12 Steps to PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing security around payment operations. PCI DSS was developed in January 2005 by the PCI Security Standards Council, which includes American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, and aims to help facilitate the broad adoption of consistent data security measures globally. Since its introduction, PCI DSS has continually evolved to reflect changes in the security landscape.
The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to help organisations proactively protect sensitive customer account data against hackers, internal misuse and fraud.
As more financial organisations use a wide variety of platforms to process card payment data, such as mobile phones and the Internet, there is a need for these companies to be aware of how to meet the requirements set out by PCI DSS.
In the past, PCI DSS was seen as something only relevant to credit card clearance web sites. However, this is now changing as more and more financial institutions are offering services over mobile phones and the Internet. Also, financial services organisations are increasingly being audited on PCI DSS, so it is becoming important to protect all web-facing applications against all known attacks.
Failure to meet PCI DSS can result in a company not being able to carry out card processing, seriously disrupting business operations and potentially tarnishing a company’s reputation. As such, here are some important steps that financial organisations can take to become PCI DSS compliant.
Firewalls are devices that secure Internet traffic going into and out of the corporate network, as well as controlling internal traffic to sensitive databases. They assess all network traffic and block transmissions that do not meet set security criteria.
Employees need to have the freedom to carry out work, which increasingly involves having remote access to the corporate network. However, organisations must maintain and protect the integrity of sensitive data from intentional and unintentional access.
Firewalls are a key protection mechanism for any computer network and one of the most important requirements to get right when becoming PCI DSS compliant.
Hackers, both external and internal, often use vendor default passwords and other default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
Always use an original password with a combination of letters and numbers to ensure the safety of databases that contain sensitive data.
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimising risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number (PAN) is not needed and not sending PAN in unencrypted emails.
Sensitive information travelling across the Internet should always be encrypted, as hackers often attempt to intercept, modify and divert data while in transit. To this end, the PCI DSS requirements make it clear that all organisations should use strong cryptography and security protocols, such as secure socket layer (SSL) and Internet protocol security, to safeguard sensitive cardholder data during transmission over open and public networks.
Many vulnerabilities and malicious viruses enter the network via employees’ email activities. Anti-virus software must be used on all systems connected to the network and at risk from viruses.
In addition, sensible IT policies and procedures need to be put in place to prevent employees from independently downloading anti-virus software from sources that could carry dangerous malware. Furthermore, it would be prudent to add an additional layer of defence with an intrusion prevention system to help monitor and control against malware not detected by antivirus software. Intrusion prevention systems proactively protect networks by using artificial intelligence to look for anomalies within network traffic.
Hackers use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses.
It is important to note that appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
It is also considered best practice to incorporate intrusion prevention systems at this level to ensure protection against vulnerabilities that have been discovered but have not had patches developed or deployed.
This requirement ensures that critical data can only be accessed by authorised personnel. This particular requirement is rather open-ended and covers the basic principle that data should not be accessible unless specifically allowed.
In order to achieve this level of control, the applications involved need to have a variety of systems in place including firewalls and intrusion prevention systems. Intrusion prevention systems in particular are very important as they enforce and control all access to systems and applications through the inspection of all network traffic in real-time.
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorised users.
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hard copies, and should be appropriately restricted.
IT departments need to implement logging mechanisms and have the ability to track user activity across the corporate network. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
As well as tracking and monitoring activity logs, it is wise to ensure they are all maintained in a single reporting console to easily alert, access and report on all activity and potential vulnerabilities.
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.
A strong security policy sets the tone for the whole company and informs employees what is expected of them. All employees should be made aware on a regular basis of the sensitivity of data and their responsibilities for protecting it.
The development and adherence to an information security policy is essential for any organisation as most data breaches occur through employees not knowing how to deal with data properly.