PCI DSS Requirements: Checklist

To help ensure the protection of businesses and their customers, the Payment Card Industry Security Standards Council (PCI SSC) publishes a checklist of security requirements for companies that handle credit card transactions. These requirements are known as Payment Card Industry Data Security Standards, or PCI DSS, and compliance is essential for all businesses that process, store, and transmit sensitive digital payment information (e.g., credit card information) for consumer transactions.

What is PCI DSS?

PCI DSS is a worldwide standard of data security that has been put in place to directly combat the staggering level of fraud and theft that takes place in credit card transactions. In 2019, a reported $28.65 billion were lost to payment card fraud. This number is expected to surge upwards of $38.50 billion by the year 2027.

The monetary results of this fraud alone are daunting, yet there are further consequences of not protecting sensitive cardholder data, including:

• Lost client confidence
• The cost of reissuing new payment cards
• Higher subsequent costs of compliance and monitoring
• Legal costs, settlements, and judgments
• Fines and penalties
• Termination of your client’s ability to accept payment cards
• Lost jobs
• Bankruptcy or even going out of business

PCI DSS standards were created to protect consumers by ensuring businesses adhere to best-practice security standards when processing payment card transactions. The PCI SSC does not enforce compliance: individual payment brands or acquiring banks are responsible for ensuring compliance.

PCI DSS is intended to protect both sensitive cardholder data and the businesses that process, store, and transmit that data.

Who does PCI DSS affect?

PCI DSS applies to all businesses that store, process, or transmit credit or debit cardholder data and/or sensitive authentication data. If a business outsources its payment processing to a third party, the business is responsible for ensuring that the account data is adequately protected by that third party as required by PCI DSS requirements.

What does PCI DSS impact?

PCI DSS is designed to protect cardholder’s sensitive information by ensuring that adequate controls are in place to govern the processes, people, and systems that access the data.

Cardholder data and sensitive authentication data is defined as follows:

• Cardholder data includes primary account number (PAN), cardholder name, expiration date, and service code.
• Sensitive authentication data includes full track data (magnetic-stripe data or the equivalent data contained on a chip), CAV2/CVC2/CVV2/CID, and PINs or PIN blocks.

The PAN is the critical element associated with cardholder data. If the cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are existing there in the cardholder data environment (CDE), they must be guarded in accordance with PCI DSS requirements.

Where does sensitive data loss occur?

Cardholder data and sensitive authentication data loss can occur in multiple areas and in numerous scenarios, including:

• Compromised card reader
• Point of sale system
• Storage networks
• Database
• Online portals
• Wireless routers
• Filing cabinet
• Varying electronic eavesdropping methods (e.g., hidden cameras or wiretaps)

What are PCI DSS requirements?

In May 2018, the Payment Card Industry Security Standards Council updated the PCI DSS standards to  address emerging threats and new methods of data processing and storage.

These 12 requirements outlined in the PCI DSS are considered data security best practice by major credit card companies for processing sensitive payment information and are categorized into six sections.

Businesses can demonstrate compliance with PCI DSS standards by implementing tight controls surrounding the storage, transmission, and processing of cardholder data, and maintaining adequate monitoring, testing, and reporting of yearly results.

12-step PCI DSS requirements checklist

Goal: Build and maintain a secure network and systems

1. Install a firewall and maintain appropriate configurations to protect cardholder data.
2. Immediately change vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect cardholder data

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a vulnerability management program

5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Goal:  Implement strong access control measures

7. Restrict access to cardholder data to the minimum users as necessary (i.e., “need to know”).
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.

Goal: Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Goal: Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel.

Additional PCI DSS requirements for shared hosting providers: Shared hosting providers must protect the cardholder data environment.

Achieving PCI DSS compliance

To demonstrate compliance with current PCI DSS requirements, businesses must implement controls that are focused on attaining six functional high-level goals. The goals are separated into 12 actionable steps. Once these controls are implemented, a process must be put in place to monitor, test, report, and remediate results of your client’s PCI DSS compliance efforts.

Build and maintain a secure network and systems

The first two requirements detail how a firewall should be implemented, maintained, and managed.

1. Install and maintain a firewall configuration to protect cardholder data.

Firewalls are integral to the security of any computer network and are the first line of defense for Internet traffic.

A firewall identifies network traffic and blocks any transmissions that don’t meet the business’s specified security criteria. All systems must be protected from unauthorized access from untrusted networks—regardless of the method of entry (e.g., internet e-commerce, employee internet access, employee e-mail access, business-to-business connections or wireless networks).

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Criminals and data thieves use vendor default passwords and default settings to compromise systems.

It is critically important to change vendor-supplied default passwords/settings and remove/disable unnecessary default accounts before introducing new systems into your environment.

Protect cardholder data

The third and fourth requirements detail how to protect cardholder data, during processing, transmittal and storage.

3. Protect stored cardholder data.

There are many methods of protecting your client’s sensitive data: encryption, truncation, masking, and hashing can each become a critical component of your business’s cardholder data protection plan. Additionally, don’t store cardholder data unless necessary, and don’t send unprotected information via e-mail or via other unsecured delivery (FTP, etc.).

4. Encrypt transmission of cardholder data across open, public networks.

Cardholder’s sensitive data and authentication information must be encrypted during transmission over open, public networks. These networks are targeted by individuals who exploit the open, visible nature of the network to gain unauthorized system access.

Maintain a vulnerability management program

The fifth and sixth requirements involve developing, maintaining, and protecting all in-scope payment systems with a vulnerability management plan to ensure any existing vulnerabilities are addressed and remediated.

5. Protect all systems against malware and regularly update anti-virus software or programs.

Malware is malicious software that can be introduced into your network during any typical business activity, such as employee e-mail, internet usage, using personal computers (BYOD), cell phones, or by utilizing an infected storage device such as a USB drive.

Antivirus software must be installed and operating on all business systems to protect your client’s environments. The security software must be correctly configured and maintained as there are constantly evolving malicious software threats found every day.

6. Develop and maintain secure systems and applications.

Intruders use security vulnerabilities in your systems and applications to gain privileged access to cardholder sensitive data. These security vulnerabilities are typically remediated through the application of security patches (typically provided by the vendor), and must be installed by whoever manages those systems.

All applications and systems are required to have appropriate, current software patches to protect against the exploitation and compromise of cardholder data.

Implement strong access control measures

The seventh, eighth, and ninth requirements focus on securing and controlling access to systems and cardholder data.

7. Restrict access to cardholder data by business need to know.

Access to data should be granted on a need to know basis, so systems and processes must be in place to ensure minimum necessary access. Need to know dictates that access is granted only at the minimum level and only if needed in order to perform a job responsibility. This includes system access and access to physical areas.

8. Identify and authenticate access to system components.

Each person with access to sensitive information must have unique credentials and there must be no password sharing. This helps ensure each individual is solely accountable for his or her actions and that a level of traceability is available.

9. Restrict physical access to cardholder data.

Physical access to all data and systems should be restricted.

Regularly monitor and test networks

The tenth and eleventh requirements include tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems, and processes.

10. Track and monitor all access to network resources and cardholder data.

Log files, system traces, or any tool enabling the tracking of access to sensitive data is critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. It is almost impossible to identify and diagnose a breach without system logs.

11. Regularly test security systems and processes.

System vulnerabilities are constantly being discovered, and as such, all systems, processes, and software should be tested.

Maintain an information security policy

Your client must implement and maintain a policy that addresses information security for all personnel.

12. Maintain a policy that addresses information security for all personnel.

A strong, PCI DSS compliant security policy secures your PCI DSS-scoped infrastructure and sets a standard for what is expected of your employees.

It is critical to ensure every employee understands what is expected of him or her regarding the security of your client’s sensitive data. All personnel should be aware of the data’s sensitivity and the individual and group responsibilities for protecting it.

The security policy is critical for good reason: cyberattacks are vicious and lightning-quick. Once a new malware is released, it only takes an average of 82 seconds for someone to unknowingly become a victim.

Best practices for implementing PCI DSS

PCI DSS should be integrated into everyday business activities, as it is an essential part of overall security and allows a company to demonstrate compliance.

Examples of how to implement PCI DSS into your regular activities include:

1. Constant monitoring of all security controls to ensure they are operating effectively and as intended.

2. Make sure to identify and respond to all security control failures in a timely manner. The process around these failures should include:

• Restoring the security control
• Identifying the cause of failure
• Identifying and remediating any security issues occurring during the control failure
• Implementing mitigation to prevent the failure from recurring
• Resuming to monitor the security control to verify the control is operating effectively

3. Determine if any changes have been made prior to completing the change. Ensure you perform the following tasks:

• Identify any impact to PCI DSS scope that occurs as a result of a new or modified system introduced into your PCI DSS environment
• Identify PCI DSS requirements that are in scope for systems and networks that are affected by the change
• Update your PCI DSS scope and implement necessary security controls

4. Review changes to the organizational structure resulting in a formal review of the impact to PCI DSS scope and requirements.

This can be done at the individual and group role levels to help ensure that current access is commensurate with the employee’s responsibilities and his or her job role.

5. Performing regular reviews and report findings to confirm that PCI DSS requirements are implemented and secure processes are in place as necessary.

These reviews should cover all company locations and include reviewing system components to verify that PCI DSS requirements have been adhered to and are implemented. The frequency of these reviews is determined by the business as appropriate for the size and complexity of their environment.

These reviews can be used to verify that appropriate evidence is being maintained for PCI DSS compliance efforts.

6. Document and review hardware and software technologies regularly.

You must verify that all equipment is supported by the vendor and can meet your client’s PCI DSS security requirements. Take action if the equipment is not supported or compliance requirements are not met.

Scoping a PCI DSS environment

PCI Data Security Standard implementation and compliance begins with accurately scoping your PCI DSS environment. This scoping process includes identifying all system components that are located within, or connected to, the environment containing cardholder data.

The PCI SSC has provided basic guidance for compliance, including a three-step process to assess, remediate, and report PCI DSS in-scope data.

SolarWinds MSP can help your customers meet PCI DSS compliance, offering a range of different functionality including patch management, antivirus, and asset inventory. Try the remote management tools from SolarWinds MSP for free and see how comprehensive our MSP and IT provider software is and how it can make your job much easier.