PCI DSS Compliance Resources

If you’re just getting started on your PCI compliance journey, it can be pretty daunting to figure out where to get information. This page is not a comprehensive list of all the resources available online to help with PCI DSS compliance. It does contain links to some of the most useful resources I’ve found over the years. Please get in touch if you think there’s anything significant missing from here.

PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) is the body originally formed by five card brands (American Express, Discover, JCB, MasterCard, and Visa). The Council, as it’s sometimes known, is responsible for maintaining the PCI Data Security Standard (PCI DSS) and related security standards and programs.

PCI Data Security Standard (PCI DSS)

The PCI SSC document library for the current version of PCI DSS, v3.2.1, is linked here. Note that the site is set up to require accepting their agreement before you can open these documents, so I can’t link directly to them. Important documents in the library are:

  • PCI DSS – the security standard itself. This lays out the basic requirements in order for an organization to be PCI DSS compliant.
  • PCI DSS ROC Reporting Template – the template report an auditor will fill in if you are subject to an on-site audit. This template goes into more detail than the PCI DSS itself on what is needed to demonstrate compliance. In practice, you should work from the ROC Reporting Template when designing your PCI compliance program.
  • Prioritized Approach Tool – a spreadsheet tool designed to assist you in your journey to PCI DSS compliance. Note that while this can help you identify areas to focus on using a risk-based approach, you must address all PCI DSS requirements to be found compliant. This tool just helps you get the biggest ROI, from the PCI SSC perspective, early on in the process.

PCI SSC Approved Provider Lists

For certain activities within the scope of PCI compliance, you must use a vendor approved by the PCI SSC. These include your auditor (Qualified Security Assessor / QSA), external scanning vendor (Approved Scanning Vendor / ASV), and if you get breached, the forensic investigator (PCI Forensic Investigator / PFI).

The PCI SSC also maintains a list of Qualified Integrator & Reseller (QIR) companies. These are companies that have demonstrated an ability to correctly implement PCI PA-DSS compliant payment applications at customer sites. Some card brands require that level 4 merchants use a QIR to deploy their payment applications, rather than trusting the merchant to do it themselves.

Each of these is required to regularly re-certify with the PCI SSC. When you choose a provider for one of these roles, you have an obligation to check that the company you’re working with, and in some cases even the individual employee, is currently in good standing – if not, then any services they provide may not be considered valid.

You must also verify that the firm in question is allowed to provide the services in your region. For example, a QSA that is only registered to provide services in North America can’t audit a company operating in Australia.

AOC Templates

If you complete a PCI Self-Assessment Questionnaire, you’ll need to create your own Attestation of Compliance (AOC). Templates for various types of company are published by the PCI SSC. We maintain a guide to selecting the right PCI AOC template.

Card Brands

The various card brands all operate their own information security programs, of which PCI DSS is one component part. While many card brands maintain global lists of approved service providers, the specific requirements may be devolved to a regional level. It’s possible that Visa U.S. may have some different rules from Visa Europe, so when reviewing their online guidance it’s always worth checking that it’s appropriate for your specific region.

MasterCard

MasterCard’s information security program is known as the MasterCard Site Data Protection (SDP) Program. This builds on PCI DSS, and defines compliance tiers such as the specific levels of merchant and service provider.

One key requirement is that all merchants and service providers who use a third-party-provided payment application must use applications which are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS).

Like other card brands, MasterCard maintains a list of service providers who have successfully completed PCI DSS level 1 audits within the last year.

Visa

Visa’s information security program is known as the Visa Cardholder Information Security Program. This builds on PCI DSS, and defines compliance tiers such as the specific levels of merchant and service provider.

Like other card brands, Visa maintains a searchable list of service providers who have successfully completed PCI DSS level 1 audits within the last year.

Blogs

There are a number of blogs produced by members of the PCI community, including the PCI SSC themselves.

PCI Security Standards Council

The PCI SSC blog is called PCI Perspectives. It’s both an announcement blog, and also contains tips on achieving and maintaining compliance from the perspective of the PCI SSC themselves.

QSA Blogs

A number of PCI QSAs maintain their own blogs. Newcomers to PCI compliance are frequently tripped up by some of the requirements, where the intuitive approach to addressing an item may not be considered sufficient by your QSA. These QSA blogs often dig into the rationale behind some of the less intuitive interpretations of the PCI DSS, and are well worth following.

  • PCI Guru – Jeffrey Hall, writing as PCIGuru, is a well known and respected QSA. He’s published good in-depth posts on various technical topics, and years ago published a sample Ultra Secure Network design.
  • PCI Ramblings – maintained by Wayne Murphy, this blog has some extremely in-depth posts on topics including management of compliance scope while using shared services like Microsoft Active Directory.
  • PCI Blog – provides multiple resources including a PCI DSS news feed, lists of free and commercial software to streamline compliance, and discussion forums.
  • thePCI Portal – written by Shawn Lukaschuk, features mostly short articles commenting on current PCI topics, and also links to news stories of interest to the PCI community.
  • Branden Williams is an IT security consultant who writes on various topics including PCI. Of note, he’s also written a tool that can estimate the revenue generation ability of the PCI SSC itself!
  • Froud on Fraud – David Froud is a security consultant who writes on a variety of topics related to payments security. His essays tend to have a particular focus on governance, rising above the technical nuts and bolts of operational security.

YouTube

The PCI SSC maintains its own YouTube channel full of content they’ve created. Given how important PCI DSS compliance is to so many businesses, the number of subscribers to this channel is depressingly low. Despite this, they keep posting new content regularly, so somebody has decided that this is worth funding as an outreach exercise.

Considering that everything here is official communications from the PCI SSC, and it is relatively low volume, this channel is well worth subscribing to. Much of the material here is actually aimed more at operating security awareness programs, such as cartoons illustrating what are the 12 basic requirements of PCI DSS, or how to choose a strong password. So if you’re looking for material to include in your own company security awareness program, you might well find something here.

Discussion Forums

Reddit

Believe it or not, PCI compliance has made it all the way to Reddit. There are actually two separate subreddits dedicated to PCI compliance topics:

  • /r/pcicompliance – of the two, this is the more active and has the larger user community. It also has a Wiki, although it’s in need of some updates.
  • /r/pci – lower volume, but still worth searching if you’re looking to see if a question has already been answered. This sub is actually the older of the two.

There are also some other subreddits which are not PCI-specific, but cover topics you need to address for PCI compliance:

  • /r/netsec – Information Security News & Discussion
  • /r/sysadmin – Quite a bit of work to comply with PCI DSS falls on sysadmins and network engineers
  • /r/SOC2 and /r/HIPAA – companies dealing with PCI compliance topics are often also subject to one of these audits, depending on their industry

IRC Channels

Back in the days before Slack, we had IRC. If you’re looking to discuss a security or compliance topic, consider ##CompSec where a bunch of Security Auditors and Administrators hang out discussing these issues.

PCI Blog Forum

The PCI Blog also maintains a web-based discussion forum that’s free for anyone to sign up to. One of their forums is Ask a QSA, where you can ask questions directly to a qualified PCI QSA.

The PCI Dream Team

The PCI Dream Team is the name adopted by a group of QSAs who regularly do public panel sessions to discuss various PCI DSS compliance topics. It’s a good forum for getting your questions answered by professionals, and even for getting multiple suggestions for some of the more tricky corner cases.

Archives to their sessions are available online to listen to, and we maintain a local index of these.

Verizon Payment Security Report

This is a well-known resource that comes up regularly in discussions of PCI DSS compliance.

Verizon operate a large security consulting practice, and have been an active PCI QSA since 2009. On an annual basis, they use the body of information they’ve gathered over the year to publish a free report on the state of payment security. These yearly snapshots detail percentage compliance levels (in place / not in place / compensating control used) for each sub-requirement in the PCI DSS, and also correlate these to each breach they investigate.

Because Verizon performs many audits and investigations, we can effectively treat the report as a proxy for industry-level KPIs.

In addition to the compliance KPIs and breach information, there are also a number of free resources included in the report. Perhaps one of the most valuable is the PCI DSS Compliance Calendar, a table showing which items within PCI DSS must be done annually / bi-annually / quarterly / weekly / daily. Anyone can generate this from the standard itself, but (per Verizon) there are 48 separate items to track; being handed the list is certainly a nice gift from a major QSA.