With e-commerce ruling the market, the frequency of data breaches has blown up. Vulnerabilities in the card-processing ecosystem have led to compromised point-of-sale devices, e-commerce applications, personal computers, wireless hotspots and beyond.
To combat this trend, a PCI Data Security Standard was created by the PCI Security Council with founding members including American Express, JCB International, MasterCard Worldwide, Visa Inc. and Discover Financial Services.
We have collated here all the requirements of PCI compliance. This checklist will remain applicable for the upcoming PCI DSS 3.2 that will take effect from February 1st 2018.
Need for PCI Compliance
PCI compliance was first introduced in 2006. With the advent of Internet services, companies moved their payment processing systems online, connecting to each other wirelessly, physically and virtually. Meanwhile, consumers grew comfortable using credit cards to make purchases both online and offline. PCI Security Standards essentially ensure all merchants can safely store, process, accept or transmit cardholder data during a transaction.
PCI standards apply to:
- Card Readers
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
What level of PCI applies to you?
PCI Compliance comes in four different levels based on the number of credit card transactions you have per year.
| Merchant Level | Applicable to |
|---|---|
| PCI Compliance Level 1 | Sellers that process over 6 million Visa or MasterCard transactions per year |
| PCI Compliance Level 2 | Sellers that process 1 million to 6 million Visa or MasterCard transactions per year |
| PCI Compliance Level 3 | Sellers that process 20,000 to 1 million Visa or MasterCard transactions per year |
| PCI Compliance Level 4 | Sellers that process fewer than 20,000 Visa or MasterCard transactions per year |
Consequences of non-compliance
- Lost confidence which forces customers to go to other merchants
- Diminished sales
- Fraud losses
- Fines and penalties
- Lost jobs
- Going out of business
- Legal costs, settlements, and judgments
PCI Compliance Checklist
PCI lists 12 specific requirements to protect your customer’s cardholder data:
Requirement 1: Install and maintain a Firewall
To meet PCI requirements, establish firewall configuration standards, formalize testing around changes, and identify all connections that could affect cardholder data. All in all, your firewalls need to deny all traffic from untrusted networks and hosts.
Requirement 2: Avoid using vendor-supplied defaults
When integrating a new system in your network landscape, change the defaults before installation. Encrypt everything and make sure that all software settings address known vulnerabilities and meet industry requirements.
Requirement 3: Protect stored Cardholder data
Never display the Primary Account Number (PAN) unmasked; ensure that it is always masked. Also, avoid storing PAN details in multiple locations.
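An added example (not part of the original checklist) of the masking point above: a redactor that finds card numbers in free text such as log lines or support tickets, confirms each candidate with the Luhn check so order numbers are left alone, and keeps at most the first six and last four digits, the maximum PCI DSS permits on a display. The sample inputs use well-known test card numbers, not real PANs.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; every real PAN passes it, which keeps the redactor from
    masking order numbers or phone numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible;
    spaces and dashes are dropped, anything that is not a valid PAN is rejected."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# Candidate PANs: 13 to 19 digits, optionally grouped by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in the text; return (cleaned text, number masked).
    A Luhn-invalid run of digits is returned unchanged rather than re-split."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        candidate = m.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return candidate

    return PAN_PATTERN.sub(_sub, text), count

if __name__ == "__main__":
    # Constructed sample line: one test Visa number and one 13-digit order number.
    print(redact_pans("card 4111 1111 1111 1111 order 1234567890123 ok"))
```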
Requirement 4: Encrypt transmission of cardholder data
Hide data away from those who shouldn’t have access to it by encrypting transmission of cardholder data.
Requirement 5: Use and regularly update security software
Install security software like antivirus, firewall, antispam or endpoint security on computers and devices, especially personal computers that are prone to malicious attacks. Moreover, make sure all security software is up-to-date, actively used and currently producing logs for auditors.
Requirement 6: Develop and maintain secure Systems and Applications
If you are planning to install a new system, be sure to use PCI best practices from start to finish. Likewise, when making changes, follow the required change-control procedures without fail.
Requirement 7: Restrict access by need-to-know
When a system component has multiple users, make sure each person gets access only to what they need to perform their job, nothing more.
Requirement 8: Assign each person a unique ID
Assigning unique IDs not only keeps intruders away but also lets you track malicious insiders within your organization. Limit access to systems and data based on the minimum information needed to do a job at hand. Always use at least one type of authentication.
Requirement 9: Restrict physical access – Lock it up. Lock it in.
Always ensure that you place the right controls on access to physical information. Maintain a visitor log and make sure all media backups are off-site and protected.
Requirement 10: Track and monitor all access
Consider linking all individual users to one common platform, especially those with administrative privileges. Also, lock down audit trails to prevent tampering with the information they hold.
Requirement 11: Regularly test security systems and processes
You can use a wireless IDS/IPS to identify all wireless devices and determine all Wi-Fi access points. You can also set up a ‘home alarm’ for your cardholder data environment to monitor traffic in and out.
Requirement 12: Maintain a Policy that addresses information security for Employees and Contractors
Write a policy and make sure that everyone reads it. It is advised that you annually review this policy to make sure that it is in line with the cardholder data environment. Assign daily security duties that meet your PCI requirements.
Meeting PCI compliance
Complying with PCI requires you to be quick at spotting rogue administrators or malicious insiders, as they may sell confidential customer data to criminals or dark market service providers. Auditing access to payment card data is essential in ensuring that no unauthorized activities take place. For requirements 1 through 6, using auditing solutions that provide real-time and threshold-based alerts can help detect critical changes and prevent ransomware strains from spreading. Some solutions even allow you to automate script execution upon detection of a specified event.
For requirement 7, however, it is advisable to maintain a policy of least privilege to ensure that users have only the levels of privilege they require to do their job successfully.
For other requirements ranging from 8 to 12, following a regular auditing regime is recommended. Implementing strong access control measures and maintaining a vulnerability management program is essential.
Issues with native auditing
For a payment card merchant or a service provider, meeting PCI compliance is mandatory. Your systems already provide native auditing features for the server components storing critical data. However, native auditing has numerous drawbacks: it is noisy, time-consuming and complex. Native auditing also falls short on ‘change management’, since privileged users can accidentally or intentionally delete native logs in your Active Directory, File Server or other IT components.
LepideAuditor – A better way to stay PCI Compliant
LepideAuditor, an award-winning IT security and auditing solution, can help address your PCI compliance requirements in a quicker and easier way. LepideAuditor:
- Audits payment data access: the solution lets you report on every access made to files, folders and even mailboxes. You also get real-time and threshold alerts on access to critical data or mailboxes, delivered as emails or as push notifications to the LepideAuditor App.
- Lets you ‘protect your cardholder data’ as it keeps track of all changes made to server components and notifies administrators of any critical changes in real-time.
- Maintains a policy of least privilege and tracks all changes in the permissions of Active Directory objects so that you can monitor and build a secure network.
Below is a PCI report that shows deleted files and folders. By accessing this report, you can get answers to the ‘who, what, when and where’ details instantly and take action accordingly.