The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards that are designed to ensure that companies who collect and store payment card information (PCI) are able to do so in a secure manner.
Best Practices for PCI Compliance
PCI compliance is not a one-time event, but rather an ongoing process, which must be frequently reviewed and updated. Below are some of the best practices to follow in order to comply with the PCI DSS v4.0 requirements:
Discover and Classify Your PCI
Knowing exactly what payment card information you store and where it is located in a fundamental requirement of PCI-DSS. Naturally, if you don’t know where your data resides, there’s little chance of keeping it secure. Use a dedicated data classification solution that will automatically scan your repositories for PCI and classify it accordingly. Likewise, use a solution that will classify data at the point of creation/modification.
Encrypt PCI at Rest and in Transit
All PCI must be encrypted, both at rest and in transit. Companies should use TLS v1.2 or higher, as SSL and early versions of TLS are no longer considered secure enough. A common approach to encrypting card numbers is to replace them with a random token, which will make them unreadable to unauthorized parties. When dealing with PCI in transit, you might want to consider adopting point-to-point encryption (P2PE) solution, to ensure that the data cannot be intercepted by adversaries. It is good practice to periodically scan your repositories for any PCI that is not encrypted.
Change Default Passwords
Many network devices, including servers, routers, modems, and POS systems, come with default passwords which need to be changed as soon as they are installed. It’s a good idea to keep an up-to-date inventory of all network devices to ensure that you don’t forget to change them. As always, you need to ensure that you have a strong password policy in place.
Restrict Access on a Need-to-Know Basis
In order to comply with PCI-DSS, organizations must ensure that access to cardholder data is only granted to those who really need access to it. They will also need to ensure that any users, roles, and applications that have access to PCI are well documented, continuously monitored, and updated when necessary.
Restrict Physical Access to PCI
When storing PCI on a physical medium such as paper, you must ensure that the documents have been adequately secured. This involves keeping them in a room protected by locks, alarms, CCTV cameras, and so on. Ideally, ID badges should be used to grant employees access to any restricted locations. Even if you are not storing PCI on a physical medium, the above measures should be in place to protect servers, and other devices storing PCI.
Assign a Unique ID to all Users with Access to PCI
All employees who have access to PCI must have a unique ID assigned to them. In other words, they must all have their own unique set of credentials. The use of shared credentials will lead to a loss of accountability, and will thus make it harder (and slower) to determine what happened in the event of a security breach.
Use a Firewall and Anti-Virus Software
From a technological point of view, firewalls and other intrusion prevention solutions are considered to be our first line of defense when it comes to keeping the bad guys out. Additionally, any devices that store PCI (including POS devices) must have the latest anti-virus software installed on them. All software/hardware that has access to PCI must be regularly updated and protected from unauthorized access.
Monitor Access to PCI
It is a mandatory requirement that all organizations continuously monitor access to any payment card data they store. Anytime PCI is accessed, moved, modified, or removed, the administrator will need to check to make sure that the actions performed were authorized. It’s generally a good idea to use an auditing platform that will deliver real-time alerts to your inbox or mobile app, any time changes to PCI are made. Some solutions will also provide pre-defined PCI compliance reports which can be used to demonstrate your compliance efforts to the supervisory authorities.
Regularly Check for Vulnerabilities
Carry out regular scans for security vulnerabilities, and even consider conducting penetration tests, mock phishing attacks, and so on. Any weaknesses must be identified and remediated in a timely manner.
Carry Out Security Awareness Training
Given that employees tend to be the weakest link when it comes to data security, it is crucially important that you carry out security awareness training to ensure that they know how to identify suspicious events, such as social engineering attacks, and other anomalous activities. You will also need to ensure that they understand the PCI-DSS compliance requirements, and are aware of the consequences of failing to comply.
In addition to ensuring that you have an up-to-date inventory of all network devices and applications used to access PCI, you must also document your policies and procedures, including any risk assessments you carry out. Any security incidents that have taken place must also be well documented, even if they seem irrelevant.