As a payment merchant or service provider, securing payment card and cardholder information will be of the utmost importance to you. PCI DSS compliance can help you do just that. In this article, we navigate its requirements.

PCI DSS (Payment Card Industry Data Security Standard) compliance is a mechanism for ensuring data security where payment cards are used. It enforces very tight controls surrounding how card data is stored, transmitted and processed, so personal information from cards is not misused and stays safe.

Although PCI DSS compliance is not a legal requirement in the UK, it is recommended because the world’s biggest payment merchants and banks require it. For example, Visa and Mastercard require compliance of all entities that store, process or transmit their cardholder information. This should be reason alone to get onboard.

Note: PCI DSS is the standard for merchants and service providers. The standard for manufacturers is PCI PTS, and the standard for software developers is PCI PD-DSS. These are the three PCI security standards. We only cover PCI DSS in this article.

PCI DSS details baseline security requirements for businesses that store, process or transmit payment card information. There are twelve of these.

Businesses in the UK who meet these requirements can demonstrate they take payment card and payment system security seriously by design and by default as part of their core business activities. Below, we will take a closer look at these requirements, so you can easily navigate them to get your business suited, booted and onboard.

The 12 Commandments

The 12 commandments (requirements) of the PCI DSS always have an end goal. We’ll cover these below as an introduction to the Standard.

Goal: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

Firewalls control and secure the transmission of data between networks. Or in a merchant’s case, between one trusted internal network and an untrusted external network. PCI DSS requires a firewall to be in place to prevent unauthorised access to the network and protect data. Firewalls should also be reviewed periodically.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The default passwords supplied by vendors are well-known, easily exploitable and widely targeted by cybercriminals. Passwords should be changed immediately, or accounts removed or disabled before a system on the network is installed. Also, it is good practice not to use default ID names or login names.

Goal: Protect cardholder data

Requirement 3: Protect stored data

You must protect stored cardholder data, and the minimum amount of cardholder data should be stored with an appropriate data retention policy. This is also a legal requirement under the EU’s General Data Protection Regulation (GDPR). Certain types of data should also never be stored, such as the CVN and chip data.

Requirement 4: Encrypt transmission of cardholder data and sensitive information across open, public networks

You must use strong cryptography and security protocols such as SSL certificates to safeguard sensitive cardholder information. This should be at the point of use, immediately, to ensure stored sensitive information is always encrypted. Your policies and procedures for encrypting the transmission of cardholder data must be documented.

Goal: Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

This one’s simple. You must protect all systems against malware and regularly update anti-virus software or programs. The onus is on you to ensure this, not the anti-virus and malware vendor. If you have systems that are not commonly affected by malware you must still periodically review the risks and consider installing software.

Requirement 6: Develop and maintain secure systems and applications

Organisations must have a vulnerability management program in place so that they can identify security vulnerabilities early. All software applications and software must be secure by design and by default. Appropriate measures must be taken to ensure these systems stay secure throughout their entire lifecycle.

Goal: Implement Strong Access Control Measures

Requirement 7: Restrict access to data by business need-to-know

The goal of this requirement is to limit access to system components to those who need it only as part of your core business activities. This way, criminal hackers will be unable to exploit or blackmail workers to gain access to your system. Access control systems should be managed and operated only by authorised personnel.

Requirement 8: Assign a unique ID to each person with computer access

This requirement is necessary to ensure proper user identification management for all users and to create an auditable trail if there’s an incident. All users must be assigned a unique ID, and if possible, it is good practice to periodically change this ID. Controlled user authentication management should be implemented, and 2FA (two-factor authentication) is a requirement wherever remote network access is concerned.

Requirement 9: Restrict physical access to cardholder data

To reduce the risk of a data breach physical access to cardholder data must be restricted using appropriate measures. Access to server rooms and data centres should be restricted to authorised personal only and security should be in place to prevent authorised access. All media should be physically secured, ideally under lock and key.

Goal: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Tracking and monitoring access to network resources and cardholder data is necessary to detect data breach. Audits should be regularly carried out to review logs and ensure absolutely no unauthorised access occurs. The use of logging mechanisms is necessary for this and these logs should be retained for at least 12 months.

Requirement 11: Regularly test security systems and processes

Security vulnerabilities must be reviewed ongoingly and it is essential that both internal and external network scans are carried out to achieve this. These must be carried out at least quarterly. There must also be verification of policies and procedures to detect and identify authorised and unauthorised wireless devices.

Goal: Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The PCI DSS requires businesses to establish, publish, maintain, and disseminate a security policy; implement a risk assessment process; develop usage policies for critical technologies; define security responsibilities for all personnel; and implement a formal security awareness program to ensure all personnel are aware of their responsibilities.

Implementing these 12 requirements is necessary to comply with the PCI DSS. Many of these requirements will also help payment merchants and service providers comply with the GDPR. Cases in point include requirement 3 (data retention and storage limitation, relevant principles under the GDPR – storage limitation, data minimisation). Use points can be found in many other cases, making PCI DSS compliance very helpful.