PCI & CIS: Partners in Payment Data Security

A transaction occurs every time you swipe your payment card or enter your payment details online. But have you stopped to think how those payment transactions are protected?The Payment Card Industry Security Standards Council (PCI SSC) is at the forefront of this work. It provides data security standards and programs that can help your business detect, mitigate, and prevent cyber attacks.In this blog post, we'll review how the PCI SSC and the Center for Internet Security® (CIS®) work together to increase payment data security everywhere.

PCI DSS: The Beginning of a Global Forum

In 2004, the founding four members of the PCI SSC introduced the Payment Card Industry Data Security Standard (PCI DSS) to help prevent credit card fraud. Today, there are 54 PCI Board of Advisors members, including Phil White, Director of the CIS Benchmarks™. The Board of Advisors represents a global team of strategic partners who are dedicated to securing payment data. Each member of the Board brings industry, geographical, and technical insight to PCI SSC initiatives.

CIS has long worked with the financial sector to secure its data. In fact, CIS Benchmarks are referenced in the PCI Data Security Standard. It only makes sense as an industry leader of standards and technology that we share our experience and insight into the PCI Council’s plans and projects. CIS began working with the PCI Board of Advisors in 2018. It has been a rewarding experience to collaborate with global leaders dedicated to the same mission and goals of securing data and transactions in a connected world.

Phil White
Director of Benchmarks

Achieving PCI DSS Compliance as a Process

If you're involved in payment processing transactions, you're responsible for ensuring compliance to PCI DSS. This responsibility may seem daunting, but it doesn’t have to be if treated as an ongoing process throughout the year rather than a one-time project. You can embrace this shift in approach using the benefits, resources, and tools of a CIS SecureSuite® Membership.

Weaving PCI DSS Compliance into CIS Security Best Practices

PCI DSS references CIS resources to help protect payment card data. This means you can use the CIS Critical Security Controls® (CIS Controls®) and Benchmarks to help achieve PCI DSS compliance.Developed by a community of cybersecurity experts and IT professionals from around the world, the Controls and Benchmarks provide security best practices for protecting your data and hardening your systems. Specifically, the Controls consist of 18 prioritized best practices that IT teams can implement to help prevent cyberattacks.The Benchmarks builds upon the foundation laid by the Controls by providing secure configuration recommendations for a wide variety of technologies. CIS has more than 100 CIS Benchmarks across 25+ vendor product families, including servers, operating systems, and cloud infrastructure.

How CIS Helps to Simplify Your PCI DSS Efforts

PCI DSS provides a comprehensive set of requirements to secure payment account data worldwide. You can use CIS security best practices to build a foundation for your PCI-compliant cyber defense program. Indeed, PCI DSS Requirement 2.2, "System components are configured and managed securely," explicitly references the Benchmarks for hardening your systems. When combined with our mapping of the CIS Controls v8 to PCI DSS v4.0, the CIS Benchmarks can help you navigate multiple aspects of PCI compliance, including:

• Firewall and Router Configurations
• Patch Management
• Access Control
• Change Control

Want to take an even more deliberate approach using CIS security best practices? This is where a CIS SecureSuite Membership can help. When you become a Member, you gain access to CIS-CAT^®  Pro Dashboard, a tool which helps you to visualize the impact of your hardening efforts over a recent period of time using a graphic interface. In using CIS-CAT Pro Dashboard, you can gain greater visibility into machines that are subject to PCI DSS compliance, information which you can then use to audit and measure CIS Benchmark conformance on a specific group of endpoints. Best of all, each CIS-CAT Pro report includes remediation steps for non-compliant settings, which means you’ll know what to do to improve your configuration audit scores.

A SecureSuite Membership also comes with access to CIS CSAT Pro. This tool is designed to help you track and prioritize your implementation of the Controls. It includes the ability to create and assign implementation tasks at the CIS Safeguard level, thus helping you and your team members formalize your program of strengthening your cybersecurity defenses while complying with PCI DSS.

Want to learn more about meeting your compliance commitments with a SecureSuite Membership? Check out our video below.