To create a safer payment ecosystem, major players, namely, American Express, JCB, MasterCard, Visa, and Discover formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently, a standard for data security, the PCI Data Security Standards (PCI DSS). The latest version of PCI DSS is v.3.2.1 and though PCI DSS is not a law, it is expected that the industry needs to be compliant with its requirements as non-compliance entails hefty fines and lost business opportunities and customers.
Do you need to be PCI DSS compliant?
If you handle, store, process, or transmit credit card data you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be so. Depending on how much sensitive information visits and resides in your systems, your compliance requirements could be more or less, complex or basic.
Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS.
What is needed for PCI DSS compliance?
PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more.
Goal: Build and Maintain a Secure Network and Systems
- Use and maintain a firewall configuration: The goal is to protect cardholder data using a network security device (firewall) by controlling incoming and outgoing network traffic. Here, it pertains to traffic within internal trusted networks as well as between internal and external (untrusted) networks. A firewall is your first line of defense, preventing unauthorized access and securing the cardholder data environment.
- Ensure proper password protection: Operating systems, routers, POS terminals, etc., often come with vendor-default passwords and accounts. These can help with installation; however, such initial settings are often freely available on the internet or are widely known. Hackers can easily exploit this loophole and hence, change all vendor-supplied passwords and security parameters, and delete default accounts.
Goal: Protect Cardholder Data
- Protect stored data: As a rule, it is good to avoid storing cardholder data when it is not necessary. However, some business transactions need you to store sensitive information. In such cases PCI DSS mandates that you employ protection methods like hashing, encryption, masking, and truncation to ensure that in case of unauthorized access, the cybercriminal will not be able to read the data or use it meaningfully.
- Encrypt transmitted data: Open, public networks can be accessed by cybercriminals and hence, you should ensure that the data you send over networks like the internet, Bluetooth, GSM, and Wi-Fi, is secure. PCI DSS asks that data be encrypted, and that encryption strength be appropriate, that you use trusted keys/ certificates only, and that you employ a secure protocol for data transmission.
Goal: Maintain a Vulnerability Management Program
- Use and update antivirus software: Today, there is an increased amount of business activity that is susceptible to malicious software attacks. Hence, it is essential to have an antivirus software (which may be supplemented by an anti-malware solution) that can detect, protect against, and remove all known types of viruses, worms, trojans, adware, rootkits, spyware, etc. Since, software threats evolve with each day, regular updates are also a PCI DSS requirement.
- Have secure applications and systems: All code is buggy and hence, applications are never “perfect”. Loopholes exist and are discovered, and for this reason, developers frequently release security patches. PCI DSS requires you to install critical patches supplied by vendors within 1 month of release. Also, you need to set in place a process for identifying security vulnerabilities and map them to a risk ranking – “high”, “medium” or “low”.
Goal: Implement Strong Access Control Measures
- Restrict access to cardholder data: Risk increases as data exposure increases, and to limit this, PCI DSS proposes that critical data be accessed only by authorized staff, on a need-to-know basis. What is the minimum amount of access that is required to perform a specific job responsibility? That is what you must consider when assigning and approving privileges. A system admin will enjoy more privileges than a call center staff, yet none may require access in a particular scenario.
- Assign unique IDs for access: Having unique IDs for users is important to ensuring accountability for actions taken and tracing the cause of issues. Point 8 of PCI DSS also requires that you use sufficiently strong passwords. Inactive IDs are to be removed or disabled in 90 days and passwords are also to be changed within this period.
- Limit physical access to data: Restricting and monitoring physical access to cardholder data is important to the integrity and security of the sensitive information you hold. Ensuring a secure cardholder environment could involve everything from installing video security cameras to having password-protected login screens and procedures to authorize visitors.
Goal: Regularly Monitor and Test Networks
- Create and monitor access logs: Having audit logs in place allows you to trace suspicious activity and attribute it to a specific user in case of any data compromise. However, PCI DSS also requires that you monitor these logs. Else, you will find yourself backtracking only after a data breach occurs. The goal is to stop it in its tracks.
- Test security systems and processes often: To root out fresh vulnerabilities PCI DSS asks that you conduct tests on your custom software, processes, and system components regularly. In particular, check for the presence of wireless access points, through which an intruder can gain unauthorized access “invisibly”.
Goal: Maintain an Information Security Policy
Document a security policy: Protecting sensitive data is the responsibility of all employees and to set the right tone, PCI DSS requires that you establish, publish, maintain, and disseminate a security policy that educates personnel on what is needed from them.
What are the essential steps of PCI DSS compliance?
Know your compliance level : There are 4 PCI DSS compliance levels.
- Level 1: Merchant processing <20,000 online transactions annually, or up to 1 million total transactions annually
- Level 2: Merchant processing 20,000 – 1 million online transactions and less than 1 million total transactions
- Level 3: Merchant processing 1 – 6 million transactions annually
- Level 4: Merchant processing over 6 million transactions annually
Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.
Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.
If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use the SAQ relevant to you only. Every quarter or less, businesses at all levels engage the services of an Approved Scanning Vector (ASV) to check for external scanning requirements of PCI DSS. Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.
Report, attest, and submit: After assessing and taking remedial measures, documentation of the SAQ/ ROC and compensating controls occurs. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. You can submit your SAQ, ROC, AOC, etc., to any organization requesting them with everything in order.
Remember, PCI DSS compliance is not a one-time task. It involves an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300 odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future. So, take steps towards securing your cardholder data environment and use VComply to accelerate your compliance efforts manifold!