Welcome back to our series, The Ultimate Guide On Managing PCI DSS Requirement Frequencies. This week we’re diving head first into Requirement 3, “Protect Stored Cardholder Data,” and Requirement 4, “Encrypt Transmission of Cardholder Data Across Open, Public Networks.”
The good news is that between these two major requirement areas, there’s only one explicit requirement frequency. Whew, right? Before you breathe a sigh of relief, let’s break things down.
Requirement 3 has 20 high-level requirements and 46 sub-requirements. There’s only ONE explicit requirement frequency, but don’t get too excited unless you’re not storing customer cardholder data.
If your company is storing customer cardholder data, we highly recommend that you implement a solution that enables you to stop storing this data, thereby reducing your risk, potential exposure, and of course, reducing your assessment scope.
Requirement 4 has four high-level requirements and 12 sub-requirements. There are no explicit or implicit requirement frequencies.
How To Comply With PCI DSS Requirement 3 In 5 Easy Steps
All bets are off if your company is storing customer credit card data, but as long as you’ve gotten out of the business of storing this risky data, Requirement 3 becomes easier to manage from a continuous compliance perspective.
- Don’t store customer credit card data anywhere for any reason.
- Prove the negative: Scan your in-scope servers and if you have tele-workers processing payments, scan their devices to prove there’s no cardholder data.
- Prove the negative: Scan out-of-scope areas of the network to give your QSA the evidence that your company does not store cardholder data either in the cardholder data environment or anywhere else on your network.
- Provide your QSA with your company’s data-retention and disposal policies, procedures, and processes for identifying and securely deleting cardholder data at least quarterly, per PCI DSS requirement 3.1.
- Provide screenshots and application walk-throughs (if you aren’t using a third-party payment provider) to prove your application masks PAN data per PCI DSS requirement 3.3. If you completed the walk-throughs with your QSA during the assessment scoping or the data flows of requirement 1.1.3, you’ve successfully fed two birds with one walk-through.
As long as you can prove you don’t store customer credit card data anywhere for any reason, your QSA will go through and mark most of Requirement 3 “N/A.”
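As an added illustration of the “prove the negative” scans (steps 2 and 3) and the masking rule of step 5 (example code, not from the original article): a minimal cardholder-data discovery check that finds candidate PANs in text, drops digit runs that fail the Luhn check to cut false positives, and reports each hit masked to no more than the first six and last four digits as requirement 3.3 allows. The log lines and the card numbers in them are constructed for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines for the example (not real transaction data).
SAMPLE_LOG = """\
2021-09-14 order ORD-8841 paid with card 4111 1111 1111 1111 exp 12/24
2021-09-14 customer ref 1234-5678-9012-3456 callback 555-0100
2021-09-14 refund for 5555 5555 5555 4444 approved
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask as PCI DSS 3.3 allows: at most the first six and last four digits shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to the masked PANs found on that line."""
    hits: dict[int, list[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.setdefault(lineno, []).append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Evidence output never contains a full PAN, only the masked form.
    for lineno, pans in scan_text(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(pans)}")
```

Line 2 of the sample is a 16-digit reference that fails the Luhn check, so it is not reported; a real discovery scan would run this over file systems, databases and endpoints in and out of scope, keeping only masked values as QSA evidence.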
Show Me The Proof: Are You Encrypting Cardholder Data in Transit?
Requirement 4 has more bark than bite. During your Report on Compliance assessment, you will need to provide your company’s policies for transmitting cardholder data, prove that your company uses strong cryptography, provide vendor documentation as a cross-reference, and prove that unprotected credit card data is never sent over end-user messaging.
Best practice: Spot check network traffic at least quarterly to validate that your company continues to comply with Requirement 4.
Don’t miss our next installment on PCI DSS Requirement Frequencies.
Our next article will be on Requirement Area 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software Or Programs. You guessed it… there are plenty of requirement frequencies in this one!
September 14, 2021: Ask Us Anything!
Saving $92,000 in outside QSA assessment fees isn’t always easy, but with the right tools and framework, you can build a complete and functional PCI DSS Compliance program that not only saves you time, money, and effort, but also makes it easier for your QSA to assess your cardholder data environment. Led by two PCI DSS Compliance experts with over 20 years of combined experience, this 60-minute seminar will guide you through our successes and challenges with a complex and complicated cardholder data environment.
3 Key Takeaways:
1. Learn how to pinpoint and remediate key issues before your annual Report on Compliance.
2. Master how to revise and enhance critical compliance processes to show maturity in your compliance program.
3. Take away actionable steps on how to create a sustainable PCI DSS compliance program that saves time and money in outside QSA assessment fees.
This session will be 50-60 minutes long with time at the end for Q&A.