PCI, or Payment Card Industry, is a compliance standard developed by an association of the five largest credit card brands to ensure the security of the processing, transmission, and storage of sensitive credit card information. The PCI Data Security Standard (DSS) is not official government legislation (except in a few states like Minnesota, Washington, and Nevada).
PCI DSS applies to all merchants, businesses, and service providers with at least one card transaction and processing a year. The compliance levels depend on the number of transactions and how the merchant treats the sensitive card data.
12 Requirements You Need To Know
Below is a list of the 12 requirements for PCI DSS compliance:
- Installing and maintaining firewalls
- Not keeping default passwords on devices, systems, and other parameters
- Protecting the card data environment (CDE) physically
- Encryption of the cardholders’ data transmission over public and open networks
- Keeping anti-virus software and similar programs up to date
- Keeping other relevant systems, applications, and programs up to date
- NTK (need-to-know) employee profiling and clearance
- Assigning every computer user a unique ID
- Maintaining restrictive access (physically) to cardholder data
- Maintaining logs and monitoring cardholder data and network resource access
- Regular testing of security systems
- Developing policies that address information security and apply to all personnel
We will go over each rule to clarify what these exactly mean.
1. Installing and maintaining firewalls
Firewalls protect the system from unwanted intrusions according to the rules your company defines. Firewalls can be physical hardware, which is very safe but takes up space and costs more. They can also be software installed on your systems to watch for and block unauthorized access to cardholder data.
Even though they are essential, firewalls are only the initial layer of protection for your systems.
Note: All layers of protection have their flaws and weak points, so SSC (Security Standards Council) created PCI requirements that encompass all the necessary security layers to minimize data compromise.
2. Not keeping default passwords on devices, systems, and other parameters
Every device (swipe terminals and the like) and piece of software usually ships with a default, weak, or generic password that is easy to breach, since many of these defaults can be found on the web.
Changing these to strong passwords is a PCI requirement, as is having someone who inventories and manages passwords in your environment. Proper configuration of security systems is a must.
3. Protecting the card data environment (CDE) physically
The physical storage that keeps credit card data has to be physically protected from malicious intent. This also includes encrypting the data with algorithms prescribed by industry standards.
The merchant has to watch out for any unencrypted PANs in the physical storage they manage and either encrypt them or remove (delete) them. Primary Account Numbers may be displayed with only the first six and the last four digits visible.
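A small scanner for the check just described, written here as an added example (not code from the original article): it finds digit strings that look like PANs in plain-text storage, confirms them with the Luhn checksum, and masks them to the first six and last four digits. The log lines are constructed sample input; the test card numbers in them are well-known non-live test values.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines (not real transactions). Order numbers are
# 13 digits long on purpose, to show that length alone is not enough.
SAMPLE_LOG = """\
2024-01-05 10:11:12 order=1234567890123 card=4111 1111 1111 1111 status=approved
2024-01-05 10:12:40 order=1234567890124 card=5500-0000-0000-0004 status=declined
2024-01-05 10:13:01 order=1234567890125 card=tokenized status=approved
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    return [d for d in (re.sub(r"\D", "", m.group(0)) for m in PAN_RE.finditer(text))
            if _is_pan(d)]


def redact_pans(text: str) -> str:
    """Return text with every Luhn-valid PAN masked; other numbers untouched."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG))
```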
4. Encryption of cardholder data transmission over public and open networks
A business has to ensure that any transmission over public and open networks is encrypted to prevent hackers from intercepting the transmission. The unencrypted transmission provides the hacker with all the necessary data for card theft. Secure protocols, like TLS or SSH, decrease the chance of these types of intrusion.
5. Keeping anti-virus software and similar programs up to date
Anti-virus software protects the system from known malware that can compromise sensitive data.
Anti-virus not only keeps the system secure from external threats online, but it can also keep it secure from threats that arrive via employees' phones and other personal devices.
Keeping anti-virus updated and following anti-malware news and blogs will help keep you secure.
6. Keeping other relevant systems, applications, and programs up to date
Updating firewalls, operating systems, application software, POS terminals, databases, and other software provides an additional level of security against software flaws that hackers can exploit.
7. NTK (need-to-know) employee profiling and clearance
This means limiting access to sensitive data to employees on a need-to-know basis. It includes defining a list of roles and granting different levels of access according to those roles.
The list of roles should contain every role, definition, level of privilege, and access to the data.
8. Assigning every computer user a unique ID
Tracking activity by individual makes it easier to detect and control security breaches. Giving each employee who has access to this data their own unique ID and password makes it possible to hold the right person accountable.
9. Maintaining restrictive access (physically) to cardholder data
This means organizing the security of the physical premises and equipment related to cardholders' data. It includes installing video surveillance at entries and exits and preventing unauthorized personnel and intruders from reaching sensitive data.
This also refers to any movable media and requires this portable media to be protected from unauthorized access and theft.
10. Maintaining logs and monitoring cardholder data and network resource access
Systems keep records that summarize their activity. Checking these logs daily and looking for anomalies helps catch any malware that might have snuck into the system.
There are various Security Information and Event Management (SIEM) tools that make this task easier. There are standards for what audit trail records must contain, and time synchronization is also required.
11. Regular testing of security systems
There are periodic tests that are required by PCI DSS to be done on the system to check for its integrity and security level.
A vulnerability scan checks the external IPs and domains that expose the CDE. These scans must be performed by ASVs (Approved Scanning Vendors).
Penetration tests try to breach your system, looking for weak points. Depending on the business's SAQ (Self-Assessment Questionnaire), these tests are done at different intervals.
12. Developing policies that address information security and apply to all personnel
In short, this means educating your employees and developing and maintaining security-related policies. PCI relies heavily on documentation, procedures, policies, and evidence, so these should be prepared. They include:
- Manuals for employees
- Procedures and policies
- Agreements with third-party vendors
- Plans for responding to potential incidents