Despite the advances in cyber security technology and government initiatives and regulations, attackers will continue to attempt to steal unprotected payment card data. And, far too often, they are successful. Merchants and service providers are greatly concerned about what this means for their business. A lack of trust from customers and clients will hurt the bottom line. So remaining compliant with the latest security standards is important.
One of the most important security standards is PCI DSS, which stands for, “Payment Card Industry Data Security Standard.” According to the PCI Security Standards Council, “PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices.”
The goals of PCI DSS are:
- to build and maintain a secure network
- to protect cardholder data
- to maintain a vulnerability management program
- to implement strong access control measures
- to regularly monitor and test networks
- to maintain an information security policy
Every merchant organization—any organization that processes credit cards or other forms of digital payments—should aim to reach these goals. Some organizations have simple, easy-to-correct vulnerabilities that lead to data breaches. In other instances, organizations with intricate IT defenses and processes are undone by a single employee opening a phishing email.
This whitepaper from SecurityMetrics, along with its accompanying guide, was created specifically to help merchants and service providers address the most problematic issues within the PCI DSS requirements, including auditors' best practices and IT checklists.
This whitepaper summarizes the information included in the 112-page guide. You can read it in one sitting. However, instead of reading the guide from cover to cover, we recommend using it as a resource for your PCI compliance efforts.
Here is what you need to know—the 12 PCI DSS requirements
In order to reach the six goals above, PCI DSS lays out twelve requirements that every compliant organization must meet. Those requirements are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
For example, the first requirement you will learn about is protecting your system with firewalls.
Network firewalls can be software or hardware technologies that provide a first line of defense to a network. Firewalls can restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
HARDWARE FIREWALLS: A hardware firewall (or perimeter firewall) is typically installed at the perimeter of an organization’s network to protect the internal networks from the Internet. Hardware firewalls are also used inside the environment to create isolated network segments separating the card data environment (CDE) from non-CDE systems.
In summary, a properly configured hardware firewall protects environments from the outside world. For example, if an attacker tries to access your network from the Internet, your hardware firewall should block them.
SOFTWARE FIREWALLS: It’s best practice to place a firewall between systems that store cardholder data and all other systems, even internal ones. Software firewalls are used to protect a single host from internal threats, and they matter most on mobile devices that can move outside of the secure corporate environment.
Many devices come with preinstalled software firewalls, but for devices connecting to the cardholder data environment remotely, make sure they have a software firewall installed. For example, if a sales manager accidentally clicks on a phishing email scam, their device’s software firewall should stop the malware from infecting it.
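The two firewall roles just described can be made concrete with a small rule evaluator. The following is an added example in Python, not code from the SecurityMetrics guide: it models a perimeter/segmentation policy that opens only a few explicit paths into the CDE and denies everything else by default (so an Internet source is dropped without needing its own rule), and a host-level egress policy on a laptop that limits what the machine may send out. All subnets, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example: a toy packet filter illustrating the firewall rules discussed above.
# Addresses, segments and ports below are constructed, not taken from any real environment.


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" matches any source
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; traffic that no rule matches is denied (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


# Constructed addressing for the example.
CDE = "10.20.0.0/24"              # card data environment segment
OFFICE = "10.10.0.0/16"           # non-CDE corporate LAN
POS_APP = "10.20.0.10/32"         # internal POS application server used by office staff
CARD_DB = "10.20.0.20/32"         # database holding cardholder data
ADMIN_JUMP = "10.10.5.5/32"       # the one office host allowed to administer the CDE
ANY = "0.0.0.0/0"

# Perimeter / segmentation firewall: only three paths involving the CDE are opened.
# Everything else, the Internet included, falls through to the default deny.
SEGMENTATION_RULES = [
    Rule("allow", ADMIN_JUMP, CDE, "tcp", 22),      # admin SSH from the jump host only
    Rule("allow", OFFICE, POS_APP, "tcp", 443),     # office users reach the POS application
    Rule("allow", POS_APP, CARD_DB, "tcp", 5432),   # app tier to database tier inside the CDE
]

# Host (software) firewall on a sales laptop: outbound traffic is limited to
# internal DNS and HTTPS; anything else the machine tries to send out is dropped.
LAPTOP = "10.10.7.42"
LAPTOP_EGRESS_RULES = [
    Rule("allow", LAPTOP + "/32", "10.10.0.53/32", "udp", 53),  # internal DNS resolver
    Rule("allow", LAPTOP + "/32", ANY, "tcp", 443),             # HTTPS to anywhere
]


def check_segmentation(src: str, dst: str, proto: str, dport: int) -> str:
    return evaluate(SEGMENTATION_RULES, src, dst, proto, dport)


def check_laptop_egress(dst: str, proto: str, dport: int) -> str:
    return evaluate(LAPTOP_EGRESS_RULES, LAPTOP, dst, proto, dport)


def run_scenarios() -> dict:
    """A few constructed flows, returned as {description: decision}."""
    return {
        "internet host -> card DB :5432": check_segmentation("198.51.100.7", "10.20.0.20", "tcp", 5432),
        "internet host -> POS app :443": check_segmentation("198.51.100.7", "10.20.0.10", "tcp", 443),
        "office PC -> POS app :443": check_segmentation("10.10.7.42", "10.20.0.10", "tcp", 443),
        "office PC -> card DB :5432": check_segmentation("10.10.7.42", "10.20.0.20", "tcp", 5432),
        "jump host -> card DB :22": check_segmentation("10.10.5.5", "10.20.0.20", "tcp", 22),
        "laptop -> resolver :53/udp": check_laptop_egress("10.10.0.53", "udp", 53),
        "laptop -> unknown host :4444": check_laptop_egress("203.0.113.9", "tcp", 4444),
    }


if __name__ == "__main__":
    for flow, decision in run_scenarios().items():
        print(f"{decision:5}  {flow}")
```

The point to notice is the default-deny fall-through in `evaluate`: the Internet host and the office PC reaching for the card database are both dropped without any rule naming them, which is the posture the text describes for a properly configured segmentation firewall. The laptop's egress rules show the host-firewall half: an unexpected outbound connection is blocked because only the explicitly listed services are allowed out.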
It is likely that you already have one or more of the requirements above in place. It is also highly likely that your company doesn’t currently meet the majority of these requirements and that the requirements you do meet are due for an upgrade. That’s where the 2018 SecurityMetrics Guide to PCI DSS Compliance comes into play. It is 112 pages long and goes into more detail on each of these requirements, along with the four steps you need to take to make sure your company is prepared for a data breach.
The guide also covers crafting a PCI DSS budget and creating a security culture at your company, as well as recent PCI and cybersecurity trends. Additionally, if you do experience a data breach, this guide can help you establish the best ways to handle it.