PCI DSS standards

[Mutt]

The PCI DSS (Payment Card Industry Data Security Standard) is an international set of data security requirements developed by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder information during processing, storage and transmission. These standards are mandatory for all organizations that accept, process or store bank card data (Visa, MasterCard, American Express, Discover, JCB, etc.). Below I will explain in detail what PCI DSS is, its main requirements, structure, compliance process and its importance for protection against fraud, including carding, for educational purposes.

What is PCI DSS?​

PCI DSS is a set of standards aimed at ensuring the security of cardholder data (e.g. card number, name, CVV, PIN) and preventing leaks that could be used for fraud, such as carding. The standards apply to:

• For merchants (outlets that accept cards).
• Payment systems.
• Processing centers.
• For issuing and acquiring banks.
• To service providers involved in card processing.

PCI DSS was first published in 2004 and is updated regularly (the latest version as of August 2025 is PCI DSS v4.0, released in March 2022).

The objectives of PCI DSS are to:

• Protecting cardholder data.
• Reducing the risk of fraud.
• Ensuring trust in payment systems.

PCI DSS Framework: 12 Key Requirements​

PCI DSS v4.0 consists of 6 objectives and 12 requirements that cover all aspects of card data security. Here is a detailed description of each requirement:

Goal 1: Create and Maintain a Secure Network​

1. Installation and maintenance of network security tools:
   • Use firewalls to protect systems that process card data from unauthorized access.
   • Set up traffic filtering rules to allow only necessary connections.
   • Example: Allow access only to ports used for payment processing (e.g. HTTPS on port 443).
2. Opting out of default security settings:
   • Change default passwords for devices, apps, and accounts.
   • Set up unique encryption keys and certificates.
   • Example: Replace the router's factory password with a complex and unique one.

Goal 2: Protect cardholder data​

1. Protecting stored cardholder data:
   • Store only the necessary data (e.g. card number, expiration date) and minimize its volume.
   • Use masking (for example, showing only the last 4 digits of the card number) and tokenization.
   • It is prohibited to store sensitive authentication data (e.g. CVV, PIN, magnetic stripe data) after authorization.
   • Example: An online store must encrypt card numbers in its database using AES-256.
2. Encryption of data when transmitted over open networks:
   • Use TLS (Transport Layer Security) protocols version 1.2 or higher to protect data when transmitted over the Internet.
   • The use of legacy protocols such as SSL or TLS 1.0 is prohibited.
   • Example: Online payments must use HTTPS with a valid certificate.

Goal 3: Maintain a vulnerability management program​

1. Use and regularly update antivirus software:
   • Install antivirus software on all systems that may be vulnerable to malware (e.g. servers, cashier workstations).
   • Update your antivirus databases regularly.
   • Example: Antivirus software should detect Trojans that can intercept card data.
2. Developing and maintaining secure systems and applications:
   • Install security updates (patches) for operating systems, servers and programs.
   • Use secure software development practices (e.g. OWASP Top 10 for SQL injection protection).
   • Example: Regularly update your online store CMS to eliminate vulnerabilities.

Goal 4: Implement Strict Access Control​

1. Restricting access to data on a need-to-know basis:
   • Grant access to card data only to employees who need it to perform their duties.
   • Use role-based access control (RBAC).
   • Example: The cashier should not have access to the database with card numbers.
2. User authentication:
   • Assign unique identifiers (logins) for each employee.
   • Use two-factor authentication (2FA) to access critical systems.
   • Example: The server administrator must log in using a password and code from an authenticator app.
3. Restriction of physical access:
   • Protect server rooms, terminals and data storage from unauthorized physical access.
   • Use cameras, access control systems and access logs.
   • Example: The server room should be locked and accessible only to IT staff.

Goal 5: Monitoring and Testing Networks​

1. Monitoring access to network resources and data:
   • Keep logs of all actions related to access to card data (audit logs).
   • Use intrusion detection systems (IDS/IPS).
   • Example: Logs should record who accessed the database with map data and when.
2. Regular testing of security systems and processes:
   • Conduct vulnerability scans and penetration tests (pentests) at least once per quarter.
   • Check your wireless networks for unauthorized access points.
   • Example: Hiring a certified professional to perform a pentest.

Goal 6: Maintaining Information Security Policy​

1. Developing and maintaining a security policy:
   • Create and regularly update a security policy document that covers all aspects of PCI DSS.
   • Provide security training to your employees.
   • Example: All employees must undergo annual training on recognizing phishing attacks.

PCI DSS Compliance Levels​

Organizations are classified by compliance level based on transaction volume:

• Level 1: Merchants processing more than 6 million transactions per year. Requires an annual audit by a Qualified Security Assessor (QSA).
• Level 2: 1–6 million transactions per year. Requires SAQ (Self-Assessment Questionnaire) and possibly audit.
• Level 3: 20,000–1 million transactions (for e-commerce). SAQ required.
• Level 4: Less than 20,000 transactions (for e-commerce) or up to 1 million transactions (for physical stores). SAQ required.

PCI DSS Compliance Process​

1. Rating:
   • Identify which systems are part of the Cardholder Data Environment (CDE) - the area where card data is processed or stored.
   • Conduct a vulnerability analysis and compliance assessment.
2. Troubleshooting:
   • Fix any vulnerabilities that have been identified (e.g. install patches, configure encryption).
3. Reporting:
   • For Level 1: Pass a QSA audit and receive a Report on Compliance (RoC).
   • For levels 2–4: Complete the SAQ and, if required, provide an Attestation of Compliance (AoC).
4. Constant compliance:
   • Monitor, test and train regularly.

PCI DSS Relationship with Carding Protection​

PCI DSS directly helps prevent carding because:

• Limits data storage: Restricting the storage of CVV and PIN reduces the value of stolen data.
• Protects against leaks: Encryption and access control prevent database hacking.
• Detects attacks: Monitoring and testing helps identify skimmers or malware.
• Enhances online security: Requiring TLS and 3D-Secure protects against phishing and online fraud.

Current changes (PCI DSS v4.0)​

PCI DSS v4.0 (released March 2022, mandatory March 2024) includes the following new features:

• Flexibility of approaches: Organizations can use alternative methods to achieve security goals (Customized Approach).
• Strengthen Authentication: Require 2FA for all accounts associated with the CDE.
• Focus on online transactions: Increased e-commerce security requirements, including checking scripts on websites.
• Regular training: Mandatory training for employees every 12 months.

Conclusion​

PCI DSS is a key standard for protecting bank card data, which minimizes the risks of fraud, including carding. Its 12 requirements cover all aspects of security: from network protection to employee training policies. Compliance with PCI DSS requires ongoing efforts, but significantly increases customer confidence and reduces financial and reputational risks.

If you want to delve into specific aspects, such as how to implement encryption according to PCI DSS, conduct a pentest for compliance with the standard, or compare PCI DSS with other standards (for example, ISO 27001), let me know, and I will provide detailed information. I can also tell you about legal methods for testing the security of payment systems for educational purposes.