
The 2021 Guide to PCI DSS Compliance Has Launched

A challenging year for payment data security


The year 2020 was challenging for most of the world. And with a global pandemic and lockdowns, businesses had to scramble to stay afloat and deal with new payment data security variables such as remote workers, an increase in cybersecurity threats, and changes in operations to almost all areas of their business. 

In the face of these challenges, PCI DSS compliance is more important for merchants than ever. The Payment Card Industry Data Security Standard was established in 2006 to help merchants protect payment data. Compliance with the PCI DSS is an industry requirement for any company that accepts major credit cards and can help them develop their own robust security program. 

The PCI DSS has twelve requirements, each of which covers a different aspect of security. According to SecurityMetrics forensic research data, based on investigations of breached companies, no investigated business that was breached was compliant with all twelve requirements at the time of the compromise. In many cases, noncompliance with requirements like logging and log management (Requirement 10) and vulnerability scanning (Requirement 11) directly contributed to the data breaches.

The good news is that these and other security issues are fixable, and SecurityMetrics’ mission is to help you fix them, maintain compliance, and avoid payment data compromise. Every year, SecurityMetrics’ teams collaborate to update and release the Guide to PCI DSS Compliance in accordance with this goal. 

The SecurityMetrics Guide to PCI DSS Compliance 

The PCI Guide includes interactive and printable IT checklists for every requirement, stories and tips from our security analysts (QSAs), forensic data breach research data, as well as the latest updates on PCI DSS compliance. It is meant to be a tool in the arsenal of a CISO, IT manager, security officer, or anyone involved in security and compliance. 

Audit Director Matt Halbleib (CISSP, CISA, QSA) said, "We publish our guide to give businesses of all sizes a tool to understand and organize their PCI compliance efforts. Maintaining PCI compliance in an environment-specific way helps businesses protect their data, detect breaches, and keep cybercriminals off their network."

The 2021 PCI DSS Guide has been updated to include:

  • Insight into what to expect for PCI DSS 4.0
  • Forensic data breach investigations and predictions
  • Tips for applying the PCI DSS in a cloud environment 
  • Information on e-commerce attacks including iFrame hacks
  • How to set up a PCI-compliant remote workforce
  • Interactive IT checklists for each requirement 
  • Brand new PCI compliance trends and customer data 
  • Tips and experiences from PCI Auditors (QSAs) 

"Businesses who utilize the Guide to PCI DSS Compliance can better organize their compliance efforts and understand the way PCI compliance requirements affect cybersecurity. On top of that, the PCI Guide is a great training tool when assigning new resources to your PCI compliance effort," said SecurityMetrics VP of Assessments Gary Glover (CISSP, CISA, QSA).

2021 PCI DSS Data Breach Analysis

The SecurityMetrics PCI Guide includes forensic investigation results from 2020. These results include data on which PCI DSS requirements were or were not implemented at the time of compromise, whether noncompliance contributed to the breach, and forensic takeaways to help businesses connect PCI compliance to cybersecurity and better protect against threat actors.

Interestingly, noncompliance with vulnerability scanning, penetration testing, and risk management requirements contributed frequently to data breaches. 

Here are a few of the most interesting results from our investigations. First, whether each PCI DSS requirement was implemented at the time of compromise:

REQUIREMENT 1: Protect Your System With Firewalls

  • In place 63%
  • Not in place 0%
  • Unknown 37%

REQUIREMENT 2: Use Adequate Configuration Standards

  • In place 63%
  • Not in place 37%
  • Unknown 0%

REQUIREMENT 10: Implement Logging and Log Monitoring

  • In place 49%
  • Not in place 51%
  • Unknown 0%

REQUIREMENT 11: Conduct Vulnerability Scans and Penetration Testing 

  • In place 25%
  • Not in place 75%
  • Unknown 0%


Here is how noncompliance with the same PCI DSS requirements as above affected breaches for compromised organizations in 2020:

REQUIREMENT 1: Protect Your System With Firewalls

  • Contributed 0%
  • Didn’t contribute 62%
  • Unknown 38%

REQUIREMENT 2: Use Adequate Configuration Standards

  • Contributed 0%
  • Didn’t contribute 62%
  • Unknown 38%

REQUIREMENT 10: Implement Logging and Log Monitoring

  • Contributed 51%
  • Didn’t contribute 49%
  • Unknown 0%

REQUIREMENT 11: Conduct Vulnerability Scans and Penetration Testing

  • Contributed 62%
  • Didn’t contribute 25%
  • Unknown 13%

Forensic contributions also include predictions about what threat and data breach trends we will see in 2021. These predictions include issues like e-commerce attacks, remote virtual meetings, and a return to cybercrime in the physical world. 

PCI DSS Compliance as a framework for organizational security

The PCI DSS is a security standard that can provide an organized and comprehensive security framework for any environment. It includes specific Self-Assessment Questionnaires (SAQs), selected based on variables like the way a company takes payment information. These SAQs point businesses to the specific areas they need to examine to start their data security programs and can save companies time and money.

Download a copy of the SecurityMetrics Guide to PCI DSS Compliance here to get started. 

See what PCI Guide users have to say 

“I needed quick and straightforward guidance on how the PCI DSS requirements apply to software development. I was able to quickly find what I needed written in a way that was both quickly digestible and highly understandable. This resolved the concerns we had and reinforced the importance of the standardization of process controls we are putting in place.”

kconway, Freedom Mobile

“This is a fantastic guide for merchants on any level to work towards becoming PCI compliant; it also serves as a great resource to train future hires!”

“Excellent guide to PCI compliance which provides a manageable template to develop internal policies and procedures.”

“The SecurityMetrics Guide was very comprehensive and definitely extremely useful. I especially benefited from the IT checklist guide.”

“...SecurityMetrics Guide to PCI DSS Compliance is a one-stop guide to ensuring your organization is PCI DSS compliant. This is the best comprehensive guide I've found.”

“Made us aware of a lot of details concerning our security... also our service provider responsibilities, which we were not aware of. Provided us with valuable tips for firewalls and explained a lot of terminology that was unknown before PCI DSS.”
