IP Fabric and PCI Compliance - Part 1: An Introduction

3 minute read

Co-authored by Solution Architect Dan Kelcher and content specialist Alex Bonehill

PCI compliance is a hot topic that has to be addressed by any organization that accepts, transmits, or stores private cardholder data (CHD). To this end, the PCI Security Standard Council (PCI SSC) has set out twelve key requirements, referred to as the PCI Data Security Standards (PCI DSS). Organizations must be able to prove that they abide by these standards in order to be deemed PCI compliant. But what do they have to prove exactly?

What does PCI compliance entail?

The requirements consist of technical and operational standards that businesses must follow to secure and protect card data transmitted through card processing transactions. The requirements listed by the PCI SSC are as follows:

  • Install and maintain a firewall configuration to protect CHD
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored CHD
  • Encrypt transmission of CHD across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by “business need to know”
  • Assign a unique ID to each person with computer access
  • Restrict physical access to CHD
  • Track and monitor all access to network resources and CHD
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

Ensuring compliance with these twelve requirements is essential for businesses - whilst there is not currently a specific legal mandate in place that requires organizations to prove PCI compliance, it is regarded as mandatory through both previous court precedent, and organizational requirements to maintain a secure environment for sensitive CHD. Failure to meet these requirements can result in fines of $5,000 per month and can even extend to having the ability to accept credit cards being revoked. This is without even mentioning the possibility of having a lawsuit levied against an organization in case of any data breaches involving CHD. Aside from these ramifications for failure to ensure compliance, it is also a good business practice for ensuring customer trust and maintaining a favorable brand reputation that emphasizes data security.

So now that we know what the 12 requirements are, and what could happen if these are not satisfied, it should be plain sailing towards PCI compliance, right? Not necessarily.

12 requirements...for now?

Ensuring compliance can be a daunting task, as the list of technical requirements, coupled with the often-complex nature of enterprise-level networks in this modern age, can lead some to rightly worry about whether they are fully covered in the face of an upcoming PCI compliance audit. Even those organizations that are currently PCI compliant should not rest on their laurels, with the new PCI DSS 4.0 release on the horizon. From March 31st, 2024, release version 3.2.1 will be retired, with the new 4.0 standard due to be released in its place. Consisting of 360 pages, complete with a change document comprising 20 pages of changes, the 4.0 release is bound to feature a number of curveballs for organizations – from new requirements being introduced, to some previous recommendations becoming binding requirements. A compliant system today, may not be so come 2024.

In order to determine whether some of these compliance requirements are met, and in the face of these upcoming changes in 2024 with the PCI DSS 4.0 release, it is essential that businesses first know their network. This in itself could be considered an essential pre-requisite to determining compliance for many organizations, and this is where IP Fabric can help.

In this short series of blog pieces, we will dive into how IP Fabric’s Automated Network Assurance Platform can help you gain full visibility of your network and can give you the insight you need when determining the scope of your next PCI compliance audit.

Get IP Fabric

Request a demo and discover how to increase 
your networks visibility & get better time efficiency.
Free Demo | Zero Obligation
Request a Demo

Where we fit in

IP Fabric is not a one-sized-fits-all tool that will help you conquer PCI compliance, meaning that not all of the 12 PCI DSS requirements will be covered in this short blog series.

Instead, our platform is able to assist you by providing a detailed visualization and overview of your network at a point-in-time, which can be used to verify some of the essential requirements set out by the PCI DSS, and also help you to limit the scope of your next audit to only the necessary components of your network, saving you both time and additional cost. Think of IP Fabric as part of your toolkit for ensuring PCI compliance - It can't do everything, but if used correctly, it can greatly relieve the burden of ensuring PCI compliance and make matters simpler.

Check back soon for the first part of our in-depth analysis on how IP Fabric can help provide you with the assurance you need before your next PCI compliance audit.

Please follow our LinkedIn or blog, where we are sharing new content regularly. If you are interested in seeing what IP Fabric can do to help you gain visibility in the darkest corners of your network, please request a demo.

Get IP Fabric

Request a demo and discover how to increase
your networks visibility & get better time efficiency.
Free Demo | Zero Obligation
Request a Demo
We're Hiring!
Join the Team and be part of the Future of Network Automation
Available Positions
IP Fabric, Inc.
115 BROADWAY, 5th Floor
NEW YORK NY, 10006
United States
This is a block of text. Double-click this text to edit it.
Phone : +1 (914) 752-2991
Email : [email protected]
IP Fabric s.r.o.
Kateřinská 466/40
Praha 2 - Nové Město, 120 00
Czech Republic
This is a block of text. Double-click this text to edit it.
Phone : +420 720 022 997
Email : [email protected]
IP Fabric, Inc. © 2022 All Rights Reserved