This website uses cookies for advertising and analytics purposes as described in our cookie policy. For more information and to set preferences, please click here. By continuing to browse this website, you accept our use of cookies.
PCI DSS Cloud Compliance
Cloud security and privacy in context of PCI DSS
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) is an international, comprehensive standard outlining the minimum security requirements for cardholder data. The standard is not a law, but any service provider that processes or handles payment card data must adhere to the regulation’s requirements. The top requirements include building and maintaining a secure networks system, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The regulation explicitly mandates encryption of payment card data and of the communication paths the data traverses. Validation of compliance with the PCI DSS is determined by individual payment brands.
The individual payment card companies develop personalized regulations and enforce compliance of the PCI DSS for entities that process their forms of payment. The de-standardized nature of the compliance standard requires entities that process payment card information ensure understanding of and adherence to the regulations defined by each payment card brand that they process. Penalties for breaches can include fines per cardholder data compromised, suspension from processing networks, significant reputational damage, potential litigation, and loss of customer trust.
Who does it apply to?
- All companies that accept, process, store or transmit payment card information
What data are protected?
- Cardholder data
- An individual’s Primary Account Number (PAN) alone or along with:
-
-
- Cardholder’s name
- Expiration date
- Service code
-
-
- Sensitive Authentication Data (i.e. CVC, CVV, PIN, etc.) must also be protected
- An individual’s Primary Account Number (PAN) alone or along with:
Requirements
Network security
Install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters.
Cardholder data protection
Ensure sufficient protection of stored cardholder data, including encrypting the transmission of cardholder data across open, public networks.
Vulnerability management
Develop and maintain a vulnerability management program that includes using and regularly updating anti-virus software or programs and developing and maintaining secure systems and applications.
Access controls
Access control measures to be deployed include restricting access to cardholder data by a need-to-know policy, assigning a unique ID to each person and restricting physical access to cardholder data.
Network records
Maintain records of all access to network resources and cardholder data and regularly test security systems and processes.
Information security policies
Ensure the implementation of a policy that addresses information security for employees and contractors.
A Preliminary Checklist for Compliance
Trusted by leading companies
Top CASB Use Cases for Financial Services — ebook
Learn about the top 3 CASB use cases for financial services firms to secure cloud usage.
Learn more20 Examples of Smart Cloud Security — eBook
Learn about the top 20 use cases for smart cloud security and what to consider in terms of functional and architectural requirements for each use case.
Learn moreWant to see Netskope in action?
Request a Demo