If you accept credit or debit cards from customers, you need to be PCI DSS compliant as part of your security posture. But what does that mean? PCI DSS stands for Payment Card Industry Data Security Standard, a data standard for businesses that deal with credit cards. This standard is overseen by the PCI DSS council.
Meeting the PCI DSS requirements is not always easy, but it's well worth the effort in order to keep your customers' data safe. In this post, we'll take a look at the goals and requirements of PCI DSS compliance and how you can achieve them.
PCI DSS Compliance Process
There are three core steps involved in the compliance process: assessment, remediation and reporting.
Step 1: Assessment
In order to become PCI DSS compliant, your business must first assess the security risks it poses to cardholder data. This involves evaluating your systems and processes to identify any potential vulnerabilities that could be exploited by hackers.
The assessment should cover the flow of cardholder data from the start to the end of a transaction, across all devices, including PCs, laptops and mobile phones. The PCI DSS council provides a number of self-assessment tools suited to different categories of businesses. It also has a Qualified Assessor program through which independent experts can help you with the assessment.
Step 2: Remediation
The remediation phase is the process of fixing any security vulnerabilities that have been identified in the assessment phase. This can involve anything from installing new software to tightening up security procedures.
It's important to remember that the remediation phase is not a one-time event. You need to continually assess your systems and address any new vulnerabilities that are identified. Otherwise, you run the risk of being non-compliant and facing penalties from your payment processor.
Remediation actions include:
- Reviewing and fixing vulnerabilities found
- Categorizing and prioritizing the vulnerabilities
- Shifting to safe processes
- Re-scanning to guarantee that vulnerabilities have actually been remedied
Step 3: Reporting
Once you've completed the assessment and remediation phases, it's time to report your findings to your acquiring bank as well as the payment card brands that you work with. All service providers and merchants are required to provide quarterly scans to PCI SSC approved scanning vendors. Large-volume transaction operators are required to have an on-site assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA), whereas small businesses are allowed to perform a self-assessment and provide an attestation of the same. This is an important final step, as it proves that remediation efforts have been successful and that your systems are now PCI compliant.
You'll need to provide a detailed report documenting the results of your assessments and outlining the steps you've taken to remedy any vulnerabilities. Be sure to include supporting evidence, such as screenshots of scan reports or copies of updated policies and procedures.
Once everything is in order, they'll issue a PCI DSS compliance certificate declaring your organization compliant with the standard.
Six PCI DSS compliance goals
The goal of PCI DSS is to protect customer data by meeting a series of security requirements for businesses that process payments.
There are six core goals and 12 core requirements for PCI DSS compliance. In the next section, we look at the six goals plus the matching requirements for each goal.
Goal 1: To build and maintain a secure network
The first goal of PCI DSS compliance is to build and maintain a secure network. This includes ensuring that all systems and devices are properly secured, and that all data is encrypted. Before the internet banking era, network security mainly entailed securing your systems against physical access by criminals. But the digital age now adds another broad angle that includes securing the PIN entry points and the complex computer networks that are used to execute transactions.
This goal focuses on implementing robust network security controls to deter criminal activity, which is quite rampant in the card payments industry.
Requirements for goal 1
1. Installation and maintenance of a firewall to protect cardholder data
To fulfill goal one of PCI DSS compliance, you're required to install and maintain a firewall configuration to protect cardholder data. A firewall is a security program that helps protect your computer and cardholder data from unauthorized access. It blocks communication between untrusted networks and your computer, which can help prevent hackers from stealing data.
Here are a few tips for using a firewall to protect your cardholder data:
- Make sure your firewall is turned on and set to block all unauthorized access.
- Only allow authorized traffic through your firewall.
- Regularly check your firewall's logs to make sure no unauthorized traffic has been trying to get through.
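One way to do the log check from the last tip, as an added example that is not part of the original post. The subnet for the cardholder data environment (CDE), the allowlisted sources, the `FW-DROP`/`FW-ACCEPT` log prefixes and the log lines themselves are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: the CDE subnet, the allowlisted sources,
# and the "FW-DROP"/"FW-ACCEPT" prefixes written by the firewall's log rules.
CDE_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]  # payment app servers

# Constructed sample lines in the style of Linux netfilter LOG output.
SAMPLE_LOG = """\
Mar  3 02:11:07 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=10.20.0.15 PROTO=TCP SPT=51123 DPT=1433
Mar  3 02:11:09 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=10.20.0.15 PROTO=TCP SPT=51124 DPT=3389
Mar  3 02:12:30 fw kernel: FW-ACCEPT IN=eth2 OUT=eth1 SRC=10.10.5.4 DST=10.20.0.15 PROTO=TCP SPT=40022 DPT=1433
Mar  3 02:14:02 fw kernel: FW-ACCEPT IN=eth3 OUT=eth1 SRC=10.30.7.9 DST=10.20.0.15 PROTO=TCP SPT=40100 DPT=1433
Mar  3 02:15:45 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.20.0.22 PROTO=TCP SPT=33001 DPT=22
"""

LINE_RE = re.compile(
    r"(?P<action>FW-DROP|FW-ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def review_firewall_log(text):
    """Return (drops per source toward the CDE, accepted flows from non-allowlisted sources)."""
    drops, unexpected = Counter(), []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall decision line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in CDE_NET:
            continue  # only traffic aimed at the CDE matters here
        if m["action"] == "FW-DROP":
            drops[str(src)] += 1
        elif not any(src in net for net in ALLOWED_SOURCES):
            # The rule set let this through although the source is not authorized.
            unexpected.append((str(src), str(dst), int(m["dpt"])))
    return drops, unexpected

if __name__ == "__main__":
    drops, unexpected = review_firewall_log(SAMPLE_LOG)
    print("blocked attempts per source:", dict(drops))
    print("accepted but not allowlisted:", unexpected)
```

Blocked attempts show who is probing; an accepted flow from a source outside the allowlist points to a rule that is too permissive and needs fixing.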
2. Avoid using vendor-supplied defaults for system passwords
Changing vendor-supplied defaults for system passwords might sound obvious. But all too often, companies leave these defaults in place, which can pose a serious security risk to your cardholder data.
Why is this such a big deal? Well, imagine that a hacker gains access to your credit card processing software by guessing the default password. They would then have free rein to steal sensitive data or even sabotage your business.
Set strong passwords for each user role, and change them regularly. A strong password is one that is at least 8 characters long, contains a mix of upper and lowercase letters, numbers, and special characters, and is not something that can be easily guessed.
Goal 2: To protect cardholder data
Cardholder data includes any information that can be used to identify a cardholder, such as their name, account number, or expiration date.
This data is stored on the magnetic stripe of payment cards, and businesses that accept card payments must take steps to protect it.
Requirements for goal 2
3. Protect stored data
You are highly discouraged from storing sensitive data such as authentication information, especially after the authentication process is complete. If this data falls into the wrong hands, it can be used to fraudulently gain access to systems or accounts. It can also be used to create fake identities, which can be very damaging to your business.
4. Encrypt transmission of cardholder data across open, public networks
When data is encrypted, it's converted into an unreadable format that can only be accessed with a special key. This makes it much more difficult for hackers to get their hands on sensitive information.
There are a few ways to encrypt data transmission. One popular method is called Transport Layer Security (TLS). TLS creates a secure connection between two systems, allowing for the safe transfer of information. It's important to note that TLS is not the only form of encryption, but it is one of the most common and most reliable.
If you're looking to secure your cardholder data, it's important to invest in a TLS encryption solution. Doing so will help you stay compliant with PCI DSS requirements and keep your customers' data safe and secure.
Goal 3: To maintain a vulnerability management program
Vulnerability management involves identifying potential security risks and vulnerabilities, and taking steps to address them.
There are a number of steps you can take to maintain a successful vulnerability management program. The first is to develop and implement a comprehensive set of vulnerability management criteria that covers all aspects of your environment. You should also establish an incident response plan and ensure that your staff is properly equipped. In addition, you need to regularly scan your systems for vulnerabilities and actively manage any identified flaws.
There are three levels of vulnerability risk: low, medium, and high. Low-risk vulnerabilities are those that pose a minimal threat and can be addressed through general security measures. Medium-risk vulnerabilities are more serious, but can still be addressed through standard security measures. High-risk vulnerabilities are those that could lead to a data breach and must be addressed immediately.
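The three risk levels above and the remediation actions from Step 2 (prioritizing, then re-scanning to confirm the fix) can be tied together as follows. This is an added example, not part of the original post; the hosts, check identifiers and scan results are constructed placeholders.

```python
from dataclasses import dataclass

# The three risk levels named in the text, most urgent first.
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Finding:
    host: str        # scanned system
    check_id: str    # scanner's identifier for the issue (hypothetical values below)
    risk: str        # "low", "medium" or "high"

def remediation_queue(findings):
    """Order findings so high-risk items are fixed first; ties sort by host."""
    return sorted(findings, key=lambda f: (RISK_ORDER[f.risk], f.host, f.check_id))

def verify_rescan(before, after):
    """Compare two scans and report what was fixed, what is still open, what is new."""
    key = lambda f: (f.host, f.check_id)
    old, new = {key(f): f for f in before}, {key(f): f for f in after}
    return {
        "fixed": sorted(old.keys() - new.keys()),
        "still_open": remediation_queue(new[k] for k in old.keys() & new.keys()),
        "new": remediation_queue(new[k] for k in new.keys() - old.keys()),
    }

# Constructed scan results (hosts and check ids are placeholders).
FIRST_SCAN = [
    Finding("pos-01", "weak-tls-config", "medium"),
    Finding("db-01", "default-admin-password", "high"),
    Finding("web-01", "banner-disclosure", "low"),
    Finding("web-01", "missing-os-patch", "high"),
]
RESCAN = [
    Finding("web-01", "missing-os-patch", "high"),   # fix did not take
    Finding("web-01", "banner-disclosure", "low"),
    Finding("pos-02", "weak-tls-config", "medium"),  # newly deployed terminal
]

if __name__ == "__main__":
    for f in remediation_queue(FIRST_SCAN):
        print(f.risk, f.host, f.check_id)
    print(verify_rescan(FIRST_SCAN, RESCAN))
```

The re-scan comparison is what turns "we applied the fix" into evidence: anything under `still_open` or `new` goes back into the queue before you report.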
Requirements for goal 3
5. Use and regularly update anti-virus software
Antivirus software is essential to protecting your business and customers from the threat of cybercrime.
Select an antivirus program that is up-to-date with the latest threats, and make sure to schedule regular updates so you can stay ahead of any new vulnerabilities.
6. Develop and maintain secure systems/applications
This means making sure that your software is up-to-date and properly patched, and that your employees are trained in security best practices.
It's also important to have a system in place for identifying and responding to vulnerabilities, investigating them, and implementing corrective actions.
If you're not sure where to start, consider working with cyber security companies to help you develop a comprehensive security plan for your business.
Goal 4: To implement strong access control measures
This means establishing tight restrictions on who has access to sensitive data. Only authorized personnel should have access to sensitive data and systems.
There are a variety of ways to achieve this, but one of the most effective is using strong passwords and identification procedures. Employees should be required to create unique passwords, and change them regularly. In addition, access should be restricted to specific areas and devices, and logs should be kept of all access attempts.
This is an important security measure, as it helps to protect cardholder data from being compromised. By limiting access to only those who need it, you can ensure that customer data is always kept safe.
Requirements for goal 4
7. Restrict access to cardholder data by business need-to-know
You need to make sure that only employees who need access to this sensitive information have access to it. This can be done by creating user roles and assigning permissions accordingly.
For example, you may want to create a role for employees who need to process payments, and give them access to the relevant cardholder data. But you may want to restrict access for other employees, like HR or accounting, who don't need this information to do their jobs.
8. Assign a unique ID to everyone with access to devices
Assigning unique IDs ensures that only authorized users can access your systems and data. You can create user IDs yourself, or use a third-party tool like Microsoft Active Directory.
In order to comply with this requirement, you'll need to decide what type of authentication is best for your organization. Common methods include passwords, passphrases, PINs, and tokens. Whatever you choose, make sure it is strong and impossible to guess.
9. Restrict physical access to cardholder data
When it comes to protecting your customers' credit card data, one of the most important things you can do is restrict physical access to it. This means keeping cardholder data in a secure location where only authorized personnel can access it.
Here are some tips for restricting physical access to cardholder data:
- Limit the number of people who have access to the physical data locations
- Ensure that only authorized personnel have access to the data
- Use secure storage facilities that are protected from unauthorized access
Goal 5: To regularly monitor and test networks
The purpose of monitoring and testing is to identify and prevent any potential network security threats that could put customer data at risk. By regularly testing your systems for threats and vulnerabilities, you can help protect your customers and your business from malicious activity.
An effective way to monitor your network is by using penetration testing tools. These tools simulate a real-world attack on your network in order to find any weak points that could be exploited.
Requirements for goal 5
10. Track and monitor all access to network resources and cardholder data
You need to keep a record of who is accessing your systems and what they're doing. You also need to have a system in place that alerts you if any unauthorized access is detected.
There are a number of ways to track and monitor access, but the most effective is by using security information and event management (SIEM) software. SIEM software collects and monitors data from security devices like firewalls, intrusion detection systems, and antivirus software. It then analyzes this data to identify any suspicious activity, helping you to quickly address any security threats.
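The kind of rule a SIEM applies to access records, combined with the need-to-know roles from requirement 7 and the unique user IDs from requirement 8, shown as an added example that is not part of the original post. The role model, resource names, alert threshold and events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed role model following the text: payment staff need cardholder data,
# HR and accounting do not. Role and resource names are hypothetical.
ROLE_PERMISSIONS = {
    "payments": {"cardholder_data", "order_system"},
    "hr": {"hr_records"},
    "accounting": {"ledger", "order_system"},
}
FAILED_LOGIN_THRESHOLD = 3  # assumed: alert on the third consecutive failure

# Constructed access events: (timestamp, unique user ID, role, action, resource)
EVENTS = [
    ("2024-03-03T09:00:01", "u1001", "payments", "read", "cardholder_data"),
    ("2024-03-03T09:02:10", "u2040", "hr", "read", "cardholder_data"),
    ("2024-03-03T09:05:00", "u3300", "accounting", "login_failed", "order_system"),
    ("2024-03-03T09:05:04", "u3300", "accounting", "login_failed", "order_system"),
    ("2024-03-03T09:05:09", "u3300", "accounting", "login_failed", "order_system"),
    ("2024-03-03T09:07:30", "u3300", "accounting", "export", "cardholder_data"),
    ("2024-03-03T09:08:00", "u1001", "payments", "read", "order_system"),
]

def is_allowed(role, resource):
    """Need-to-know check: unknown roles get no access at all."""
    return resource in ROLE_PERMISSIONS.get(role, set())

def detect(events):
    """Return alerts as (timestamp, user ID, reason), in event order."""
    alerts, failures = [], defaultdict(int)
    for ts, user, role, action, resource in events:
        if action == "login_failed":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append((ts, user, "repeated failed logins"))
            continue
        failures[user] = 0  # any other event ends the failure streak
        if not is_allowed(role, resource):
            alerts.append((ts, user, f"{role} role used {action} on {resource}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Because every event carries a unique user ID, each alert points at one person rather than a shared account, which is what makes the record usable in an investigation.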
11. Regularly test security systems and processes
This means testing your firewalls, intrusion detection systems, and other security measures to ensure that they are working properly and protecting your data. You should also test your employees' knowledge of security policies and procedures to make sure they are properly trained in how to protect your company's cardholder data.
Keep these items in mind when testing:
- Test all systems that are connected to the cardholder data environment
- Use a variety of methods, including manual testing and automated tools
- Report your findings as per your organization's security policy guidelines
Goal 6: To maintain an information security policy
A comprehensive information security policy should include security measures for all aspects of your business, from the data you collect to the way you store and transmit it. By implementing these measures, you can help protect your cardholder information from being compromised or stolen.
Here are a few tips to help keep your information security policy up to scratch and ensure that your business stays compliant with PCI DSS standards:
- Review and update your security policy regularly, at least every 6 months.
- Train your staff on the security policy and ensure that they understand and follow it.
- Get the policy audited by reputable bodies to ensure it captures all important policy frameworks.
Requirements for goal 6
12. Maintain a policy that addresses information security for all personnel
The key phrase here is “all personnel”. Your security policy needs to be not only robust but also one that caters to all personnel within your organization. This policy should address how cardholder data is protected, both in terms of physical security and cybersecurity.
One of the most important things you can do is have an effective incident response plan in place. This plan should spell out exactly how you will handle a data breach or other security incidents, including who will be responsible for notifying card brands, restoring data backups, and informing the public.
Make sure you have a process in place for dealing with customer complaints and inquiries, and that your team is familiar with the relevant reporting requirements in your area.
PCI DSS Compliance FAQ
Who needs to be PCI DSS compliant?
If you process, store or transmit cardholder data, then you need to be PCI DSS compliant. This includes businesses of all sizes, from big corporations to small mom-and-pop shops. Even if you don't currently accept cards but plan to in the future, you still need to be PCI DSS compliant. And if you're ever unsure whether or not your business needs to be PCI DSS compliant, it's always best to err on the side of caution and make sure your systems are fully compliant.
Why is PCI DSS compliance important?
PCI DSS compliance is important because it protects your customers' financial data. When you become PCI DSS compliant, you're demonstrating that you take cardholder data security seriously and are doing everything possible to protect your customers' information. This builds trust and confidence, which can result in increased sales and better customer loyalty.
What are the penalties for non-compliance with PCI?
If your business isn't PCI DSS compliant, you could suffer some serious penalties. Fines can start at $5,000 per month for non-compliance, and go up from there. You could also face legal action if a data breach occurs, and could even be shut down permanently. Clearly, it's in your best interest to make sure your business is PCI DSS compliant if it is operating in this industry.