About PCI-DSS Compliance

Understanding the PCI-DSS

PCI-DSS stands for "Payment Card Industry Data Security Standard". It was first published in December 2004 and has been revised periodically since. PCI-DSS 4.0, the most recent major revision, was released in March 2022. The purpose of the PCI-DSS is to strengthen the controls around cardholder data and reduce payment card fraud.

PCI-DSS groups its twelve requirements under six broad objectives, listed in Table 1:

Table 1. PCI-DSS Objectives and Requirements

Objective                                   Requirement(s)

Build and Maintain a Secure Network
    PCI-DSS 1: Install and Maintain Network Security Controls.
    PCI-DSS 2: Apply Secure Configurations to All System Components.

Protect Cardholder Data
    PCI-DSS 3: Protect Stored Account Data.
    PCI-DSS 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program
    PCI-DSS 5: Protect All Systems and Networks from Malicious Software.
    PCI-DSS 6: Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures
    PCI-DSS 7: Restrict Access to System Components and Cardholder Data by Business Need to Know.
    PCI-DSS 8: Identify Users and Authenticate Access to System Components.
    PCI-DSS 9: Restrict Physical Access to Cardholder Data.

Regularly Monitor and Test Networks
    PCI-DSS 10: Log and Monitor All Access to System Components and Cardholder Data.
    PCI-DSS 11: Test Security of Systems and Networks Regularly.

Maintain an Information Security Policy
    PCI-DSS 12: Support Information Security with Organizational Policies and Programs.

The full PCI-DSS v4.0 requirements documentation is available from the PCI Security Standards Council's Document Library.

Continuous Dynamic and the PCI-DSS

Continuous Dynamic helps you address PCI-DSS Requirement 6.2.4, which requires that software engineering techniques or other methods be in use to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. Specifically, vulnerabilities identified by Continuous Dynamic can be tracked and remediated to demonstrate compliance with Requirement 6.2.4. The PCI 4.0 Compliance Report addresses each of the vulnerability classes named in that requirement, shows which categories and specific vulnerability classes are failing compliance testing, and describes how to remediate those vulnerabilities.

PCI-DSS v3.2.1 remains active until March 31, 2024. A version of the PCI Compliance Report aligned with PCI-DSS v3.2.1 remains available in Continuous Dynamic to support customers through this transition period.

Service Level Requirements

Black Duck offers a variety of Continuous Dynamic service levels, from Baseline (BE) through Standard (SE) to Premium (PE). Premium Edition is the service level that provides full business logic analysis and business logic re-testing.

A full PCI Compliance analysis requires that the asset be subjected to business logic assessment. Therefore, if you need the PCI report to establish compliance, the asset must be covered by the Continuous Dynamic PE service level.