PCI DSS stands for Payment Card Industry Data Security Standard. These standards are in place to help businesses protect themselves and their customers by outlining how sensitive personal information, like credit card data, gets stored. If you process payments using debit or credit cards, you must meet PCI DSS, or you might be fined or have your ability to process cards revoked altogether.
Payment card fraud accounts for over $21 billion in losses for businesses and consumers each year. That number could grow to over $40 billion by 2025. Fraud in this respect is a severe problem, and the issues come from both sides of the card; consumers who don’t practice necessary internet security measures and safe browsing habits, and businesses that don’t meet PCI compliance standards.
For PCI compliance, the data you need to protect is any data gleaned from a credit and debit card like the number, cardholder’s name, PINs, and any data from the chip or magnetic strip. Criminals commonly find ways to steal this data by compromising card readers, point of sale networks, databases, servers, wireless access points, and sometimes from within your employee ranks.
Fortunately, many of the data and network security policies you have in place now, or should have in place, cover the majority of your PCI compliance requirements. If you are running your workloads in the cloud then you already have a leg up towards getting to a compliant state because of all the products and services cloud providers offer to help you achieve your security and compliance requirements. You can accomplish full compliance by setting and maintaining simple goals and policies. In this post we outline twelve steps that will help you attain and maintain PCI DSS compliance.
12 Steps to PCI DSS Compliance
- Step One: Set up firewalls to protect sensitive systems and network from intruders and malicious software. A firewall can block a lot of the network traffic that might contain malicious software or attempts by criminals to breach your network. To stay in compliance, all your systems and networks must remain protected from any untrusted traffic sources or unauthorized access.
- Step Two: Never leave default passwords in place. Routers and some other devices you may use for PoS probably come with a default password. Some wireless routers use a default password like admin, password, or no password at all. Leaving default passwords in place is asking for trouble, and it makes breaching your network much easier for hackers.
- Step Three: Focus your sights on protecting all your cardholders’ data. There are several ways to protect their data as traffic or when you store it using encryption, hashing, and masking the information. Home Depot had to pay almost $20 million to consumers affected by their breach in 2014, and it only affected around 50 million cardholders. Home Depot was breached via third-party vendors.
- Step Four: Take steps to encrypt any cardholder data you transmit over open or public networks, like the internet, which is a vast public network. Any cardholder information you send must be encrypted to remain in PCI compliance. Encrypt all your traffic, and this problem solves itself.
- Step Five: Use and maintain anti-malware and anti-virus software. Malware can make its way into your network and computers in many different ways from an infected USB to hackers exploiting a vulnerability in your software or hardware. All it takes is one employee to click the wrong link in an email on an unprotected system to expose data and start an avalanche of compliance problems. Anti-malware and anti-virus software must remain installed on all systems that see cardholder data.
- Step Six: Make sure your applications, hardware, and operating systems are up to date and patched for security vulnerabilities. An easy way for malware to make it into your network is through security holes left by unpatched operating systems or known flaws in some hardware. You need to make every effort to ensure that these things are updated regularly to remain in PCI compliance.
- Step Seven: Remove and prevent access to cardholder data except for people and systems that need to see it. Employee mistakes are the leading reasons cardholder data is leaked or otherwise exposed. Grant access to employees and systems only if they need the data to do their job or perform a necessary task. This is an excellent place to set up strong policies to govern who sees the data and to start employee training programs.
- Step Eight: Set up unique credentials for anyone who has access to cardholder information. Sharing passwords and usernames is never a good idea, so create policies and train your employees to avoid sharing their credentials. Unique identifiers like usernames ensure that you always know who accessed data and when and may prove beneficial in an audit.
- Step Nine: Prevent physical access to servers or computers where cardholder data is stored or transmitted. Any removable device can be a gateway for malicious software and hackers, so make sure that only trusted employees have access to physical devices that contain cardholder information.
- Step Ten: Monitor and track everything that happens inside or around networks and systems that contain cardholder data. Computers log everything, so implement a log analyzing system to monitor access to sensitive data. You need to know who accessed anything within your infrastructure and when they did it.
- Step Eleven: Test your security measures, including employees. With enough time and access, anything is vulnerable whether the flaw is in hardware, software, or possibly an employee error. Penetration testing and constant testing via in-house security measures ensure that you are taking every precaution possible to protect cardholder data.
- Step Twelve: Develop policies that govern data security and the 11 previous steps. Policies give structure to your security, and they help employees, both new and veteran, understand what you expect from them.
PCI DSS Compliance Best Practices
The first goal you need to set is establishing and enforcing effective policies. Keep in mind that implementing a PCI DSS compliance program is not something you can do in phases over the next few years: You have to get it all in place now. Policies define how everything must be done as well as the appropriate way to respond to problems.
Never ignore a problem that comes up during a security test. Take immediate steps to define issues and their causes so you can correct them. Once you identify and resolve any problems, continue monitoring the system to make sure everything is working as intended. Save any logs or paperwork created during the process for future security audits or risk assessments.
Monitor networks and systems for authorized and unauthorized changes during update and high traffic periods. Even the best security measures and intrusion detection methods can’t catch everything. When new malware makes its way into the wild, it takes less than five minutes to infect a computer somewhere on the planet.
Some Final Notes
The best way to begin your PCI DSS compliance journey is by developing policies that define how your security works and how you restrict access to cardholder data. Following the 12 steps we have outlined above will help you get PCI compliant and help keep you there. If you fail to meet the PCI standards, you could face fines or lose the ability to process payment cards.
Companies can reduce their risk and streamline compliance by leveraging the right tools. Build compliance into your technology stack by leveraging a tool like Threat Stack’s Cloud Security Platform® which offers continuous cloud compliance to help you meet PCI DSS and other regulatory requirements. If you’re interested in how Threat Stack can help you with your security and compliance needs, feel free to contact us for a demo.