The Payment Card Industry and Data Security Standards or PCI DSS has steep standards for companies that accept credit card payments from customers. Being PCI compliant is particularly important for holding consumer confidence and accepting payment from credit card vendors.
Like most regulatory guidelines, The PCI DSS was drafted with the intention of protecting consumers online and making sure online service providers and e-commerce companies protect sensitive data adequately.
We get into depth on each of the steps below, but if you only have time for a quick overview, here is our 12-Step PCI DSS Compliance checklist:
- Install and Maintain a Firewall to Protect Customer Data
- Don’t Use Vendor-Supplied Default Passwords
- Protect Stored Cardholder Data
- Encrypt all Transmission of Cardholder Data
- Use and Update Anti-Virus Software (Regularly!)
- Develop and Maintain Secure Systems and Applications
- Restrict Accèss to Cardholder Data
- Track and Monitor User Access
- Restrict Physical Access to Cardholder Data
- Track and Monitor Access to Cardholder Data
- Test Security Systems and Processes
- Maintain a Policy That Addresses Information Security
What is PCI DSS?
PCI DSS is a set of standards created by credit card providers including Visa, American Express, MasterCard, and Discover that state enterprises must follow to offer credit card transactions online. The regulations outline the processes and protections that enterprises must implement to protect their customers. The standards are decided by the PCI Security Standards Council or PCI SSC.
What Happens if I Don’t Comply?
As industry standards, the PCI regulations aren’t legally binding. However just because the PCI isn’t law there are still steep consequences for security violations. Companies can be fined and penalized for non-compliance by banks. Essentially card providers penalize the merchant’s bank if the merchant doesn’t comply, and the bank will then attempt to pass the charges on to the offending company.
The cost of non-compliance can range from $5,000 to $100,000 each month until the inadequacies are addressed. Those who consistently fail to comply may have their ability to accept cards revoked.
12 Step Plan for PCI Compliance
To ensure that you comply with the PCI DSS, there are 12 general requirements you need to meet.
1. Install and Maintain a Firewall to Protect Customer Data
One of the first things you need to do when working towards PCI compliance is to install a reliable firewall to protect cardholder data. A firewall is used to manage incoming and outgoing network traffic and block bad actors from interacting with the network. The type of traffic accepted by the router is controlled through a list of rules.
It is important to note that you must document all firewall policies and procedures. You must also periodically review(every six months) firewall configurations to make sure there are no vulnerabilities.
To comply with the maintenance requirement you should actively test your defenses with penetration tests and run regular vulnerability scans to make sure there aren’t any glaring holes in your setup. Doing so will not only benefit your PCI compliance but will also serve to protect your wider network as well.
Relate reading: Network Firewall Software
2. Don’t Use Vendor-Supplied Default Passwords
The PCI DSS states that you must protect devices with unique passwords rather than those that have been assigned by the vendor. The official requirements state that the password must have at least seven characters with a mixture of numbers and letters, be different from previous passwords, and be updated every 90 days.
The guidelines on what happens if a user can’t access the account are also very strict. If users fail to use a valid password in six attempts then they should be locked out. Once locked out of the account, it must stay locked for at least 30 minutes. More generally you’ll want to select a password with a mixture of symbols, upper and lower case letters, and numbers to provide the best protection to match current best practices.
Relater reading: Network Password Managers
3. Protect Stored Cardholder Data
The instructions for protecting stored cardholder data are complex but only apply to enterprises that store cardholder data. Under PCI standards you should only store cardholder data if it’s critical for meeting the needs of the business. If you do have a good reason to store credit card data then you need to take measures to protect that data from falling into the hands of fraudsters and unauthorized individuals.
Security measures you should implement to protect cardholder data include password policies, authentication protocols, and controlling access to resources like servers or storage cabinets.
4. Encrypt all Transmission of Cardholder Data
Cardholder data must be protected whether it’s in storage or in transit. Any enterprise that sends customer data through an open network needs to encrypt it so that it can not be read by fraudsters and unauthorized individuals. Under the PCI DSS, an open network can be the Internet, wireless technologies including Bluetooth and 802.11, Global System for Mobile Communications, General Packet Radio Service, and satellite communications.
To protect the data in transit you can use IEEE 802.11i and WPA2. However, you cannot use WEP as a security measure. Once again, you need to be documenting the security policies and procedures you have in place to protect cardholder data in transit.
5. Use and Update Anti-Virus Software (Regularly!)
To keep your devices from being compromised the PCI expects you to be using anti-virus software. Installing an antivirus system on your devices is a best practice anyway because it helps prevent malicious software like viruses and malware from corrupting your data.
Any system that can be infected by malware should be protected by an antivirus product. Once you have installed an antivirus system you are responsible for keeping it updated. This includes updating the actual software and additional signatures. You must also regularly scan the devices to make sure that they haven’t been compromised.
6. Develop and Maintain Secure Systems and Applications
The sixth requirement of PCI dictates that enterprises must develop and maintain secure systems and applications. More specifically, any application that stores, processes, or transmits cardholder data needs to be secured.
The regulations state that the enterprise must be able to identify security vulnerabilities with a monitoring product from a reliable source, protect services from known vulnerabilities with security patches, train any developers in secure coding techniques so they can avoid vulnerabilities, and document all associated processes.
One thing to keep in mind is that any software tool you use to support your processes can be a liability if it’s not secured. If you’re using an application with a poor track record in patching vulnerabilities then you should consider changing to another application; otherwise, you will leave yourself open.
7. Restrict Access to Cardholder Data
Securing cardholder data is as much about limiting employee access to confidential information as deploying antivirus or vulnerability scanning software. The golden rule of thumb for this requirement is that access to systems and cardholder data should be limited to those who “need to know.” You can deny access to all users by default and then only give access rights when they are required. The moment an employee doesn’t need to access data you can remove the right.
A good way to control access to data is by assigning a unique ID and access privileges to the necessary individuals. Once again you will need to document your security policies and the means you’re using to restrict access to cardholder data. The documentation should specify which users can access which system or data.
8. Track and Monitor User Access
Monitoring user access and authentication is just as important as controlling physical access to data. By having a paper trail of user access you can make sure that no one is accessing data they shouldn’t be. Each individual should have a unique ID and password that they use to access confidential data. You can use these IDs to monitor who accessed sensitive information, what action was taken, and when.
You must also have additional security measures in place such as locking out user IDs after six failed attempts to access a device and requiring re-authentication if a session has been idle for over 15 minutes. Authentication credentials must also be encrypted during transmission so they can not be compromised by an attacker. There is also a requirement to deactivate or delete inactive user accounts within 90 days.
9. Restrict Physical Access to Cardholder Data
The PCI specifically states that you must also restrict physical access to cardholder data. Everything, from documentation of cardholder data, servers, and other hardware must be protected against unauthorized access. You need to have entry controls to areas where cardholder data is stored and assign users unique user IDs so that you can monitor their activity.
If you have visitors coming into your enterprise you need to record them on a visitor log (you must maintain this for at least 3 months after the visitor has left). Visitors should also be given a physical token with an expiration date to distinguish them from full-time employees.
10. Track and Monitor Access to Cardholder Data
Monitoring access to cardholder data is necessary to make sure that there is no unauthorized access or interactions that you need to be aware of. The most reliable way to monitor access is with a monitoring platform. Use a monitoring tool that allows you to view resources such as log files and system traces to detect data breaches.
Many monitoring tools have an alerts system that will automatically send you a notification when the network has been breached. The core requirement of this section is that you need to “establish a process for linking all access to system components to each individual user.” In other words, you need to have the oversight to pinpoint who logged into what system at what time.
11. Test Security Systems and Processes
The 11th requirement specifies that enterprises should regularly test security systems and processes for vulnerabilities. You can test through the use of vulnerability scans, intrusion detection software, and penetration tests. You want to make sure that your environment is evolving to address the latest threats.
You will have to make sure that all systems have been scanned in the last 90 days, and that no systems have exploitable vulnerabilities or detected intrusion activity. To stay compliant you need to regularly scan active systems weekly or monthly to ensure that your network is secure.
12. Maintain a Policy That Addresses Information Security
The final step is to implement and maintain a security policy that you use to enforce the other protections you have established. Your employees, customers, and other relevant third parties should be aware of your policy. Employees should know why it’s important to secure customer data and that you’re going to monitor their access to information. Customers should be aware that you take the protection of their data seriously.
The security policy should be presented as a written document that sets clear guidelines for staff to follow. When employees read the document they should be able to understand exactly what they need to do to be PCI compliant. Awareness will be your first line of defense against threats like malware.
PCI Compliance: Just Good Practice
Protecting the credit card data of your customers is far more than just an exercise in regulatory compliance; it’s good practice. Compliance is an opportunity to show your customers that you care about their privacy and are serious about protecting their information from fraudsters. You will also indirectly reap the reward of enhanced network security through running antivirus platforms and regular vulnerability scans.
Ensuring PCI compliance is absolutely essential given the prevalence of fraud and cybercrime. By highlighting your commitment to cybersecurity, you signal to customers you are a company that they can trust. From there on, it is on you to maintain the protection of that data. The confidence of consumers is hard to gain but easy to lose.