PCI DSS, which stands for Payment Card Industry Data Security Standard, is a regulatory framework for companies that collect payment card information. That sounds incredibly exciting, does it not? While PCI DSS requirements do concern physical security to a certain extent, the framework mainly pertains to the world of eCommerce, where payment card information is a major target for criminals.
In fact, payment card information is among the most lucrative data on the internet in terms of cost per record. It can go for as much as $200 per card on the dark web! So, as you can imagine, meeting PCI security requirements should be of the utmost importance to every organization that handles payment card information.
Complying with PCI DSS Security Requirements
While many regulations are onerous and written in a way that makes them difficult to interpret (looking at you, GDPR), PCI DSS is pretty straightforward. Talk about a breath of fresh air! That's likely owing to the fact it's an industry-wide regulation that doesn't need to be written in a way that's applicable to national governments or member states. That means that it can be much clearer in its expectations.
And, frankly, none of this stuff is really all that difficult to accomplish. The one caveat to this statement is the scanning component, and we'll get to a ready-made solution for that in just a minute. In the meantime, here are the 12 requirements for PCI DSS compliance:
- Install and maintain a firewall.
- Change passwords and usernames from vendor defaults.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data.
- Use antivirus software and upgrade it regularly.
- Develop and maintain secure systems/applications.
- Restrict access to data on a need-to-know basis.
- Assign everyone with network access a unique ID.
- Restrict physical access to data.
- Track and monitor all access to network data.
- Regularly scan security systems and processes.
- Maintain a policy that addresses security.
If you want an in-depth guide to PCI DSS compliance and how to stay compliant, we've got you covered.
Most of these PCI DSS compliance requirements are just best practices. Firewalls, antivirus programs, good password hygiene: realistically, you should already be doing that anyway. It's number 11 that gives organizations the most trouble. That's because scanning is kind of a vague term. How exactly does one scan?
An Easy Way to Meet the PCI Scanning Requirement
It's actually pretty simple, and you don't even have to do it yourself. You can just purchase a scanning product from a trusted third-party vendor and use that. The best tool in the industry, and the one that's most affordable, is Sectigo HackerGuardian. Retailing at $250, HackerGuardian scans your website using over 30,000 tests and produces actionable remediation advice as well as ready-to-submit reports that will help you easily meet PCI DSS requirements.
Oh, yeah, and it retails at $250 but we sell it for as little as $81.95 per year. Don't ask us how we make money; let's just say I'm writing this for free.
How Does HackerGuardian Perform PCI DSS Scans?
Really, all you need to do is set it up and decide when you want to run the quarterly scans. We recommend doing it at a higher frequency than that, though. A lot can happen over the course of three months, so think about running your scans weekly or bi-weekly. At a minimum, run it once a month. You only have to submit a report quarterly, but keeping your websites, and the payment card info they collect, safe is a daily task.