PCI DSS Requirements
PCI DSS compliance is a must for all businesses that create, process and store sensitive digital information. To ensure the protection of businesses and their customers, the Payment Card Industry Security Standards Council publishes a checklist of security requirements for companies that engage in credit card transactions.
What is PCI DSS?
In 2014, a reported 16.31 billion dollars were lost to payment card fraud. This number is expected to surge upwards of 35.54 billion by the year 2020.
Many companies unknowingly add to these statistics by having inadequate, little, or no controls around sensitive data. For example, in 2014 there were 1,540 data breaches at companies worldwide—up 46 percent from the year before—that led to the compromise of more than one billion data records.
The monetary results of this fraud alone are daunting, yet there are further consequences of not protecting sensitive cardholder data, including:
- The client losing confidence
- The cost of reissuing new payment cards
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines and penalties
- Termination of your client's ability to accept payment cards
- Lost jobs
- Bankruptcy or even going out of business
To combat this staggering fraud and theft, all businesses that process, store, and transmit sensitive digital payment information (e.g., credit card information) for consumer transactions must comply with the Payment Card Industry Data Security Standards (PCI DSS) established and maintained by the Payment Card Industry Security Standards Council (PCI SSC).
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard of data security for businesses that process credit card transactions. PCI DSS standards were created to protect consumers by ensuring businesses adhere to best-practice security standards when processing payment card transactions. The PCI SSC does not enforce compliance: individual payment brands or acquiring banks are responsible for ensuring compliance.
PCI DSS is intended to protect both sensitive cardholder data and the businesses that process, store and transmit that data.
Who Does PCI DSS Affect?
PCI DSS applies to all businesses that store, process, or transmit cardholder data and/or sensitive authentication data. If a business outsources its payment processing to a third party, the business is responsible for ensuring that the account data is adequately protected by that third party as required by PCI DSS requirements.
What Does PCI DSS Impact?
PCI DSS is designed to protect cardholder's sensitive information by ensuring the processes, people and systems that access the data have adequate controls around their usage.
Cardholder data and sensitive authentication data is defined as follows:
- Cardholder Data includes Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code.
- Sensitive Authentication Data includes full track data (magnetic-stripe data or the equivalent data contained on a chip), CAV2/CVC2/CVV2/CID, and PINs or PIN blocks.
The PAN is the critical element associated with cardholder data. If the cardholder name, service code and/or expiration date are stored, processed or transmitted with the PAN, or are existing there in the cardholder data environment (CDE), they must be guarded in accordance with PCI DSS requirements.
Where Does Sensitive Data Loss Occur?
Cardholder data and sensitive authentication data loss can occur in multiple areas and in numerous scenarios, including:
- Compromised card reader
- Point of sale system
- Storage networks
- Online portals
- Wireless routers
- Filing cabinet
- Varying electronic eavesdropping methods (e.g., hidden cameras or wiretaps)
What Are PCI DSS Requirements?
In April 2016, the Payment Card Industry Security Standards Council updated the PCI DSS standards to accommodate emerging threats and new methods of data processing and storage. These new requirements are considered best practices until January 31, 2018. After February 1, 2018, businesses that engage in credit card transactions will be expected to be in compliance with the updated standards.
The 12 requirements outlined in the PCI DSS are considered data security best practice by all major credit card companies for processing sensitive payment information and are categorized into six sections.
Businesses are considered compliant with PCI DSS standards by implementing tight controls surrounding the storage, transmission and processing of cardholder data, and maintaining adequate monitoring, testing and reporting of yearly results.
Goal: Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Goal: Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Goal: Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Goal: Implement Strong Access Control Measures
- Restrict access to cardholder data by business justification (i.e., "need to know").
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Goal: Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Goal: Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
Additional PCI DSS Requirements for Shared Hosting Providers: Shared hosting providers must protect the cardholder data environment.
Achieving PCI DSS Compliance
To be in compliance with current PCI DSS requirements, businesses must implement controls that are focused on attaining six functional high-level goals. The goals are separated into 12 actionable steps. Once these controls are implemented, a process must be put in place to monitor, test, report and remediate results of your client's PCI DSS compliance efforts.
Build and Maintain a Secure Network and Systems
The first two requirements detail how a firewall should be implemented, maintained, and managed.
1. Install and maintain a firewall configuration to protect cardholder data.
Firewalls are a vital component of any computer network and are the first line of defense for Internet traffic.
A firewall identifies all network traffic and blocks any transmissions that don't meet the business's specified security criteria. All systems must be protected from unauthorized access from untrusted networks—regardless of the method of entry (e.g., Internet e-commerce, employee Internet access, employee e-mail access, business-to-business connections or wireless networks).
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Criminals and data thieves use vendor default passwords and default settings to compromise systems.
It is critically important to change vendor-supplied default passwords/settings and remove/disable unnecessary default accounts before introducing new systems into your environment.
Protect Cardholder Data
The third and fourth requirements detail how to protect cardholder data, during processing, transmittal and storage.
3. Protect stored cardholder data.
There are many methods of protecting your client's sensitive data: encryption, truncation, masking, and hashing can each become a critical component of your business's cardholder data protection plan. Additionally, don't store cardholder data unless necessary, and don't send unprotected information via e-mail.
Protecting cardholder data is critical for numerous direct and indirect financial reasons. Target stores had a massive data breach in 2013 - 2014, while the direct financial cost was extensive—145 million over both years—the indirect toll is staggering: 110 million customers had their sensitive data accessed.
4. Encrypt transmission of cardholder data across open, public networks.
Cardholder's sensitive data and authentication information must be encrypted during transmission over open, public networks. These networks are targeted by individuals who exploit the open, visible nature of the network to gain unauthorized system access.
Maintain a Vulnerability Management Program
The fifth and sixth requirements involve developing, maintaining and protecting all in-scope payment systems with a vulnerability management plan to ensure any existing vulnerabilities are addressed and remediated.
5. Protect all systems against malware and regularly update anti-virus software or programs.
Malware is malicious software that can be introduced into your network during any typical business activity, such as employee e-mail, Internet usage, using personal employee computers, cell phones or by utilizing an infected storage device such as a USB drive.
Antivirus software must be installed and operating on all business systems to protect your client's environments. The security software must be correctly configured and maintained as there are constantly evolving malicious software threats found every day.
6. Develop and maintain secure systems and applications.
Intruders use security vulnerabilities in your systems and applications to gain privileged access to cardholder sensitive data. These security vulnerabilities are typically remediated through the application of security patches (typically provided by the vendor), and must be installed by whoever manages those systems.
It is required for all applications and systems to have appropriate, current software patches to protect against the exploitation and compromise of cardholder data.
Implement Strong Access Control Measures
The seventh and eighth requirements require access and access points to impacted systems, data to be secure, and that access to be commensurate with the role of the resource.
All access must be restricted to only authorized resources, and includes system access and access to physical areas.
7. Restrict access to cardholder data by business need to know.
Access to data should be granted on a need to know basis, so systems and processes must be in place to ensure limited access. Need to know dictates that access is granted only at the minimum level and only if needed in order to perform a job responsibility.
Employee error is the leading cause of data breaches as of 2015. The best way to reduce this problem is by having strong access controls in place for all impacted systems.
8. Identify and authenticate access to system components.
It is imperative to assign a unique identification set of credentials to each person with access to sensitive information. This ensures that each individual is solely accountable for his or her actions and that a level of traceability is available.
9. Restrict physical access to cardholder data.
Physical access to all data and systems should be restricted.
Regularly Monitor and Test Networks
The ninth and tenth requirements include tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems and processes.
10. Track and monitor all access to network resources and cardholder data.
Log files, system traces or any tool enabling the tracking of access to sensitive data is critical in preventing, detecting or minimizing a data breach. The availability of logs enables tracking, alerting and analysis when an intrusion occurs. It is almost impossible to identify and diagnose a breach without system logs.
11. Regularly test security systems and processes.
System vulnerabilities are constantly being discovered, and as such, all systems, processes and software should be tested.
Maintain an Information Security Policy
Your client must implement and maintain a policy that addresses information security for all personnel.
12. Maintain a policy that addresses information security for all personnel.
A strong, PCI DSS compliant security policy secures your PCI DSS-scoped infrastructure and sets a standard for what is expected of your employees.
It is critical to ensure every employee understands what is expected of him or her regarding the security of your client's sensitive data. All personnel should be aware of the data's sensitivity and the individual and group responsibilities for protecting it.
The security policy is critical for good reason: cyber-attacks are vicious and lightning-quick. Once a new malware is released, it only takes an average of 82 seconds for someone to unknowingly become a victim.
Best Practices for Implementing PCI DSS
PCI DSS should be integrated into everyday business activities, as it is an essential part of overall security and allows a company to ensure compliance.
Examples of how to implement PCI DSS into your regular activities include:
1. Constant monitoring of all security controls to ensure they are operating effectively and as intended.
2. Make sure to identify and respond to all security control failures in a timely manner. The process around these failures should include:
- Restoring the security control
- Identifying the cause of failure
- Identifying and remediating any security issues occurring during the control failure
- Implementing mitigation to prevent the failure from recurring
- Resuming to monitor the security control to verify the control is operating effectively
3. Determine if any changes have been made prior to completing the change. Ensure you perform the following tasks:
- Identify any impact to PCI DSS scope that occurs as a result of a new or modified system introduced into your PCI DSS environment.
- Identify PCI DSS requirements that are in scope for systems and networks that are affected by the change.
- Update your PCI DSS scope and implement necessary security controls.
4. Review changes to the organizational structure resulting in a formal review of the impact to PCI DSS scope and requirements.
This can be done at the individual and group role levels to ensure that current access is commensurate with the employee's responsibilities and his or her job role.
5. Performing regular reviews and report findings to confirm that PCI DSS requirements are implemented and secure processes are in place as necessary.
These reviews should cover all company locations and include reviewing system components to verify that PCI DSS requirements have been adhered to and are implemented. The frequency of these reviews is determined by the business as appropriate for the size and complexity of their environment.
These reviews can be used to verify that appropriate evidence is being maintained for PCI DSS compliance efforts.
6. Document and review hardware and software technologies regularly.
You must verify that all equipment is supported by the vendor and can meet your client's PCI DSS security requirements. Take action if the equipment is not supported or compliance requirements are not met.
The cost of neglecting software currency is alarming. In 2015, 44% of breaches were the direct result of having two- to four-year-old unpatched software. Imagine how many of these situations could have been avoided by simply observing software currency.
It is important to assess. monitor, remediate and report on your PCI DSS security controls on a regular basis!
Scoping a PCI DSS Environment
PCI Data Security Standard implementation and compliance begins with accurately scoping your PCI DSS environment. This scoping process includes identifying all system components that are located within, or connected to, the environment containing cardholder data.
The PCI SSC has provided basic guidance for compliance, including a three-step process to assess, remediate, and report PCI DSS in-scope data.
SolarWinds MSP (formerly LOGICnow) facilitates PCI DSS compliance at multiple levels by providing your clients' with a superior product designed to meet and exceed compliance thresholds for all PCI DSS requirements.
Go beyond the PCI DSS requirements checklist and fully protect your clients and their customers. Try the remote management tools from SolarWinds MSP for free and see how comprehensive our MSP and IT provider software is and how it can make your job much easier.