
Pretty much everyone is aware of PCI these days. The Payment Card Industry Data Security Standard (PCI DSS) is one of the most detailed information security standards out there, and in most cases it has raised the level of security within the organizations that adopt it.
Though the PCI DSS is made up of only 12 main requirements, those are divided into over 200 sub-requirements, all of which must be satisfied in order to be considered fully compliant. Over 200 sub-requirements! All of which must be satisfied to be compliant!
Anyone who transmits, stores, or processes credit card data must comply with all 200-plus sub-requirements of the PCI DSS. I don't know how to state it more plainly.
You'll notice I haven't mentioned your merchant level or service provider level yet. That's because it doesn't matter: everyone needs to comply with ALL of the standard. Unbelievably, I'll be talking with a level 3 or level 4 merchant who thinks that all they need to do is run vulnerability scans and check off the boxes on their SAQ (Self-Assessment Questionnaire). Well, that satisfies one sub-requirement, but what about the rest of them?
The various merchant level buckets exist only to set validation requirements. Depending on your level, you may be required to have an on-site validation assessment, or you may complete a Self-Assessment Questionnaire (SAQ). Either way, all 200-plus sub-requirements of the PCI DSS apply to everyone.
If you do suffer a breach at some point, you will be very glad you were fully compliant with the PCI DSS. There is much to be said for safe harbor.
Nancy Sykora
Sr. Account Executive
