How PCI DSS builds layers of protection


By Natasja Bolton, Acquirer Support Manager

The primary objectives (or attributes) of security, whether labelled ‘information security’ or, more recently, ‘cyber security’, are captured in the CIA triad: Confidentiality, Integrity and Availability, defined as:

  • Confidentiality: ensuring that information is accessible only to those authorised to have access
  • Integrity: ensuring the accuracy and completeness of information and processing methods
  • Availability: ensuring that authorised users have access to information and associated assets when required


Organisations seek to fulfil those objectives for their own information assets[1], and for those of their partners, customers and clients, through logical, physical, procedural and personnel controls.  Those controls must work together as a framework to Prevent, Detect and Respond[2] to security incidents and cyber-attacks so that the security objectives are met.  The PCI DSS defines such a framework: a baseline of technical and operational controls that work together to provide a defence-in-depth approach to protecting cardholder data, and which may also serve as a baseline of measures for protecting all information assets.


The term “defence-in-depth” comes from a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The basic premise is to place as many barriers as possible between the attacker and your critical data and systems by maintaining multiple, layered lines of defence or controls, rather than a single strong defensive line or a single type of control. A breach of one layer only brings the attacker to the next layer of defensive controls and countermeasures, and each additional layer increases the likelihood of the attacker being detected. The model is often likened to the layers of an onion that must be peeled away one by one.




How the defence-in-depth model relates to PCI DSS

Let’s look at the defence-in-depth model below in Figure 1 in more detail, and how it relates to the PCI DSS controls to secure your organisation, network and its components:



Figure 1: the defence-in-depth layers[3]



Data

Your critical data and systems, including your databases, Active Directory service information, documents etc. This is an attacker’s ultimate target. Example controls include:

  • Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes. Simply put, if you do not need it, do not store it (Requirement 3.1). If you must store the PAN, render it unreadable anywhere it is stored, using one-way hashes based on strong cryptography (the hash must cover the entire PAN), truncation, index tokens and pads, or strong cryptography with associated key-management processes (Requirement 3.4). Note that where hashed and truncated versions of the same PAN both exist in the environment, additional controls are required so that the two cannot be correlated to reconstruct the original PAN.
  • Do not store sensitive authentication data (full track data, card verification codes, PINs or PIN blocks) after authorisation, even if it is encrypted (Requirement 3.2).
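As an added illustration of the Requirement 3.4 caveat above (this is example code written for this article, not part of the original text or of the standard), the following Python shows why a truncated PAN and an unkeyed hash of the same PAN must not coexist: only the six masked digits are unknown, so an attacker simply enumerates them, discards Luhn-invalid candidates and hashes the rest. A keyed one-way function (HMAC-SHA256 over the whole PAN) defeats the same search unless the key is also compromised, which is why key management (Requirements 3.5 and 3.6) carries the weight. The PAN, the key and all function names are constructed for the example.

```python
"""Correlating a truncated PAN with an unkeyed hash of the same PAN.

Added example; the values below are constructed test data, not real cards or keys.
"""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

# Constructed sample values: a well-known Luhn-valid test number and a throwaway key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-key-that-would-live-in-an-hsm-or-kms"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation; every issued PAN passes it, which shrinks
    the attacker's candidate set by a factor of ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS permits: at most the first six and last four digits
    remain; everything in between is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the full PAN. Not secret-dependent, so anyone who can
    guess the PAN can recompute and compare it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN. Without the key the attacker cannot
    compute candidate digests, so the search below has nothing to compare."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def correlate(truncated: str, digest: str,
              hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: reconstruct a PAN from its truncated form plus a stored
    digest, trying every Luhn-valid filling of the masked digits. For a 16-digit
    PAN that is 10**6 candidates (a full failed scan takes a few seconds)."""
    prefix, suffix = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for mid in itertools.product("0123456789", repeat=masked):
        candidate = prefix + "".join(mid) + suffix
        if not luhn_valid(candidate):
            continue
        if hash_fn(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    """Run both scenarios against the constructed sample PAN."""
    truncated = truncate_pan(SAMPLE_PAN)
    return {
        "truncated": truncated,
        # Truncation + unkeyed hash: the PAN comes straight back.
        "recovered_from_unkeyed": correlate(truncated, unkeyed_hash(SAMPLE_PAN), unkeyed_hash),
        # Truncation + keyed hash, attacker without the key: nothing matches.
        "recovered_from_keyed_without_key": correlate(
            truncated, keyed_hash(SAMPLE_PAN, SAMPLE_KEY), unkeyed_hash),
        # The same keyed digest is reversible only for someone holding the key.
        "recovered_from_keyed_with_key": correlate(
            truncated, keyed_hash(SAMPLE_PAN, SAMPLE_KEY),
            lambda p: keyed_hash(p, SAMPLE_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical check this suggests for a QSA or internal reviewer: wherever a reporting database holds truncated PANs and a separate system holds hashed PANs, confirm that the hash is keyed (or salted with a secret of adequate length), that the key is not reachable from the system holding the truncated values, and that the two data sets are not joined in any export or log.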



Application

The software that manipulates the data that is the ultimate target of attack. Example controls include:

  • Establish a process to identify new security vulnerabilities using reputable outside sources, assign a risk ranking (e.g. high, medium, low) to each newly discovered vulnerability, and install vendor-supplied security patches, with critical patches applied within one month of release (Requirements 6.1 and 6.2).



Host

The computers that are running the applications. Example controls include:

  • Deploy anti-malware (endpoint security) software on all systems commonly affected by malicious software, keep it current, run periodic scans, ensure it generates audit logs, and ensure it cannot be disabled or altered by users (Requirement 5).


Internal Network

The network in the corporate IT infrastructure. Example controls include:

  • Install perimeter firewalls between any wireless networks and the cardholder data environment (Requirement 1.2.3), change all wireless vendor defaults at installation (Requirement 2.1.1), use strong authentication and strong encryption for any wireless technology in use (Requirement 4.1.1), and test for the presence of rogue access points at least quarterly (Requirement 11.1).



Perimeter

The network that connects the corporate IT infrastructure to another network, such as to external users, partners, or the Internet. Example controls include:

  • Install firewalls at the perimeter of the network and prohibit direct public access between the Internet and any system component in the cardholder data environment (Requirement 1.3), and use intrusion-detection and/or intrusion-prevention techniques (IDS/IPS) at the perimeter and at critical points inside the cardholder data environment (Requirement 11.4).



Physical Security

The tangible aspects of computing: the server computers, hard disks, network switches, power, and so on. Example controls include:

  • Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE), e.g. video cameras and/or access control mechanisms, physical or logical controls restricting access to publicly accessible network jacks, and restricted physical access to wireless access points, gateways, handheld devices, networking/communications hardware and telecommunication lines (Requirement 9.1 and its sub-requirements).


Policies, Procedures, Awareness

The overall governing principles of the security strategy of any organisation. Without this layer, the entire strategy fails. Example controls include:

  • To establish, publish, maintain, and disseminate a security policy (Requirement 12.1)
  • To implement a formal security awareness program to make all personnel aware of the importance of cardholder data security (Requirement 12.6).


The PCI DSS baseline of technical and operational requirements is designed to protect an organisation’s cardholder data assets (information and systems), focusing primarily on protecting confidentiality. By baseline we mean the minimum that must be done to address known risks, attacks and methods of compromise.  Requirement 12.2 (the risk assessment process) expects organisations to build on that baseline and on the defensive layers of the PCI DSS.


By identifying their critical information assets, along with the threats to and vulnerabilities of those assets (to integrity and availability as well as confidentiality), organisations can select and implement further layered controls and countermeasures, and so enhance their ability to prevent, detect and respond to security incidents and attacks on their information assets.


[1] Information assets include all computer systems and the information stored on those systems, transmitted across networks, information printed out or written on paper, sent by fax, stored on electronic media or spoken over the phone.


[2] Prevent: to stop unwanted or unauthorised activity from occurring; Detect: to discover unwanted or unauthorised activity; Respond: to address the unwanted or unauthorised activity (the incident) to minimise loss or downtime and return to normal


[3] Derived from

