If the payment card industry were a state, PCI DSS (Payment Card Industry Data Security Standard) would be the equivalent of its internal security laws and regulations.
The PCI DSS was created and is administered by the Payment Card Industry Security Standards Council (PCI SSC). It stipulates 12 main requirements (and over 300 sub-requirements) regarding security practices surrounding the use of payment cards.
There are several levels of compliance, and any enterprise (from the smallest merchant to the largest card processing service) must fulfill the requirements in order to be allowed to accept credit or debit cards in any form (online, offline, by telephone, etc.).
Fraud and identity theft can result in costly lawsuits, reputation damage, and customer loss. Anything less than strict adherence to PCI DSS can lead to losing the right to process credit and debit cards altogether. At the same time, building effective, comprehensive protection that also satisfies PCI DSS is becoming increasingly complicated.
As Verizon’s latest Payment Security Report shows, web applications are now the main vector for retail breaches. Only 9 percent of attacks triggered alerts, 53 percent of attacks infiltrated successfully without being detected, and only 33 percent of attacks were prevented by the security tools in place.
In this article, we cover the basics of PCI DSS requirements and compliance levels. We then discuss the key steps needed to comply with them, since compliance is essential for any business that wants to avoid being fined or losing the right to accept payment cards.
The 6 goals and 12 requirements of PCI DSS
The PCI DSS specifies 12 requirements that are commonly grouped under six main goals:
1. Build and Maintain a Secure Network
- Use and maintain a firewall to protect sensitive cardholder data.
- Change vendor-supplied defaults such as default passwords and other security parameters.
2. Protect Cardholder Data
- Use encryption, hashing, masking, and truncation, and erase data when it is no longer needed.
- Data must be encrypted when stored or transmitted, especially over public networks (using secure protocols such as TLS or SSH).
3. Maintain a Vulnerability Management Program
- Install antivirus software on all systems and keep it constantly updated.
- Promptly apply the latest security patches to every application.
4. Implement Strong Access Control Measures
- Restrict access to cardholder data to authorized personnel on a need-to-know basis.
- Assign a unique ID to each person with access to the system and its components.
- Restrict physical access to systems containing sensitive cardholder data.
- Monitor all access points to avoid misconfigured access that could lead to a data leak.
5. Regularly Monitor and Test Networks
- Continuously track all access to cardholder data and network resources.
- Regularly test and check every security system, application, and process to reveal vulnerabilities proactively.
- Deploy data protection software.
6. Maintain an Information Security Policy
- All personnel (employees, vendors, contractors, etc.) must be managed under a security policy that includes regular background checks, routine security briefings, and so on.
The three main aspects of managing PCI DSS
In practice, managing PCI DSS compliance boils down to three main aspects (each done in accordance with the 12 PCI DSS requirements mentioned above):
- Guaranteeing that sensitive card data is securely gathered, transmitted, processed, and accessed (use a firewall and up-to-date antivirus software, change default passwords, erase data when no longer needed, use encryption, hashing, masking, truncation, etc.).
- Storing sensitive data in the most secure manner (use a firewall and up-to-date antivirus software, use encryption, restrict access to authorized personnel with a unique ID on a need-to-know basis, restrict physical access, etc.).
- Annual inspection and validation to ensure that all security controls are fully and properly implemented (conduct third-party audits, test and scan for vulnerabilities, conduct security surveys, etc.).
Achieving PCI DSS compliance – The four levels
As mentioned above, there are four levels of compliance (depending on the volume and type of transactions processed by the business). Here is a complete guide to PCI DSS compliance according to each level.
Level 1
Definition
Enterprises that annually process more than 6 million Visa or MasterCard transactions, or more than 2.5 million American Express transactions, or that have suffered a data breach in the past.
Annual requirements
Submit:
- An annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company.
- An Attestation of Compliance (AOC) form.
Quarterly requirements
Conduct a quarterly network scan by an Approved Scanning Vendor (ASV).
Level 2
Definition
Enterprises that annually process between 1 and 6 million payment card transactions across all channels.
Annual requirements
Submit:
- A Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) completed by a Qualified Security Assessor (QSA), or by an internal assessor if signed by a company officer.
- An Attestation of Compliance (AOC) form.
Quarterly requirements
Conduct a quarterly network scan by an Approved Scanning Vendor (ASV).
Level 3
Definition
Enterprises that annually process between 20,000 and 1 million payment card transactions across all channels.
Annual requirements
- Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.
- Submit an Attestation of Compliance (AOC) form.
Quarterly requirements
Conduct a quarterly network scan by an Approved Scanning Vendor (ASV).
Level 4
Definition
Enterprises that annually process fewer than 20,000 payment card transactions across all channels.
Annual requirements
- Complete a Self-Assessment Questionnaire (SAQ) signed by a company officer.
- Submit an Attestation of Compliance (AOC) form.
Quarterly requirements
Conduct a quarterly network scan by an Approved Scanning Vendor (ASV).
Maintaining PCI DSS compliance – A “To-Do-List”
So far, we have discussed what PCI DSS is and why it matters, its 12 main security requirements, the four levels of compliance, and what is needed to fulfill them. Now it is time to talk about the practical actions that security personnel (CISOs, InfoSec staff, corporate security executives and security operations managers, cyber security professionals, etc.) must take to achieve PCI DSS compliance.
1. Detect and map data and data flows
The first step is to locate and map all of the organization’s sensitive credit card data (i.e., where it is and how it gets there).
Check and map all systems, applications, networks, and processes in the organization that interact with credit card data (on-site payment terminals, online shopping sites, networks, local and cloud databases, phone call logs, ERP and CRM platforms, sales emails, etc.).
2. Conduct a risk assessment and check for vulnerabilities
After mapping the location and flow of sensitive credit card data, it is time to assess the risks and vulnerabilities.
Every system component that stores, transmits, or processes such data should be examined and analyzed. A comprehensive list should be created, detailing the potential risks facing each component and assessing its vulnerability.
Based on that list, the security team must decide how to protect each component to best comply with PCI DSS requirements while taking the organization’s security resources into account.
3. Test, monitor, and update
All relevant security systems, system components, networks, applications, processes, and protocols (and adherence to them) must be regularly tested and constantly monitored to find old and new breaches. Security tools and protocols should be continuously maintained and updated to best resist new threats.
4. Constant security compliance and awareness training
One of the most vulnerable points in any system is its human operators (from call center staff to the CISO and their security team). The most secure data transfer protocol is useless if it is bypassed via unprotected email or text messaging. The best antivirus application will be compromised if it is not regularly updated.
Therefore, it is vital to regularly conduct security briefings on old and new threats and to train all personnel to comply with every security requirement.
Conclusion
As discussed above, PCI DSS compliance is crucial for every vendor accepting or processing payment cards, since non-compliance means losing the right to use payment cards altogether.
PCI DSS always starts and ends with the human factor: detect and map data flows, check for risks and vulnerabilities, test, monitor, update, and, most importantly, train personnel and conduct PCI DSS audits. These are all actions that must be done regularly and proactively by CISOs, InfoSec staff, corporate security executives and managers, and their teams.
This is exactly where CybeReady enters the scene. CybeReady’s end-to-end corporate cyber security training platform changes employees’ behavior so they cope better with the dangers of security breaches (using tools such as security awareness training and phishing simulations).
Moreover, tools like AuditReady help your enterprise prepare for the annual and quarterly PCI DSS audits.
Contact CybeReady to start improving the effectiveness of your security training program today.