Financial Compliance

PCI-DSS

Payment Card Industry Data Security Standard

Global
Effective: December 15, 2004
Updated: March 31, 2024

Overview

PCI-DSS is a global security standard for organizations that handle credit card data. It provides a framework for developing robust payment card data security processes, including prevention, detection, and appropriate response to security incidents. Version 4.0 introduces enhanced authentication requirements and emphasizes a customized approach to security.

IAM Requirements

Requirement 7: Restrict Access

  • Limit access to system components and cardholder data to only those individuals whose job requires it
  • Establish an access control system for system components
  • Assign access rights according to the principle of least privilege
  • Document and maintain access control policies

Requirement 8: Identify Users

  • Assign a unique ID to each person with computer access
  • Implement strong authentication for all access to cardholder data
  • Require multi-factor authentication for all access into the CDE
  • Require MFA for all non-console administrative access
  • Manage passwords/passphrases with minimum complexity requirements
  • Do not use group, shared, or generic accounts

Requirement 10: Track and Monitor

  • Implement audit trails to link access to individual users
  • Record user identification, event type, date and time, and success or failure for each event
  • Secure audit trails so they cannot be altered
  • Review logs daily for security events
  • Retain audit trail history for at least one year
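As an added example (not part of this page or of the PCI-DSS standard itself), the script below checks audit records for the fields Requirement 10 lists, links them into a SHA-256 hash chain so that any alteration of the trail is detectable, and tallies failed events per user to support the daily log review. The field names and the sample records are assumptions constructed here.

```python
import hashlib
import json

# Fields Requirement 10 says each audit record must carry (field names are assumptions)
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome")

# Constructed sample records, not output of any real system
SAMPLE_RECORDS = [
    {"user_id": "jdoe", "event_type": "cde_login", "timestamp": "2024-03-31T08:02:11+00:00", "outcome": "success"},
    {"user_id": "svc-batch", "event_type": "cde_login", "timestamp": "2024-03-31T08:05:40+00:00", "outcome": "failure"},
    {"user_id": "svc-batch", "event_type": "cde_login", "timestamp": "2024-03-31T08:05:52+00:00", "outcome": "failure"},
    {"user_id": "", "event_type": "admin_sudo", "timestamp": "2024-03-31T09:00:00+00:00", "outcome": "success"},
]

def validate_record(rec):
    """Return the list of missing Requirement 10 fields; an empty list means the record is complete."""
    return [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]

def _body_digest(prev_hash, body):
    # Each hash covers the predecessor's hash, so editing or deleting an earlier record breaks the chain
    return hashlib.sha256(bytes.fromhex(prev_hash) + json.dumps(body, sort_keys=True).encode()).hexdigest()

def chain_records(records, seed=b"genesis"):
    """Link records into a tamper-evident hash chain (trails must not be alterable)."""
    prev, chained = hashlib.sha256(seed).hexdigest(), []
    for rec in records:
        digest = _body_digest(prev, rec)
        chained.append({**rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained, seed=b"genesis"):
    """Return the index of the first altered or broken record, or -1 if the trail is intact."""
    prev = hashlib.sha256(seed).hexdigest()
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec["prev_hash"] != prev or rec["hash"] != _body_digest(prev, body):
            return i
        prev = rec["hash"]
    return -1

def failed_events(records, day):
    """Daily review helper: count failed events per user on one date (YYYY-MM-DD)."""
    counts = {}
    for rec in records:
        if rec["outcome"] == "failure" and rec["timestamp"].startswith(day):
            counts[rec["user_id"]] = counts.get(rec["user_id"], 0) + 1
    return counts
```

In a deployment the chain head would be written to a separate, write-once store so that an attacker who can rewrite the log cannot also rewrite the anchor.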

Compliance Checklist

1. Define cardholder data environment (CDE) scope
2. Install and maintain network security controls
3. Apply secure configurations to all system components
4. Protect stored account data with encryption
5. Protect cardholder data during transmission
6. Deploy anti-malware solutions
7. Develop and maintain secure systems and software
8. Implement strong access control measures
9. Restrict physical access to cardholder data
10. Log and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy

Penalties for Non-Compliance

Non-compliance fines: $5,000-$100,000 per month. Additional penalties include increased transaction fees, loss of card processing privileges, and liability for fraud losses.

Quick Facts

Region: Global
Effective Date: December 15, 2004
Enforcing Body: PCI Security Standards Council
