PCI DSS

4.1 Explain the importance of basic network security concepts

Audits and Compliance

📘CompTIA Network+ (N10-009)


What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created to ensure that organizations that store, process, or transmit credit card information do so securely. It is a compliance requirement for any business that handles cardholder data (CHD).

  • Purpose: Protect cardholder data, prevent data breaches, and reduce fraud.
  • Applies to: Merchants, service providers, and any entity that handles payment card information.

PCI DSS Requirements

PCI DSS has 12 main requirements, organized into 6 categories. These are essential for exam knowledge.

1. Build and Maintain a Secure Network

  • Requirement 1: Install and maintain firewalls to protect cardholder data.
    • Example: A firewall is configured on the network separating the payment application servers from the public internet.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security settings.
    • Example: Ensure default passwords for SQL databases storing cardholder data are changed to strong passwords.

2. Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data (encryption, masking).
    • Example: Store credit card numbers in a database only after encrypting them with AES-256.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
    • Example: Use TLS 1.2 or higher when sending payment data from a web application to a payment processor.

3. Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software on systems commonly affected by malware.
    • Example: Install anti-malware on Windows servers hosting payment applications.
  • Requirement 6: Develop and maintain secure systems and applications.
    • Example: Apply security patches to web servers that host payment pages.

4. Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data to only those who need it.
    • Example: Only the billing department can access cardholder records, not the marketing team.
  • Requirement 8: Assign unique IDs to each person with system access.
    • Example: Each admin in the payment system must log in with their own credentials, never shared accounts.
  • Requirement 9: Restrict physical access to cardholder data.
    • Example: Payment servers must be in a locked server room with badge access.

5. Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
    • Example: Maintain logs for database access and alert on unusual activity.
  • Requirement 11: Regularly test security systems and processes.
    • Example: Conduct vulnerability scans and penetration tests on servers processing card data.

6. Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors.
    • Example: Company policy includes rules on how developers and IT staff handle cardholder data.

PCI DSS Compliance Levels

The PCI DSS divides organizations into levels depending on volume of card transactions:

Level | Description | Examples of Compliance Requirement
1 | Over 6 million transactions/year | Annual on-site audit and quarterly vulnerability scans
2 | 1–6 million transactions/year | Annual Self-Assessment Questionnaire (SAQ) and quarterly scans
3 | 20,000–1 million e-commerce transactions/year | Annual SAQ and scans
4 | Less than 20,000 e-commerce transactions/year | Annual SAQ (simplified)

Key point for exams: Level determines the type of audit required.


PCI DSS in Audits and Compliance

  • Audits: External Qualified Security Assessors (QSAs) may conduct audits to verify compliance.
  • Compliance: Organizations must maintain documentation, such as policies, access logs, vulnerability scans, and system configurations.
  • Non-compliance: Can lead to fines, loss of ability to process payments, and reputational damage.

IT-Focused Examples

  • Encryption: Payment gateway encrypts card numbers before saving in a SQL database.
  • Access Control: Only specific servers can access the payment database; other servers are blocked by firewall rules.
  • Monitoring: SIEM tools monitor cardholder data access and alert on unusual login attempts.
  • Testing: Security team performs quarterly vulnerability scans on payment servers.

Key Exam Points to Remember

Real IT implementation examples often include databases, web servers, firewalls, encryption, and monitoring tools.

PCI DSS = Protects credit card data; mandatory for any organization handling card info.

12 requirements grouped into 6 areas: Network security, data protection, vulnerability management, access control, monitoring/testing, security policy.

Compliance levels are based on transaction volume; higher levels require audits.

Encryption, firewalls, access control, monitoring logs, and policies are central concepts.

Non-compliance can have serious legal and financial consequences.
