Welcome back to the our series, The Ultimate Guide On Managing PCI DSS Requirement Frequencies. This week we’re diving head first into Requirement 3, “Protect Stored Cardholder Data,” and Requirement 4, “Encrypt Transmission of Cardholder Data Across Open, Public Networks.”

The good news is that between these two major requirement areas, there’s only one explicit requirement frequency. Whew, right? Before you breathe a sigh of relief, let’s break things down.

Requirement 3 has 20 high level requirements and 46 sub-requirements. There’s only ONE explicit requirement frequency but don’t get too excited unless you’re not storing customer cardholder data. 

If your company is storing customer cardholder data, we highly recommend that you implement a solution that enables you to stop storing this data, thereby reducing your risk, potential exposure, and of course, reducing your assessment scope. 

Requirement 4 has four high level requirements and 12 sub-requirements. There’s no explicit or implicit requirement frequencies.

How To Comply With PCI DSS Requirement 3 In 5 Easy Steps

All bets are off if your company is storing customer credit card data, but as long as you’ve gotten out of the business of storing this risky data, requirement 3 becomes easier to manage from a continuous compliance perspective. 

  1. Don’t store customer credit card data anywhere for any reason. 
  2. Prove the negative: Scan your in-scope servers and if you have tele-workers processing payments, scan their devices to prove there’s no cardholder data.
  3. Prove the negative: Scan out-of-scope areas of the network to provide the evidence necessary to the QSA that your company does not store cardholder data either in the cardholder data environment or anywhere else on your network.
  4. Provide your QSA with your company’s data-retention and disposal policies, procedures, and processes for identifying and securely deleting cardholder data at least quarterly, per PCI DSS requirement 3.1.
  5. Provide screen shots and application walk throughs (if you aren’t using a 3rd party payment provider) to prove your application masks PAN data per PCI DSS requirement 3.3. If you completed the walk-throughs with your QSA during the assessment scoping or the data flows of requirement 1.1.3, you’ve successfully fed two birds with one walk-through.

As long as you can prove you don’t store customer credit card data anywhere for any reason, your QSA will go through and mark most of Requirement 3 “N/A.”

Show Me The Proof: Are You Encrypting Cardholder Data in Transit?

Requirement 4 has more bark than bite. During your Report on Compliance Assessment, you will need to provide your company’s policies for transmitting cardholder data, prove that your company uses strong cryptography, provide vendor documentation as a cross reference, and prove that unprotected credit card data is never sent over end-user messaging.

Best practice: Spot check network traffic at least quarterly to validate that your company continues to comply with Requirement 4.

Don’t miss our next installment on PCI DSS Requirement Frequencies. 

Our next article will be on Requirement Area 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software Or Programs. You guessed it…there’s plenty of requirement frequencies in this one!

Upcoming Events

September 14, 2021: Ask Us Anything!

October 5, 2021: Assess Smarter Not Harder. Attend this event and receive 1 CPE towards your CISA, CISM, or even your PCI-P credential.

Saving $92,000 in outside QSA assessment fees isn’t always easy, but with the right tools and framework, you can build a complete and functional PCI DSS Compliance program that not only saves you time, money, and effort; but also makes it easier for your QSA to assess your cardholder data environment. Led by two PCI DSS Compliance experts with over 20 years of combined experience, this 60 minute seminar will guide you through our successes and challenges with a complex and complicated cardholder data environment.

3 Key Takeaways: 

1. Learn how pinpoint and remediate key issues before your annual Report on Compliance. 

2. Master how to revise and enhance critical compliance processes to show maturity in your compliance program 

3. Take away actionable steps on how to create a sustainable PCI DSS compliance program that saves time and money in outside QSA assessment fees.  

This session will be 50-60 minutes long with time at the end for Q/A.

10 Essential Tasks To Do BEFORE You Start Your 2023 PCI Report On Compliance

Don’t Start Your 2023 PCI Report on Compliance Without Doing These 10 Essential Tasks FIRST:

The end of the first quarter is quickly approaching. It’s time to get your PCI Compliance house in order.

Because nobody wants to be the next Landry’s and have a $20M fine upheld by federal court.

1. You have a copy of the signed Statement of Work with your QSA

Make sure you have this statement of work at your fingertips throughout your assessment period. This agreement protects you and your QSA for work that is contractually agreed upon.

2. Complete an end-to-end PCI Scope Assessment

The success of your PCI Report on Compliance hinges upon an accurate PCI Scope Assessment.

Your scope assessment includes the who, what, where, when, why, and how of your cardholder data environment and anything or anybody that connects to your cardholder data environment.

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or test system components, these changes can make a mess out of your rule sets. It’s so easy for someone to unintentionally request an “any” rule which is prohibited in the cardholder data environment. Our best advice is to insert your ISA or someone on the compliance team into the firewall rule change review.

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.