PCI Security Standards Council®

How to Secure with the PCI Data Security Standard

The best way to maximize security of cardholder data is to continuously monitor and enforce the use of controls specified in the PCI Data Security Standard.

Many organizations treat compliance as a one-time, annual event. But only focusing on an annual compliance assessment can create a false sense of security.

Forensic investigators have discovered that security controls deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date. It’s only by achieving and maintaining compliance that your cyber defenses will be adequately primed against attacks aimed at stealing cardholder data.

Validation of compliance with the PCI Data Security Standard is determined by individual payment brands. All have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs. The payment brands also recognize qualified security assessors and approved scanning vendors qualified by the PCI Security Standards Council.

The Council does not enforce compliance; this is done by individual payment brands or acquiring banks.

The PCI 3-Step Process

Compliance Procedures

Card Brands

Specific questions about compliance validation levels and what you must do to validate should be directed to your acquiring financial institution or payment card brand.

Learn more:

PCI Data Security Standard Scoping

Implementing the PCI Data Security Standard starts with scoping. This process involves identifying all system components that are located within or connected to the cardholder data environment (such an environment is comprised of people, processes, and technology that handle cardholder data or sensitive authentication data).

Scoping is an annual process and must occur prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.

Assessment

A Qualified Security Assessor is a data security firm that is qualified by the PCI Council to perform on-site PCI Data Security Standard assessments.

The Assessor will:

  • Verify all technical information given by merchant or service provider
  • Use independent judgment to confirm the standard has been met
  • Provide support and guidance during the compliance process
  • Be onsite for the duration of the assessment as required
  • Adhere to the PCI Data Security Standard Assessment Procedures
  • Validate the scope of the assessment
  • Evaluate compensating controls
  • Produce the final Report on Compliance

See a list of all Qualified Security Assessors

View List

An Approved Scanning Vendor is a data security firm that uses a scanning solution to determine whether or not the customer meets the external vulnerability scanning requirement. Approved Scanning Vendors are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI Data Security Standard.

See a list of all Approved Scanning Vendors

View List
Reporting

Reports are the official method by which merchants and other entities report their compliance status with the PCI Data Security Standard to their respective acquiring financial institutions or payment card brand.

Quarterly submission of a report for network scanning may also be required. Individual payment card brands may require submission of other documentation; see their web sites for more information.

Depending on payment card brand requirements, merchants and service providers may need to submit a Self-Assessment Questionnaire for self-assessments, or a Report on Compliance for on-site assessments.

Learn More