Are You PCI Compliant? 12 Requirements for Customer Data Security
Consumers are increasingly choosing to pay with credit or debit cards rather than cash. According to The Washington Post, the number of people carrying cash has decreased, with close to 50 percent of Americans carrying $20 or less each day, including nine percent who carry no cash at all. For consumer brands, this is one more factor to consider when thinking about your customers’ loyalty and trust.
Keeping your customers’ confidential information private and secure is a substantial part of that. In fact, every company that accepts, processes, stores or transmits credit card information must maintain a secure environment in compliance with the Payment Card Industry Data Security Standard (PCI DSS). American Express, Visa, MasterCard, and Discover are just a few of the card brands that run their own programs for the protection of account data. Even if you use a service like PayPal or only accept credit cards over the phone, your organization will be held to PCI requirements.
Here are the twelve requirements as defined by the PCI Security Standard Council:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Keep in mind that there is more to each requirement than its title states, including many sub-requirements. Together, the twelve requirements cover your business processes and how you manage credit card transactions, and each can also be read as a best practice for privacy and information security. Since it can be difficult to know whether you are fully meeting all of them, here is a run-down of the requirements and what you should know about each, grouped by the actions you need to take.
1. Protect cardholder data (#1-2)
The first two requirements are best practices for conducting business securely and maintaining security around sensitive information. The first step is installing and maintaining a firewall. This matters because the firewall monitors and controls all traffic according to a security policy, drawing a line between sources you can trust and those you should not. In doing so, you define which environments are permitted to reach the data.
The next requirement: do not use vendor-supplied defaults for your security settings and passwords! This applies to both software and hardware, since the default configuration of devices like routers or servers ships with a preset password. Vendors do this to make installation and implementation easier. Unfortunately, it also means that anyone who knows the default can easily get into every device or application still running that same configuration. To solve this issue, create strong passwords using a mix of letters, numbers, and punctuation. Keeping your credentials updated and avoiding obvious values like “admin” or “password” also keeps the information secure and prevents unauthorized access.
2. Defend your systems from risk (#3-5)
As obvious as it may seem, you want to protect stored cardholder data. This means making sure all data and systems are protected from viruses, malware, and hackers. Keeping hackers out of your systems, where they could expose or steal credit card data, can be a difficult task because the data is in near-constant transmission. The firewall installation from the first requirement is a first step toward keeping this information controlled and protected.
A smart approach is to encrypt transmissions of cardholder data across open, public networks. There are different aspects of encryption to keep top-of-mind when doing this:
- Encryption for data “at rest” applies to information stored somewhere. This can be the cloud, a disc, or a hard drive.
- Encryption for data “in motion” refers to data that is actively being transmitted.
- Encryption for data “in use” means keeping information protected while a person is viewing it on a screen, so that it cannot be intercepted or stolen at that point. This includes client programs and mobile applications.
Additionally, it is imperative to protect all systems against malware and regularly update your anti-virus software or programs. Think of how people continue to get the flu vaccine year after year because the virus is constantly changing and replicating. The same principle applies here, since computer viruses are always changing and growing. Installing software and then not updating it won’t be enough, as hackers are continually refining their tactics and strategies.
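As an added example (not code from the original post), the following Python check illustrates requirement 3 on constructed log lines: it flags card numbers that appear unmasked, using the Luhn check to skip unrelated digit runs, and shows the first-six/last-four masking that PCI DSS permits for display. The log lines and card numbers are constructed test values, not real accounts.

```python
import re

# Constructed sample log lines (card numbers are test values, not real accounts).
SAMPLE_LINES = [
    "2024-03-01 10:02:11 order=4411 pan=4111111111111111 status=approved",
    "2024-03-01 10:03:45 order=4412 pan=411111******1111 status=approved",
    "2024-03-01 10:04:09 customer called about order 4413, no card data",
    "2024-03-01 10:05:30 order=4414 ref=1234567812345678 status=declined",
]

# Any run of 13-19 digits not adjacent to other digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check that real card numbers satisfy; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits, the maximum PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(line):
    """Return the digit runs in a line that pass the Luhn check."""
    return [m for m in PAN_CANDIDATE.findall(line) if luhn_valid(m)]


def redact_line(line):
    """Replace every Luhn-valid candidate with its masked form."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), line)


def scan(lines):
    """Return (line number, redacted line) for every line holding an unmasked PAN."""
    return [(n, redact_line(line)) for n, line in enumerate(lines, 1)
            if find_unmasked_pans(line)]


if __name__ == "__main__":
    for n, redacted in scan(SAMPLE_LINES):
        print(f"line {n}: unmasked PAN found -> {redacted}")
```

Only the first sample line is reported: the second is already masked, the third has no card data, and the 16-digit reference on the fourth fails the Luhn check.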
3. Monitor and track access to all data and resources (#6-10)
Software is complex! Hundreds of decisions and miles of code go into its development. Thankfully, disciplines have arisen to help developers secure their products. One such discipline is the systems development life cycle (SDLC), the application development life cycle used in software and systems engineering to describe a process for planning, creating, testing, and deploying an information system. Developing and maintaining secure systems and applications should be part of that process. If you are looking for assistance, there are communities dedicated to guiding organizations in secure software development. One such online community is the Open Web Application Security Project (OWASP), which creates free articles, methodologies, documents, and tools in the field of network security.
Restricting access to cardholder data on a “business need to know” basis is the next important step toward PCI compliance. This especially applies to restricting physical access to cardholder data. An example is instructing your call center agents NOT to write down a customer’s credit card number on paper or print it out, even during a transaction. Providing the information on a compartmentalized, need-to-know basis reduces the chance of it leaking to a party that should not have it. Business processes can produce more issues than the technology itself. As the decision maker in charge of access to the system, the gatekeeper, you need to monitor who has access.
The reason for this is not just security, but auditing and forensics. If you are trying to prevent fraud, you need to be able to prove it. Most regulations require you to track access to and transmission of data so that if something happens, you can trace it and provide the records to law enforcement, your security staff, your compliance officer, and your developers. Make sure everything you do is tracked and stored, including activity in databases and applications.
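As an added example (not code from the original post), the following Python audit ties the two paragraphs above together: it checks constructed access records against a need-to-know role policy (requirement 7) and chains each record to the previous one with a SHA-256 hash, so that an audit entry that is later altered, removed from the middle, or reordered is detectable (requirement 10). The roles, users, resources and records are all constructed for the example.

```python
import hashlib
import json

# Constructed need-to-know policy: which roles may touch which data stores.
NEED_TO_KNOW = {
    "payments_api": {"cardholder_db"},
    "fraud_analyst": {"cardholder_db", "transaction_log"},
    "call_center": {"transaction_log"},
    "marketing": set(),
}

# Constructed access records, as an application or database audit log might emit.
ACCESS_LOG = [
    {"ts": "2024-03-01T10:00:00Z", "user": "svc-payments", "role": "payments_api",
     "resource": "cardholder_db", "action": "read"},
    {"ts": "2024-03-01T10:01:00Z", "user": "alice", "role": "fraud_analyst",
     "resource": "cardholder_db", "action": "read"},
    {"ts": "2024-03-01T10:02:00Z", "user": "bob", "role": "call_center",
     "resource": "cardholder_db", "action": "read"},
    {"ts": "2024-03-01T10:03:00Z", "user": "carol", "role": "marketing",
     "resource": "transaction_log", "action": "export"},
]

GENESIS = "0" * 64   # fixed starting value for the hash chain


def record_hash(prev_hash, record):
    """Hash a record together with the previous hash so the trail forms a chain."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(records):
    """Attach a chained hash to every record; returns a new list of entries."""
    h, chained = GENESIS, []
    for r in records:
        h = record_hash(h, r)
        chained.append({**r, "hash": h})
    return chained


def verify_chain(chained):
    """Return the index of the first entry whose hash no longer fits, or -1 if intact."""
    h = GENESIS
    for i, entry in enumerate(chained):
        body = {k: v for k, v in entry.items() if k != "hash"}
        h = record_hash(h, body)
        if h != entry["hash"]:
            return i
    return -1


def find_violations(records, policy):
    """Records where the role is not permitted to access the resource (need to know)."""
    return [r for r in records if r["resource"] not in policy.get(r["role"], set())]
```

Truncation at the end of the chain is not caught by this check alone; for that, the latest hash has to be anchored somewhere the log writer cannot change, such as a separate log server.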
4. Test security systems and processes regularly (#11)
Vulnerability management is a process, not a task. That is why you need to check and test security systems and processes regularly. Verifying that systems and processes are built securely goes a long way toward uncovering issues or noncompliance. As noted above, installing software and implementing processes means nothing if you don’t test them regularly as part of an ongoing loop to find and resolve issues.
5. Maintain a policy that addresses information security for all personnel (#12)
Technology plays an ever larger role in our lives, so making everyone aware of IT security policies is a major part of your risk management. Make sure everyone in your organization is clear on your security policy and knows how to stay in compliance.