PCI compliance is necessary for every business storing cardholder’s data, and need to ensure the safety of their customers. Point of Sale (POS) systems need to be secure and leave no space for cardholders’ data frauds and breaches. That means you’ll need to think about information security policy and follow the latest PCI compliance standards.
What Is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is the standard for the security of credit card transactions, that is designed to prevent cardholder data breaches during credit card transactions. That means that every business that works with credit card transactions will have to pass a test and ensure everything works according to the newest standards.
The primary reason why this is so important is security; in a nutshell, customers need to know that it is safe for them to enter credit card info and that nothing can go wrong during the process. The PCI compliance standard was designed by five credit card providers: MasterCard, Visa, Discover, American Express, and JCB.
As a result, failing to comply with PCI standards will not only result in a loss of traffic on the company’s website, but the owner might face penalties of up to $100,000 per month. The primary goal should be a build-out and maintenance of secure network infrastructure to keep the business growing and ensure that customers are satisfied.
12 PCI Compliance Checklist
The PCI Security Standards Council has created a list of requirements that merchants need to follow to ensure the safety of cardholder data across the globe. Here’s the PCI compliance checklist:
Segment 1: Build and Maintain Secure Network
Requirement 1: Install and Maintain a Firewall Configuration To Protect Cardholder Data
The first requirement is to install and maintain firewalls and routers on every device with internet access. Most importantly, the company should install firewalls between any DMZ (demilitarized zones) and an internal network.
A firewall manages any incoming (and outcoming) traffic and blocks potentially problematic or harmful actors that may endanger cardholder data. The company should perform periodic penetration tests (simulated cyberattack) and vulnerability scans to evaluate the security of its systems.
After that, they should consider reviewing both firewall and router configurations at least every six months.
Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
The second requirement is to avoid using default passwords or any other vendor-supplied or default security parameter, setting, or configuration. Also, the business should avoid implementing multiple functions to a single server since it can lead to permission conflicts and security vulnerability.
One of the things a company can do is to appoint a person to act as a system and infosec administrator.
Segment 2: Protect Cardholder Data
Requirement 3: Protect Stored Cardholder Data
The next thing on the agenda is protecting any cardholder data. The company needs to reduce the amount of data it’s storing since it can lower the chances of any fraudulent activity. The only reason to store user data is if it is necessary to meet the business’ needs. In addition, implementing documented data retention or disposal policies should be implemented as well. That way, the company will minimize the amount of data collected, and determine how long it is retained.
If there is a need to store cardholder data, the company needs to ensure that it is unreadable, by encrypting cardholder’s data and protecting private keys.
Cardholder data should be among the top priorities. Ensuring it is inaccessible is crucial.
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
The business needs to always use strong security and cryptography protocols such as SSH, IPSEC, etc.) to safeguard sensitive cardholder data during transmission over open or public networks.
Examples of open, public networks that are in the scope of the PCI DSS include among other Internet, WiFi, Bluetooth, mobile, satellite communication, etc.
Segment 3: Maintain a Vulnerability Management Program
Requirement 5: Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
Everyone knows how important anti-virus software is, and it is the easiest way to protect all systems from malware. Naturally, owning an anti-virus is not enough, and the company needs to have a person in charge of maintenance. That includes ensuring that software is updated to the latest version and that it performs regular tests on your system.
After that, another great safety measure is to limit who can access the program. The best course of action would be to allow admins only to alter or disable the software.
Requirement 6: Develop and Maintain Secure Systems and Applications
A company needs to find a way to stay up to date with the latest problems. The business owners should inform themselves if there are recent breaches in security or something they should worry about. They should make sure that they have installed all possible security patches supplied by the vendor. Moreover, it is essential to document everything, including impact, testing, and back-out procedures.
If the company is developing software or an app in-house, it should use security coding guidelines that are outlined in the DSS. As a result, the best course of action would be to use test networks for all changes and experiments until everyone is sure that they are ready to be implemented on the real ones.
Segment 4: Implement Strong Access Control Measures
Requirement 7: Restrict Access To Cardholder Data by Business Need To Know
Most of the previous steps focus on the potential threat from the outside, like malware or fraudulent activity. However, the business owner needs to ensure that cardholder data is safe from internal threats as well.
One way to achieve that is to create a list of roles that will have access to the cardholder data environment (CDE). That includes the definition of each role, privilege levels, and permissions they have. The default setting should be “deny-all.”
They don’t need to worry about the “what if” scenarios. Even if they have to grant access to CDE, they should do it for a certain period of time. Access control measures can help companies avoid numerous problems in the future.
Requirement 8: Identify and Authenticate Access To System Components
Among the highest priorities is to document and define all necessary procedures for identification and authentication. For example, the simplest way to track and monitor access is by assigning user IDs and test privilege control. If some of the users are inactive or terminated, the administrator should be sure to revoke access to the entire network.
Furthermore, they can always lock out users (or their IDs) after a specific number of failed attempts to access the network. The number of attempts and the timeout period is up to the administrators.
Other ways to include security are two-factor authentication, ensuring that users have strong passwords, and mandatory password reset after a certain time period. As with any other type of password, the users should never use the same one across multiple platforms. If one is compromised, all others will be as well.
Requirement 9: Restrict Physical Access To Cardholder Data
If possible, the admins should restrict physical access to the cardholder data environment. If anyone needs access, they can always create visitor authorization. However, admins should make sure that each visit is identified, monitored, documented, and secure.
The company should have strict policies when it comes to moving physical media within the facility. For instance, if there is a need to move something, it should use tracked couriers, and ensure that there is no way for destroyed media to be reconstructed.
Segment 5: Regularly Monitor and Test Network
Requirement 10: Track and Monitor All Access To Network Resources and Cardholder Data
The business owner needs to know who is using the network and who can access important data. One way to improve your PCI Compliance is to have alerts in case of any suspicious activity and a plan to deal with this type of anomaly.
The primary goal is for each audit to capture user ID, date, time, and type of event. They should keep track of login attempts, changes in accounts, actions made by admins, and similar. As a result, the business owner can easily locate the problem in case of an emergency. Finally, they should ensure that they have disabled any changes to logs and that they are keeping all audits at least one year behind.
Requirement 11: Regularly Test Security Systems and Processes
The only way to keep everything according to standards is to perform regular tests. The company needs to document everything as thoroughly as possible; for example, the tester should run vulnerability tests, both internally and externally, with an approved scanning vendor. A Vulnerability Management Program can be an excellent tool for classifying, remediating, and mitigating vulnerabilities. Likewise, perform regular penetration tests with qualified personnel and a third party.
The business owner should never accept the bare minimum. Just because something might seem enough, it doesn’t mean that it is. Hence, the company’s business should be the number one priority, and it should always do the best it can to prevent any type of mistakes or misuse.
Segment 6: Maintain an Information Security Policy
Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel
The employees need to be aware of the risks and do everything in their power to keep the company and all clients safe. Therefore, the business owner should consider having annual security training for all employees that have access to the CDE.
Moreover, they need to assign roles and have people in charge of documentation, analyses, alerts, and monitoring access to data. As a result, the only way to have maximum security is through cooperation and careful work. It’s always better to be safe than sorry. The last thing anyone needs is to worry if there is something they could have done to prevent the disaster.
We Can Help!
There is a chance that all of this might seem too much and too complex, but we can make everything easier. Nevertheless, here at The Block Box, we are experts in PCI Compliance and know how to improve your security, and we can help you with PCI audits. There is no reason for you to go through all of this alone when we can assist you every step of the way.
If you have any questions, feel free to contact us. We will be delighted to assist you and work with you to improve the safety of your company and clients.