What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard for any organization that handles branded credit cards from the major card providers. While the PCI standard is mandated by the card brands, it is managed and administered by the Payment Card Industry Security Standards Council.
The PCI Security Standards Council (SSC) developed the PCI Data Security Standard, a set of twelve requirements that help ensure the security of credit card transactions in the payment industry. These requirements are organized into six groups that provide both operational and technical requirements for building and maintaining secure networks and systems.
Build and Maintain a Secure Network and Systems
Implement Strong Access Control Measures
Maintain a Vulnerability Management Program
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Protect Cardholder Data
PCI-DSS Compliance Requirements
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware & regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
Chef Compliance for PCI-DSS Audits
Companies that handle credit card data in any way are subject to the Payment Card Industry Data Security Standard (PCI-DSS) and know how difficult and time-consuming PCI audits can be.
Gathering relevant data that demonstrates how each and every configuration item in the cardholder data environment (CDE) is compliant, and has been over time, is often a manual process.
Collecting this information by hand requires thousands of hours of labor and is very wasteful. It is critical for any organization subject to PCI-DSS to pass its audit quickly with as little manual work as necessary, so that teams can focus on achieving business objectives.
By automating the processes related to PCI management, engineering teams can spend less time hunting down information to satisfy audit requests and more time doing product development.
Chef Compliance can help implement continuous security assessments that allow an organization to satisfy audit requirements at any time and make audits painless.
Adopting a continuous compliance approach allows you to answer audit questions at any time, not just quarterly or yearly. With Chef Compliance, organizations can enter an audit cycle knowing their exact compliance posture, rather than being surprised by auditors who find weak points in their environment.
The 2020 Verizon Payment Security Report found that only 27% of organizations were able to maintain full compliance with the PCI-DSS, an 8.8% drop from the year before.
Teams can identify compliance issues or policy breaches rapidly and react quickly to triage and remediate problems even before auditors show up, demonstrating how compliance has evolved and improved over time.
Chef Compliance is built on Chef core technology proven in large, complex environments over the past 10+ years. It is designed to help enterprises maintain compliance and prevent security incidents across heterogeneous hybrid and multi-cloud environments while improving speed and efficiency.
Standards-based audit and remediation content, easily tuned baselines, and comprehensive visibility and control make it easy to maintain and enforce compliance across your entire fleet, on-prem, in the cloud or on the edge.
Chef Compliance helps automate compliance with the standard by incorporating compliance processes into every stage of the development cycle, based on the following underlying Chef core technologies.