About
Login
Get Started

PCI-DSS Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) defines a set of security standards designed to protect cardholder data during payment card transactions. NAC is an essential technology when it comes to meeting PCI-DSS security requirements.

Request a Demo

Protecting cardholder data can't be done effectively without proper network access control in place.

shield-zap

Requirement 1

Install and maintain a firewall configuration to protect cardholder data.

Portnox can complement firewall technologies by enforcing access control policies, ensuring that only authorized devices and users can access the cardholder data environment (CDE).

users-right

Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters.

Portnox can enforce endpoint compliance by verifying that devices meet security standards and have proper configurations before granting access to the network.

credit-card-upload

Requirement 4

Encrypt transmission of cardholder data across open, public networks.

Portnox can help ensure that only authorized and compliant devices can access the network, reducing the risk of unauthorized access and potential eavesdropping on cardholder data transmissions.

shield-tick

Requirement 5

Protect all systems against malware and regularly update antivirus software or programs.

The Portnox Cloud integrates with antivirus systems and enforce compliance by verifying the presence and up-to-date status of antivirus software on devices attempting to access the network.

credit-card-x

Requirement 7

Restrict access to cardholder data by business need-to-know.

Portnox can enforce granular access controls based on user roles and device posture, allowing only authorized individuals and devices to access specific segments of the network that contain cardholder data.

fingerprint-03

Requirement 8

Identify and authenticate access to system components.

Portnox plays a role in user authentication by integrating with identity and access management (IAM) systems, ensuring that only authenticated users and devices are granted access to the CDE.

search-sm

Requirement 9

Track and monitor all access to network resources and cardholder data.

The Portnox Cloud provide detailed logs and audit trails of user and device activities, helping to monitor and track access to sensitive resources, and generate alerts or reports for suspicious activities.

Endpoint remediation solution

Keep all of your endpoints in a healthy state of compliance

Every endpoint connected to your network represents a potential entry point for a cybercriminal. With automated endpoint remediation from the Portnox Cloud, you can rest easy knowing all your users’ devices are compliant with your risk policies, and that common device vulnerabilities are eliminated.

Learn More

PCI-DSS security & compliance

FAQs

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards established by major payment card companies, including Visa, MasterCard, American Express, Discover, and JCB, to ensure the protection of cardholder data and maintain the security of credit card transactions.

The PCI DSS applies to any organization that handles, processes, or stores payment card information, including merchants, financial institutions, service providers, and other entities involved in the payment card ecosystem. The standards were created to prevent data breaches and protect sensitive information, such as cardholder names, primary account numbers (PANs), expiration dates, and security codes.

Key objectives of the PCI DSS include:

  1. Building and maintaining a secure network: This involves installing and maintaining firewalls, using strong encryption for data transmission, and regularly updating system software and security patches.
  2. Protecting cardholder data: This includes encrypting cardholder data, implementing access controls, and restricting physical and logical access to cardholder information.
  3. Maintaining a vulnerability management program: Organizations must regularly scan their networks and systems for vulnerabilities, apply security patches, and use updated antivirus software.
  4. Implementing strong access control measures: This involves restricting access to cardholder data, assigning unique IDs to individuals with computer access, and implementing two-factor authentication.
  5. Regularly monitoring and testing networks: Organizations should track and monitor all access to network resources, regularly test security systems and processes, and maintain audit logs.
  6. Maintaining an information security policy: Organizations must develop and maintain a comprehensive security policy that addresses the protection of cardholder data and provides guidance to employees.

Compliance with PCI DSS is mandatory for organizations involved in payment card processing. Non-compliance can result in fines, restrictions on card processing, and reputational damage. Organizations typically undergo periodic assessments and audits to ensure their compliance with the standard and maintain the security of payment card data.

PCI DSS helps to secure various types of data that are involved in payment card transactions. The standard primarily focuses on protecting cardholder data, which refers to the information associated with the payment card used in a transaction. This data includes:

  • Primary Account Number (PAN): The PAN is the unique number printed on the front of a payment card, such as a credit card or debit card. PCI DSS mandates the protection of PAN through encryption or truncation to minimize the risk of unauthorized access.
  • Cardholder Name: The PCI DSS requires organizations to protect the cardholder’s name associated with the payment card.
  • Expiration Date: The expiration date of the payment card is considered sensitive information and must be protected as part of PCI DSS compliance.
  • Service Code: The service code is a three-digit number on the magnetic stripe of a payment card. PCI DSS requires organizations to safeguard this data element.
  • Cardholder Data Authentication Data: This includes data elements used to authenticate the cardholder during the transaction, such as the CVV (Card Verification Value) or CVC (Card Verification Code). PCI DSS mandates that these values should not be stored after authorization.
  • Additional Sensitive Authentication Data: This category includes other sensitive data used in the payment card transaction process, such as PINs (Personal Identification Numbers) or encrypted PIN blocks.

It’s important to note that PCI DSS also covers other related data and systems that could impact the security of cardholder data. This includes information security policies, network infrastructure, firewall configurations, access controls, logging and monitoring mechanisms, and other components involved in the processing, transmission, and storage of payment card information.

By implementing the security controls and measures outlined in PCI DSS, organizations can effectively safeguard these types of data, reducing the risk of data breaches and unauthorized access.

Yes, PCI DSS does require network segmentation policies as part of its security requirements. Network segmentation is the practice of dividing a computer network into smaller, isolated segments to enhance security and reduce the scope of a potential security breach. By implementing network segmentation, an organization can separate systems and sensitive data into different network segments, limiting the potential impact of a breach or unauthorized access.

The specific requirements related to network segmentation in PCI DSS are outlined in Requirement 1: Install and maintain a firewall configuration to protect cardholder data. The standard mandates the following:

  • 1: Establish a formal process for approving and testing all network connections and changes to the firewall and router configurations.
  • 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • 3: Protect cardholder data with a firewall. This requirement includes implementing network segmentation to isolate systems that store, process, or transmit cardholder data from other networks, especially public-facing networks.
  • 3.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment (CDE) and ensure that only established connections are allowed.
  • 3.2: Implement a DMZ (Demilitarized Zone) to separate the CDE from other networks.
  • 3.3: Limit inbound Internet traffic to the DMZ and the CDE.
  • 3.4: Place system components that store cardholder data (such as databases) in an internal network zone, segregated from the DMZ and other untrusted networks.
  • 3.5: Implement network segmentation to isolate systems that store cardholder data from those that do not.

These requirements emphasize the need for organizations to implement network segmentation and properly configure firewalls to protect cardholder data. Network segmentation helps to restrict access, control traffic flow, and minimize the risk of unauthorized access to sensitive data by isolating systems that handle cardholder data from other parts of the network.

It’s important to note that the specific network segmentation requirements may vary depending on the organization’s environment, but the general principle of implementing network segmentation to protect cardholder data remains consistent across all PCI DSS compliance obligations.

Yes, endpoint compliance is mandated in PCI DSS. The standard includes requirements and recommendations to ensure the security of endpoints, which are devices or systems connected to a network, such as desktop computers, laptops, point-of-sale (POS) terminals, and servers. Protecting endpoints is crucial because they often have access to and process cardholder data.

The following PCI DSS requirements specifically address endpoint security:

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs:

  • 1: Deploy anti-virus software on all systems commonly affected by malware, and ensure it is kept up to date.
  • 2: Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malware.

Requirement 6: Develop and maintain secure systems and applications:

  • 1: Establish and maintain a process to identify security vulnerabilities, including the use of reputable external sources for vulnerability information.
  • 2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Requirement 8: Identify and authenticate access to system components:

  • 1: Assign a unique ID to each person with computer access.
  • 2: Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  • 3: Incorporate multi-factor authentication for remote access to the network by employees, administrators, and third parties.

These requirements highlight the importance of implementing security measures on endpoints to protect against malware, regularly updating software and systems to address vulnerabilities, and implementing strong access controls, including the use of multi-factor authentication.

Endpoint compliance plays a crucial role in securing the overall cardholder data environment (CDE) and minimizing the risk of unauthorized access or compromise of sensitive data. Organizations must ensure that their endpoints are properly secured, regularly patched, and protected against malware as part of their PCI DSS compliance efforts.

Check Out the Full-Featured Portnox Cloud

Related Reading

Webinars

Taming Tool Sprawl: How Portnox Unifies Security Through Smarter Integrations
eBooks

Five Ways to Master Remote Access Security
Case Studies

New Albany Floyd County Consilidated School District rolls out NAC in record time with Portnox
Explore the Blog

NEW REPORT: CISOs' Perspectives on Cybersecurity in 2026

Learn More
X