PCI DSS: Securing Card Holder Data

Protecting payment data has become more critical for organizations. As societies embrace cashless transactions and businesses undergo digital transformation, the cyber threat landscape continues to expand, increasing the risk to both individuals and organizations. The Payment Card Industry Data Security Standard (PCI DSS) was created to safeguard cardholder data. This article outlines its requirements, its scope and the cost of non-compliance, and shows how it and other cybersecurity standards and frameworks fit together to secure critical data.

Melissa Parsons, Technical Writer
Published August 13, 2024

What is PCI DSS v4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements designed to ensure that companies handling payment card information maintain a secure environment. It is developed and maintained by the PCI Security Standards Council (PCI SSC), a global forum founded in 2006 by the major card brands: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. PCI DSS applies to any entity that processes, stores or transmits cardholder data, regardless of its size or transaction volume. The current version, PCI DSS v4.0, was published in March 2022 and replaced v3.2.1, which was retired on 31 March 2024; a limited revision, v4.0.1, followed in June 2024, and the requirements that v4.0 marked as future-dated become mandatory on 31 March 2025.

At its core, PCI DSS outlines technical and operational requirements to protect sensitive payment data: network security controls, protection of stored and transmitted cardholder data, vulnerability management, access control, logging and monitoring, regular security testing, and the information security policies that support all of these. Compliance is not a one-time checkbox but a continuous cycle of assessment, remediation and reporting. PCI DSS is not itself a law; it is imposed contractually through the agreements between merchants, their acquiring banks and payment processors, and the card brands, and it serves as a baseline defense against payment card fraud and data breaches.


PCI DSS Requirements

The PCI DSS standard groups the controls an organization must adopt to secure account data into 12 high-level requirements, each broken down into detailed sub-requirements with defined testing procedures.

The standard presents these as the minimum set of requirements for every entity that handles account data. Additional controls and risk-reduction measures may be needed to satisfy local laws, industry regulations or contractual obligations.


PCI DSS 12 Requirements

The Payment Card Industry Data Security Standard outlines 12 requirements that organizations must meet to ensure compliance and the security of cardholder data. These requirements form the framework of the standard with the goal of protecting sensitive financial information.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs
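Requirement 3 is where much of the day-to-day engineering effort lands, because account data leaks into places nobody intended, most often application logs. The script below is an added example written for this article; it is not from the PCI SSC or the original page. It implements two controls from Requirement 3 as a log scrubber: it masks any Luhn-valid primary account number (PAN) down to the BIN and last four digits, the most that Requirement 3.4.1 allows on a display without a documented business need, and it redacts card verification codes, which are sensitive authentication data that Requirement 3.3.1 forbids retaining after authorization. The sample log lines and the field names `pan=` and `cvv=` are constructed for the example; the card numbers are the widely published test PANs, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Card verification codes are sensitive authentication data (SAD) and must not
# be retained after authorization. The field names are assumed for this example.
_SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2)=[0-9]{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Every real PAN passes it, which filters out order
    numbers and timestamps that merely look like card numbers (about 1 in 10
    random digit strings still passes, so treat a match as 'probably a PAN')."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four digits; star out the rest."""
    digits = re.sub(r"[^0-9]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Redact SAD fields and mask every Luhn-valid PAN in one log line.
    Returns the scrubbed line and the number of PANs that were masked."""
    masked = 0

    def _mask(match: re.Match) -> str:
        nonlocal masked
        raw = match.group(0)
        digits = re.sub(r"[^0-9]", "", raw)
        if not luhn_valid(digits):
            return raw  # leave digit runs that fail Luhn untouched
        masked += 1
        return mask_pan(digits)

    line = _SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return _PAN_CANDIDATE.sub(_mask, line), masked


def scrub_log(lines: list[str]) -> list[str]:
    """Scrub a batch of log lines, e.g. before they leave the host for a SIEM."""
    return [scrub_line(line)[0] for line in lines]


# Constructed sample lines. The PANs are published test numbers, not real accounts.
SAMPLE_LOG = [
    "INFO  checkout ok order=1234567890123456 pan=4111 1111 1111 1111 exp=12/27",
    "DEBUG amex auth pan=378282246310005 cvv=123 result=approved",
    "WARN  retry order=1234567890123456 ts=20240813093001",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, scrub_log(SAMPLE_LOG)):
        print(before, "->", after, sep="\n    ")
```

Note the order of operations: the scrubber runs on the line before it is written, which is the only place this works; once a PAN has reached disk, the log file itself is in scope for Requirement 3 and Requirement 10 retention rules. The 16-digit order number in the sample fails the Luhn check and is left alone, which is the behaviour you want for a high-volume pipeline, but a digit string that happens to pass Luhn will be masked, so keep such scrubbing out of fields you need intact.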

PCI DSS Scope

Compliance with PCI DSS is mandatory for any entity that stores, processes or transmits cardholder data and/or sensitive authentication data, and for any entity that could affect the security of the cardholder data environment (CDE). This includes merchants, processors, acquirers, issuers and service providers, whatever their size or transaction volume. Systems that are connected to the CDE, or that provide it with security services such as authentication, logging or patch management, are in scope even if they never touch card data themselves.

The PCI SSC's Guidance for PCI DSS Scoping and Network Segmentation explains how to determine which systems are in scope and how segmentation can reduce that scope. Its starting point is that everything is in scope until shown otherwise: an organization should begin from that assumption, identify every system that stores, processes, transmits or could affect account data, and only then exclude systems that are demonstrably isolated from the CDE by effective, verified segmentation controls.


Consequences for non-compliance

Non-compliance with the Payment Card Industry Data Security Standard can have severe consequences, especially in the event of a cyber attack. Organizations that fail to meet these standards can face a range of penalties as well as experience long-term impacts that can significantly affect operations and viability.

Some of the immediate consequences for non-compliance include:

  • Operational disruptions
  • Financial penalties
  • Increased transaction fees
  • Lawsuits 

The long-term consequences for non-compliance include:

  • Reputational damage with financial institutions and customers
  • Long-term financial impact
  • Increased regulatory scrutiny 


Change Healthcare Incident - PCI DSS Implications

The February 2024 cyberattack on Change Healthcare is a stark reminder of the importance of robust cybersecurity measures and of standards like PCI DSS, even in sectors primarily focused on healthcare data.

Change Healthcare, a major healthcare technology company and a subsidiary of UnitedHealth Group, detected unauthorized activity on its systems on February 21, 2024. Its decision to take systems offline to contain the intrusion disrupted healthcare payments and operations across the United States for weeks: pharmacies could not fill prescriptions, and providers lost access to claims and patient data. Personal information, payment details, insurance records and other sensitive data were stolen by the ALPHV/BlackCat ransomware gang.


Key PCI DSS Lessons from the Change Healthcare Incident

Integrated Security Approach

The attack highlighted the need for an integrated approach to security where healthcare and payment data sit on the same systems. PCI DSS compliance should not be treated in isolation but as one part of a comprehensive security strategy that also covers PHI and other regulated data.

Incident Response Effectiveness

PCI DSS Requirement 12.10 requires an incident response plan that is documented, tested at least once every 12 months and ready to be activated immediately on a suspected or confirmed security incident. The Change Healthcare incident demonstrated the real-world importance of such a plan, both in detecting and containing the intrusion and in managing the consequences of taking systems offline.

System Segmentation Importance

The breadth of the outage underscored the value of network segmentation. PCI DSS does not mandate segmentation, but it strongly recommends it as the way to isolate the cardholder data environment, reduce the scope of assessment and limit how far an intrusion can spread; where segmentation is relied on, Requirement 11.4.5 requires it to be verified by penetration testing.

Effective Third-Party Risk Management

The incident emphasized the need for effective third-party risk management. PCI DSS Requirement 12.8 requires entities to keep an inventory of their service providers, hold written agreements with them, perform due diligence before engagement and monitor their compliance status at least once every 12 months. The many healthcare providers and insurers that depended on Change Healthcare's services illustrate how far the consequences of a breach travel through interconnected systems.

Business Continuity Planning

The prolonged outage demonstrated the vital importance of business continuity and disaster recovery planning, both of which PCI DSS addresses in Requirement 12.10.1, which lists business recovery and continuity procedures and data backup processes among the required elements of the incident response plan.


The Change Healthcare incident is likely to have long-lasting effects on how the healthcare industry secures personal health data and patient payment data. It may lead to increased scrutiny of compliance practices, especially for organizations handling both health and payment data. The interconnected health and payment systems demonstrate the need for robust and effective cybersecurity strategies to protect critical data, including PII and PHI.


Adopting Cybersecurity Standards and Frameworks

Adopting cybersecurity standards provides enterprises with benefits that go beyond regulatory compliance. Standards and frameworks such as NIST CSF, PCI DSS and MITRE ATT&CK give organizations a foundation for building a robust cybersecurity program. They provide a common language and a set of best practices, which enable organizations to streamline their security efforts, make informed decisions and manage risk effectively.

Cyber Risk Management using the FAIR Standard

While the standards and frameworks mentioned above prescribe security controls and best practices, the Factor Analysis of Information Risk (FAIR) Standard takes a different approach: it quantifies risk, and the effect of security controls on that risk, in financial terms so that decisions can be driven by data.

The Open FAIR Body of Knowledge is an open standard that provides a model for understanding, analyzing, and quantifying information risk in financial terms. Its key features include:

  1. Quantitative approach: FAIR allows organizations to estimate the financial impact of cyber risks, moving beyond qualitative assessments.
  2. Common risk language: It establishes a standardized taxonomy for describing risk, facilitating clear communication across different business units and with executive leadership.
  3. Data-driven decision-making: By providing a structured method for risk analysis, FAIR enables organizations to make more informed decisions about cybersecurity investments and resource allocation.
  4. Alignment with business objectives: The financial quantification of risk allows cybersecurity efforts to be directly tied to business outcomes and priorities.
  5. Scenario modeling: FAIR supports the creation and analysis of various risk scenarios, helping organizations prepare for a range of potential cyber threats.
  6. Compatibility: FAIR can be used in conjunction with other frameworks like NIST CSF to provide a more comprehensive risk management approach.
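As an added illustration of the quantitative approach and scenario modeling described above, the script below runs a Monte Carlo simulation over the top-level FAIR factors. This is example code written for this article, not C-Risk's platform or an Open Group artifact. In FAIR, loss event frequency (LEF) is threat event frequency (TEF) multiplied by vulnerability (the probability that a threat event becomes a loss event), and annual loss is the sum of the loss magnitude (LM) of each event in the year. Each factor is given as a calibrated (minimum, most likely, maximum) estimate and sampled from a PERT distribution, the usual choice in FAIR analyses. The estimates for a cardholder-data breach scenario, and the reduction in vulnerability attributed to network segmentation, are constructed for illustration and carry no empirical weight.

```python
import math
import random
import statistics

Estimate = tuple[float, float, float]  # (minimum, most likely, maximum)


def pert(est: Estimate, rng: random.Random, lam: float = 4.0) -> float:
    """Sample a modified-PERT distribution from a (min, mode, max) estimate."""
    low, mode, high = est
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year given the expected frequency (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: dict, iterations: int = 10_000, seed: int = 1) -> list[float]:
    """One simulated year per iteration: LEF = TEF x Vulnerability; loss = sum of LM per event."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        tef = pert(scenario["tef"], rng)      # threat events per year
        vuln = pert(scenario["vuln"], rng)    # P(a threat event becomes a loss event)
        n_events = poisson(tef * vuln, rng)   # loss events realised this year
        years.append(sum(pert(scenario["lm"], rng) for _ in range(n_events)))
    return years


def summarize(losses: list[float]) -> dict:
    """Annualized loss expectancy plus the tail percentiles a risk owner asks for."""
    s = sorted(losses)
    n = len(s)
    return {
        "ale": statistics.fmean(s),
        "median": s[n // 2],
        "p90": s[int(0.90 * (n - 1))],
        "p95": s[int(0.95 * (n - 1))],
        "max": s[-1],
    }


def compare(baseline: dict, treated: dict, iterations: int = 10_000, seed: int = 1) -> dict:
    """ALE before and after a control: the figure set beside the control's cost."""
    base = summarize(simulate_annual_loss(baseline, iterations, seed))
    ctrl = summarize(simulate_annual_loss(treated, iterations, seed))
    return {"baseline": base, "with_control": ctrl, "ale_reduction": base["ale"] - ctrl["ale"]}


# Constructed, illustrative estimates for a cardholder-data breach scenario.
BASELINE = {
    "tef": (2.0, 6.0, 12.0),                    # attacks reaching the CDE per year
    "vuln": (0.20, 0.40, 0.60),                 # share that succeed against current controls
    "lm": (50_000.0, 400_000.0, 5_000_000.0),   # cost per loss event, USD
}
# Same scenario with network segmentation assumed to lower vulnerability only.
WITH_SEGMENTATION = {**BASELINE, "vuln": (0.02, 0.05, 0.10)}

if __name__ == "__main__":
    result = compare(BASELINE, WITH_SEGMENTATION)
    for name in ("baseline", "with_control"):
        print(name, {k: round(v) for k, v in result[name].items()})
    print("ALE reduction:", round(result["ale_reduction"]))
```

The difference in annualized loss expectancy between the two scenarios, read against the control's annual cost, is the kind of threshold a FAIR analysis produces for a risk-based decision; the p90 and p95 values show the tail exposure that an average alone hides. Swapping the seed or the iteration count changes the figures only within sampling noise, which is itself worth reporting to decision-makers.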

By implementing the FAIR Standard alongside other cybersecurity frameworks, organizations can develop a more holistic approach to cyber risk management. This combination allows for both the implementation of strong security controls and the ability to quantify and communicate the financial implications of cyber risks effectively.

The adoption of cybersecurity standards, frameworks and risk quantification models like FAIR gives enterprises a robust toolkit for managing their cybersecurity posture. These tools help organizations meet regulatory requirements and build resilient, data-driven operations capable of navigating a complex and constantly changing digital landscape.


C-Risk cybersecurity and risk management experts use the Open FAIR™ Risk Analysis (O-RA) Standard and the Risk Taxonomy (O-RT) Standard. Using the FAIR framework, quantified risk scenarios can be mapped to control frameworks such as PCI DSS to establish meaningful financial thresholds for risk-based decisions.

If you would like to learn more, schedule a call with a C-Risk expert.
