As with so many things in life, planning is best done by following a list. Last month we covered the checklist required for ISO 27001 certification, and this month we’re turning our attention to PCI DSS. While the specifics of how to become compliant may vary, the basic premise of both standards is actually quite similar. As I will outline below, there are 12 PCI DSS requirements to consider.
As most merchants will already be aware, the Payment Card Industry Data Security Standard (PCI DSS) is a standard mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC) in order to help secure and protect payment card information.
The standard holds businesses accountable for their data protection, providing clear guidelines that must be followed in order to gain compliance.
Data theft and data breaches are, unfortunately, extremely common across all industries. The impact of a breach can be devastating for all parties involved, so the need for PCI compliance has never been greater.
The following provides a brief description of what each of the requirements covers.
Properly configured firewalls protect your card data storage environment, restricting incoming and outgoing network traffic through rules created by your organisation.
When investing in out-of-the-box items like software that provides security service or POS systems, be sure to update default usernames and passwords to something unique to your business.
Stored card data must be encrypted using industry-accepted algorithms. What’s more, the encryption keys themselves must also be protected, which requires a full understanding of how data moves through your organisation.
Understand where you send your cardholder data – processors, backup servers, third parties, outsourced management systems and corporate offices are among the most common options. You’ll then need to protect and encrypt across the transmission process.
Anti-virus software needs to be installed on all systems that could be affected by malware. Be sure to keep your software updated too.
Patch all critical components in the card flow transmission journey, including internet browsers, firewalls, application software, databases, POS terminals and operating systems. Ensure that a robust, industry-standard Software Development Life Cycle (SDLC) is in place.
For this step, you’ll need to ensure that critical data can only be accessed by authorised users. Role-based access control (RBAC) can assist with this, as each required role within the organisation can be assigned the most appropriate privileges. This grants access to card data and systems on a need-to-know basis, limiting the exposure of sensitive data to those with the authority to access it.
User IDs and passwords should be sufficiently complex. But, even more importantly, they need to be unique. Shared or group passwords put your data at unnecessary risk. Apply complexity rules to passwords so that they are strong and not easily guessed.
Physically limit access to areas where cardholder data is accepted over the phone or where cardholder data is held. It’s a good idea to document who has access to secure environments and why, as well as to create a list of authorised device users, locations and applications where cardholder data is processed.
You must review logs of activity at least daily in order to find errors, anomalies and suspicious activities. You’ll also need a response in place for these anomalies. A log monitoring system such as a SIEM (security information and event management) platform can help you oversee network activity in your business.
Note: In 2017, SecurityMetrics found that failing to comply with this step was the most common contributor to data breaches.
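As an added illustration of what a daily log review can catch (this is example code, not part of the article or any vendor product), the script below runs simple checks over constructed access log lines from a cardholder data environment: repeated failed logins, PAN reads by accounts outside the authorised role list, out-of-hours PAN reads, and use of vendor default account names. The log format, the role table, the thresholds and the business-hours window are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T02:13:05Z host=pos-01 user=svc_backup action=login result=fail src=10.0.5.7
2024-05-01T02:13:09Z host=pos-01 user=svc_backup action=login result=fail src=10.0.5.7
2024-05-01T02:13:14Z host=pos-01 user=svc_backup action=login result=fail src=10.0.5.7
2024-05-01T02:13:20Z host=pos-01 user=svc_backup action=login result=fail src=10.0.5.7
2024-05-01T09:02:11Z host=db-01 user=alice action=read_pan result=ok src=10.0.1.20
2024-05-01T09:40:44Z host=db-01 user=bob action=read_pan result=ok src=10.0.1.31
2024-05-01T23:58:02Z host=db-01 user=alice action=read_pan result=ok src=10.0.1.20
2024-05-01T10:15:00Z host=db-01 user=admin action=login result=ok src=10.0.1.40
"""

PAN_READERS = {"alice"}               # assumed RBAC table: accounts allowed to read PAN
DEFAULT_ACCOUNTS = {"admin", "root"}  # vendor default names that should have been changed
FAILED_LOGIN_THRESHOLD = 4            # assumed alerting threshold per user/source pair
BUSINESS_HOURS = range(8, 19)         # assumed window: 08:00-18:59 UTC

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def review(log_text):
    """Return the findings an analyst should follow up on during the daily review."""
    findings, failed = [], Counter()
    for e in parse(log_text):
        hour = int(e["ts"][11:13])  # hour field of the ISO 8601 timestamp
        if e["action"] == "login" and e["result"] == "fail":
            failed[(e["user"], e["src"])] += 1
        if e["action"] == "read_pan" and e["user"] not in PAN_READERS:
            findings.append(f"unauthorised PAN read by {e['user']} on {e['host']} at {e['ts']}")
        elif e["action"] == "read_pan" and hour not in BUSINESS_HOURS:
            findings.append(f"out-of-hours PAN read by {e['user']} on {e['host']} at {e['ts']}")
        if e["action"] == "login" and e["result"] == "ok" and e["user"] in DEFAULT_ACCOUNTS:
            findings.append(f"default account {e['user']} used on {e['host']} at {e['ts']}")
    for (user, src), n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins for {user} from {src}")
    return findings
```

Each finding should map to a documented response, which is the other half of this requirement.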
These are measures which aim to identify vulnerable areas in your security before an incident takes place. Penetration testing mimics the actions of a hacker in order to find out the easiest way to access your data, allowing you to act proactively rather than reactively.
The final requirement for PCI compliance involves keeping a record of documentation, policies, procedures, and evidence relating to your business’s security. This includes employee manuals, policies and procedures, third-party agreements, and incident response plans. All such documentation must be maintained and updated as necessary and must always be reviewed on at least an annual basis.
Looking for help to meet the 12 PCI DSS requirements? Our team of experienced information security professionals includes Qualified Security Assessors able to guide you towards quick, efficient compliance. Click here to get in touch with our team and find out how we can help you.
For a full and detailed explanation, please refer to a copy of the latest version of the PCI DSS available at https://www.pcisecuritystandards.org/document_library