What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard that sets baseline controls around payment card data in order to reduce card fraud. Its purpose is to protect Cardholder Data (CHD), which includes the Primary Account Number (PAN) together with the cardholder name, expiration date and service code, and Sensitive Authentication Data (SAD) such as full track data, card verification codes and PINs, wherever that data is stored, processed, or transmitted. SAD may never be retained after authorization, even in encrypted form.

Compliance is mandatory for any organization that accepts, processes, stores, or transmits cardholder information. The standard applies to organizations of all sizes and is maintained by the PCI Security Standards Council.

Ready to improve how you handle PCI compliance? See how Tufin helps you automate and enforce the controls that matter most. Request a Demo!

PCI DSS is structured around six control objectives (goals), 12 principal requirements, and several hundred sub-requirements and testing procedures. The current version, PCI DSS v4.0 (republished with clarifications as v4.0.1 in June 2024), treats security as a continuous process and expects organizations to embed the controls into business-as-usual activities; the future-dated v4.0 requirements became mandatory on 31 March 2025.

PCI DSS Requirements

PCI DSS v4.0 defines 12 principal requirements that help organizations secure cardholder data and maintain a hardened, audit-ready environment. They span network security controls, secure configuration, protection of stored and transmitted data, access control, logging, and testing. Some are operational or physical, but many bear directly on network security policy, and that is where Tufin applies: network visibility, access enforcement, and change management. All 12 requirements are summarized below; the sections that follow cover the ones Tufin addresses.

Requirement 1: Install and maintain network security controls

Organizations must deploy network security controls (firewalls, routers, cloud security groups and similar) to protect the Cardholder Data Environment (CDE). This includes documented configuration standards, restricting inbound and outbound traffic between the CDE and other networks to what is explicitly necessary with everything else denied, and reviewing network security control configurations at least once every six months to confirm that every rule is still needed.

Requirement 2: Apply secure configurations to all system components

System components must follow hardened configuration standards. This includes removing vendor defaults such as default passwords and disabling unnecessary services, software, or user accounts to reduce the attack surface.

Requirement 3: Protect stored account data

Stored account data must be kept to a minimum, and PAN must be rendered unreadable anywhere it is stored, using strong cryptography with proper key management, truncation, index tokens, or one-way keyed cryptographic hashes of the entire PAN (v4.0 no longer accepts an unkeyed hash, because the small, structured PAN space makes it trivial to brute-force). Sensitive Authentication Data must not be stored after authorization, and PAN must be masked when displayed so that at most the BIN and the last four digits are shown.
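As an added illustration for this page (it is not Tufin's code or anything published by the PCI SSC), the following Python shows the techniques Requirement 3 names, masking, truncation and keyed hashing, and why the v4.0 insistence on a keyed hash matters: if a truncated copy of a PAN sits next to an unkeyed hash of the same PAN, the full PAN is recoverable in seconds. The sample PAN is a well-known test number, and the HMAC key is generated inline only for the demonstration; in production it would live in an HSM or KMS under the Requirement 3.6/3.7 key-management controls.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample: a well-known Visa test number, not a live account.
SAMPLE_PAN = "4111111111111111"

# Demo-only key. Under Req. 3.6/3.7 the real key lives in an HSM/KMS with
# restricted access, rotation and dual control; never hard-code it.
DEMO_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; every issued PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking (Req. 3.4.1): at most the BIN and the last four digits.
    Assumes a six-digit BIN; issuers with eight-digit BINs may show eight."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep the first six and last four digits, drop the rest."""
    return pan[:6] + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN. Not acceptable under v4.0 Req. 3.5.1.1."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA-256 over the entire PAN: a keyed cryptographic hash, which is
    what v4.0 Req. 3.5.1.1 requires when hashing is the chosen method."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, pan_len: int = 16):
    """Attack: a truncated PAN (first six + last four) plus an unkeyed hash of
    the full PAN leaves only 10**(pan_len - 10) middle digits to guess, so the
    PAN falls to exhaustive search in seconds (a Luhn filter would prune the
    space further). Against keyed_hash the same search is useless without the key."""
    head, tail = truncated[:6], truncated[-4:]
    for mid in itertools.product("0123456789", repeat=pan_len - 10):
        candidate = head + "".join(mid) + tail
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("recovered:", recover_pan(truncate_pan(SAMPLE_PAN), unkeyed_hash(SAMPLE_PAN)))
    print("keyed    :", keyed_hash(SAMPLE_PAN))
```

Running `recover_pan` against the truncated PAN and the unkeyed digest returns the full PAN after at most a million SHA-256 calls. That correlation between hashed and truncated copies of the same PAN is exactly what the Requirement 3 guidance warns about, and it is why a keyed hash, with the key protected like any other cryptographic key, is the only hashing method v4.0 accepts.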

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cardholder data must be protected with strong cryptography when transmitted over open, public networks such as the Internet or wireless links. Only secure protocol versions and cipher strengths may be used, only trusted keys and certificates accepted, and an inventory of those keys and certificates maintained. PAN must never be sent unprotected through end-user messaging such as e-mail or instant messaging.

Requirement 5: Protect all systems and networks from malicious software

Anti-malware controls must be deployed on all system components, except those periodically evaluated and documented as not at risk from malware. They must be kept current, run actively, and perform periodic scans or continuous behavioral analysis; v4.0 also requires mechanisms that protect personnel against phishing attacks.

Requirement 6: Develop and maintain secure systems and software

Software must be developed under a secure development lifecycle, and all changes to system components must follow a formal change control process in which each change is documented, tested, and approved. Vulnerabilities must be identified and ranked, with critical and high-risk patches installed within one month of release, and public-facing web applications must be protected by an automated technical solution such as a web application firewall.

Requirement 7: Restrict access to system components and cardholder data by business need-to-know

Access must be limited to individuals whose job responsibilities require it. This is enforced through role-based access, access control lists, and least-privilege policies.

Requirement 8: Identify and authenticate access to system components

Each user must have a unique ID, and shared or group accounts are prohibited except where documented for an exceptional purpose. Multi-factor authentication is required for all non-console administrative access, for all remote network access originating from outside the entity's network, and, under v4.0, for all access into the CDE. Every access event must be attributable to an individual.

Requirement 9: Restrict physical access to cardholder data

Physical access to systems that store, process, or transmit cardholder data must be limited to authorized personnel. Controls include secured entry points, visitor logging, and restricted access to sensitive media.

Requirement 10: Track and monitor all access to network resources and cardholder data

All access to system components and cardholder data must be logged, and each audit record must identify who did what, when, from where and with what outcome. Logs must be protected from alteration, synchronized to a reliable time source, reviewed daily for security-relevant systems (v4.0 expects automated log review mechanisms), and retained for at least 12 months with the most recent three months immediately available for analysis.

Requirement 11: Regularly test security systems and processes

Security controls must be tested to confirm they actually work. This includes internal vulnerability scans at least every three months (authenticated scans under v4.0), external scans every three months by a PCI SSC Approved Scanning Vendor, internal and external penetration testing at least annually and after significant changes, and tests proving that segmentation controls isolate the CDE, at least annually (every six months for service providers).

Requirement 12: Support information security with organizational policies and programs

Organizations must maintain a formal information security policy covering acceptable use, security responsibilities, and risk management, backed by a security awareness program, a tested incident response plan, and oversight of third-party service providers that can affect the security of account data.

Tufin and PCI DSS Compliance

With Tufin, you can operationalize PCI DSS controls through real-time visibility, automated access governance, and audit-ready reporting. Tufin helps you enforce secure segmentation, control every change, and validate compliance without relying on manual processes.

Define and enforce segmentation for the Cardholder Data Environment 

With Tufin, you can build an inventory of the relevant assets in the network and map the boundaries of your Cardholder Data Environment (CDE) on a dynamic topology model. This gives you a clear view of all network segments, traffic paths, and devices in your environment.

Then, integrate your IP address management (IPAM) system to define network segments as Tufin zones. This lets you keep segmentation accurate automatically, without relying on spreadsheets or manual review cycles.

With Tufin’s Unified Security Policy and the PCI DSS template, you can define which connections are allowed into and out of the CDE. Tufin continuously monitors relevant access controls and alerts you if a change violates the policy. 

Lastly, you can also automate your firewall rule reviews. With Tufin, you can identify expiring rules, map them to relevant owners, and route each one through a documented recertification process.

Control changes and enforce least privilege 

Tufin allows you to build secure configurations and policy reviews directly into your change processes, in a way that’s clearly documented for PCI audit reporting.

You can use Tufin policy optimization tools to detect overly permissive, unused, or redundant rules that should be removed. This helps you avoid creating unnecessary exposure in network access controls. When someone requests access to a new system, Tufin ensures that the request is documented, reviewed, risk-assessed, and approved before implementation. Once the change is applied, the platform verifies that it aligns with your segmentation policy.

These steps help you avoid ad-hoc changes and keep access aligned with least-privilege principles, as prescribed by the PCI framework.
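The rule-set review that Requirement 1 asks for every six months, and the pre-change simulation and least-privilege cleanup described in this section, reduce to a few mechanical checks. The Python below is an added example written for this page, not Tufin's code; it models a CDE segmentation policy with the standard library's `ipaddress` module and runs those checks over a constructed rule base. The zones, permitted flows, rule names and addresses are all invented for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

# Constructed zone map; real tooling would pull this from IPAM or the
# discovered topology rather than a hard-coded dict.
ZONES = {
    "CDE":  [ip_network("10.10.0.0/24")],
    "CORP": [ip_network("10.20.0.0/16")],
    "DMZ":  [ip_network("192.0.2.0/24")],
}
ANY = ip_network("0.0.0.0/0")

# Constructed segmentation policy: the only flows permitted to cross the CDE
# boundary, as (src zone, dst zone, protocol, port). Req. 1.3.1/1.3.2 want
# everything else denied.
ALLOWED_FLOWS = {
    ("DMZ",  "CDE",  "tcp", 8443),   # payment front end -> CDE API
    ("CORP", "CDE",  "tcp", 22),     # jump host -> CDE admin
    ("CDE",  "CORP", "udp", 514),    # CDE -> central syslog (Req. 10)
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # None means any port
    action: str = "allow"


def zone_of(net: IPv4Network) -> str:
    """Zone that fully contains net; ANY for 0.0.0.0/0, OTHER if unmapped."""
    if net == ANY:
        return "ANY"
    for name, nets in ZONES.items():
        if any(net.subnet_of(z) for z in nets):
            return name
    return "OTHER"


def overlaps_zone(net: IPv4Network, zone: str) -> bool:
    return any(net.overlaps(z) for z in ZONES[zone])


def rule_findings(rule: Rule) -> list[str]:
    """Findings for one allow rule that touches the CDE (empty list = clean)."""
    findings: list[str] = []
    if rule.action != "allow":
        return findings
    inbound = overlaps_zone(rule.dst, "CDE")
    outbound = overlaps_zone(rule.src, "CDE")
    if not (inbound or outbound):
        return findings
    if inbound and rule.src == ANY:
        findings.append("any source allowed into the CDE")
    if outbound and rule.dst == ANY:
        findings.append("CDE allowed out to any destination")
    if rule.proto == "any" or rule.port is None:
        findings.append("any service across the CDE boundary")
    flow = (zone_of(rule.src), zone_of(rule.dst), rule.proto, rule.port)
    if flow not in ALLOWED_FLOWS:
        findings.append(f"flow {flow} is not in the segmentation policy")
    return findings


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is already matched by outer."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.port in (None, inner.port))


def shadowed_rules(rules: list[Rule]) -> dict[str, str]:
    """Later rules fully covered by an earlier one: redundant if the action is
    the same, unreachable otherwise. Either way the earlier rule is in force."""
    out: dict[str, str] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                out[later.name] = earlier.name
                break
    return out


def review(rules: list[Rule]) -> dict[str, list[str]]:
    """Six-monthly rule-set review (Req. 1.2.7): every rule with findings."""
    return {r.name: f for r in rules if (f := rule_findings(r))}


def check_change(rules: list[Rule], proposed: Rule) -> tuple[bool, list[str]]:
    """Pre-implementation simulation of a requested rule: approve only if it
    adds no finding and is not already covered by an existing rule."""
    findings = rule_findings(proposed)
    for existing in rules:
        if covers(existing, proposed):
            findings.append(f"already covered by rule {existing.name!r}")
    return (not findings, findings)


# Constructed rule base in firewall order.
RULES = [
    Rule("pos-to-cde", ip_network("192.0.2.0/24"),  ip_network("10.10.0.0/24"), "tcp", 8443),
    Rule("jump-ssh",   ip_network("10.20.5.10/32"), ip_network("10.10.0.0/24"), "tcp", 22),
    Rule("temp-any",   ANY,                          ip_network("10.10.0.0/24"), "any", None),
    Rule("cde-syslog", ip_network("10.10.0.0/24"),  ip_network("10.20.0.0/16"), "udp", 514),
    Rule("old-vendor", ip_network("10.20.7.0/24"),  ip_network("10.10.0.0/24"), "tcp", 3389),
]
# Two constructed access requests to simulate before implementation.
PROPOSED_DB = Rule("new-db", ip_network("10.20.0.0/16"), ip_network("10.10.0.0/24"), "tcp", 1433)
PROPOSED_JUMP = Rule("new-jump", ip_network("10.20.5.11/32"), ip_network("10.10.0.0/24"), "tcp", 22)

if __name__ == "__main__":
    print("review   :", review(RULES))
    print("shadowed :", shadowed_rules(RULES))
    print("new-db   :", check_change(RULES, PROPOSED_DB))
    print("new-jump :", check_change(RULES, PROPOSED_JUMP))
```

`review(RULES)` flags `temp-any` (any source, any service, and a flow the policy never permitted) and `old-vendor` (an RDP flow nobody documented), while `shadowed_rules(RULES)` shows that the any/any rule silently covers `old-vendor`, so the permissive rule is the one actually in force. `check_change` rejects the SQL Server request because the flow is not in the policy, and until `temp-any` is removed it also rejects a perfectly legitimate second jump host as "already covered", which is the practical reason overly permissive rules get cleaned up before new access is approved.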

Monitor access and validate compliance continuously

Tufin gives you a clear and searchable audit trail of every policy change across your network. The platform records who made the change, when it was made, and why, including ticket references.

You can simulate changes before they are implemented to identify potential risks or compliance violations. If a proposed change would violate PCI guidelines for restricting access to the CDE, the platform alerts you in advance. You can also integrate Tufin with vulnerability scanners to ensure new access paths do not expose unpatched or exploitable systems to untrusted networks.

This simplifies audit reporting: you can demonstrate continuous compliance with the access-control requirements and show that the controls are working as intended.

Maintain a continuous state of audit readiness

Tufin helps you produce evidence for PCI audits without starting from scratch. You can generate on-demand reports, verify historical change data, and show auditors that segmentation, access control, and change management policies are being enforced at all times.

Tufin Capabilities Mapped to PCI DSS

 

| PCI Req | Control Area | Tufin Capability | Compliance Outcome |
|---|---|---|---|
| 1.2, 1.3 | Network Segmentation | SecureTrack, USP (Unified Security Policy) | Visualize and enforce CDE boundaries |
| 6.5 | Change Control | SecureChange | Automate and document access change workflows |
| 7.2 | Least Privilege | SecureTrack, SecureChange | Remove overly permissive rules and enforce least privilege |
| 10.2 | Audit Logging | SecureTrack | Maintain a complete and accurate audit trail |
| Audit Prep | Evidence Generation | SecureTrack Reporting | Create on-demand, real-time reports for PCI audits |