What is PCI and why should you comply with it? In 2004 the Payment Card Industry (PCI) created the PCI DSS(Payment Card Industry Data Security Standard), an information security standard for all branded credit cards. The standard ensures that all cardholder data (your customers) are protected from credit card fraud and other malicious acts.
Complying with the PCI DSS not only saves your business from potential lawsuits and fines, it also gives current and potential customers confidence in doing business with your company.
The road to PCI Compliance might seem daunting at first glance. If you took a gander at the official PCI DSS handbook for guidance, you’ll be greeted with 100+ pages of dry text, clumsily trying to tell you how to be compliant.
Luckily, we here at Techonsite have condensed the handbook and are happy to present the 12 requirements to become PCI compliant, simplified into 6 different fields:
- Build and Maintain a Secure Net
- Protect Cardholder Data
- Maintain Security Against Malware/Ransomware
- Implement an Access and Control system
- Monitor Network
- Maintain a Sort of Info Security Policy for Personnel
In the following sections of the this guide, we will explain in detail how to tackle each of the 12 compliance steps.
A. Build and Maintain a Secure Net
1. Install and Maintain a Firewall
There are many ways to implement a firewall to prevent any unauthorized access to your machines and possibly your customer’s data. Here are some ideas on what to implement:
- For Windows machines, please enable Windows Firewall as this is a built-in feature in all Windows machines.
- On the other hand, Macs have a firewall called “Application Firewall”–which is also a built-in feature on any Mac machine OS X v10.5 and newer.
- Having physical hardware that handles firewall is strongly recommended. Cisco and Sonicwall are some of our trusted brands.
2. Change vendor-supplied default passwords and other security parameters
Although this seems to be a no-brainer, this is one of the first things that a PCI compliance evaluation crew would check. It’s so essential that the manual has a whole section dedicated to this–so please be diligent.
B. Protect Cardholder Data
3. Set a maximum amount of retention time of cardholder info in storage
Cardholder info should be deleted about a set amount of time. This can be done through Group Policy or if you’re dealing with cards from the internet, try Credit Card Tokenization (more on that below).
4. Encryption and/or Tokenization
Encrypt cardholder data when transmitting across open, public networks, and the internet. There are many debates on whether encryption or tokenization is the better of the two security measures. Allow us to use analogies to differentiate the two–Encryption would be like placing your credit card in a locked box, the store you are purchasing from will receive the box with the keys to open/decrypt it. The cons to this tried and tested method is that locks can be forced open or keys can be stolen.
Tokenization on the the other hand converts your card’s information into a random string of characters–a token or placeholder is created. Only your bank would know which token corresponds to which credit card. Now if you bought something online, all that is being exchanged between you and the store is a placeholder token. It does not matter if the token gets intercepted (usually it’s encrypted as well) since the culprits will just see random characters that have no meaning to them. This is randomized per purchase so repeat tokens never occur.
C. Maintain Security Against Malware/Crypto
5. Keep AV, anti-malware, and anti-ransomware suites/programs active in machines storing the cardholder data
Not only having them is enough, you and your IT team must keep the programs up-to-date and active. Here’s our suggestions on what to use:
- Anti-Virus/Malware: AVG, MalwareBytes Premium,
- Anti-Ransomware: Cryptoprevent, MalwareBytes Anti-Ransomware
6. Develop and maintain secure systems and applications
You and your IT team must have a system in place that allows for regular audits and lockdowns.
The system would need to be able to monitor all machines in a top down view at the same time. We personally use Maxfocus for this task.
D. Implement an Access and Control System
7. Must restrict access to cardholder data on a need to know basis
Access to your server storage’s folders and files must be locked down. In this case, if the company ever stores cardholder data in a folder (even for an instant), only authorized users should be able to access it. The best tools to implement this would be Active Directory and Group Policy.
8. Identify and authenticate access to system components
All users and guests accessing your network or any machine in your company must be identifiable. The easiest way to do this is to give all personnel a unique user account.
9. Restrict physical access to cardholder data
A quick way to get around #9 is to opt to never keep cardholder data at all. For example, the tokenization system would eliminate the need to keep cardholder data. The risk of keeping a physical in-house copy of cardholder data outweighs its benefits by a mile. We strongly suggest against it.
E. Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
Basically, doing regular audits on your network and machines will make you pass this checkpoint. Create a regular audit routine schedule–this could be daily or every 2 days. If your company went with a managed service software like Maxfocus, this can be done daily due to the program’s ease of use.
11. Regularly test security systems and processes
This seems to be tied into #10–make sure that your team also check if your AV suites, any used software, OS are up-to-date and running on their audit routine.
VI. Maintain an Information Security Policy
12. Personnel must be given a policy on cardholder data
Create a policy with your team letting them know that client/customer data is to be protected at all costs. A good place to start is by telling them about the PCI standards and ways to be compliant. For instance, keeping their programs up-to-date, locking machines when unattended, not sharing passwords, etc.
There you have it, the 12 steps of PCI DSS Compliance. Now that you have a better idea on how to tackle the checklist, converse with your IT team with the methods you’ve just learned. Remember to be vigilant and thorough with your planning–you’ll be complaint in no time.