Many organizations continue to struggle to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS), the payment card industry mandate to protect cardholder data and prevent fraud. The standard was formulated by five major payment card companies to reconcile their individual programs into a single set of requirements. The PCI Security Standards Council (PCI SSC) has since issued multiple updates, the most recent being version 3.1, effective as of April 2015.
Organizations can achieve an efficient, repeatable and sustainable security program that both satisfies the technical requirements of their PCI obligations and provides the level of cardholder data protection for which the standard was created. This white paper explains the essentials of a PCI compliance program, focusing on the critical but problematic areas that lie at the heart of the requirements:
- Protect cardholder data from unauthorized use;
- Enforce strong controls around privileged users and data access;
- Implement centralized, automated role-based access control, authorization, and authentication;
- Provide system and database auditing, and database activity monitoring.