Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
This article covers:
- What is PCI DSS?
- How to become PCI compliant? 12 requirements of PCI DSS around functional goals and controls required to achieve the compliance
- How to maintain PCI compliance?
- What are the PCI violations?
If you prefer video format, there is a condensed version here:
What is PCI Compliance?
PCI is an information security standard for organisations that handle credit card transactions. It includes any entity that processes, stores or transmits credit card information.
This standard is mandated by major credit card companies – Visa, Mastercard, and American Express – and administered by Payment Card Industry Security Standards Council (PCI SSC)
Why is PCI compliance important?
Customer data protection and payment information is a priority for businesses today, thanks to PCI guidelines. Cybercriminals have caused billions of dollars in Credit card fraud costs to businesses around the globe. Implementing, maintaining and avoiding fines is an essential step towards offering sensitive information protection to your customers.
Sustainable compliance figures with PCI DSS continue to fall. It is evident from the key findings of Verizon 2020 payment security report:
- Only 27.9% of organisations were able to maintain full PCI DSS compliance.
- 27.5% compliance drop, demonstrating clear downtrend since 2016.
- Only 47.9% changed vendor defaults or had a process for monitoring them.
- Only about two-thirds of all businesses track and monitor system access adequately.
It’s clear from the above facts that lack of following all the controls adds to breaching risk.
Adhering to PCI compliance helps stay compliant with data security and privacy laws such as GDPR (General Data Protection Regulation).
Who needs to be PCI Compliant?
PCI council clearly states that
If you accept or process payment cards, the PCI Data Security Standards apply to you.
How to become PCI Compliant?
To achieve PCI DSS compliance, businesses must implement PCI defined controls focussed on six PCI compliance goals. In total, there are 12 requirements with actionable steps. Once implemented, internal processes must be in place to monitor, test, report and remediate.
12 requirements of PCI DSS
Build and Maintain a Secure Network and Systems
This functional goal stresses the importance of implementing and maintaining secure hardening of devices and systems.
1. Install and maintain a firewall configuration to protect cardholder data
Firewalls are the first line of defence for any external traffic. These devices are used at perimeters of an entire organisation or internally in front of the network’s segmented areas. Regular maintenance is a critical component of a firewall that involves firewall security assessments and change management processes.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Default passwords and settings is a way of saying of providing an open invitation to threat actors. This information is available in vendor manuals, online forums and can be easily guessed. It is essential that vendor-supplied default passwords and settings are removed/disabled/changed before rolling out any systems into the PCI environment.
Protect Cardholder Data
This goal relates to the protection of cardholder data during processing, storage and transmission of data.
3. Protect stored cardholder data
Sensitive data must be encrypted at rest. There are multiple techniques such as encryption, hashing, truncation deployed by businesses to protect cardholder data. As a baseline, don’t store cardholder data. Don’t transmit cardholder data using email, clear-text formats such as text, Docx files.
4. Encrypt transmission of cardholder data across open, public networks
Sensitive data must be encrypted during transit. It includes HTTPS with secure TLS configuration during transmission over open, public networks.
Maintain a Vulnerability Management Program
This functional goal relates to developing and maintaining secure systems and applications in the PCI DSS scope. Usually, this is achieved by vulnerability management/regular penetration tests and secure configuration reviews.
5. Use and regularly update anti-virus software or programs
Protection against malware requires a multi-layered approach, meaning preventing malware delivery, containing the malware infection and reducing the impact. Use of endpoint protection measures such as anti-malware solutions, limiting removable media usage, internet and email traffic inspection are the top picks.
6. Develop and maintain secure systems and applications
Threat actors often exploit weaknesses or vulnerabilities in the systems and applications to achieve privileged access to access or steal sensitive information. Tactical patch management and strict use of secure technical baselines are helpful against the unauthorised access to systems and applications.
Implement Strong Access Control Measures
This functional goal relates to implementing access control measures to prevent data breaches due to insider attack scenarios and relaxed permissions abuse by external and internal parties.
7. Restrict access to cardholder data by business need-to-know
In line with defence in depth, need to know basis permissions management should be in place for all systems and applications within the cardholder data environment (CDE).
8. Assign a unique ID to each person with computer access
Assigning unique identification sets to individual users adds to the accountability of actions establishing an audit trail.
9. Restrict physical access to cardholder data
Use of relevant physical controls to restrict access to the cardholder data environment (CDE).
Regularly Monitor and Test Networks
Frequent monitoring of all access to networks, systems and applications followed by testing security systems is required for continuous risk remediation within the PCI scope.
10. Track and monitor all access to network resources and cardholder data
Insufficient logging and monitoring could lead to disastrous results, especially where evidence or incident response processes are involved. It is vital to ensure relevant event logging, system traces and exception recording to help the incident management process during a data breach or security incident. Correct logging is critical for monitoring teams to ensure the right alerts are generated and avoid false positives due to high log data volumes.
11. Regularly test security systems and processes
The rapid pace of new vulnerabilities being discovered and exploited every week requires ongoing security assessments of the PCI environment to know the risks. Vulnerability scanning and network segmentation penetration tests are included often during regular security tests.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
A security policy is a tool to implement all the expectations from people, processes and technologies in use. Maintaining a security policy would continuously set a good standard on staff awareness of customer data sensitivity. An indirect advantage is a cultural impact leading to positive changes within the corporate environment and day to day computing tasks related to sensitive information.
Discuss your concerns today
What are PCI compliance levels?
Based on the amount of card payments per year, PCI SSC have created four merchant levels:
- Level 1 merchants are ones that process over 6 million card transactions annually.
- Level 2 merchants are ones that process 1 to 6 million transactions annually.
- Level 3 merchants are ones that process 20,000 to 1 million transactions annually.
- Level 4 merchants are ones that process fewer than 20,000 transactions annually.
PCI compliance requirements vary based on your merchant levels.
Level 1 organisations need to undergo an external audit performed by a Qualified Security Assessor or Internal Security Assessor. It consists of an on-site assessment :
- to validate the PCI DSS scope
- review documentation
- Determine if PCI DSS requirements are being met
- Support and guidance throughout the compliance process
- Auditor then submits a Report on Compliance (RoC) to the acquiring banks to demonstrate PCI compliance.
Levels 2-4 organisations must submit SAQ (Self-assessment Questionnaire), and no external audit is necessary. Level 2 organisations are required to submit RoC.
Based on the levels, organisations can validate their PCI compliance via QSA’s or by submitting a Self-assessment Questionnaire (SAQ). Each organisation completes SAQ and submits quarterly reports.
PCI DSS compliance doesn’t stop here. Otherwise, yours too may add to that list of Verizon report facts mentioned earlier. It is the beginning of the implementation of new controls and maintenance of PCI compliant systems and applications.
How to maintain PCI Compliance?
Customer data protected by your business is only protected if it remains protected during the entire lifecycle of a transaction. Otherwise, one bad apple may spoil the bunch.
The following list represents the most often overlooked operating controls that may lead to loss of PCI compliance:
- Internal & External penetration testing and vulnerability scanning
- Firewall security reviews
- Strict adherence to change management processes
- Network Segmentation checks
- Consistent reviews and checks on impact of changes/failures to apply operating controls/security policy
The following controls would help protect the PCI data and ensure your organisations’ compliance is maintained:
- Identify and secure all sensitive data using protection mechanisms such as encryption
- Classify data into different categories based on the policy
- Identify and map permissions for all users, groups, owners
- Identify who has what level of access to what data, perform regular checks on secure information storage practices
- Review access control measures regularly
- Review user and group memberships
- Regular privilege access management reviews
- File integrity monitoring, content filtering to monitor customer data and unauthorised access and transfers
- Logging and monitoring of user, file, software change and access events
- Vulnerability scans, penetration testing and segmentation tests to identify and remediate risks
Once a plan is in place, execution is defined and conducted promptly, and compliance maintenance becomes second nature. It would also add easy adherence to other data security and privacy laws.
PCI Compliance violations
As per the PCI Compliance blog, PCI fines are not published and are passed to acquiring banks charged from $5000 to $100,000 per month until merchants achieve the PCI compliance. This fine may put a small business out of work though it’s a small amount compared to big enterprises’ revenues.
Adherence to compliance is not a tick in the box, but more of doing it at the concept level, ensuring a proactive approach and compliance maintenance.