In order to handle cardholder data, businesses must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of their size. Compliance with this standard must be maintained at all times and validated annually. Credit card companies typically mandate compliance with PCI DSS and include it in their network agreements.
It is presented as the minimum criteria that all merchants should strive to achieve to avoid data breaches. For those who provide PCI solutions to merchants, products must be compliant, which means they have to meet the 12 requirements.
In this blog, you will learn what the 12 PCI DSS requirements are, what they involve and how you can maintain them.
Before we delve into the 12 PCI DSS requirements, it's first necessary to understand the 6 overarching principles behind them.
If all of these principles are met, then the environment in which payment card transactions take place is compliant.
The operational and technical requirements mandated by the PCI SSC are primarily designed to safeguard cardholder data consistently and comprehensively. These rules serve as a core focus for all stakeholders involved in the payment card industry.
Once all of these 12 PCI DSS requirements are met, you can take payments over the phone and online.
A firewall is a control that acts as a shield around your company network to prevent the "wrong" people from accessing your data. You can also place firewalls within your network to segment sensitive and confidential data from the rest of the company, granting access only to specific individuals. This means not all employees can access card information, adding another layer of security to your business.
To keep a firewall effective, monitor its traffic, review the firewall and router configurations every six months, and reconfigure them where necessary.
Operating systems, servers, firewalls and other elements of your infrastructure arrive with factory-set default usernames and passwords. Changing these as soon as the equipment is received is essential, because default passwords are usually easy to guess and are often published on the internet.
In addition, users who create accounts to access applications should not be allowed to keep a default password. A skilled attacker can work through lists of common default passwords in an attempt to reach employee or customer records. PCI DSS recommends disabling all unnecessary default accounts before a system is installed on the network, which avoids this problem altogether.
This requirement states that, unless it is necessary for a business function, cardholder data should not be stored at all. If the data has to be stored, it is important to follow steps that minimise the risk of exposure.
First, minimise the time for which the data is held and purge it periodically. Next, render all stored account and authentication data unreadable, for example through encryption, and mask the card number so that only the first or last four digits are shown. If you have to retain data, the final mandatory task is to ensure that all cryptographic keys and encryption tools are documented, recorded and protected.
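Requirement 3 is easiest to verify with a data-discovery check: find card numbers that have leaked into files where they should not be stored and mask them down to the last four digits. The following Python is an added example, not code from the original post or from Silver Lining; the log-record format is assumed, and the card numbers are the card brands' public test numbers rather than real cardholder data.

```python
import re

# Constructed sample records. The numbers are public test PANs used for
# payment integration testing, not real cardholder data.
SAMPLE_RECORDS = [
    "2024-05-01 10:02:13 order=8841 customer=j.doe card=4111 1111 1111 1111 amount=49.90",
    "2024-05-01 10:05:40 order=8842 customer=a.smith card=5500-0000-0000-0004 amount=12.00",
    "2024-05-01 10:07:02 order=8843 ref=1234567890123456 note=not a card",
    "2024-05-01 10:09:55 order=8844 customer=b.lee card=378282246310005 amount=99.00",
]

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Mask a PAN so that only the last `keep_last` digits remain visible."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_record(record: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one record; return (redacted text, PANs found)."""
    found = 0

    def _replace(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # order references etc. that merely look like a PAN
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, record), found


def scan_records(records: list[str]) -> tuple[list[str], int]:
    """Redact a batch of records and report how many PANs were stored in the clear."""
    redacted, total = [], 0
    for rec in records:
        text, n = redact_record(rec)
        redacted.append(text)
        total += n
    return redacted, total
```

Any non-zero count from `scan_records` on a log or export means cardholder data is being retained outside the intended storage and should be purged or masked at the source.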
While a firewall is excellent at keeping cybercriminals out of your internal network, it is harder to ensure that cardholder data is not intercepted while it is transmitted across open, public networks.
PCI DSS requires merchants to use encryption so that the data remains unreadable throughout the transaction; data that is intercepted in transit is then of no use to an attacker.
This requirement states that anti-virus software must be installed on all systems that malware could affect. This includes all systems hosted on-site and in the cloud.
It is also essential to keep the anti-virus software updated and to schedule periodic scans of your systems so that any infection is detected rather than left lurking.
Requirement 6 of PCI DSS lays out a comprehensive risk management framework that includes identifying vulnerabilities, applying security patches, prioritising risks and following a defined order of security measures. This requirement mandates that every stage of the software development process, from coding and patching to addressing vulnerabilities, must incorporate strict security measures to ensure the safety of customer data.
Only people who need cardholder data for business operations should have access to it, and everyone else should be restricted. This should be defined from the start, and access rights should be updated promptly when a user is terminated, leaves the company or changes role.
All users with permission to access and handle cardholder data must be individually identifiable on the system so that their activities can be traced, tracked and monitored. Along with their unique ID, they must have a strong password, and additional authentication controls must be used to strengthen that password-based login.
Requirement 9 covers how the physical environment in which card payments are accepted and card data is transmitted and stored should be secured. The access restrictions of PCI DSS requirements 7 and 8 should also be taken into consideration here.
Where the employees who handle sensitive card information sit within the building matters. These areas, together with any paper documentation kept there, should be restricted zones, and electronic data must be rendered unreadable.
Requirement 10 provides guidelines for logging, tracking and monitoring all user activity. It requires you to create audit logs and audit trails so that unusual activity, such as an attacker attempting to infiltrate the system, can be spotted. Audit logs and trails should include the user ID, date and time, and should be reviewed by administrators with a high level of permission.
The requirement also states that these audit records must be retained for at least a year, with the most recent three months immediately available for review. This ensures that errors can be spotted before data is breached.
Requirement 11 discusses the need to run vulnerability scans and penetration tests. As new software is introduced and new malware appears, the number of unknown vulnerabilities grows, and running these scans and tests identifies the gaps. This links to PCI DSS requirements 5 and 6, which help maintain secure systems.
Requirement 12 aligns PCI DSS with IT governance. It covers employee training, risk reduction and the creation of a solid security policy that is scoped across the whole of your organisation. The policy should align with your other risk, governance and cybersecurity frameworks, and should be shared across the company so that everyone is aware of it. It is also essential to perform regular risk assessments and introduce controls in response.
To be compliant, it is important that all of these PCI DSS requirements are met; if even one is missing, you cannot be considered fully secure when taking payments over the phone or online.
If you need to become PCI Compliant, please do not hesitate to contact the Silver Lining team to ensure your customers have peace of mind when they make a purchase with you. To find out more, please click the link below to our PCI solutions page, where we can hit all of the PCI DSS requirements for you. Call us on 0345 313 1111 or email us at info@silver-lining.com