If you accept Visa, Mastercard, or AMEX, you must follow PCI DSS. It is not optional. It is a contractual obligation. Failing an audit can lead to massive fines or the revocation of your ability to process payments (which kills the business).
The Goal: Protect the PAN
Everything revolves around the **PAN (Primary Account Number)**. The 16 digits on the card.
Rule #1: If you don't need it, don't store it.
Rule #2: NEVER store the CVV (the 3 digits on the back) after authorization. It is illegal.
1. The 12 Requirements (PCI DSS v4.0)
The standard is grouped into 6 objectives covering 12 requirements.
- Req 1: Install and maintain Firewalls. (No "Any/Any" rules).
- Req 2: Do not use vendor defaults (Change 'admin/admin').
- Req 3: Protect stored cardholder data (Encryption at rest).
- Req 4: Encrypt transmission over public networks (TLS 1.2+ only).
- Req 5: Protect systems against malware (Antivirus).
- Req 6: Develop secure systems (Code review, Patching).
- Req 7: Restrict access by business need (RBAC).
- Req 8: Identify and authenticate access (MFA is mandatory).
- Req 9: Restrict physical access (Badges, Cameras).
- Req 10: Track and monitor all access (Logging).
- Req 11: Regularly test security processes (Penetration Testing).
- Req 12: Maintain a policy (Governance).
2. Scope Reduction: The Smart Way
Compliance is expensive. The best way to be compliant is to reduce the scope.
The CDE (Cardholder Data Environment): This includes every person, process, and system that stores, processes, or transmits card data, plus anything connected to them.
- If your web server processes the card, your entire web server is in scope.
- If your web server talks to the database, the database is in scope.
- If the admin logs into the web server from their laptop, the laptop is in scope.
2.1. Network Segmentation
Put the CDE on a completely separate VLAN. Put a Firewall between the CDE VLAN and the Corporate VLAN.
Now, your Corporate VLAN (10,000 employees) is Out of Scope, provided the segmentation actually holds (the pentest in Req 11 has to confirm that nothing crosses it). You save millions in audit costs.
2.2. Tokenization
Don't touch the card data. Use a payment processor (Stripe/Braintree).
1. Customer types card into an iFrame hosted by Stripe.
2. Stripe returns a "Token" (`tok_12345`) to your server.
3. You store the Token. You charge the Token.
Result: Real card numbers NEVER touch your servers. You qualify for SAQ-A (Self-Assessment Questionnaire), which is much easier.
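"Real card numbers never touch your servers" is a claim you should enforce and monitor, not just hope for: a customer can still paste a PAN into a notes field, or a debug log can capture a form body. The following Go program is an added example (not code from the original page or from Stripe) of the server-side guard that keeps the SAQ-A story true: it accepts only a processor token in the payment field, detects anything that looks like a PAN (13 to 19 digits that pass the Luhn check) and redacts it from log lines down to the first 6 and last 4 digits. The `tok_` prefix and the log line format are assumptions; the 4111... number is the widely published test PAN, not a real card.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// panPattern matches runs of 13 to 19 digits, optionally separated by spaces or dashes,
// which is how a PAN usually shows up in a form field or a captured request body.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// tokenPattern is the only thing the payment field may contain (assumed processor token format).
var tokenPattern = regexp.MustCompile(`^tok_[A-Za-z0-9]+$`)

// luhnValid reports whether a digit string passes the Luhn check-digit test that every PAN satisfies.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // not a digit
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func stripSeparators(s string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(s)
}

// looksLikePAN filters regex hits: PAN length and Luhn-valid (weeds out order ids, timestamps, etc.).
func looksLikePAN(digits string) bool {
	return len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits)
}

// findPANs returns every candidate card number in text, as written (separators kept).
func findPANs(text string) []string {
	var found []string
	for _, m := range panPattern.FindAllString(text, -1) {
		if looksLikePAN(stripSeparators(m)) {
			found = append(found, m)
		}
	}
	return found
}

// maskPAN keeps the first 6 and last 4 digits, the most Req 3 allows to be displayed, and hides the rest.
func maskPAN(pan string) string {
	digits := stripSeparators(pan)
	if len(digits) < 13 {
		return strings.Repeat("X", len(digits))
	}
	return digits[:6] + strings.Repeat("X", len(digits)-10) + digits[len(digits)-4:]
}

// redact rewrites a log line so that no PAN reaches storage (Req 10 logs are in scope too).
func redact(text string) string {
	return panPattern.ReplaceAllStringFunc(text, func(m string) string {
		digits := stripSeparators(m)
		if looksLikePAN(digits) {
			return maskPAN(digits)
		}
		return m
	})
}

// acceptPayment is the gate in front of the charge handler: a raw PAN is refused before it can be
// logged or stored, and anything that is not a processor token is refused as well.
func acceptPayment(paymentField string) error {
	if len(findPANs(paymentField)) > 0 {
		return errors.New("raw card number rejected: send the processor token instead")
	}
	if !tokenPattern.MatchString(paymentField) {
		return errors.New("payment field is not a processor token")
	}
	return nil
}

func main() {
	// Constructed sample log line; 4111 1111 1111 1111 is a published test PAN, 1234... is a plain order id.
	line := `2024-05-01 POST /charge card="4111 1111 1111 1111" order=1234567890123456`
	fmt.Println(redact(line))
	fmt.Println(acceptPayment("tok_12345"))
	fmt.Println(acceptPayment("4111111111111111"))
}
```

The Luhn filter matters: a bare 16-digit regex would redact order numbers and timestamps too, and noisy redaction is what gets such a filter switched off. Run the same `redact` over anything that leaves the request handler (logs, error reports, analytics events), not only the payment field.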
3. Encryption Requirements
If you MUST store the data (e.g., you are a Bank), you must encrypt it.
Key Management: This is the hard part. You cannot store the Encryption Key next to the Encrypted Data. (That's like taping the key to the safe).
Use an HSM (Hardware Security Module) or a KMS (Key Management Service) to store the keys separately.
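The "keys separate from data" rule is usually implemented as envelope encryption: each record gets its own data-encryption key (DEK), the DEK is encrypted (wrapped) by a key-encryption key (KEK) that never leaves the HSM or KMS, and the database stores only the wrapped DEK next to the ciphertext. The Go program below is an added example, not code from the page; `keyService` is a stand-in for the KMS/HSM that exposes only wrap and unwrap, and the record layout, the `dek-wrap` label and the customer id binding are this example's assumptions. It uses AES-256-GCM from Go's standard library and shows that the stored record is useless without the key service and cannot be moved to a different customer's row.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyService stands in for an HSM/KMS. The KEK is generated inside it and is never returned to the
// application; the only operations exposed are WrapDEK and UnwrapDEK.
type keyService struct {
	kek []byte // 256-bit key-encryption key
}

func newKeyService() (*keyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &keyService{kek: kek}, nil
}

// gcmSeal encrypts with AES-GCM under a fresh random nonce and returns nonce || ciphertext+tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; any change to ciphertext, nonce, key or aad makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (k *keyService) WrapDEK(dek []byte) ([]byte, error)   { return gcmSeal(k.kek, dek, []byte("dek-wrap")) }
func (k *keyService) UnwrapDEK(w []byte) ([]byte, error)   { return gcmOpen(k.kek, w, []byte("dek-wrap")) }

// CardRecord is what lands in the database: a wrapped DEK and the ciphertext. No key, no PAN.
type CardRecord struct {
	CustomerID string
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptPAN creates a per-record DEK, encrypts the PAN under it with the customer id as associated
// data (so the blob cannot be copied to another customer's row), wraps the DEK and drops the plaintext DEK.
func encryptPAN(ks *keyService, customerID, pan string) (CardRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CardRecord{}, err
	}
	ct, err := gcmSeal(dek, []byte(pan), []byte(customerID))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{CustomerID: customerID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptPAN needs the key service: without it the record is just random-looking bytes.
func decryptPAN(ks *keyService, rec CardRecord) (string, error) {
	dek, err := ks.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := gcmOpen(dek, rec.Ciphertext, []byte(rec.CustomerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// leaksPAN is a self-check an auditor would appreciate: the stored bytes must not contain the PAN.
func leaksPAN(rec CardRecord, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan)) || bytes.Contains(rec.WrappedDEK, []byte(pan))
}

func main() {
	ks, err := newKeyService()
	if err != nil {
		panic(err)
	}
	// Constructed sample: 4111111111111111 is a published test PAN, not a real card number.
	rec, err := encryptPAN(ks, "cust_42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("record leaks PAN:", leaksPAN(rec, "4111111111111111"))
	fmt.Println(decryptPAN(ks, rec))
}
```

With this layout, rotating the KEK means re-wrapping the small DEKs inside the key service, not re-encrypting every card record, and a database dump on its own gives an attacker nothing to work with because the KEK never left the HSM/KMS.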
4. Penetration Testing (Req 11)
You must perform an internal and external pentest at least annually and after any significant change.
You must also perform vulnerability scans quarterly.
Conclusion
PCI DSS is often seen as a burden, but it is actually a very solid baseline security framework. If you follow PCI DSS, you are 90% of the way to being secure against most threats.