ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

How to Manage PCI DSS Compliance Using Zero Trust Principles.


Many companies have implemented work-from-home policies, which challenge how PCI DSS compliance has been traditionally managed.

The Payment Card Industry Data Security Standard (PCI DSS) is a standard established by the major payment card brands and maintained by the PCI Security Standards Council (PCI SSC). It sets out requirements for securely processing, storing or transmitting payment card data, aims to protect organizations and their customers against payment card fraud, and is made up of 12 requirements (control objectives) that together protect the payments ecosystem. The PCI SSC has maintained the standard since 2006, giving organizations a framework they can use to implement, maintain and measure the security of their cardholder data environment (CDE). Then the lockdown happened, forcing organizations across the globe to allow employees to work remotely.

Today more and more organizations operate remotely and allow employees to work from home. This presents a bigger risk for organizations that process, store or transmit payment card data, because cardholder data is now handled on endpoints and home networks the organization does not fully control. Achieving and maintaining PCI DSS compliance has become more challenging, and yet more important than ever. This post introduces Zero Trust principles and encourages organizations to apply them across all 12 requirements of the PCI DSS.

What are Zero Trust Principles?
Zero Trust principles hold that an organization should assume attackers may already be present on its internal network as well as outside it, and should implement controls accordingly. No machine or user is trusted simply because it sits on the organization's network; every access request is authenticated and authorized on its own merits. Organizations must therefore examine their access controls and adopt least-privilege access across all processes.

Here are the 12 requirements of the PCI DSS applied to Zero Trust Principles:

Requirement 1 – Building and maintaining a secure network.
Personal (host-based) firewall software must run on every device employees use to reach the cardholder data environment, including any personal devices permitted by policy. The firewall ruleset must allow only the traffic that is actually required, and employees must not be able to modify or disable the firewall software.

Requirement 2 – Secure Configuration Standards
In addition to maintaining an up-to-date inventory of workstations, the organization's system configuration standards (hardening baselines with vendor-supplied defaults removed) must also be enforced on the workstations of employees working from home, and compliance with those standards verified by configuration scans.

Requirement 3 – Protecting Stored Cardholder Data
With many employees working remotely, card data discovery scanning must be run more frequently and extended to remote workstations. There must be a clear process for running automated scans, securely deleting or truncating any cardholder data found outside approved storage, and reducing the exposure of full card numbers (PANs).
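As an added example (not part of the original post, and not ControlCase's Card Data Discovery product), the core of an automated PAN discovery scan in Python: find digit runs that look like card numbers, keep only those that pass the Luhn check that all major card brands use, report them with the PAN masked to first six and last four digits (the display form PCI DSS 3.3 permits), and optionally redact them in place. The regular expression, the masking rule and the sample log excerpt are constructed for this example; the two card numbers in it are well-known test numbers, not real accounts.

```python
import re
from typing import List, NamedTuple

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# neither preceded nor followed by another digit (so a 20-digit ID is not matched).
# Pattern constructed for this example; production scanners also handle OCR noise,
# archives, binaries and brand-specific BIN ranges.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked_pan: str  # first six and last four digits only; never log the full PAN


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit validation; filters most phone numbers, order IDs, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _candidate_digits(match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> List[Finding]:
    """Return one masked finding per Luhn-valid PAN candidate, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = _candidate_digits(match)
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; other numbers are untouched."""
    def _replace(match):
        digits = _candidate_digits(match)
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(_replace, text)


# Constructed sample: a log excerpt a remote worker might have saved locally.
# 4111 1111 1111 1111 and 378282246310005 are public test card numbers;
# 1234567890123456 is 16 digits but fails Luhn; 555-123-4567 is too short.
SAMPLE = """\
2023-03-01 order=1042 card=4111 1111 1111 1111 status=approved
2023-03-01 order=1043 ref=1234567890123456 status=declined
support ticket: customer phone 555-123-4567, amex 378282246310005
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"line {f.line_no}: PAN found, masked {f.masked_pan}")
    print(redact_pans(SAMPLE))
```

The Luhn filter is what keeps the scan usable: a bare 13-to-19-digit regex flags order numbers and timestamps on almost every line, while roughly one in ten random digit strings passes Luhn, so remaining hits still need a short triage step before the "remove or truncate" part of the process runs. Findings carry only the masked PAN so the scan report itself does not become another place full card numbers are stored.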

Requirement 4 – Protecting Cardholder Data in Transmission
In addition to using an encrypted VPN connection, remote employees must access web applications only over HTTPS with TLS 1.2 or higher; older SSL and TLS versions must be disabled. Sending cardholder data over unapproved email, chat or other end-user messaging channels must be strictly prohibited.

Requirement 5 – Antivirus and Malware
It goes without saying: an antivirus or anti-malware solution that users cannot disable, and that is updated regularly, must be installed on all systems.

Requirement 6 – Securing Applications
Clear segregation and regular patch management are needed here. Development workstations should not be able to reach production environments, and remote workstations must receive security patches on the same schedule as on-premises systems.

Requirement 7: Access Control
Access to any system within the cardholder data environment must be denied by default and granted only to employees whose role has a documented business need. Access must be on a need-to-know basis with least privilege.

Requirement 8: User IDs and Authentication
Without exception, all remote workers must use multi-factor authentication to connect to the cardholder data environment; PCI DSS requires it for all remote network access originating from outside the organization's network.

Requirement 9: Physical Security
With employees working from home, organizations must ensure that full cardholder data cannot be viewed, printed or downloaded onto home equipment. Physical reviews of data centers, which an assessor would normally perform on site, may now need to be completed remotely using time-stamped cameras and CCTV footage.

Requirement 10: Logging and Monitoring
Security-relevant activity on remote employees' workstations must be logged, and the logs forwarded frequently to a designated central log server so they can be reviewed and cannot be altered locally. Workstation clocks must be synchronized with the organization's time source so that events can be correlated.

Requirement 11: Vulnerability Management
Internal vulnerability scanning and penetration testing must be performed using scenarios that emulate the working-from-home user, for example a compromised home workstation connecting over the VPN.

And finally;

Requirement 12: Policies and Procedures
It is more important than ever to communicate the risk introduced by having employees work from home. Information security training and awareness must be provided so that security and compliance goals are a business-as-usual consideration across the entire organization.

Conclusion
The above list shows how each PCI DSS requirement can be addressed using Zero Trust principles. Managing security is still no easy task, however. Wherever possible, organizations should use technology to automate processes, increase accuracy and reduce risk.

There are three key areas in which an organization can simplify PCI DSS compliance management by using technology to implement Zero Trust principles:
1. Automation – by automating remote scanning, testing and evidence collection, organizations save time and reduce risk while employees work from home.
2. CCTV and cameras – these provide a mechanism for remote assessments leading to PCI DSS certification.
3. Making PCI DSS compliance business as usual – organizations must develop, implement and maintain a continuous compliance program that includes more frequent reviews and scans across the entire network.
