The PCI DSS (Payment Card Industry Data Security Standard) is a security standard developed and maintained by the PCI Council. The purpose of PCI DSS compliance is to help secure and protect the entire payment card ecosystem. From secure firewalls to better passwords, adhering to this standard will keep your business safer, the hackers at bay, and your customers happy.
For businesses, ensuring your organization meets all 12 requirements will not only keep you compliant, but it will help keep your organization safe. Data breaches and data theft are very common, and they happen more often each day. They negatively impact every party in the payment chain in different ways, from retailers to consumers to banks, so the need for PCI compliance has never been greater.
INFOGRAPHIC: A Quick Look at PCI DSS Compliance
No matter where you are in your PCI DSS compliance journey, you'll need a reference to help you get headed in the right direction. Use this article as a jumping off point to address all the requirements of the PCI DSS. To get started, let’s answer the most important question: what are the 12 requirements?
Before diving into each of the PCI requirements, you’ll also want to find which SAQ (Self-Assessment Questionnaire) applies to your business. While most requirements will stay the same, there are some differences in the work you’ll need to do based on your SAQ.
PCI REQUIREMENT 1: Install and Maintain Network Security Controls
PCI REQUIREMENT 2: Apply Secure Configurations to All System Components
PCI REQUIREMENT 3: Protect Stored Account Data
PCI REQUIREMENT 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
PCI REQUIREMENT 5: Protect All Systems and Networks from Malicious Software
PCI REQUIREMENT 6: Develop and Maintain Secure Systems and Software
PCI REQUIREMENT 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
PCI REQUIREMENT 8: Identify Users and Authenticate Access to System Components
PCI REQUIREMENT 9: Restrict Physical Access to Cardholder Data
PCI REQUIREMENT 10: Log and Monitor All Access to System Components and Cardholder Data
PCI REQUIREMENT 11: Test Security of Systems and Networks Regularly
PCI REQUIREMENT 12: Support Information Security with Organizational Policies and Programs
The first of the PCI DSS requirements is to protect your system with firewalls. Properly configured firewalls protect your card data environment. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
It’s important to install both perimeter and personal firewalls. Both provide a first line of defense for your network. Perimeter (or hardware) firewalls are the more robust security option. They can protect an entire network and segment its internal areas. Perimeter firewalls are typically more expensive, take time to properly configure, and need to be maintained and reviewed regularly.
Personal (or software) firewalls, on the other hand, are cheaper and easier to maintain. They’re designed to protect a single host from internal threats; typically they’re used to safeguard employees’ mobile devices, which can move in and out of the secure environment. If an employee clicks on a link in a phishing email, a software firewall should prevent malware infection.
See also: Compliance with PCI Requirement 1: Basics of Managing Your Firewall
While it’s essential to establish up-to-date security systems and services for your business, that’s only half the requirement.
When putting new secure measures in place, don’t keep vendor-supplied defaults around. Out-of-the-box devices, such as routers or POS systems, come with factory settings like default usernames and passwords. Defaults make device installation and support easier, but they also mean that every model originates with the same username and password. Default passwords are simple to guess, and most are even published on the Internet.
The problem is that third parties sometimes install hardware or software and leave merchants unaware that their entire system is protected by an easy-to-find and easy-to-crack password. Vendors might also purposely leave weak or default passwords to make service easier. But, that’s like leaving your front door unlocked just to make life more convenient.
Fulfilling requirement 2 involves inventorying and then properly configuring all security settings on all systems and devices. Assign someone to compile and review this information.
See also: PCI Requirement 2: How to Get Compliant
The key point of these 12 requirements is to protect and secure stored cardholder data and prevent data breaches. For requirement 3, encrypting all stored card data with industry-accepted algorithms (e.g., AES-256) is a must. The problem is that many merchants don’t know they store unencrypted primary account numbers (PAN).
Not only must card data be encrypted, the encryption keys themselves must also be protected. For example, using a solid PCI DSS encryption key management process will keep you from storing the key in the “lock” itself.
To fulfill this requirement, create and document a current cardholder data (CHD) flow diagram for all card data flows in your organization. A CHD flow diagram is a graphical representation of how card data moves through an organization (see adjacent example). As you define your environment, it’s important to ask all organizations and departments if they receive cardholder information, and then document how their answers may change card data flows.
You should regularly run a data discovery tool like PANscan or PIIscan. These tools help identify the location of unencrypted PAN and other sensitive information, so you can securely delete or encrypt it.
See also: PCI Requirement 3: What You Need to be Compliant
For requirement 4, you’ll need to know where you send cardholder data. Here are common places where primary account numbers (PAN) are sent:
You then need to make sure all sensitive data is encrypted and have security policies in place when you transmit this cardholder data over open, public networks.
A note about SSL and early TLS web encryption: Based on vulnerabilities in web encryption, the PCI Security Standards Council has released a policy stating that you need to transition from SSL and early TLS to secure versions of TLS.
See also: PCI Requirement 4: Securing Your Networks
Protecting your systems from cyber threats is one of the most important things you can do for your organization and a good anti-malware and anti-virus setup can make all the difference.
Anti-malware software needs to be installed on all systems commonly affected by malware. Make sure anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.
And be sure you or your POS vendor is regularly running your software’s anti-virus scans.
You should also keep up-to-date on current and existing malware threats. Using outside sources, such as vendor/anti-virus threat feeds, merchants can learn about emerging malware and attacks on systems. Then you can configure systems to alert and report on suspicious activity, such as new files added to known malware directories or unauthorized access attempts.
Even as malware evolves and changes daily, you can be prepared.
See also: PCI Requirement 5: Protecting Your System with Anti-Virus
Applications need regular fixes, patches, and updates to function properly, which is why manufacturers frequently release updates to patch security holes and ensure everything is running smoothly.
These patch updates can also be time sensitive. Once a hacker knows they can get through a security hole, they pass that knowledge on to the hacker community, which will then exploit the weakness until the patch has been applied.
Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:
Be vigilant and consistently update the software associated with your system. Requirement 6 states that merchants must “install critical patches within a month of release” to maintain compliance. Don’t forget to update critical software installations like credit card payment applications and mobile devices. To stay updated, ask your software vendors to put you on their patch/upgrade notification list.
See also: PCI Requirement 6: Updating Your Systems
To fulfill requirement 7, establish a role-based access control (RBAC) system, which grants access to card data and systems on a need-to-know basis. Configure administrator and user accounts to prevent exposure of sensitive data to those who don’t need that information.
PCI DSS requires a defined and up-to-date list of the roles (employees) with access to the card data environment. On this list, you should include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform normal business responsibilities. Authorized users must fit into one of the roles you outline.
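A role list only helps if someone compares it against what accounts can actually do. The following is an added example (not from the article) of that comparison: each account's granted resources and privilege level are checked against its defined role, and anything outside the role, or any undefined role, becomes a finding. The role definitions and the exported access list are constructed.

```python
# Constructed role definitions: the data resources and the highest privilege each role needs.
ROLES = {
    "cashier":    {"resources": {"pos_terminal"},           "max_privilege": "user"},
    "pos_admin":  {"resources": {"pos_terminal", "pos_db"}, "max_privilege": "admin"},
    "accountant": {"resources": {"settlement_reports"},     "max_privilege": "user"},
}
PRIVILEGE_RANK = {"none": 0, "user": 1, "admin": 2}

# Constructed access list, as it might be exported from an identity or directory system.
USERS = [
    {"id": "alice", "role": "cashier",    "privilege": "user",  "resources": {"pos_terminal"}},
    {"id": "bob",   "role": "cashier",    "privilege": "admin", "resources": {"pos_terminal", "pos_db"}},
    {"id": "carol", "role": "contractor", "privilege": "user",  "resources": {"settlement_reports"}},
    {"id": "dave",  "role": "accountant", "privilege": "user",  "resources": {"settlement_reports"}},
]


def review_access(users, roles):
    """Return (user_id, finding) pairs for every account whose access exceeds its role."""
    findings = []
    for u in users:
        role = roles.get(u["role"])
        if role is None:
            # Every authorized user must fit one of the defined roles.
            findings.append((u["id"], f"role '{u['role']}' is not a defined role"))
            continue
        extra = u["resources"] - role["resources"]
        if extra:
            findings.append((u["id"], f"access to {sorted(extra)} is not needed by role '{u['role']}'"))
        if PRIVILEGE_RANK[u["privilege"]] > PRIVILEGE_RANK[role["max_privilege"]]:
            findings.append((u["id"], f"privilege '{u['privilege']}' exceeds role maximum '{role['max_privilege']}'"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_access(USERS, ROLES):
        print(f"{user_id}: {finding}")
```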
See also: Keep Employees on a Need-to-Know Basis: A Look at Requirement 7
According to PCI DSS requirement 8, user IDs and passwords need to be sufficiently complex and unique. You should not use group or shared passwords.
However, your system security should not be based solely on the complexity of a single password. No password should be considered “uncrackable,” which is why all non-console administrative access (remote access) to in-scope systems requires multi-factor authentication.
See also: Combatting Weak Passwords and Usernames
Employees often think physical security only applies after work hours. However, most data thefts (e.g., social engineering attacks) occur in the middle of the day, when staff is often too busy with their various assignments to notice someone walking out of the office with a server, company laptop, phone, etc.
You are not allowed to store sensitive information like payment card data out in the open where it can be easily accessed. For example, many hotels keep binders full of credit card numbers behind the front desk, or piled on the fax machine, for easy reservation access. Unfortunately, this collection of files not only makes life easier for employees but gives criminals easy access to this information.
See also: Employee Security Training Tips: Social Engineering
Requirement 9 states that you must physically limit access to areas with cardholder data, as well as document the following:
You will also need to implement automated lockout/timeout controls on workstations, periodically inspect all devices, and most importantly—train your staff regularly about physical security, policies and procedures, and social engineering.
It’s also important to train your employees to be skeptical in regard to security around the office. Asking for identification if they don’t recognize someone or calling out something suspicious is always a good practice. Safe is better than sorry.
See also: PCI DSS Requirement 9: Upping Your Physical Security
Keeping track of who accessed sensitive data, when they did, and what they did with that data may seem small, but we’ve found that in past years, non-compliance with requirement 10 was the most common contributor to data breaches.
Logs are only useful if they are reviewed.
System event logs are recorded tidbits of information regarding actions taken on computer systems like firewalls, office computers, or printers. To fulfill requirement 10, you must review logs at least daily to search for errors, anomalies, and suspicious activities that deviate from the norm. You’re also required to have a process in place to respond to these anomalies and exceptions.
Log monitoring systems, like Security Information and Event Management (SIEM) tools, can help you oversee network activity, inspect system events, alert on suspicious activity, and store user actions that occur inside your systems.
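The daily review above has to look for specific patterns rather than read every line. As an added example (not from the article or any SIEM product), the function below runs three such checks over constructed key=value log lines: a burst of failed logins, a successful login following recent failures, and a read of the cardholder data table outside business hours. The log format, hostnames, users and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines; the key=value format and all values are made up for this example.
LOG = """\
2024-05-02T02:58:10 host=pos-db-01 user=bob event=login result=failure src=10.0.5.20
2024-05-02T02:58:19 host=pos-db-01 user=bob event=login result=failure src=10.0.5.20
2024-05-02T02:58:27 host=pos-db-01 user=bob event=login result=failure src=10.0.5.20
2024-05-02T02:58:35 host=pos-db-01 user=bob event=login result=failure src=10.0.5.20
2024-05-02T02:58:41 host=pos-db-01 user=bob event=login result=success src=10.0.5.20
2024-05-02T03:01:02 host=pos-db-01 user=bob event=query table=card_data rows=52000
2024-05-02T09:15:44 host=pos-db-01 user=alice event=login result=success src=10.0.5.31
2024-05-02T09:16:10 host=pos-db-01 user=alice event=query table=card_data rows=3
"""

FAILURE_THRESHOLD = 3               # failed logins that trigger an alert ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59; reads of card data outside this are flagged


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_logs(text):
    """Return alert strings for the patterns a daily log review should flag."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for rec in (parse_line(l) for l in text.splitlines() if l.strip()):
        user, ts = rec["user"], rec["ts"]
        is_login = rec.get("event") == "login"
        if is_login and rec.get("result") == "failure":
            failures[user] = [t for t in failures[user] if ts - t <= FAILURE_WINDOW] + [ts]
            if len(failures[user]) == FAILURE_THRESHOLD:
                alerts.append(f"{user}: {FAILURE_THRESHOLD} failed logins within {FAILURE_WINDOW} on {rec['host']}")
        elif is_login and rec.get("result") == "success" and failures[user]:
            alerts.append(f"{user}: successful login after {len(failures[user])} recent failures")
        if rec.get("table") == "card_data" and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{user}: cardholder data table read outside business hours at {ts.time()}")
    return alerts


if __name__ == "__main__":
    for alert in review_logs(LOG):
        print(alert)
```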
See also: PCI-DSS Requirement 10: Logging and Log Management
Even if you’ve completed all of the previous requirements, the 11th requirement is in place to make sure that everything is running smoothly and protecting you properly.
Your data could be left vulnerable due to defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces. Yes, fulfilling requirement 6 (installing security updates and patches) can help correct many of these defects and vulnerabilities before attackers have the opportunity to leverage them. But in order to be sure you’ve successfully patched these vulnerabilities, you need to be able to find them and test them by performing regular vulnerability scanning and penetration testing.
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the CDE (cardholder data environment) are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.
A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). Basically, these analysts attempt to break into your company’s network.
Requirements for frequency and type of penetration test will vary depending on your SAQ, business size, environment, systems, etc.
See also: PCI Requirement 11: Vulnerability Scans and Penetration Tests
The final requirement for PCI compliance is to keep documentation, policies, procedures, and evidence relating to your company’s security practices.
If you perform a PCI audit, you’ll quickly realize there’s a big emphasis on your documented security policies and procedures. During an assessment, QSAs will typically verify that specific requirements are defined in company policies and procedures. Then, they’ll follow predefined testing procedures to verify that those controls are implemented in accordance with the PCI Data Security Standard and with written company policies.
You will need to include the following information in your documentation:
The second part of requirement 12 is to perform an annual, formal risk assessment that identifies critical assets, threats, and vulnerabilities. This requirement will help you identify, prioritize, and manage your information security risks.
See also: PCI DSS Requirement 12: Leverage Policy to Improve Security
The process of reaching PCI DSS Compliance takes time and can seem like an overwhelming list of demands, but it’s ultimately what will make the difference between a failed cyber-attack on your business and a cyber-attack that sinks your business.
Take your time to do things correctly and thoroughly. Even if it takes longer, you’ll save yourself time, money, and frustration.
PCI guides, checklists, and templates from experts like SecurityMetrics will help you and your IT teams complete day-to-day tasks associated with each requirement, and security professionals can advise you on more complicated issues.
If you have questions about PCI Audits or other security services, contact us here.