In today's digital environment, protecting cardholder data is critical. The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits cardholder data or sensitive authentication data, including fintech companies. The latest PCI DSS standard (3.2.1) was released in May 2018.
PCI DSS compliance can feel overwhelming for decision makers. On this page, we break down the complexities of PCI DSS compliance: what it is, why it is important for organizations to be PCI DSS compliant, and the PCI DSS requirements that organizations running in the cloud should be concerned with.
Why is PCI DSS Compliance Important?
Before we discuss PCI compliance standards in more depth, it's important to note that credit cards are safe and getting more secure every day with new rules and regulations. However, even the biggest brands can still be at risk of large data breaches involving credit cards.
Payment security is paramount. If a bad actor gains unrestricted access to cardholder data and leaks it to the internet, the repercussions for an organization that violated the PCI compliance standard include:
- Steep fines for PCI DSS compliance violations
- Financial losses
- Reputational damage
- Exfiltration of customer credit card information and identities
Build and Maintain a Secure Network and Systems
If a payment system network is not secured, malicious individuals can access it and steal cardholder data and sensitive authentication data.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are the first line of defense in protecting cardholder data. They should protect all systems from unauthorized access from untrusted networks. This requirement primarily impacts AWS VPCs and security groups, Azure virtual networks and network security groups, and Google Cloud VPCs and firewall rules.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The failure to change default security parameters upon deployment is similar to leaving your store physically unlocked when you go home for the night. In AWS, this requirement is relevant to resources that can be used to ensure secure communications, such as ELB listeners, S3 bucket policies, and SQS policies. In Azure, this control is relevant to resources such as PostgreSQL database servers and App Service web apps. In Google Cloud, it's relevant to resources such as load balancers and SQL database instances.
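The cloud resources named under Requirements 1 and 2 can be audited from their exported configuration. The following Python script is an added example, not code from the original article: it flags security group ingress rules open to the whole internet on ports other than an allowed list (Requirement 1) and checks whether an S3 bucket policy denies plaintext access via the `aws:SecureTransport` condition key (Requirement 2). The security group, bucket name and allowed-port set are constructed sample values.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet

def world_open_findings(sg, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return ((from_port, to_port), cidr) for every rule reachable from any address
    that is not a single allowed port (Requirement 1: restrict untrusted ingress)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        all_protocols = perm.get("IpProtocol") == "-1"
        lo = 0 if all_protocols else perm.get("FromPort", 0)
        hi = 65535 if all_protocols else perm.get("ToPort", 65535)
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # not a 0.0.0.0/0 or ::/0 rule
            if all_protocols or not (lo == hi and lo in allowed_ports):
                findings.append(((lo, hi), cidr))
    return findings

# Constructed bucket policy that rejects any request not made over TLS.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny",
                   "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
})

def enforces_tls(policy_json):
    """True if some statement denies all S3 actions when aws:SecureTransport is false."""
    for st in json.loads(policy_json).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        flag = str(st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", ""))
        if st.get("Effect") == "Deny" and flag.lower() == "false" \
                and any(a in ("s3:*", "*") for a in actions):
            return True
    return False
```

Run against real exports by loading the JSON from the CLI into `SAMPLE_SG` and `SAMPLE_BUCKET_POLICY`; a non-empty findings list or a `False` TLS result is a Requirement 1 or 2 gap to fix.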
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
The more people who have access to cardholder data, the higher the risk of a breach. Access should be granted on a need-to-know basis so that the data can only be accessed by authorized personnel.
Requirement 8: Assign a unique ID to each person with computer access
Each person with access to system components should be assigned a unique ID to ensure actions on critical data are only performed by authorized users. A secure password policy is imperative.