PCI Compliance

Install and maintain a firewall configuration to protect cardholder data

The first requirement is to protect systems with firewalls. Firewalls refer to devices controlling computer traffic. They examine traffic between the organization's network (internal) and an untrusted network (external) to determine what transmissions to block based on the rules and criteria the organization has configured. For a better first line of defense, it would be best to install both software and hardware firewalls.

Do not use vendor-supplied defaults for system passwords and other security parameters

It is important for organizations not to use vendor-supplied default passwords and settings. These include usernames and passwords provided as factory settings. It is easy for malicious parties to access and compromise systems using these default passwords. Organizations should also avoid easy-to-crack or easy-to-find passwords.

When installing a system on your network, make sure you remove all unnecessary default accounts. Conduct an inventory and configure all security settings on your systems.

Protect stored cardholder data

Organizations should encrypt stored cardholder data using an industry-accepted algorithm. Encrypted data will remain unreadable and unusable even if an intruder gains access to them, as long as they do not have the right cryptographic keys. Aside from encryption, organizations should also apply other protection methods like hashing, masking and truncation.

Encrypt transmission of cardholder data across open, public networks

In most cases, primary account numbers (PAN) are sent to backup servers, corporate offices, outsourced systems or infrastructure management. For security purposes, organizations must encrypt sensitive information even during transmission over open and public networks. It is vital to follow industry best practices when it comes to the implementation of encryption for the transmission and authentication of data.

Use and regularly update anti-virus software or programs

Malicious software programs (malware) are the viruses, worms and Trojans that exploit the vulnerabilities of a system. In most cases, malware enters a network during official business activities. It can happen while an employee is sending an email or browsing online. Some are not aware of malware attacks until it is too late. To prevent this, organizations should make sure that their anti-virus software is always up to date on existing malware threats.

Develop and maintain secure systems and applications

Vulnerabilities in security systems can give access to malicious parties and software. While no application is perfect, manufacturers and vendors provide security patches frequently to address security holes. Organizations must install these updates as soon as possible to prevent hackers from getting through a security hole and exploiting vulnerabilities. Among the critical aspects included are application software, databases, firewalls, internet browsers, operating systems and POS terminals.

Restrict access to cardholder data by business need-to-know

Limit access to critical data. Determine authorized personnel for each system and process. Define the roles of employees, what these roles are for, what data resources they should have access to and their privilege level. Doing this will prevent unauthorized access and ensure that users only have access to data necessary to fulfill their roles.

Assign a unique ID to each person with computer access

The eighth PCI DSS requirement states the need for unique user IDs and passwords. Each user should have a unique ID. This way, each person will be accountable for the actions taken using their account. It is also not advisable to use shared passwords. Systems should have a limit on password attempts to protect data at the point of entry, during transmission and even while in storage. Some companies practice multi-factor authentication for added security.

Restrict physical access to cardholder data

Physical access to cardholder data gives unscrupulous individuals an opportunity to access systems and devices. For instance, some merchants may keep printed copies of customer information with payment card numbers. These files can be targeted by malicious parties for identity theft or other fraudulent activities. Limit physical access and keep these files in secure areas. Staff members should know about physical security policies. Implementing timeout controls on workstations and conducting inspections on all devices will also help.

Track and monitor all access to network resources and cardholder data

Logging mechanisms are important to prevent unauthorized access. It is crucial for organizations to track activities and check system event logs. In doing so, it is easier to prevent, detect and minimize the impact of data breaches. Logs can also send alerts when there is something wrong. Additionally, you can use system activity logs to determine what causes a compromise.

Regularly test security systems and processes

System vulnerabilities can come up anytime. They may be due to defects in browsers, web servers, email, operating systems, POS software or server interfaces. Test processes and software regularly to make sure all security controls are working well, even in changing environments. Organizations can get automated vulnerability scans and penetration tests.

Maintain a policy that addresses information security for all personnel

The last requirement organizations need to fulfill for PCI compliance is to have a strong security policy. Company personnel should know their responsibilities for protecting sensitive data. Keep documentation of everything related to the security measures of the company, such as employee manuals, incident response plans, policies, procedures and third-party agreements.

The twelfth requirement also includes annual formal risk assessments. These will identify assets, threats and weaknesses, allowing companies to prioritize and manage risks.

Find out the PCI level of your organization

This will be based on the total number of transactions you processed in a 12-month period. Your PCI level will determine the requirements you need to fulfill to be PCI compliant.

Create a map of systems, connections and data flow

To protect sensitive information, you need to be aware of where it is located and how it moves. Determine the points of transactions, how data is handled within the company and what technologies or systems are involved in the transactions. The company’s IT and security teams should work hand-in-hand for the completion of this step.

Build a secure network and check security protocols

After mapping out data flows and touchpoints, companies need to ensure that the right security protocols and controls are in place. This is where the 12 PCI DSS requirements apply.

Complete an SAQ

The Self-assessment Questionnaire (SAQ) a merchant should use depends on the type of business. SAQs include yes-or-no questions that will help businesses determine whether they meet the PCI DSS requirements. The PCI SSC released guidelines to help merchants figure out which SAQ is applicable.

Submit annual ROC and AOC

To remain PCI compliant, merchants need to submit an Attestation of Compliance (AOC) form every year. This document confirms the result of an assessment based on the SAQ or a compliance report. The Report of Compliance (ROC) for Level 1 merchants should be conducted by a Qualified Security Assessor (QSA). The PCI SSC has a list of QSA companies.

Complete and pass quarterly network scans

It is also crucial for companies to pass their quarterly network scans. These should be conducted by an Approved Scan Vendor (ASV). Merchants can find ASV companies using the PCI SSC website.