PCI DSS stands for Payment Card Industry Data Security Standard and it was developed by the PCI Security Standards Council to help decrease internet payment card fraud. Any organization that processes cardholder data must comply with PCI DSS. Compliance validation is performed by a qualified security assessor (QSA), by an internal security assessor (ISA), or by a self-assessment questionnaire (SAQ) for companies with smaller volumes of cardholder data.
PCI DSS compliance is a global standard and while it is not mandated by law in the United States, all states have some variation of regulation surrounding cardholder data and non-compliance, more often than not resulting in hefty fines for the company.
Why is PCI DSS Important?
Compliance with PCI DSS means that you are making appropriate steps to protect cardholder data from cyber-theft and fraudulent use. It has as much impact on your business as it does to your customers, because a cyber-attack can mean a potential loss of revenue, customers, brand reputation and trust.
Data breaches are a regular occurrence for small business who are less equipped to put security measures in place. In the UK for example, an Information Security Breaches Survey 2015 found that 74% of small organisations reported a security breach in the last year.
With that in mind, it’s now more important than ever to take responsibility for your customer’s data and make sure you make the appropriate provisions to keep that data secure.
What Do I Need to Do to Become PCI DSS Compliant?
For organizations who want to become PCI DSS compliant, you first need to understand how payment data is captured, stored and organized. Many companies will be using a fully hosted solution to manage this.
Compliance is measured by the merchant or service provider completing an audit of their cardholder data environment against the standard.
As defined by IT Governance, “The standard requires merchants and member service providers (MSP’s) involved with storing, processing or transmitting cardholder data to:
- Build and maintain a secure IT network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks;
- Maintain an information security policy.”
These are broken down further into 12 requirements that every merchant or MSP must do in order to be compliant.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
Include policies, procedures and processes to keep and dispose of data, ensuring that it is always up-to-date and accurate. Some data should never be stored, such as the contents of the magnetic strip, card verification number or personal identification number. Encryption should be used to keep cardholder data secure.
4. Encrypt transmission of cardholder data across open, public networks.
Examples of this include internet, wireless technologies such as Bluetooth, GPRS and satellite communications.
5. Use and regularly update anti-virus software or programs.
Protect systems against malware and regularly update antivirus programs to mitigate against viruses, worms and Trojans. Antivirus tools should be implemented, maintained and kept running unless absolutely necessary.
6. Develop and maintain secure systems and applications.
This means checking for software updates and keeping software up-to-date at all times to safeguard against latest vulnerabilities.
7. Restrict access to cardholder data by business need-to-know.
Systems and processes need to be put into place for WHO will have access to this data and WHY they need access. Access should only be available to people who need it to perform their role.
8. Assign a unique ID to each person with computer access.
This means making sure you know who is accessing what at any time, so you can always ensure that only people with proper authorization are allowed in specific systems and components. One way to ensure proper authorization is the use of two-factor authentication for increased security, such as use of smart cards, tokens or biometrics.
9. Restrict physical access to cardholder data.
Data loss is also possible through physical security breaches, so proper care should be taken to ensure access to physical records are limited and monitored. Server rooms and data centers should be restricted, media should be destroyed and devices that carry data should be protected from tampering as well as monitored.
10. Track and monitor all access to network resources and cardholder data.
Logging all access is required to detect and minimize the risk of a data breach. Secure and controlled audit trails should be implemented to log all actions from individual users including access to data, privileges, invalid login attempts and changes to authentication mechanisms such as deletion of objects. These logs should all be regularly reviewed.
11. Regularly test security systems and processes.
Penetration testing is an important part of and IT security team’s tools and should be carried out annually, as well as after any significant changes to the network. These include vulnerability scans, network topology and firewall maintenance.
12. Maintain a policy that addresses information security for employees and contractors.
Review it twice annually and update it according to any new risk environment. A risk assessment should be carried out to identify any threats or vulnerabilities, so that the policy and incident response plan can be formed. Once formed, an awareness program must be maintained and implemented to share and update staff of any new security protocol.
What Does this Mean for My Business?
Business who are looking to become PCI DSS compliant should follow this checklist by Tripwire. The PCI Security Standards Council also has a great library of resources.
The requirements of compliance for PCI DSS are general cybersecurity best practices. If you aren’t already familiar with the EU law GDPR coming into effect in May 2018, then you should be aware that this has many of the same best practice guidelines in it. You should be looking to have your network and infrastructure protected no matter what size your business in order to be compliant, but also to protect the most valuable asset you have as a business – your data.
Public Key Infrastructure (PKI) is a great way to manage and control your data. Using PKI, you can give an identity or Digital Certificate to all the internal systems and components in your organization that communicate with each other. These certificates can be used to identify and authenticate users, machines and devices to provide greater access control or privilege-based access, encrypt communications and data transmissions and ensure the integrity of transmitted data.
GlobalSign is a Certificate Authority who issues Digital Certificates for companies of all sizes, with management tools to simplify larger deployments.