The Payment Card Industry Data Security Standard (PCI DSS) is required by the contract for those handling cardholder data, whether you are a start-up or a global enterprise. Your business must always be compliant, and your compliance must be validated annually. It is generally mandated by credit card companies and discussed in credit card network agreements.
The PCI Standards Council (SSC) is responsible for the development of the standards for PCI compliance. Its purpose is to help secure and protect the entire payment card ecosystem. These standards apply for merchants, service providers processing credit/debit card payment transactions.
What Is PCI Compliance?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. PCI standards for compliance are developed and managed by the PCI Security Standards Council.
The 12 requirements of PCI DSS
The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.
The 12 requirements of PCI DSS are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Before getting into PCI DSS requirements, you will also want to find out how to define PCI DSS scope. It is crucial to reduce the PCI DSS audit scope because it will help reduce your compliance costs, operations costs, and risk associated with interacting with payment card data.
PCI DSS 12 requirements are a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data
This first requirement ensures that service providers and merchants maintain a secure network through the proper configuration of a firewall as well as routers if applicable. Properly configured firewalls protect your card data environment. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
Firewalls provide the first line of protection for your network. Organizations should establish firewalls and router standards, which allow for a standardized process for allowing or denying access rules to the network. Configuration rules should be reviewed bi-annually and ensure that there are no insecure access rules which can allow access to the card data environment.
PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
It focuses on hardening your organization’s systems such as servers, network devices, applications, firewalls, wireless access points, etc. Most of the operating systems and devices come with factory default setting such as usernames, passwords, and other insecure configuration parameters. These default usernames and passwords are simple to guess, and most are even published on the Internet.
Such default passwords and other security parameters are not permissible per this requirement. This requirement also asks to maintain an inventory of all the systems, configuration/hardening procedures. These procedures need to be followed every time a new system is introduced in the IT infrastructure.
PCI DSS Requirement 3: Protect stored cardholder data
This is THE most important requirement of the PCI standard. According to requirement 3, you must first know all the data you are going to store along with its location and retention period. All such cardholder data must be either encrypted using industry-accepted algorithms (e.g., AES-256, RSA 2048), truncated, tokenized or hashed (e.g. SHA 256, PBKDF2). Along with card data encryption, this requirement also talks about a strong PCI DSS encryption key management process.
Many times service providers or merchants don’t know they store unencrypted primary account numbers (PAN) and therefore running a tool like card data discovery becomes important. You would note that common locations where card data is found are log files, databases, spreadsheets, etc. This requirement also includes rules for how primary account numbers should be displayed, such as revealing only the first six and last four digits.
PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
Similar to requirement 3, in this requirement, you must secure the card data when it is transmitted over an open or public network (e.g. Internet, 802.11, Bluetooth, GSM, CDMA, GPRS). You must know where you are going to send/receive the card data to/from. Majorly, the card data is transmitted to the payment gateway, processor, etc. for processing transactions.
Cybercriminals can potentially access cardholder data when it’s transmitted across public networks. Encrypting cardholder data prior to transmitting using a secure version of transmission protocols such as TLS, SSH, etc. can limit the likelihood of such data getting compromised.
PCI DSS Requirement 5: Use and regularly update anti-virus software or programs
This requirement focuses on protection against all types of malware that can affect systems. All systems including the workstations, laptops, and mobile devices that employees may use to access the system both locally and remotely must have an anti-virus solution deployed on them. You need to ensure that anti-virus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.
Ensure that anti-virus mechanisms are always active, using the latest signatures, and generating auditable logs.
PCI DSS Requirement 6: Develop and maintain secure systems and applications
It is important to define and implement a process that allows to identify and classify the risk of security vulnerabilities in the PCI DSS environment through reliable external sources. Organizations must limit the potential for exploits by deploying critical patches in a timely manner. Patch all systems in the card data environment, including:
- Operating systems
- Firewalls, Routers, Switches
- Application software
- POS terminals
Apart from this, it requires you to define and implement a development process that includes security requirements in all phases of development.
Need help with PCI DSS implementation? Our QSAs can help out.
PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
To implement strong access control measures, service providers and merchants must be able to allow or deny access to cardholder data systems. This requirement is all about role-based access control (RBAC), which grants access to card data and systems on a need-to-know basis.
Need to know is a fundamental concept within PCI DSS. Access control system (e.g. Active Directory, LDAP) must assess each request to prevent exposure of sensitive data to those who do not need this information. You must have documented list of all the users with their roles who need to access card data environment. This list must contain, each role, definition of role, current privilege level, expected privilege level and data resources for each user to perform operations on card data.
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
According to requirement 8, you should not use shared/group user and passwords. Every authorized user must have a unique identifier and passwords must be adequately complex. This ensures that whenever someone accesses cardholder data, that activity can be traced to a known user and accountability can be maintained. For all non-console administrative access (remote access), two-factor authorization is required.
PCI DSS Requirement 9: Restrict physical access to cardholder data
This requirement focuses on the protection of physical access to systems with cardholder data. Without physical access controls, unauthorized persons could gain access to the installation to steal, disable, interrupt, or destroy critical systems and the cardholder data.
It requires use of video cameras/electronic access control to monitor entry and exit doors of physical locations such as data centre. The recordings or access logs of personnel movement should be retailed for minimum 90 days. You need to implement an access process that allows distinguishing between authorized visitors and employees. All removable or portable media containing the cardholder data must be physically protected. It is necessary to destroy all media when the business no longer needs.
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
The vulnerabilities in physical and wireless networks make it easier for cyber criminals to steal card data. This requirement requires that all the systems must have correct audit policy set and send the logs to centralized syslog server. These logs must be reviewed at least daily to look for anomalies, and suspicious activities.
Security Information and Event Monitoring tools (SIEM), can help you log system and network activities, monitor logs and alert of suspicious activity. PCI DSS also requires that audit trail records must meet a certain standard in terms of the information contained. Time synchronization is required. Audit data must be secured, and such data must be maintained for a period no shorter than a year.
PCI DSS Requirement 11: Regularly test security systems and processes
Vulnerabilities are being discovered continually by malicious individuals and researchers Therefore, all systems and processes must be tested on a frequent basis to ensure that security is maintained.
Following periodic activities are required:
- Wireless analyser scan to detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
- All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.
- Internal vulnerability scan must be conducted at least quarterly.
- All external IPs and domains must go through exhaustive Application penetration test and Network penetration test at least yearly or after any significant change.
File monitoring is a necessity, too. The system should perform file comparisons each week to detect changes that may have otherwise gone unnoticed.
PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel
This final requirement of PCI compliance and it is dedicated to the core PCI DSS goal of implementing and maintaining an information security policy for all employees and other relevant parties. The information security policy must be at least a yearly reviewed and disseminated to all the employees, vendors/contractors. Users must read the policy and acknowledge.
This requirement also requires you to perform:
- An annual, formal risk assessment that identifies critical assets, threats, and vulnerabilities.
- User awareness training
- Employee background checks
- Incident management
All these requirements are reviewed by QSA and verified that they are adequately implemented.
PCI DSS compliance is not easy—even for companies with the best of intentions. Although it is a difficult standard to maintain, the benefits are worth it. Despite the difficulties, companies should strive to comply with PCI DSS, because failure to comply can have significant consequences.