The world of financial transactions is better safeguarded thanks to the Payment Card Industry Data Security Standard (PCI DSS) compliance framework.
Cyberattacks and data leaks are unfortunately widespread, and they have a detrimental impact on all payment parties — from merchants to consumers to banks — so PCI compliance is more important than ever.
But to implement it within your organization, you need to know certain things, twelve of them in particular. These are the 12 requirements of the PCI DSS compliance framework.
In this blog, we will discuss each of them and bring you up to speed on what you need to know on your PCI DSS compliance journey.
Let’s jump to it then!
The 12 Requirements of PCI DSS: An Overview
Here’s a brief overview of all 12 requirements and what steps you need to take to implement them.
# 1: Protect your system with firewalls
- Install a firewall, including hardware and software.
- Tune your system’s firewall setup.
- Establish tight firewall policies.
# 2: Configure passwords and settings
- Safeguard your account information.
- Keep a Vulnerability Management Program in place.
- Avoid default passwords.
- Secure your systems.
- System configuration management should be implemented.
# 3: Protect stored cardholder data
- Encrypt stored card data.
- Find out where your credit card information is stored.
- Make a card data flow diagram.
# 4: Encrypt transmission of cardholder data across open, public networks
- Understand where data is sent and received.
- Encrypt any cardholder data that is transferred.
- Stop using SSL and start using TLS now.
# 5: Use and regularly update anti-virus software
- Develop a vulnerability management strategy.
- Update your anti-virus software on a regular basis.
- Keep your anti-malware program up to date.
# 6: Regularly update and patch systems
- Keep your systems up to date.
- All important systems and software should be regularly patched.
- Create software development procedures.
# 7: Restrict access to cardholder data to business need to know
- Access to cardholder data should be restricted.
- Document who has access to the card data environment.
- Create an access management system.
# 8: Assign a unique ID to each person with computer access
- Each employee should have their own ID credentials.
- Change your ID password from the default.
- Set up two-factor authentication.
# 9: Restrict physical access to workplace and cardholder data
- Control physical access to your place of business.
- Maintain a list of POS terminals.
- Regularly train your personnel on security procedures.
# 10: Implement logging and log management
- Set up a log management system.
- Alerts should be included.
# 11: Conduct vulnerability scans and penetration tests
- Understand your threat environment.
- Conduct quarterly vulnerability scans.
- Execute penetration tests regularly.
# 12: Documentation and risk assessments
- Record everything.
- Create a risk assessment procedure.
- Document an incident response strategy.
Next, let’s get into this in more detail.
PCI DSS: The 12 Requirements in More Detail
1. Protect your systems with firewalls:
The first PCI DSS requirement is to use firewalls to secure your system. Firewalls that are properly designed protect your card data environment. Firewalls impose restrictions on incoming and outgoing network traffic based on rules and criteria set by your company.
Both hardware and software firewalls should be installed. Both serve as a network’s first line of defense. Hardware firewalls provide a more secure choice. They may secure an entire network and divide it into sections. Hardware firewalls are often more expensive, take longer to configure, and require regular maintenance and evaluation.
Software firewalls are less expensive to install and maintain. They’re designed to keep a single host safe from internal dangers, such as those posed by employees’ mobile devices, which can enter and exit the secure environment. A software firewall should prevent malware infection if an employee clicks on a link in a phishing email.
2. Configure passwords and settings:
Defaults provided by vendors should be avoided. Factory settings, such as default usernames and passwords, are included with out-of-the-box devices like routers and POS systems. Defaults simplify device setup and support, but they also mean that every model starts with the same username and password. Default passwords are easy to guess, and many are even available online.
Unfortunately, third-party service providers frequently install hardware or software without informing businesses that their entire system is protected by an easy-to-guess or easy-to-crack password. To make access easier, vendors may purposefully leave weak or default passwords in place. But that’s the same as leaving your front door unlocked just to avoid ever having to hunt for your house keys.
Inventorying and then properly configuring all security settings on all systems and devices is required to meet criterion #2. This information will need to be compiled and reviewed.
3. Protect stored cardholder data:
The 12 PCI criteria are designed to preserve and secure stored cardholder data while also preventing data breaches. Furthermore, according to requirement 3, stored card data must be secured using industry-accepted techniques (e.g., AES-256). The issue is that many merchants are unaware that they are storing unencrypted primary account numbers (PANs).
Card data must be encrypted, but the encryption keys must be secured as well. Using a robust PCI DSS encryption key management process, for example, will help you avoid placing the key in the “lock.”
You must design and document a current cardholder data (CHD) flow diagram for all card data flows in your company to meet this criterion. A CHD flow diagram graphically depicts how card data moves across an organization (see adjacent example). As you build your environment, it’s critical to ask all companies and departments whether they receive cardholder information, and then document how their responses may impact card data flows.
You should use a data discovery tool like PANscan or PIIscan on a frequent basis. These technologies assist in locating unencrypted PAN and other sensitive data so that it can be securely deleted or encrypted.
4. Encrypt transmission of cardholder data across open, public networks:
For criterion 4, you must know where cardholder data is sent. Primary account numbers (PANs) are commonly sent to the following locations:
- Backup servers
- Third parties who handle or store PAN
- Outsourced system or infrastructure management
- Corporate offices
When transmitting cardholder data over open, public networks, you must utilize encryption and follow security regulations.
A reminder about SSL and early TLS online encryption: the PCI Security Standards Council issued a policy on June 30, 2018, stating that you must move from SSL and early TLS to secure versions of TLS due to vulnerabilities in web encryption.
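To make the SSL/early TLS point concrete, here is an added example (not from the post or from the PCI SSC) of the check a practitioner would run against a web server configuration before an assessment. It audits nginx-style `ssl_protocols` directives in a configuration file, reports the forbidden versions (SSLv2, SSLv3, TLSv1, TLSv1.1), rewrites the directive to the acceptable set, and, on the application side, builds a Python client TLS context that refuses to negotiate anything below TLS 1.2. The configuration text is constructed, and the choice of TLS 1.2 and 1.3 as the acceptable set is the assumption the example makes.

```python
import re
import ssl
from typing import Dict, List

# SSL and "early TLS" versions that must not protect cardholder data in transit,
# and the versions this example treats as acceptable (assumption: TLS 1.2 and 1.3).
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALLOWED = ("TLSv1.2", "TLSv1.3")

# Matches an nginx-style "ssl_protocols ...;" directive at the start of a line.
SSL_PROTOCOLS_RE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def audit_ssl_protocols(config: str) -> List[Dict]:
    """List every ssl_protocols directive with the protocol versions it enables."""
    findings = []
    for m in SSL_PROTOCOLS_RE.finditer(config):
        enabled = m.group(2).split()
        findings.append({
            "line": config.count("\n", 0, m.start()) + 1,
            "enabled": enabled,
            "forbidden": [p for p in enabled if p in FORBIDDEN],
        })
    return findings


def harden_ssl_protocols(config: str) -> str:
    """Rewrite every ssl_protocols directive to the acceptable set, keeping indentation."""
    return SSL_PROTOCOLS_RE.sub(r"\1ssl_protocols " + " ".join(ALLOWED) + ";", config)


def pci_client_context() -> ssl.SSLContext:
    """Client-side context for an application that sends PAN to a processor or backup host."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS outright
    return ctx


def context_rejects_early_tls(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


# Constructed weak configuration: the directive still offers SSLv3 and early TLS.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

if __name__ == "__main__":
    for f in audit_ssl_protocols(WEAK_CONFIG):
        print(f"line {f['line']}: forbidden versions enabled: {f['forbidden']}")
    print(harden_ssl_protocols(WEAK_CONFIG))
```

A configuration with no `ssl_protocols` directive at all is not reported by the audit; it inherits the server build’s default, so set the directive explicitly rather than relying on that default when the host is in scope.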
5. Use and regularly update anti-virus software:
All systems commonly affected by malware should have anti-virus software installed. To detect known malware, make sure anti-virus or anti-malware products are updated on a regular basis. Anti-malware software that is kept up to date will prevent known malware from infecting computers.
Make sure you or your POS vendor is doing anti-virus checks on your software on a frequent basis.
You should also stay informed about new and emerging malware dangers. Merchants can learn about developing malware and attacks on systems by using outside sources such as vendor/anti-virus threat feeds. Then you can set up systems to warn and report on unusual behavior, such as new files being added to known malware directories or attempts at unauthorized access.
6. Regularly update and patch systems:
Because software is never flawless, vendors regularly release updates to remedy security holes. Patch updates are sometimes time-sensitive. When a hacker discovers a security flaw, they share their information with the rest of the hacker community, who subsequently exploit the flaw until the patch is applied.
Implementing security upgrades as soon as possible is critical to your security posture. All important components in the card flow pathway should be patched, including:
- Browsers (internet browsers)
- Application software
- POS machines
- System software
Keep an eye on your system’s software and make sure it’s up to date. To stay in compliance, merchants must install important patches within a month of release, according to requirement 6.2. Remember to keep key software installations, such as credit card payment programs and mobile devices, up to date. To stay current, request to be added to your software vendor’s patch/upgrade notification list.
7. Restrict access to cardholder data to business “need to know”:
To meet requirement 7, you’ll need a role-based access control (RBAC) system, which gives need-to-know access to card data and systems. Configure administrator and user accounts to protect sensitive data from being exposed to people who don’t need it.
An up-to-date list of the specific roles or individuals with access to the card data environment is required by PCI DSS. Each role, its definition, access to data resources, current privilege level, and the required privilege level for each employee to complete routine business activities should all be included on this list. Users who are authorized must fall into one of the roles you specify.
8. Assign a unique ID to each person with computer access:
User IDs and passwords must be sufficiently complex and unique, according to requirement 8. Group or shared passwords should not be used.
However, the security of your system should not be primarily determined by the complexity of a single password. Because no password should be regarded as “uncrackable,” all non-console administrative access (remote access) to in-scope systems requires multi-factor authentication.
9. Restrict physical access to workplace and cardholder data:
Employees may believe that physical security only applies outside working hours. Most data thefts (such as social engineering attacks) happen during the day, when busy employees are often too preoccupied to notice someone strolling out of the office with a server, corporate laptop, phone, or other valuables.
You can’t keep critical information like credit card numbers out in the open. For convenient reservation access, some hotels maintain binders full of credit card information behind the front desk. Unfortunately, while this collection of files makes life easier for employees, it also provides easy access to crooks.
According to Requirement 9, you must restrict physical access to areas containing cardholder data and document the following:
1. Who has access to protected environments, and why do they require it?
2. What devices are used, when, where, and why?
3. Which applications are available on the device?
4. A list of device users with their permissions
5. Locations where the device is permitted and prohibited
You’ll also need to set up automated lockout/timeout restrictions on workstations, inspect all devices on a regular basis, and most importantly, regularly train your employees on security policies and procedures as well as social engineering techniques to beware of.
10. Implement logging and log management:
Past experience has shown that non-compliance with criterion 10 is the most common cause of data breaches. Only when logs are reviewed are they valuable.
System event logs contain information on actions performed on computer systems such as firewalls, office PCs, and printers. You must analyze logs at least once a day to look for mistakes, anomalies, and suspicious activity that differ from the usual to meet criterion 10. You must also have a procedure in place to deal with these abnormalities and exceptions.
To make such log monitoring feasible, products such as a SIEM (Security Information and Event Management) system can help you keep track of network activity, generate alerts, investigate system events, and track user actions.
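The daily review the requirement calls for can be partly automated even without a SIEM. The following is an added example, not code from the post or from any SIEM product: it parses OpenSSH-style authentication log lines and applies three review rules a reviewer would otherwise apply by eye, namely repeated failures for one account from one source within a short window, a successful login right after such a burst, and a privileged account logging in outside business hours. The log lines, host names, addresses (from the 203.0.113.0/24 documentation range), thresholds and the 07:00 to 19:00 business window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# OpenSSH-style sshd lines: "Mar 02 02:14:01 host sshd[pid]: Failed password for user from ip port n ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Review thresholds (assumptions for this example, tune to your environment).
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
PRIVILEGED_USERS = {"admin", "root"}


def parse_line(line: str, year: int = 2024) -> Optional[Dict]:
    """Return a parsed auth event, or None for lines that are not sshd auth results."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")  # syslog omits the year
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}


def _finding(rule: str, ev: Dict) -> Dict:
    return {"rule": rule, "user": ev["user"], "src": ev["src"], "host": ev["host"], "at": ev["ts"].isoformat()}


def review_auth_log(lines: List[str]) -> List[Dict]:
    """Apply the three review rules in log order and return the findings."""
    findings: List[Dict] = []
    # (user, src) -> timestamps of failures still inside the sliding window
    recent_failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[(ev["user"], ev["src"])]
        while window and ev["ts"] - window[0] > FAILURE_WINDOW:
            window.popleft()                       # drop failures that aged out
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) == FAILURE_THRESHOLD:   # fire once, when the threshold is crossed
                findings.append(_finding("repeated_auth_failures", ev))
        else:
            if len(window) >= FAILURE_THRESHOLD:
                findings.append(_finding("success_after_repeated_failures", ev))
            if ev["user"] in PRIVILEGED_USERS and ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(_finding("privileged_login_outside_business_hours", ev))
    return findings


# Constructed sample: an overnight burst against "admin" that ends in a successful login,
# followed by ordinary daytime activity and one non-auth line the parser must skip.
SAMPLE_AUTH_LOG = """\
Mar 02 02:14:01 pos-gw01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 02 02:14:03 pos-gw01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 02 02:14:05 pos-gw01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 02 02:14:06 pos-gw01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 02 02:14:09 pos-gw01 sshd[4121]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
Mar 02 09:00:00 pos-gw01 CRON[4200]: (root) CMD (run-parts /etc/cron.hourly)
Mar 02 09:05:11 pos-gw01 sshd[4302]: Accepted publickey for jsmith from 10.20.0.15 port 60110 ssh2
Mar 02 09:30:00 pos-gw01 sshd[4310]: Failed password for jsmith from 10.20.0.15 port 60114 ssh2
"""

if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f['at']} {f['rule']}: {f['user']} from {f['src']} on {f['host']}")
```

Each finding is an exception the requirement expects you to have a procedure for: the reviewer records who looked at it, what was concluded, and what was done, which is the evidence an assessor asks for.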
11. Conduct vulnerability scans and penetration tests:
Defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces could leave your data susceptible. Yes, completing requirement 6 (installing security updates and patches) can assist in the correction of many of these vulnerabilities before they are exploited by attackers. However, you must be able to locate and test these vulnerabilities in order to be certain that they have been correctly patched. Regular vulnerability scanning and penetration testing are required for this.
A vulnerability scan is a high-level automated test that looks for and reports potential security flaws. All external IPs and domains exposed in the CDE must be scanned at least quarterly by a PCI Approved Scanning Vendor (ASV).
A penetration test (“pen test”) is an automated or semi-automated test that aims to find security flaws in your systems. Penetration testers and pen test software can probe network infrastructure, discover potential vulnerabilities, then attempt to exploit those weaknesses, just like a malicious hacker would.
The frequency and type of penetration test required will differ depending on your risk assessment, business size, threat environment, potential impact of a breach, and other factors.
12. Documentation and risk assessments:
The final PCI compliance criterion has two aspects. The first is to document the policies, procedures, and proof relevant to your company’s security measures.
When you are audited for PCI compliance, a Qualified Security Assessor (an auditor who is certified by the PCI Security Standards Council) will check that PCI standards are being followed in corporate policies and controls. Then they’ll go through a series of tests to ensure that the controls have actually been implemented.
The following information must be included in your documentation:
1. Employee handbook
2. Procedures and policies
3. Agreements with third-party vendors
4. Incident response plans
The second element of requirement 12 is an annual risk assessment that examines essential assets, threats, and vulnerabilities. This requirement will assist you in identifying, prioritizing, and managing risks to your data security.
PCI DSS Compliance with Akitra!
Establishing trust is a crucial competitive differentiator when courting new business in today’s era of data breaches and compromised privacy. Customers and partners want assurances that the organizations with whom they do business are doing everything possible to prevent disclosing sensitive data and putting them at risk. Compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our service helps customers become certified for PCI DSS, along with other frameworks like SOC 1, SOC 2, ISO 27001, HIPAA, GDPR and NIST 800-53. Our compliance and security experts will also provide you with the customized guidance you need to confidently navigate the end-to-end compliance process.
The benefits of our solution include enormous savings in time, human resources, and money — including discounted audit fees with our audit firm partners. Customers achieve compliance certification fast and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.