Navigate the Most Perilous Parts of PCI DSS Compliance with Zero Fuss

As a payment merchant or service provider, securing payment card and cardholder information will be of the utmost importance to you. PCI DSS compliance can help you do just that. In this article, we navigate its requirements.

PCI DSS (Payment Card Industry Data Security Standard) compliance is a mechanism for ensuring data security where payment cards are used. It enforces very tight controls surrounding how card data is stored, transmitted and processed, so personal information from cards is not misused and stays safe.

Although PCI DSS compliance is not a legal requirement in the UK, it is effectively mandatory because the card brands and acquiring banks require it contractually. For example, Visa and Mastercard require compliance of all entities that store, process or transmit their cardholder data, and non-compliance can mean fines or the loss of the ability to accept cards. This should be reason alone to get on board.

Note: PCI DSS is the standard for merchants and service providers. PCI PTS covers manufacturers of payment terminals (PIN entry devices), and payment application vendors were covered by PA-DSS, now superseded by the PCI Secure Software Standard. These are three of the PCI security standards. We only cover PCI DSS in this article.

PCI DSS details baseline security requirements for businesses that store, process or transmit payment card information. There are twelve of these.

Businesses in the UK who meet these requirements can demonstrate they take payment card and payment system security seriously by design and by default as part of their core business activities. Below, we will take a closer look at these requirements, so you can easily navigate them to get your business suited, booted and onboard.

The 12 Commandments

The 12 commandments (requirements) of the PCI DSS always have an end goal. We’ll cover these below as an introduction to the Standard:

Goal: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

Firewalls control and secure the transmission of data between networks, or in a merchant's case, between a trusted internal network (the cardholder data environment) and untrusted networks such as the internet. PCI DSS requires a firewall to be in place to prevent unauthorised access to the network and protect data, with a documented rule set that permits only the traffic the business needs. Firewall and router rule sets should also be reviewed at least every six months.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The default passwords supplied by vendors are well known, easily exploitable and widely targeted by cybercriminals. Default passwords must be changed, and unnecessary default accounts removed or disabled, before a system is installed on the network. It is also good practice not to use default account or login names, and to disable unneeded services and change default SNMP community strings and other security parameters at the same time.

Goal: Protect cardholder data

Requirement 3: Protect stored data

You must protect stored cardholder data, store the minimum amount needed, and have a data retention policy that limits how long it is kept. Data minimisation and storage limitation are also principles of the EU's General Data Protection Regulation (GDPR). Wherever the primary account number (PAN) is stored it must be rendered unreadable, for example by truncation, tokenisation, strong one-way hashing or encryption with proper key management, and when displayed it should be masked to at most the first six and last four digits. Sensitive authentication data must never be stored after authorisation, even encrypted: this includes the card verification code (CVV2/CVC2), the PIN or PIN block, and the full track or chip data.
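As an added example (not from this article or from the PCI SSC), the following Python storage filter applies the Requirement 3 rules to a payment record before it is written anywhere: sensitive authentication data is dropped, the PAN is validated, masked to the first six and last four digits for display, and replaced with a keyed hash so records can still be matched to a card without storing the PAN. The field names (`pan`, `cvv2`, `track2`, `pin_block`, `chip_data`) and the sample record are this example's own assumptions; real gateway payloads vary.

```python
import hmac
import hashlib

# Sensitive authentication data (SAD). PCI DSS forbids storing any of these
# after authorisation, even encrypted. Field names are assumed for this example.
SAD_FIELDS = {"cvv2", "track1", "track2", "pin_block", "chip_data"}


def luhn_valid(pan: str) -> bool:
    """Luhn check: decides whether a digit string is plausibly a PAN (13-19 digits)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI DSS allows at most the first six and last four digits."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup reference for the PAN.

    A plain unkeyed hash of a 16-digit number is brute-forceable, so the key
    must be managed under Requirement 3 key-management controls (HSM, rotation,
    dual control) and kept out of the database that holds the references.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitise_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy of `record` that is safe to persist under Requirement 3."""
    out = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    pan = out.pop("pan", None)
    if pan is not None:
        if not luhn_valid(pan):
            raise ValueError("field 'pan' is not a valid PAN")
        out["pan_masked"] = mask_pan(pan)       # for receipts and support screens
        out["pan_ref"] = pan_reference(pan, key)  # for matching refunds to a card
    return out


# Constructed sample record and key for illustration only (a well-known test PAN).
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121010000000000000",
    "amount_pence": 1999,
}
SAMPLE_KEY = b"example-only-key-do-not-use-in-production"

if __name__ == "__main__":
    print(sanitise_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
```

The retention side of Requirement 3 (purging records once the business need ends) still has to be handled by a scheduled job against whatever store receives these sanitised records.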

Requirement 4: Encrypt transmission of cardholder data and sensitive information across open, public networks

You must use strong cryptography and security protocols to safeguard cardholder data while it is in transit over open, public networks such as the internet, wireless networks and mobile networks. In practice that means TLS 1.2 or later with trusted certificates: SSL and early TLS (1.0 and 1.1) are no longer considered strong cryptography under PCI DSS and must not be used. The PAN must also never be sent unprotected by end-user messaging technologies such as email, instant messaging or SMS. Your policies and procedures for encrypting the transmission of cardholder data must be documented.
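To show what "strong cryptography" means at the code level, here is an added example (not from this article) of a Python client-side TLS configuration that meets Requirement 4, plus a small audit function that reports the settings an assessor would object to. The `audit_tls_context` findings and the `weak_tls_context` built for comparison are this example's own constructions; the `ssl` module calls are standard library.

```python
import ssl


def strong_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSL and early TLS and verifies the server."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 rejected
    # Forward-secret AEAD suites only; no anonymous or MD5-based suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """Deliberately weak context for comparison (example only, never deploy)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # accepts a certificate for any name
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate at all
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of Requirement 4 findings for a context; empty means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits SSL or early TLS (below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a trusted server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings


if __name__ == "__main__":
    print("strong:", audit_tls_context(strong_tls_context()))
    print("weak:  ", audit_tls_context(weak_tls_context()))
```

Use the strong context with `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request.urlopen(url, context=ctx)`; the same three checks are what an ASV scan or a QSA will test from the outside on your own endpoints.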

Goal: Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

This one’s simple. You must protect all systems against malware and regularly update anti-virus software or programs. The onus is on you to ensure this, not the anti-virus and malware vendor. If you have systems that are not commonly affected by malware you must still periodically review the risks and consider installing software.

Requirement 6: Develop and maintain secure systems and applications

Organisations must have a vulnerability management programme in place so that they can identify security vulnerabilities early, rank them by risk, and apply vendor security patches promptly (critical patches within one month of release). All applications, whether bought in or developed in house, must be built securely, with developers trained in secure coding and code reviewed for common flaws such as injection and broken authentication before release. Appropriate measures must be taken to ensure these systems stay secure throughout their entire lifecycle, including change control for updates.

Goal: Implement Strong Access Control Measures

Requirement 7: Restrict access to data by business need-to-know

The goal of this requirement is to limit access to system components and cardholder data to those individuals whose job requires it, and to the least privilege needed to do that job. This limits the damage that a compromised, coerced or malicious account can do. Access must be granted through a documented approval process, enforced by an access control system that denies everything not explicitly allowed, and managed only by authorised personnel.

Requirement 8: Assign a unique ID to each person with computer access

This requirement is necessary to ensure proper user identification management for all users and to create an auditable trail if there's an incident. All users must be assigned a unique ID; shared or generic accounts are not permitted, and it is the credentials (passwords) that must be changed periodically, not the ID itself. Controlled user authentication management must be implemented, covering password strength, lockout after repeated failures and revocation when staff leave. Multi-factor authentication is required for all remote network access into the cardholder data environment and for all non-console administrative access to it.

Requirement 9: Restrict physical access to cardholder data

To reduce the risk of a data breach, physical access to cardholder data must be restricted using appropriate measures. Access to server rooms and data centres should be restricted to authorised personnel only, with controls in place to prevent unauthorised entry and to identify and log visitors. All media containing cardholder data should be physically secured, ideally under lock and key, and securely destroyed when no longer needed; point-of-sale terminals should be inventoried and inspected for tampering or substitution.

Goal: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Tracking and monitoring access to network resources and cardholder data is necessary to detect and investigate a data breach. Logging mechanisms must record every access to cardholder data and every action by an administrative account, clocks must be synchronised, and logs must be protected from alteration. Logs should be reviewed regularly (daily for security events) so that unauthorised access is caught, and they must be retained for at least 12 months, with at least the last three months immediately available for analysis.

Requirement 11: Regularly test security systems and processes

Security vulnerabilities must be reviewed on an ongoing basis, and both internal and external network vulnerability scans are required to achieve this, at least quarterly and after any significant change; the external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). Penetration testing of the cardholder data environment is required at least annually. There must also be a documented process, run at least quarterly, to detect and identify authorised and unauthorised wireless access points, and change-detection mechanisms (such as file integrity monitoring) should be in place on critical systems.

Goal: Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The PCI DSS requires businesses to establish, publish, maintain, and disseminate a security policy; implement a risk assessment process; develop usage policies for critical technologies; define security responsibilities for all personnel; and implement a formal security awareness program to ensure all personnel are aware of their responsibilities.

Implementing these 12 requirements is necessary to comply with the PCI DSS. Many of them will also help payment merchants and service providers comply with the GDPR. A case in point is requirement 3, whose data retention and storage rules map directly onto the GDPR principles of storage limitation and data minimisation; similar overlaps exist for access control, logging and security policy, which makes PCI DSS compliance very helpful on both fronts.