Everything You Need to Know About PCI DSS Requirements

If your company processes credit cards, you’ve probably heard of the PCI DSS. 

The Payment Card Industry Data Security Standard, or PCI DSS, establishes security requirements for organizations that handle branded payment or credit card transactions. Any business that engages in payment card transactions with consumers must be PCI DSS compliant or risk facing steep fines. 

This article will go over the six principles of PCI DSS, their 12 corresponding requirements and potential non-compliance penalties your business may face.

WHAT IS PCI DSS?

PCI DSS standards were developed by the PCI Security Standards Council (PCI SSC), a forum founded by American Express, Mastercard, Visa, Discover and JCB International in 2006. The Council’s mission is to help secure global payment data, protecting consumers against the continuing threat of data breaches. 

What does this all mean to your company? Businesses that comply with PCI DSS requirements are less likely to suffer security breaches. 

Data breaches and cyberattacks can be business killers. By following PCI DSS security standards, you can significantly reduce cardholder data compromise and strengthen consumer confidence. Moreover, not following PCI DSS requirements can result in substantial penalties.

6 PRINCIPLES OF PCI DSS

Communicating the six principles of PCI DSS to your IT staff and employees helps create a sound security environment, keeping your data safe and your business running smoothly. These principles are:

  1. Build and maintain a secure network and systems.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program. 
  4. Implement strong access control measures.
  5. Regularly monitor and test networks. 
  6. Maintain an information security policy.

THE 12 PCI DSS REQUIREMENTS

PCI DSS requirements correspond to each of the principles listed above. Let’s break them down. 

1. Install and maintain firewalls to protect your cardholder data  

Firewalls are your first line of defense against data breaches. Firewalls are security devices that control traffic through criteria set by your business, protecting your network against unwanted intrusions and malicious software.

Software firewalls are programs that protect against internal threats, like malware infections from phishing attacks. Software firewalls are easier to maintain and are less expensive than hardware firewalls. 

Hardware firewalls are physical devices that protect and segment your network, but they require proper configuration and regular maintenance. You must review your firewall settings every six months to retain their effectiveness.

You should install firewall software on any device (whether company or employee owned) that connects to the internet or is used to access cardholder data. 

2. Change vendor-supplied and default passwords immediately

Many hardware devices and software applications come with pre-installed usernames and passwords.

Never use default passwords once you install equipment or software. Many of these default usernames and passwords are easy to guess and often publicly known. Retaining vendor-supplied or easy-to-guess passwords is a sure-fire way to compromise your cardholder data.

A password generator helps create complex passwords that aren’t easily hacked and can be customized to meet length and complexity requirements.

3. Avoid storing customer data unless absolutely necessary

Many merchants are unaware that they’re storing unencrypted primary account numbers (PAN). All stored cardholder data should be eliminated, except for what is required for regulatory, legal or business needs. 

Cardholder data can be stored when necessary, but it must be unreadable. Cardholder data includes the cardholder name, PAN and expiration date. 

You should regularly run data discovery tools to help identify the location of unencrypted PAN and other sensitive information, then securely delete or encrypt it. You must encrypt and protect both stored card data and the encryption keys themselves. 
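
An illustration of the data discovery step described above, added here as an example and not taken from any PCI SSC tool or from Helixstorm: a small scanner that flags runs of 13 to 19 digits that pass the Luhn checksum and reports them masked. The function names, the sample records and the masking format are assumptions made for this illustration.

```python
import re

# Constructed sample export; the card values are widely published test numbers, not real accounts.
SAMPLE = """\
2024-01-05 order=1001 card=4111111111111111 status=ok
2024-01-05 order=1002 card=5555 5555 5555 4444 status=ok
2024-01-05 order=1003 tracking=1234567890123456 status=shipped
2024-01-05 order=1004 card=3782-822463-10005 status=ok
2024-01-05 order=1005 pad=0000000000000000
"""

# 13-19 digits, each optionally followed by one space or hyphen, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the report never holds a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (line_number, masked_pan) for each Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # A single repeated digit (e.g. all zeros) can pass Luhn; treat it as padding.
            if len(set(digits)) > 1 and luhn_valid(digits):
                hits.append((lineno, mask(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: possible PAN {masked}")
```

A Luhn-valid match is a candidate for review, not proof of a stored PAN; the checksum filters out most order numbers and identifiers but not all of them.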

4. Encrypt transmission of cardholder data across open, public networks

Any transmission of cardholder data over open or public networks must be encrypted to avoid being compromised. 

You must use a secure encryption method with appropriate security protocols to guard against theft or intrusion. Primary account numbers must never be sent through messaging platforms like chat, IM, SMS or email.

5. Update antivirus software regularly

Are you running antivirus scans regularly? If your antivirus software is out of date, you may be wasting your time. Maintaining current versions of antivirus programs is the most effective way to prevent malicious software from infecting systems.

Stay up-to-date on current and emerging malware threats and viruses. You should set antivirus software to scan regularly and generate audit logs. Only administrators – not end users – should be authorized to enable or disable antivirus software for any time period.

6. Develop and maintain secure systems and applications

Make sure you have a system for handling regular patch management. Operating systems, firewalls, internet browsers and application software are subject to routine patch updates. 

Implementing security updates quickly is key to ensuring data security. Installing critical patches within one month of their release is a PCI DSS compliance requirement.

7. Restrict employee access to cardholder data

Keeping sensitive data safe requires allowing employee access on a strict need-to-know basis. Users should possess the least amount of access and privileges necessary to perform their jobs.

Prevent unnecessary cardholder data exposure by configuring administrator and user accounts in a role-based access control system, or RBAC. An RBAC system defines roles and privilege levels. It maintains an active list of personnel who have appropriate access to cardholder data.

8. Identify and authenticate access to system components

The identity of system users must be authenticated to ensure traceability. Assigning unique usernames to authorized employees enables system usage tracking in case of data compromise. Sharing IDs should be strictly prohibited.

Using multi-factor authentication (MFA) to identify users is required as an additional layer of PCI DSS security. You can implement MFA in any of the following ways:

  • What the user knows, like PINs or passwords
  • What the user has, like an SMS code or USB tokens
  • Who the user is, like fingerprints or facial recognition

9. Restrict physical access to cardholder data

Cardholder data cannot be stored in an open, easily accessed environment. You must restrict physical access to data to prevent theft by employees, contractors and consultants on your premises. Use ID badges to identify visitors or temporary workers to reduce the risk of data exposure.

Upon termination, any physical item that enables access (like keys or access cards) must be disabled or returned. Educate your staff on security procedures regularly.

10. Track, monitor and report all access to network resources and cardholder data 

Tracking systems are useless if you don’t review logs for suspicious activity. Without accurate system activity logs, it’s almost impossible to determine the causes of system compromise. 

Therefore, it’s essential to train employees on how to track, monitor and interpret security reports accurately — and then take action to remedy anomalies.

You should review system logs and audit trails daily to search for:

  • User access to cardholder data
  • Actions taken by employees with admin privileges
  • Invalid access attempts
  • ID and access changes (including new account creation and privilege changes)

11. Test security systems and processes regularly

Besides routine system monitoring, regular testing of systems and processes helps your company stay one step ahead of security threats and vulnerabilities. Ensure your security measures are effective and compliant by performing preventative testing of system controls.

In addition to routine testing, you should perform additional testing when you change system configurations or deploy new software. Vulnerability scans and penetration tests identify potential threats and are invaluable in maintaining system integrity. 

The frequency required for performing these scans and tests varies depending on your infrastructure and company size.

12. Maintain a policy that addresses information security and risk assessments for all personnel

Your employees must understand their roles and duties related to maintaining necessary security standards. Your company must take cardholder data security seriously to ensure compliance with PCI DSS requirements. 

Maintaining a strong security policy takes the guesswork out of compliance guidelines. It sets expectations for employee performance related to risk management. Your security policy should be reviewed annually and updated to reflect system or environment changes. 

Additionally, you’ll need to perform an annual risk assessment to identify critical assets and areas of vulnerability.

PENALTIES FOR NON-COMPLIANCE

All businesses that store, process or transmit cardholder data must comply with PCI DSS regulations. While PCI DSS requirements are not laws, you may be subject to penalties if you fall out of compliance with them.

If your business is involved in a credit card breach and has not complied with PCI DSS standards, you may incur card replacement costs, fines (ranging from $5,000 to $100,000 per month) or forensic audits.

Additionally, your bank may increase your transaction fees or terminate your relationship altogether. Check your merchant account agreement terms to understand your exposure risk.

STAY PCI DSS COMPLIANT WITH HELIXSTORM

To maintain PCI DSS requirements, you must monitor and evaluate your security policies regularly. Unfortunately, you may not have the staff or expertise to do it yourself.

Partnering with a managed services provider helps your business stay PCI DSS compliant, giving you the peace of mind necessary to focus on your business without the headaches. If you fear your company is susceptible to cardholder data risk, don’t wait another day to get the help you need. 

Helixstorm can help you build your technology future. With expertise in manufacturing, ecommerce and government organizations, we’ve helped businesses scale and manage their IT more effectively.

Contact us today to get – and stay – PCI DSS compliant.