• Learn the 12 requirements of the PCI standards
• Understand how to meet and implement the 12 requirements
The Payment Card Industry Data Security Standards (PCI DSS) are technical and operational requirements that establish how organizations should safeguard and protect consumer cardholder data. In addition, the PCI Standards also provide alert and reporting protocols and define how organizations should monitor access to consumer cardholder data.
If that sounds serious, it’s because these standards are critical to the safety of your consumers. However, this weighty topic doesn’t mean that the PCI DSS is difficult to understand or implement. This article will break down the 12 Payment Card Industry Data Security Standards. We will discuss what each means and how you can achieve compliance within your organization.
The PCI Data Security Standards apply to all systems that accept and process cardholder data. Payment-related data is a desirable target for hackers, especially given the lucrative rewards you can gain from using and selling this data on the dark web. Unfortunately, data breaches are both frequent and incredibly expensive. Organizations that experience data breaches face negative financial consequences. In addition, these breaches can cause long-term damage to their reputations and the loss of consumer confidence.
Payment data security is about more than just protecting cardholder data. It also ensures that the data remains secure and that protocols are in place to determine the organization’s response when a breach occurs. The PCI DSS defines six goals (which you break down into 12 specific requirements that you have to implement):
As you can see, nothing on that list is surprising or exceptional. Any system that you deploy into production should meet these goals. Nevertheless, it’s essential to ensure that your payment-related systems meet the requirements for all of these goals. To that end, let’s explore each one.
The first goal is to ensure that you build your network with security in mind and maintain that security continuously. Your network should protect against invalid or malicious access requests while maintaining connectivity and performance for authorized users.
The most vulnerable components of your network are the access points. You must protect these access points with strong and hardened firewalls and routers. Work with security experts to ensure that you correctly configure the firewall according to industry best practices. In addition, you should have a formal process for testing and approving any changes to firewall and router configurations before you implement them.
You should document and regularly review all entry points to your network and clearly define all valid user journeys into and through your network. You should identify user groups and assign roles using the principle of least privilege, and you should document these with business justifications. All services, protocols, and allowed ports should be identified and scrutinized for appropriate business use, and then validated to prevent insecure patterns and processes.
Changing default passwords might seem obvious, but this has proven to be an easily exploited vulnerability for many systems. Before attaching them, you should change the default usernames and passwords for all devices that connect to your network – from firewalls to routers and even wifi access points.
You should also limit network devices to only those necessary to support your operations and ensure that all devices have a single, clearly-defined function within your network. Define and document standard practices for all devices in use within your network.
Your system should treat cardholder data with the utmost caution. You should only store and transmit data required for processing. Remember that encryption is critical whenever transferring or storing data.
You should define clear standards for how your system uses and stores cardholder data. In addition, you should take special care to store data in a way that makes it difficult to reconstruct. If possible, use one-way encryption so that even if the system is compromised, malicious actors cannot read the data. System output (including logs) should remove or mask any sensitive data. For example, masked data might only show the last few digits of a credit card.
The system should only use data like PINs and CVV numbers to process payments, and it should never write these to physical storage. Refer to the current PCI DSS documentation for specific details about how the system should manage data and what you are permitted to store.
When the system transmits data from a payment device to the network across public networks, you must ensure that it is encrypted using industry-standard cryptographic methods. This requirement applies to the internet, wireless and Bluetooth networks, and satellite and cellular networks. A best practice is to ensure that the system encrypts data before transferring it between services, even if you believe the underlying network to be secure.
Any device attached to your network represents an attack vector that someone can exploit. While firewalls and routers may be conspicuous targets, any workstation or laptop that can access your network is a potential access point for an intruder.
You must install anti-virus software on all devices connected to or within your network and perform regular scans. It is also imperative that this software is regularly updated with the latest virus and malware definitions to ensure that it can identify and remove them before executing an attack.
This requirement applies to third-party software as well as software that’s developed in-house. Completely secure software is the exception rather than the rule. For third-party software, including frameworks, libraries, and operating systems, you should ensure that you test and apply patches and updates as soon as possible. Pay close attention to the risks that each update mitigates to ensure that you are prioritizing the risks with the most significant potential impact on your organization.
Your in-house applications require comprehensive software testing, including unit and integration, performance, and targeted vulnerability and security scans. You should pay particular attention to applications that handle payment data, but all applications and services within the network should be subject to identical requirements and standards.
The principle of least privilege requires that you grant users only enough access to perform their assigned roles – and no more.
Cardholder and payment-related data are especially sensitive, and there should be a clear business use case for any user or application that requires access to this data. It would be best to establish specific business policies to govern how users may receive access. You should also conduct regular audits to enforce and re-evaluate these policies.
To achieve and maintain a secure computer system, you must identify who is accessing the system and when. This approach requires that you assign all users a unique set of credentials that only they can use. Unique identifiers are critical for system audits and ensure proper accountability for anyone with access to the system.
Authorized users should only be able to access sensitive data through approved interfaces and network protocols. Direct physical access to the servers and storage devices exposes the risk of unauthorized usage and access without proper oversight and auditing. Data security policies should prohibit the storage of sensitive data on local storage, removable storage devices, and printed hard copies. Visitors to the data storage facility should be appropriately authorized and monitored throughout their visit.
We’ve already discussed the importance of unique identifiers and rigid access control. But those measures are only effective if they are subject to continuous monitoring and validation. You should also ensure that protocols for securing your system and processes are in place and protect your network.
Network logs produce a wealth of information, and human personnel can’t continuously monitor and review this data. By transmitting access logs from network resources and systems that manage sensitive data into a log management system, you can create alerts for improper access and anomaly detection to protect your systems in real-time. You can also use them to perform audits and investigate any inappropriate activity.
Testing is a critical aspect of all computer systems, enabling us to validate that our configurations are correct and that access controls allow and prevent access appropriately. You should regularly test all systems and procedures to ensure that access control and data protection assumptions are correct. These tests should be automated and scheduled to prevent human error and forgetfulness.
Finally, it’s essential that you document approved processes rather than leaving them to your users’ discretion. Users should thoroughly understand all security expectations and their implications for the systems under their control.
A well-defined and clear security policy will help you establish a security culture within your workforce. You need to require all users of your systems – whether full-time, part-time, or temporary – to read, understand, and accept the security policies in place at your organization. You should also regularly review the policies to ensure they remain current and aligned with industry best practices. All users should be required to review these policies annually to fully understand the requirements and the implications for their daily tasks.
While it’s impossible to explain the full extent of the PCI requirements in a single post, we hope that this content has given you an idea of the scope of the PCI Data Security Standards and an understanding of the goals behind these requirements. We recommend reviewing the current PCI DSS documentation for more detailed information and guidelines for each area mentioned above. Within this documentation, you’ll find in-depth descriptions of the requirements and specific actions that you can take to ensure that your organization maintains PCI compliance.