tests and identify vulnerabilities you can mitigate before engaging a qualified security professional to perform formal tests.
- Implement an incremental approach so you can allocate resources over time and achieve compliance more cost-effectively.
- Seek grants from local or state agencies that support SMBs in combating cyber-attacks.
Reducing risks and enhancing reputation
According to a Forbes Advisor 2024 poll, consumers from all generations view integrity and transparency as key factors in deciding whether to engage with a brand.
As such, the following three new updates to PCI DSS 4.0.1 can be leveraged to command greater trust and attention:
- An annual scope confirmation exercise to ensure the cardholder data environment (CDE) and all systems components are appropriately secured (Requirement 12.5.2)
- Formal ASV vulnerability scans for merchants who must fill out the Self-Assessment Questionnaire (SAQ) A, complying with Requirement 11.3.2 for the first time
- Formal acknowledgements by PCI-compliant third-party service providers (TPSP) about their security responsibilities to customers like you
Ultimately, documented compliance of PCI DSS 4.0.1 indicates a solid commitment to data protection, enhancing your organization’s reputation for integrity and transparency.
Best Practices for PCI DSS Compliance
Implementing effective security policies
If you’ve begun implementing the security controls discussed above, you’re well on your way to PCI DSS 4.0.1 compliance.
To take your compliance to the next level, leverage these four (4) best practices to further strengthen your organization’s security posture:
- Implementing regular risk assessments: Use these assessments to identify the most critical vulnerabilities to mitigate.
- Conducting regular malware scanning: Malware can move laterally inside a network, communicate with an external Command & Control (C&C) server, and exfiltrate data without your knowledge. PCI DSS 4.0.1 recommends real-time endpoint scanning, egress (outbound) traffic filtering, allow-listing of approved applications, data loss prevention tools, and network security monitoring tools such as IDS/IPS to detect and block malware communication channels.
- Implementing a thorough incident response plan: This allows all stakeholders (employees, legal team, HR, and social media teams) to respond effectively during a suspected or confirmed security incident. PCI DSS 4.0.1 recommends incident response plans be reviewed every 12 months to identify ineffective processes that can jeopardize your organization’s ability to respond promptly and credibly to emerging threats.
- Protecting payment page scripts from cross-site scripting attacks: PCI DSS 4.0.1 Requirement 6.4.3 says that all payment page scripts must be explicitly authorized, the integrity of each script protected, and an inventory of all scripts maintained (with a technical justification for each one).
Two mechanisms are recommended to protect payment script integrity: (1) a Content Security Policy (CSP), which restricts your web pages to loading and executing only approved scripts, and (2) Subresource Integrity (SRI), which lets the browser compare a cryptographic hash you publish with the hash of the script it actually downloaded. If the hashes don’t match, the browser refuses to execute the payment script.
Regularly monitoring and testing security measures
Ongoing monitoring and testing of security systems is vital to maintaining compliance.
PCI DSS 4.0.1 recommends daily reviews of the following:
- All security events, such as invalid logical access attempts, all changes made by users with root or admin privileges, and any elevations of privileges
- Logs of all system components that store, transmit, or process cardholder data (CHD) and sensitive authentication data (SAD)
- Logs of all critical system components
- Logs of all servers and system components that perform security functions
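To make the daily review concrete, here is an added example (written for this article, not LastPass tooling) that runs a minimal review over a handful of constructed key=value log lines. It surfaces the three event classes named above: bursts of invalid logical access attempts from one user and source, any privilege elevation, and configuration changes made by accounts in a privileged set. The log format, host names, account names, addresses and thresholds are all constructed for the example.

```javascript
// Added example: daily review of constructed key=value log lines (Node.js).

// Constructed sample log lines (not real telemetry). Timestamps are ISO-8601 UTC.
const SAMPLE_LOGS = [
  '2024-06-10T02:14:07Z host=pos-db01 event=auth.failure user=svc_payments src=10.0.5.77',
  '2024-06-10T02:14:09Z host=pos-db01 event=auth.failure user=svc_payments src=10.0.5.77',
  '2024-06-10T02:14:12Z host=pos-db01 event=auth.failure user=svc_payments src=10.0.5.77',
  '2024-06-10T02:14:15Z host=pos-db01 event=auth.success user=svc_payments src=10.0.5.77',
  '2024-06-10T03:40:00Z host=pos-web02 event=priv.elevation user=jdoe target=root method=sudo',
  '2024-06-10T03:41:30Z host=pos-web02 event=config.change user=root object=/etc/nginx/nginx.conf',
  '2024-06-10T09:05:00Z host=pos-web02 event=auth.failure user=jdoe src=10.0.8.14',
  '2024-06-10T11:00:00Z host=pos-app01 event=config.change user=deploy object=/opt/app/release',
];

// Accounts whose changes must always surface in the review (tune to the environment).
const PRIVILEGED_ACCOUNTS = new Set(['root', 'admin', 'Administrator']);
// Repeated invalid access: this many failures from one user/source inside the window.
const FAILURE_THRESHOLD = 3;
const FAILURE_WINDOW_MS = 5 * 60 * 1000;

// "<timestamp> k=v k=v ..." -> { ts: Date, k: v, ... }
function parseLine(line) {
  const [stamp, ...pairs] = line.trim().split(/\s+/);
  const fields = { ts: new Date(stamp) };
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    if (eq > 0) fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return fields;
}

// Returns one finding per burst of failed logons, per privilege elevation, and
// per configuration change made by a privileged account.
function reviewLogs(lines, { threshold = FAILURE_THRESHOLD, windowMs = FAILURE_WINDOW_MS } = {}) {
  const events = lines.map(parseLine).sort((a, b) => a.ts - b.ts);
  const findings = [];
  const recentFailures = new Map(); // "user@src" -> failure timestamps still inside the window

  for (const e of events) {
    switch (e.event) {
      case 'auth.failure': {
        const key = `${e.user}@${e.src}`;
        const burst = (recentFailures.get(key) || []).filter(t => e.ts - t <= windowMs);
        burst.push(e.ts);
        recentFailures.set(key, burst);
        // Report once, at the moment the burst reaches the threshold.
        if (burst.length === threshold) {
          findings.push({ kind: 'repeated-invalid-access', host: e.host, user: e.user, src: e.src,
                          count: burst.length, at: e.ts.toISOString() });
        }
        break;
      }
      case 'priv.elevation':
        findings.push({ kind: 'privilege-elevation', host: e.host, user: e.user, target: e.target,
                        method: e.method, at: e.ts.toISOString() });
        break;
      case 'config.change':
        if (PRIVILEGED_ACCOUNTS.has(e.user)) {
          findings.push({ kind: 'privileged-change', host: e.host, user: e.user, object: e.object,
                          at: e.ts.toISOString() });
        }
        break;
      default:
        break; // routine events belong in the daily summary counts, not in individual findings
    }
  }
  return findings;
}

for (const finding of reviewLogs(SAMPLE_LOGS)) console.log(finding);
```

On the sample data the review produces three findings: the three-failure burst against `svc_payments`, the `sudo` elevation by `jdoe`, and the change to `nginx.conf` made as `root`. The single failed logon by `jdoe` and the change made by the unprivileged `deploy` account stay below the reporting line, which is the point of stating the threshold and the privileged set explicitly rather than reading every line by hand.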
In addition, engaging the services of a reputable penetration tester is critical: PCI DSS 4.0.1 recommends (1) annual testing and (2) testing after significant changes like infrastructure upgrades and security incidents.
You’ll want to ensure penetration testers have the following qualifications:
- Industry certifications like Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), and GIAC Certified Penetration Tester (GPEN)
- Experience conducting tests with technologies in the target environment
- Experience with application or network layer penetration testing
- References from satisfied customers
Ensuring ongoing compliance
PCI DSS 4.0.1 highlights the continuous monitoring of security controls and testing for code vulnerabilities throughout the software development lifecycle (SDLC).
This ensures secure code development of applications for the CDE.
Such an approach perfectly aligns with Shift Left Data Governance – the practice of testing early and continuously – which complements the Zero Trust emphasis in EO 14028.
Here’s how:
- Shift Left catches data security issues early, while Zero Trust minimizes their impact through the least privilege principle. This hinders lateral movements, even if attackers manage to gain initial access through compromised credentials.
- Shift Left ensures data quality & proper classification, which Zero Trust uses to ensure that the right people have the right permissions at the right time.
- Shift Left embeds governance early in the SDLC, which Zero Trust enforces through strong access controls.
Ultimately, a culture of continuous security enables ongoing compliance with PCI DSS 4.0.1.
Staying PCI DSS Compliant with LastPass
Secure password management
80% of data breaches are caused by weak, reused, or stolen passwords.
PCI DSS Requirement 8 focuses on identification and authentication controls. This includes secure password management practices.
At LastPass, we support PCI DSS compliance through:
- Strong password generation that aligns with NIST requirements
- Access controls that help you enforce least privilege access and promote secure identity & access management, a key part of the White House’s emphasis on Zero Trust.
Security tips
The crown jewels of a LastPass Business account are FIDO2 passwordless authentication and phishing-resistant MFA (Multi-Factor Authentication).
With FIDO2 passwordless authentication and MFA, you have powerful weapons in aligning with PCI DSS requirements for strong authentication mechanisms.
Worried about vendor-supplied default passwords on new equipment or software?
With passwordless authentication, your employees no longer need to remember ANY passwords, thus contributing to a happier, more productive workforce.
Want to comply with PCI DSS requirements 8.3 and 8.4, which call for MFA for remote access to the CDE (cardholder data environment)?
With LastPass, you get phishing-resistant MFA with any of the following methods:
- LastPass Authenticator app with passkey support
- Microsoft Authenticator app with passkey support
- Biometric identity verification (fingerprint scan, facial recognition, or retina scans)
- Contextual authentication (access based on environmental conditions like working hours, IP address, and location)
- Authentication via FIDO-certified hardware keys like Feitian or YubiKey
Encrypted storage
PCI DSS Requirement 3 requires your organization to protect stored cardholder data. This includes Primary Account Numbers (PAN), cardholder names, card verification codes, expiration dates, and PINs.
Remember that sensitive authentication data (SAD) such as card verification codes, track data from magnetic stripes, and PINs must NOT be stored after authorization, even if encrypted.
There’s a caveat, however: PCI DSS 4.0.1 permits holding SAD in non-persistent memory (RAM) for legitimate business needs – provided it is removed as soon as the business purpose is accomplished.
At LastPass, we support storage of PANs, cardholder names, and expiration dates in our Zero Knowledge encrypted vaults. This means neither LastPass nor hackers can decrypt your vault, keeping that stored cardholder data safe from unauthorized use.
If you’re ready to explore how we can help with PCI DSS compliance, sign up for your free, no-obligation LastPass Business trial today.