As the acronym would suggest, the Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards for the payment card industry, which is maintained by the PCI Security Standards Council (PCI SSC). There are 12 core requirements for any complete PCI DSS checklist, which we have simplified into 9 steps you need to take.
Need for PCI Compliance
PCI DSS was first introduced in 2006. With the advent of Internet services, companies moved their payment processing systems online, connecting to one another wirelessly, physically and virtually. Meanwhile, consumers grew comfortable using credit cards to make purchases both online and offline. The PCI Security Standards essentially ensure that all merchants can safely store, process, accept or transmit cardholder data during a transaction.
PCI standards apply to:
- Card Readers
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
What level of PCI applies to you?
PCI Compliance comes in four different levels based on the number of credit card transactions you have per year.
| Merchant Level | Applicable to |
|---|---|
| PCI Compliance Level 1 | Sellers that process over 6 million Visa or MasterCard transactions per year |
| PCI Compliance Level 2 | Sellers that process 1 million to 6 million Visa or MasterCard transactions per year |
| PCI Compliance Level 3 | Sellers that process 20,000 to 1 million Visa or MasterCard transactions per year |
| PCI Compliance Level 4 | Sellers that process fewer than 20,000 Visa or MasterCard transactions per year |
Consequences of Non-Compliance
- Lost confidence which forces customers to go to other merchants
- Diminished sales
- Fraud losses
- Fines and penalties
- Lost jobs
- Going out of business
- Legal costs, settlements, and judgments
Checklist for PCI Compliance
1. Install and maintain a firewall
- Properly configure your firewall and routers to protect your payment card data.
- Establish rules and standards for your firewall and routers to determine the type of network traffic that is permissible.
2. Implement a strong password policy
- Passwords must have a minimum length of seven characters.
- Passwords must contain both numbers and alphabetic characters.
- Users must change their passwords at least every 90 days.
- Passwords must be unique to each user, and changed after the first use.
- New passwords must be different from the previous four passwords.
- Accounts must be locked when a user enters the wrong password after six attempts.
- Once a user is locked out of their account, they must remain locked out for a minimum of 30 minutes or until a system administrator resets the account.
- Vendor-supplied default passwords/settings for all servers, devices and applications must be changed.
- Passwords must be encrypted, both at rest and in transit.
NOTE: Once PCI DSS v4.0 comes into effect, covered entities may be required to use multi-factor authentication for all accounts that have access to cardholder data.
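As an added example (not part of the original checklist), the following Python models the step 2 rules as an enforceable account policy: minimum length and character mix, a four-deep password history, a 90-day maximum age, a forced change on first use, and a six-attempt lockout lasting 30 minutes. The salted PBKDF2 storage scheme, the `Account` class and the rule wording are assumptions of this example, not part of the standard's text.

```python
import hashlib, os
from datetime import datetime, timedelta
# Policy constants taken from the checklist above
MIN_LENGTH = 7                   # at least seven characters
HISTORY_DEPTH = 4                # must differ from the last four passwords used
MAX_AGE = timedelta(days=90)     # change at least every 90 days
MAX_FAILURES = 6                 # lock the account after six wrong attempts
LOCKOUT = timedelta(minutes=30)  # stay locked for 30 minutes

COMPLEXITY_RULES = [
    (lambda p: len(p) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
    (lambda p: any(c.isdigit() for c in p), "no numeric character"),
    (lambda p: any(c.isalpha() for c in p), "no alphabetic character"),
]

def hash_password(password, salt=None):
    # Salted PBKDF2-SHA256 (assumed scheme): the stored form is a hash, never the clear text.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    # One user's credential state: hash history, password age, failure counter and lockout.
    def __init__(self, first_password, now):
        self.history, self.set_time = [hash_password(first_password)], now
        self.failures, self.locked_until = 0, None
        self.must_change = True  # the initial password must be changed on first use

    def change_password(self, new_password, now):
        # Returns the list of violated rules; an empty list means the change was accepted.
        problems = [msg for ok, msg in COMPLEXITY_RULES if not ok(new_password)]
        if any(hash_password(new_password, s)[1] == d for s, d in self.history):
            problems.append("reuses one of the last four passwords")
        if not problems:
            self.history = (self.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
            self.set_time, self.must_change = now, False
        return problems

    def login(self, password, now):
        if self.locked_until and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if hash_password(password, salt)[1] != digest:
            self.failures += 1
            if self.failures >= MAX_FAILURES:  # sixth wrong attempt starts the lockout
                self.failures, self.locked_until = 0, now + LOCKOUT
                return "locked"
            return "denied"
        self.failures, self.locked_until = 0, None
        stale = now - self.set_time >= MAX_AGE
        return "change_required" if self.must_change or stale else "ok"
```

The 30-minute lockout expires on its own here; an administrator reset would simply clear `locked_until` and `failures` earlier.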
3. Protect stored cardholder data
- Use a data discovery and classification tool to ensure that you know exactly what cardholder data you store, and where it is located.
- Determine where the data came from and where it will go, e.g. a merchant, payment gateway, or payment processor.
- Determine who should have access to it and keep track of how cardholder data is accessed and used.
- Determine how long the cardholder data should be retained.
- Encrypt all cardholder data, both at rest and in transit.
- Redact card numbers so that only the first six or last four digits are shown.
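The following Python is an added example (not from the original article or any vendor product) covering the discovery and redaction points above: it locates candidate card numbers in free text, uses the Luhn check digit to separate real PANs from other long digit runs, and masks each one to its first six and last four digits. The sample record and the test card numbers are constructed for illustration.

```python
import re

def luhn_valid(digits):
    # Luhn check-digit test: real card numbers pass it, most other digit runs do not.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 if n < 5 else n * 2 - 9
        total += n
    return total % 10 == 0

def mask_pan(pan, keep_first=6, keep_last=4):
    # Show only the first six and last four digits, the maximum the checklist allows.
    digits = re.sub(r"\D", "", pan)
    hidden = "*" * (len(digits) - keep_first - keep_last)
    return digits[:keep_first] + hidden + digits[-keep_last:]

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def find_pans(text):
    # Return (raw, masked) pairs for every Luhn-valid card number found in text.
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append((m.group(), mask_pan(digits)))
    return found

def redact(text):
    # Replace every detected PAN in text with its masked form.
    for raw, masked in find_pans(text):
        text = text.replace(raw, masked)
    return text

# Constructed sample record: two industry test card numbers plus a non-card 16-digit reference
SAMPLE_RECORD = ("Order 18827 paid with 4111 1111 1111 1111 (exp 12/26); "
                 "ref 1234567890123456; backup card 5555555555554444.")

if __name__ == "__main__":
    print(redact(SAMPLE_RECORD))
```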
4. Maintain secure systems and applications
- Keep your antivirus software up-to-date.
- Ensure that your anti-virus software generates logs which can be scrutinized for anomalies.
- Ensure that all software applications are patched in a timely manner, which should include any point-of-sale devices, operating systems and database engines.
- Consider using an automated patch management solution.
5. Restrict access to cardholder data
- Ensure that access to cardholder data is restricted based on a need-to-know basis.
- Ensure that your access controls have been clearly documented, and that you have protocols in place to grant and revoke access on a time-limited basis.
- Ensure that you have the necessary physical security measures in place to protect cardholder data, which includes locks, alarms, ID badges, CCTV cameras, and so on. Recordings and access logs must be kept for a minimum of 90 days.
- Ensure that you have adequate measures in place to distinguish between employees and visitors.
- All portable drives and devices that store, or have access to cardholder data, must be physically guarded and destroyed when they are no longer relevant.
6. Assign a unique ID to each person with computer access
- Ensure that each user has their own unique ID, or in other words, a unique username and password.
- Make sure that users never share login credentials.
- Use multi-factor authentication where possible.
7. Monitor access to network resources and cardholder data
- All relevant network resources and cardholder data must be continuously monitored.
- Ensure that you have an immutable record of all relevant activity that takes place on your network. This record must be retained, time-synchronized, and maintained for at least one year.
- Leverage the best technologies available to monitor network activity, which may include Firewalls, IPS, DLP and SIEM solutions.
- Use a DCAP/UBA solution to monitor access to cardholder data, which will give you insights into who is accessing the data, when, why, how and from where.
- Ensure that all relevant activity is presented in an intuitive format via a centralized dashboard. The displayed information must be sortable and searchable.
8. Test security systems and processes
- Schedule activities such as penetration testing and vulnerability scanning, at least annually.
- Conduct periodic wireless analyzer scanning on a quarterly basis to identify unauthorized access points.
- Use a PCI Approved Scanning Vendor (ASV) to scan external IPs and domains. This should also include quarterly internal vulnerability scans.
- You will also need to thoroughly test any applications that consume cardholder data for vulnerabilities.
9. Develop documentation and conduct risk assessments
- Develop a comprehensive set of company-wide information security policies and risk assessments.
- Ensure that your policies/assessments cover employees, managers, business associates, vendors, etc.
- Conduct an annual review of your policies.
- Make sure that all relevant stakeholders are aware of these policies, and have been trained to comply with them.
- Have well-documented on-boarding procedures. Since you are handling cardholder data, you must be extra vigilant when it comes to carrying out background checks on potential employees.
Issues with Native Auditing for PCI Compliance
For a payment card merchant or a service provider, meeting PCI compliance is mandatory. Your systems already provide native auditing features for the server components that store critical data. However, native auditing has numerous drawbacks: it can be noisy, time-consuming and complex. Native auditing also fails to support change management, since privileged users can accidentally or intentionally delete native logs in your Active Directory, File Server or other IT components.
How Can Lepide Help You with PCI DSS Compliance?
The Lepide Data Security Platform provides in-depth auditing of your cardholder data, as well as detailed reports that are customized to meet the requirements of PCI DSS. The Lepide Data Security Platform will aggregate event data from multiple platforms, including the most popular cloud platforms, and display a summary of important events via a centralized dashboard.
This will help you determine who is accessing your data, as well as determine who should have access to your data.
The Lepide Data Security Platform can deliver real-time alerts on changes made to any data that falls under PCI DSS, which might include access to or changes of payments data, as well as changes to the permissions of user accounts that have access to payments data. You can also audit computers that store payments data, to ensure that any changes are authorized and the data is secure.