### PCI-DSS v3.2 Overview
The Payment Card Industry Data Security Standard (PCI-DSS) v3.2 is an essential framework designed to ensure the secure handling of credit card information by businesses. Developed by the Payment Card Industry Security Standards Council (PCI SSC), its purpose is to protect cardholder data from theft and fraud. It is aimed at Chief Information Security Officers (CISOs), security professionals, IT managers, and any entity involved in processing, storing, or transmitting credit card information, and it is pivotal for maintaining trust in the financial transactions ecosystem.
### Key Components/Pillars
PCI-DSS v3.2 consists of six main components or pillars that underline its comprehensive approach to security:
1. **Build and Maintain a Secure Network and Systems**: Installing and maintaining firewall configurations to protect cardholder data, together with secure configuration of the systems themselves.
2. **Protect Cardholder Data**: Protecting stored cardholder data and safeguarding data during transmission across open, public networks.
3. **Maintain a Vulnerability Management Program**: Establishing protective measures against malware and keeping anti-virus software and programs regularly updated.
4. **Implement Strong Access Control Measures**: Restricting access to system information and operations on a need-to-know basis, with a unique ID for each person with computer access.
5. **Regularly Monitor and Test Networks**: Continuously testing security systems and processes.
6. **Maintain an Information Security Policy**: Maintaining a formal policy that addresses information security for all personnel.
### Guidelines/Controls
**Governance and Risk Management**: The framework prioritises a governance structure with clear accountability and establishes risk management processes that identify and assess risks to cardholder data.
**Personnel Security**: PCI-DSS v3.2 mandates background checks for employees with access to sensitive data and requires that they be educated on security policies.
**Physical Security**: Ensuring the physical protection of systems and data through access control systems and monitoring.
**System Hardening and Configuration**: Removal of unnecessary functionalities and the secure configuration of systems to protect against vulnerabilities.
**Access Control**: Limiting access to cardholder data by business need-to-know, implementing strong access control measures.
**Cryptography**: Use of strong cryptography and security protocols to protect cardholder data during transmission over open, public networks.
**Incident Response**: Establishment of an incident response plan that is tested and can be activated in the event of a security breach.
### Implementation and Compliance
The approach recommended by PCI-DSS v3.2 for implementation and compliance is based on a risk assessment model. Entities are encouraged to prioritise their efforts on the most critical vulnerabilities. For compliance, the standard supports various validation mechanisms, including self-assessment questionnaires and external audits by Qualified Security Assessors (QSAs). The PCI SSC also offers certification programs to validate compliance.
### Additional Resources
The PCI SSC provides an array of resources, including advisories, alerts, and training to support entities in meeting the PCI-DSS v3.2 requirements. For further information, entities can visit the official PCI SSC website and access detailed documentation at [https://www.pcisecuritystandards.org/](https://www.pcisecuritystandards.org/).
### Benefits and Adoption
Adopting PCI-DSS v3.2 helps organisations protect sensitive cardholder information, reduce the risk of data breaches, and maintain customer trust. Its adoption is widespread across sectors including retail, banking, and online merchants. The framework's structured approach to security, combined with compliance validation mechanisms, ensures that organisations can meet the high standards required for protecting payment card information.
The comprehensive nature of PCI-DSS v3.2, covering everything from governance to incident response, makes it an essential standard for any organisation involved in the processing, storage, or transmission of credit card data.