What is Required for PCI DSS compliance?

Organizations that store, process, or transmit payment card data must protect the data from exposure by adhering to the Payment Card Industry Data Security Standard (PCI DSS). The standard, which establishes a baseline level of security to protect payment card data, has 12 major areas of requirements, which are designed to achieve six overarching IT security goals.  This article describes the requirements and goals in simple terms. Please visit the website of the Payment Card Industry Security Council at https://www.pcisecuritystandards.org/ to understand specific requirements for your organization.

Build and Maintain a Secure Network

Requirement 1:  Install and maintain a firewall configuration to protect cardholder data

Properly functioning firewalls and correctly configured routers comprise the first critical layers of an organization’s network defense. Compliance with this item requires a demonstration that firewalls and routers are properly configured and functioning as expected.

Requirement 2:  Do not use vendor-supplied defaults for systems passwords and other security parameters

Many data breaches are the result of unchanged default passwords or system software settings in payment card systems. Since most default passwords for leading products are widely known and accessible, changing or removing factory-set credentials is an integral preliminary step when deploying applications or devices. Furthermore, controls should be instituted to verify that default logins do not exist in the environment.

Protect Cardholder Data

Requirement 3:  Protect stored cardholder data

Any cardholder data stored in the systems must be encrypted. In this case, the shortest path to compliance is determining where credit card data is stored and encrypting it before saving.  PCI DSS stipulates that cardholder data must be rendered unreadable before saving to disk, so these encryption requirements apply to any type of storage media: portable media storage, backup media and the like.

One way to address this requirement is through tokenization.  Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached. Tokens serve as a reference to the original data but cannot be used to guess those values.  Encryption and tokenization make the stored cardholder data out of scope for PCI.

Requirement 4:  Encrypt transmission of cardholder data across open, public networks

When credit card information is transmitted over public networks like the internet (e.g., submitting a web form with payment details), encryption methods such as SSL must be used to protect the data. Additionally, wireless networks using the WEP encryption standard are no longer allowed to transmit credit card data of any type.

Maintain a Vulnerability Management Program

Requirement 5:  Use and regularly update anti-malware software

Anti-malware software is a critical component of IT security, but like all applications, it must be regularly updated and patched to maintain its effectiveness.

Requirement 6:  Develop and maintain secure systems and application

Review the alerts of all the software vendors used in your systems and apply their patches methodically. If the application has been customized, patching can be very difficult as the extended code may be affected by the patch. In this situation, the application needs to be properly tested to see whether the application is vulnerable and then a plan must be put in place to address any issues. In addition, organizations with customized applications should consider conducting a vulnerability assessment.

Implement Strong Access Controls Measures

Requirement 7:  Restrict access to cardholder data by business need-to-know

All access to critical cardholder data should be restricted and recorded. For example, access should only be given to staff explicitly requiring credit/debit card details. Remember: you can use encryption and directory access controls to allow administrators and support staff appropriate access to the services they need - without revealing sensitive data. Additionally, all access should be documented and regularly audited.

Requirement 8:  Assign a unique ID to each person with computer access

The majority of data breaches originate from inside the corporate network. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by - and can be traced to - known and authorized users. All remote users should be  required to access corporate data and applications via two-factor authentication (e.g., tokens or smartcards). Devices should be logged off after a period of inactivity. Passwords should be routinely tested to prove they are unreadable during transmission and storage.

Requirement 9:  Restrict physical access to cardholder data

Physical access to any building needs to be via a reception area where all visitors and contractors sign in. All devices that store (or could store) credit card details must be in a secure environment. Server rooms need to be locked with CCTV installed. Access to the wireless and wired network components must be restricted.

Regularly Monitor and Test Networks

Requirement 10:  Track and monitor all access to network resources and cardholder data

The logs of all network and device activity need to be recorded and analyzed for anomalies. They need to be stored in a manner that provides tracking of legitimate access, intrusions, and attempted intrusions. The logs must be available as material evidence in the event of a breach.

Requirement 11:  Regularly test security systems and processes

Under PCI DSS, companies should conduct regular vulnerability scans for possible exploitable weaknesses in their environments.  When there are significant changes to the network, device operating systems, or applications, organizations should run internal and external vulnerability scans to check for exploitable security flaws.

Requirement 11.5:  Deploy a change detection mechanism

Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert 24/7 personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly. Implement a process to respond to any alerts generated by the change-detection solution.

Maintain an Information Security Policy

Requirement 12:  Maintain a policy that addresses information security

Organizations need to include IT security in their overall policies and risk management strategies. Ownership of these initiatives must be assigned to a person or group within the organization. A strong security policy sets the tone for the entire company and informs employees of what is expected of them. Some of the areas addressed include remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and mobile devices, among others. Additionally, service providers should also be monitored and managed.

How ERMProtect Can Help with PCI DSS Compliance

ERM Protect can help ensure your organization is PCI compliant.  As one of the original PCI QSA firms, we are experts at payment card compliance, IT security, and data protection.  We leverage almost 30 years of experience to secure your payment data, protect your business and manage costs and risk. Contact us at 1-800-259-9660 and ask for Silka Gonzalez to get a quote.