What Is PCI Compliance?
In support of secure credit card transactions, “PCI is an industry standard that basically regulates how credit cards are processed and sets forth a standard set of security requirements designed to ensure the protection of sensitive data associated with credit card payments,” says Alan Shark, executive director at the Public Technology Institute, a division of Fusion Learning Partners.
“This becomes particularly important to state and local governments, because government has far more sensitive data than perhaps any business and also accepts credit card payments,” he says. In government, “credit card payments through websites and through other transactions have become quite commonplace. How are we keeping up with it? What are the questions that local governments should be asking?”
By asking the right questions and implementing appropriate controls according to a defined standard, state and local agencies can go a long way toward improving security.
“If you're compliant with PCI, it really does reduce the likelihood of data breaches and the reputational damage associated with that,” says Kayne McGladrey, IEEE Senior Member and field CISO at compliance management platform Hyperproof.
What Are the 12 PCI DSS Compliance Standards?
The 12 requirements under PCI DSS cover a wide range of technologies, according to Lauren Holloway, director of data security standards at the PCI Security Standards Council. The 12 items require IT teams to install and maintain network security controls, apply secure configurations to all system components and protect stored account data.
PCI DSS focuses on how cardholder data is stored, processed and transmitted, an urgent concern in the current technology landscape.
“So much data is stored digitally these days. PCI DSS is a recognition that we do have a digital economy at this point and that it’s essential to have controls at the digital level,” McGladrey says.
Government organizations need to protect systems and networks from malicious software; develop and maintain secure systems and software; and identify users and authenticate access to system components, among other things. And they need to “test security of systems and networks regularly,” Holloway says.
The 12 key requirements include 78 base requirements, “as well as over 400 test procedures,” McGladrey says. In particular, PCI DSS testing includes requirements governing penetration testing, as part of an emerging emphasis on long-term security.
“In PCI 4.0, there is a new focus on long-term security processes. PCI used to be perceived as a one-and-done; you'd do it annually. This is much more about maintaining controls during the year,” McGladrey says.