PCI DSS Cloud Compliance

Cloud security and privacy in context of PCI DSS

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is an international, comprehensive standard outlining the minimum security requirements for cardholder data. The standard is not a law, but any service provider that processes or handles payment card data must adhere to its requirements. The top-level requirements include building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The standard explicitly mandates encryption of payment card data and of the communication paths the data traverses. Validation of compliance with the PCI DSS is determined by the individual payment brands.

The individual payment card companies develop their own compliance programs and enforce PCI DSS compliance for entities that process their forms of payment. Because enforcement is not centralized, an entity that processes payment card information must understand and adhere to the program defined by each payment card brand it processes. Penalties for breaches can include fines per compromised cardholder record, suspension from processing networks, significant reputational damage, potential litigation, and loss of customer trust.

Who does it apply to?

  • All companies that accept, process, store or transmit payment card information

What data are protected?

  • Cardholder data
    • An individual’s Primary Account Number (PAN) alone or along with:
          • Cardholder’s name
          • Expiration date
          • Service code
    • Sensitive Authentication Data (e.g. CVC, CVV, PIN) must also be protected


Network security

Install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters.

Cardholder data protection

Ensure sufficient protection of stored cardholder data, including encrypting the transmission of cardholder data across open, public networks.

Vulnerability management

Develop and maintain a vulnerability management program that includes using and regularly updating anti-virus software or programs and developing and maintaining secure systems and applications.

Access controls

Access control measures to be deployed include restricting access to cardholder data on a need-to-know basis, assigning a unique ID to each person, and restricting physical access to cardholder data.

Network records

Maintain records of all access to network resources and cardholder data and regularly test security systems and processes.
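The two requirements above, protecting the PAN wherever it is stored and keeping records of access, meet in one practical control: access and application logs must not capture a full PAN. The following is an added example, not code from this page or from Netskope, that scans constructed sample log lines for Luhn-valid card numbers and rewrites each one to the masked form PCI DSS permits for display (at most the first six and last four digits). The log lines, the field names in them, and the card numbers (standard test numbers) are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from the page). Line 1 carries a Luhn-valid
# PAN, line 2 a Luhn-valid PAN written with spaces, line 3 a 16-digit order id
# that fails the Luhn check, and line 4 contains no card number at all.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z POST /checkout card=4111111111111111 amount=12.50",
    "2024-03-01T10:00:01Z POST /checkout card=5555 5555 5555 4444 amount=99.00",
    "2024-03-01T10:00:02Z GET /orders order_id=4111111111111112 status=ok",
    "2024-03-01T10:00:03Z GET /health status=ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators the regex tolerates so the digits can be validated."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in the text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a log line with its masked form; leave other numbers alone."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact PANs from every line and count how many lines leaked a full PAN."""
    redacted, leaks = [], 0
    for line in lines:
        if find_pans(line):
            leaks += 1
        redacted.append(redact_line(line))
    return redacted, leaks


if __name__ == "__main__":
    out, n = scan_log(SAMPLE_LOG)
    print(f"{n} line(s) contained a full PAN")
    for line in out:
        print(line)
```

The Luhn check is what keeps the scanner from flagging every 16-digit identifier (the order id on line 3 is left untouched), while the regex's tolerance for spaces and dashes catches PANs that were formatted for display before being logged. In practice the leak count is the signal to act on: a non-zero value means cardholder data reached a log store that is almost certainly outside the encrypted, access-controlled scope the standard requires.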

Information security policies

Ensure the implementation of a policy that addresses information security for employees and contractors.

A Preliminary Checklist for Compliance

Security policies

Secure users and payment processing hardware and the cloud services they access.

Education and coaching

Provide education and coaching to employees about security best practices and protecting cardholder data.

Monitoring and auditing

Regularly monitor traffic within your network and test these systems and processes.

Access controls and security

Implement strong access control measures to restrict access to cardholder data on a need-to-know basis, and ensure appropriate security measures are in place for cardholder data.
