The Payment Card Industry Data Security Standard (PCI DSS) is a clearly defined standard for companies that accept customer credit card payments. Carefully following the PCI compliance checklist is essential to achieving both compliance and consumer confidence when accepting card payments.
PCI DSS is a set of industry guidelines drafted to protect consumers online and to ensure that e-commerce companies and other online service providers handle sensitive data correctly. The Payment Card Industry Security Standards Council (PCI SSC) works with payments industry stakeholders to drive adoption and compliance.
- About This Article
- What Is PCI DSS?
- 12-Step Checklist for PCI DSS Compliance
- 1. Firewall Protection of Cardholder Data
- 2. Vendor Default Passwords
- 3. Cardholder Data Protection
- 4. Encrypt the transmission of cardholder data
- 5. Malware Protection
- 6. Secure Systems and Applications
- 7. Restrict Access to Cardholder Data
- 8. Unique User IDs
- 9. Restricted Physical Access to Cardholder Data
- 10. Monitoring of Network Access, Resources, and Cardholder Data
- 11. Regular Testing of Security Systems and Processes
- 12. Ongoing Information Security Policy
About This Article
This article provides an overview of PCI DSS and includes a condensed PCI compliance checklist based on the official PCI DSS Quick Reference Guide. It also aims to act as a springboard for our customers into the content offered by the official Payment Card Industry Security Standards Council; you will find further helpful links in the conclusion.
What Is PCI DSS?
PCI DSS is a set of standards that states how companies should handle credit card transactions online. The goal is to reduce payment card fraud by fortifying the security controls around cardholder data. The card brands, including American Express, Visa, Discover, and MasterCard, created these processes and protections to protect their customers. The PCI SSC finalised the standard and now administers it.
The most recent version of PCI DSS is version 4.0, released in March 2022. Service providers and merchants have two years to update their security controls to comply with the latest version. We also recommend reviewing the official PCI DSS overview guide.
12-Step Checklist for PCI DSS Compliance
Companies have several options when it comes to payment solutions. While there are several ways to accept credit card payments, some carry more risk than others. To ensure security compliance, your company must adopt a solution that adheres to PCI DSS and follow the 12 steps below.
1. Firewall Protection of Cardholder Data
Firewalls control traffic as it traverses an organisation’s network. They form the foundation of your data defences and should be configured to deny all public traffic and all traffic from untrusted hosts and networks by default, with explicit exceptions only for the protocols the cardholder data environment needs.
Network environments are subject to change. Thus, your IT security teams should document all firewall policies and supporting procedures. Furthermore, those procedures must include reviewing your organisation’s firewall configuration every six months.
To comply with the PCI DSS maintenance requirement, your team should conduct penetration tests and run regular vulnerability scans to ensure there aren’t any significant vulnerabilities in your network setup.
2. Vendor Default Passwords
PCI DSS states that enterprises must protect devices with unique passwords rather than the default passwords assigned by the vendor. Passwords must have at least seven characters with a mix of letters and numbers, be different from previously used passwords, and be updated every 90 days.
Weak passwords are an open door: attackers have well-known ways of guessing them. Fortunately, this is also one of the most straightforward vulnerabilities to address. Your team should ensure you’re not using default passwords in your payment card infrastructure, because default passwords are published in vendor documentation and are trivially guessed.
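The password rules listed above, encoded as a checker. This is an added example, not code from the article or from the PCI SSC: it checks the minimum length, the letters-and-digits mix, reuse against a history kept as salted PBKDF2 hashes (storing old passwords in clear text would itself be a finding), the 90-day rotation limit, and a match against a short list of vendor defaults. The `KNOWN_DEFAULTS` list and the `age_days` parameter are constructed for illustration; a real deployment would load a vendor-specific default list.

```python
"""Password-policy checks for requirement 2 (added example, not from the article)."""
import hashlib
import hmac
import os

MIN_LENGTH = 7
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 200_000

# Constructed sample list for illustration only; a real check would load
# a vendor-specific list of documented default credentials.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "12345678", "default"}


def hash_password(password, salt=None):
    """Return (salt, digest) so the password can be kept in history safely."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if candidate matches any (salt, digest) pair in history."""
    for salt, digest in history:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def check_password(candidate, history=(), age_days=0):
    """Return the list of policy violations; an empty list means compliant.

    age_days is how long the password being checked has been in use, so the
    rotation rule can be evaluated alongside the content rules.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known vendor default")
    if in_history(candidate, history):
        problems.append("reuses a previous password")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"in use for more than {MAX_AGE_DAYS} days; rotation required")
    return problems


if __name__ == "__main__":
    history = [hash_password("Old-pass1")]
    for pw in ("admin", "S3cure-pw9", "Old-pass1"):
        print(pw, "->", check_password(pw, history) or "OK")
```

The history comparison uses `hmac.compare_digest` so the reuse check does not leak timing information about which stored digest matched.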
3. Cardholder Data Protection
Cardholder data protection focuses on protecting data wherever it resides in the network, including data storage, sensitive information in transit, processing, or physical form. As such, this is a wide-ranging requirement. Companies must adopt different security methods depending on where the sensitive information resides and which entity handles it along those points.
The standard also requires limiting data storage and retention to reduce the security risk. For example, part of the mandate is that an organisation must not store sensitive authentication data after authorisation.
Furthermore, they should mask the Primary Account Number (PAN) whenever account numbers are displayed: no more than the first six and last four digits should be visible. Finally, the PAN must be rendered unreadable anywhere it is stored.
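A masking routine plus a scan for PANs that were stored in the clear. This is an added example, not code from the article: `mask_pan()` applies the display rule above (at most the first six and last four digits visible), and `find_unmasked_pans()` sweeps text such as application logs for digit runs that look like a PAN and pass the Luhn check, reporting each hit in masked form so the report itself does not leak card numbers. `SAMPLE_LOG` is constructed test data built around publicly known test card numbers; the order number on the third line is there to show that a 13-digit value failing Luhn is not reported.

```python
"""PAN masking and a scan for unmasked PANs in stored text (added example)."""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum, which real PANs satisfy and most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits; star out the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid PAN in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample: two unmasked PANs, one already masked, one order number.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z checkout user=alice pan=4111111111111111 amount=19.99
2024-05-01T10:02:12Z checkout user=bob pan=411111******1111 amount=5.00
2024-05-01T10:03:40Z audit order=1234567890123 status=ok
2024-05-01T10:04:02Z checkout user=carol pan=5555 5555 5555 4444 amount=42.00
"""

if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN {masked}")
```

Run the scan over log archives, crash dumps and database exports as part of the data-discovery step of this requirement; any hit is cardholder data stored where the standard says it must not be readable.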
4. Encrypt the transmission of cardholder data
Encryption makes transmitted data unreadable to unauthorised persons and is necessary when dealing with sensitive information, especially when data is moving across the internet.
PCI DSS stipulates that you must protect cardholder data anywhere in the network, whether in backup storage, at rest, or in transit. Any enterprise that sends customer data through an open network must encrypt it. Open networks include Bluetooth, public wireless, satellite communications, and the internet.
You must also document encryption as part of the security policies and procedures your organisation has in place to protect cardholder data in transit.
5. Malware Protection
To protect your devices from malware, PCI DSS requires you to install and maintain antivirus/anti-malware software. Endpoint protection solutions help stop threats such as viruses and other malware from corrupting data on edge and mobile devices, which are especially exposed.
Malware comes in many forms, including spyware that enables criminals to view employee activities. It also includes ransomware, which can paralyse your organisation and lock you out of files containing sensitive customer data.
Regardless of type, malware usually enters the same way: through an email containing a malicious link or file attachment. With antivirus and anti-malware software, you can spot malicious software promptly and remove it before it can do harm.
6. Secure Systems and Applications
This requirement stipulates that companies must implement and maintain secure systems and applications, specifically applications that store, process, or transmit cardholder data.
For instance, enterprises must deploy patches promptly to avoid vulnerabilities. They must also adopt secure coding practices, follow change control procedures, document these processes, and train staff to execute them efficiently.
In addition to developing procedures, keep in mind the software tools/apps your security team uses to support your processes. If the app is not secure, it becomes a liability rather than an aid. Vet the software before purchasing to review its track record for patching vulnerabilities.
7. Restrict Access to Cardholder Data
Your organisation must ensure that only authorised personnel have access to sensitive data. Systems and processes must be in place that limit access to a need-to-know basis.
This access restriction requires your team to determine the relevant information for every job role. From there, grant employees access to only the data they need to perform their job functions.
As with all security measures, you should document your security policies, including how you restrict access to cardholder data. The documentation should specify which users can access which data or system(s).
8. Unique User IDs
Each employee should have a unique ID and password to access confidential data. These IDs allow security teams to monitor user access along with what actions they took and when. This is critical to identifying insider threats or finding compromised user accounts.
Added security measures include locking users out of accounts after a specified number of failed attempts. Also, a device should require re-authentication once a session has been idle for 15 minutes or more.
Authentication credentials should also be encrypted during transmission so they cannot be compromised. Finally, a standard requirement is to delete or deactivate inactive user accounts within 90 days.
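The three account controls above (lockout after repeated failures, re-authentication after 15 idle minutes, deactivation after 90 days without use), applied in code. This is an added example, not code from the article or from any PCI SSC material: `MAX_FAILED_ATTEMPTS` is an assumed value because the article only says "a specified number", and `simulate()` runs a constructed scenario with made-up users so each rule's decision can be inspected.

```python
"""Account and session controls from requirement 8 (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 6                 # assumed; not specified by the article
IDLE_TIMEOUT = timedelta(minutes=15)    # re-authenticate after 15 idle minutes
INACTIVE_LIMIT = timedelta(days=90)     # deactivate after 90 days without login


@dataclass
class Account:
    user_id: str
    failed_attempts: int = 0
    locked: bool = False
    active: bool = True
    last_login: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def record_login(acct, succeeded, at):
    """Apply one login attempt; returns True only if a session was opened."""
    if acct.locked or not acct.active:
        return False
    if succeeded:
        acct.failed_attempts = 0
        acct.last_login = acct.last_activity = at
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return False


def session_valid(acct, now):
    """A session survives only while gaps between requests stay under IDLE_TIMEOUT."""
    return acct.last_activity is not None and now - acct.last_activity < IDLE_TIMEOUT


def touch(acct, now):
    """Record a request; returns False (re-authentication needed) if the session idled out."""
    if not session_valid(acct, now):
        acct.last_activity = None
        return False
    acct.last_activity = now
    return True


def deactivate_inactive(accounts, now):
    """Deactivate accounts unused for more than INACTIVE_LIMIT; return their IDs."""
    removed = []
    for acct in accounts:
        if acct.active and acct.last_login is not None and now - acct.last_login > INACTIVE_LIMIT:
            acct.active = False
            removed.append(acct.user_id)
    return removed


def simulate():
    """Constructed scenario exercising all three rules."""
    t0 = datetime(2024, 5, 1, 9, 0)
    alice = Account("alice")
    bob = Account("bob")
    dormant = Account("dormant", last_login=t0 - timedelta(days=120))

    # Alice logs in, works for ten minutes, then comes back after twenty idle.
    record_login(alice, True, t0)
    alice_still_valid = touch(alice, t0 + timedelta(minutes=10))
    alice_after_idle = touch(alice, t0 + timedelta(minutes=30))

    # Bob fails MAX_FAILED_ATTEMPTS times; the right password no longer helps.
    for i in range(MAX_FAILED_ATTEMPTS):
        record_login(bob, False, t0 + timedelta(seconds=i))
    bob_correct_after_lock = record_login(bob, True, t0 + timedelta(minutes=1))

    return {
        "alice_still_valid": alice_still_valid,
        "alice_after_idle": alice_after_idle,
        "bob_locked": bob.locked,
        "bob_correct_after_lock": bob_correct_after_lock,
        "deactivated": deactivate_inactive([alice, bob, dormant], t0),
    }


if __name__ == "__main__":
    print(simulate())
```

Note that a correct password against a locked account still returns `False`: the lock must be cleared by an administrator or a timed unlock, not by the next successful guess.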
9. Restricted Physical Access to Cardholder Data
PCI requirements state that you must restrict physical access to cardholder data. That means that there should be safeguards for cardholder data documentation, servers, and other hardware to protect against unauthorised access. Also, establish entry controls to areas where cardholder data is stored.
Users should also be assigned unique user IDs so that the security team can monitor their activity. Other controls include access key cards, locking file cabinets, and visitor logs to create a physical audit trail of personnel coming in and out of restricted areas of the building. Records and logs should be kept for at least three months.
10. Monitoring of Network Access, Resources, and Cardholder Data
PCI compliance requires logging and alerting mechanisms that let you track and analyse anomalies in your systems. They surface suspicious activity while an unauthorised individual is trying to break in, and later provide the evidence you need when investigating a breach.
Monitoring tools send a notification when your network has been breached. PCI compliance also requires a defined process for linking system access to each user, so that you retain the oversight needed to know who logged into which system and when.
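What "linking system access to each user" looks like in practice, as an added example that is not part of the article: a small parser for sshd-style authentication log lines that builds the who-logged-into-what-and-when view, and two detections worth alerting on, a run of failures followed by a success, and successful logins to shared accounts that cannot be tied to one individual. `SAMPLE_AUTH_LOG`, the host names and the addresses are constructed; the `SHARED_ACCOUNTS` set is an assumption you would replace with your own list.

```python
"""Linking system access to individual users from authentication logs (added example)."""
import re
from collections import defaultdict
from typing import NamedTuple

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

SHARED_ACCOUNTS = {"root", "admin"}   # assumed: accounts not tied to one individual


class Event(NamedTuple):
    ts: str
    host: str
    user: str
    outcome: str
    src: str


def parse_auth_log(text):
    """Return Event records for every line that matches the sshd pattern."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def access_timeline(events):
    """Map user -> [(host, timestamp)] for successful logins only."""
    timeline = defaultdict(list)
    for e in events:
        if e.outcome == "Accepted":
            timeline[e.user].append((e.host, e.ts))
    return dict(timeline)


def failures_before_success(events):
    """Flag (user, host, failure_count) when failures directly precede a success."""
    streak = defaultdict(int)
    flagged = []
    for e in events:
        key = (e.user, e.host)
        if e.outcome == "Failed":
            streak[key] += 1
        elif streak[key]:
            flagged.append((e.user, e.host, streak[key]))
            streak[key] = 0
    return flagged


def unlinkable_logins(events, shared=SHARED_ACCOUNTS):
    """Successful logins to shared accounts, which cannot be attributed to a person."""
    return [(e.user, e.host, e.ts) for e in events
            if e.outcome == "Accepted" and e.user in shared]


# Constructed sample; the cron line shows that unrelated records are ignored.
SAMPLE_AUTH_LOG = """\
May 12 09:12:03 pos-01 sshd[2311]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
May 12 09:15:44 db-01 sshd[988]: Failed password for bob from 10.0.5.77 port 40011 ssh2
May 12 09:15:49 db-01 sshd[988]: Failed password for bob from 10.0.5.77 port 40011 ssh2
May 12 09:16:01 db-01 sshd[990]: Accepted password for bob from 10.0.5.77 port 40013 ssh2
May 12 09:20:30 db-01 sshd[1001]: Accepted password for root from 203.0.113.9 port 2222 ssh2
May 12 09:21:00 db-01 cron[1010]: (bob) CMD (/usr/bin/backup)
"""

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, logins in access_timeline(evs).items():
        print(user, logins)
    print("failures then success:", failures_before_success(evs))
    print("shared-account logins:", unlinkable_logins(evs))
```

The shared-account detection is the bridge between this requirement and requirement 8: a login to `root` produces a log entry, but not one that links the access to a named person, which is exactly the gap unique user IDs are meant to close.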
11. Regular Testing of Security Systems and Processes
This requirement specifies that organisations should regularly test their security systems and processes for vulnerabilities. Your team can test using vulnerability scans, intrusion detection software, and penetration tests. The goal is to ensure your environment remains fortified enough to handle the latest threats.
You should scan your systems at least every 90 days and ensure they are purged of exploitable vulnerabilities. To remain compliant, you must also scan active systems weekly or monthly to keep your network secure.
12. Ongoing Information Security Policy
The final PCI requirement is to create a policy that establishes a clear information security strategy for all personnel, customers, and other relevant third parties. It should reflect your organisation’s commitment to PCI DSS compliance.
Furthermore, the policy should include your proposed technological defences and planned training for all staff. It should be a written document containing the guidelines staff are to follow. Employees should be able to read the document and understand what they need to do to be PCI compliant.
Protecting your customers’ credit card data is not just about regulatory compliance; it’s simply good practice. Given the rising instances of cybercrime and ransomware attacks, PCI compliance shows your customers that you take their privacy seriously and take the needed steps to protect their information from threat agents.
Your next step should be to read the official PCI DSS Quick Reference Guide that discusses the 12 requirements we have just covered in greater detail. Also, be sure to visit the PCI DSS Document Library, as this is a must-read section for anyone serious about PCI compliance.
If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.