The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
PCI DSS compliance is built around six goals. Here we outline how we meet each of these:
-
Build and Maintain a Secure Network and Systems
-
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
-
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
-
-
Protect Cardholder Data
-
Requirement 3: Protect stored cardholder data
-
Requirement 4: Encrypt transmission of cardholder data across open, public networks
-
-
Maintain a Vulnerability Management Program
-
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
-
Requirement 6: Develop and maintain secure systems and applications
-
-
Implement Strong Access Control Measures
-
Requirement 7: Restrict access to cardholder data by business need to know
-
Requirement 8: Identify and authenticate access to system components
-
Requirement 9: Restrict physical access to cardholder data
-
-
Regularly Monitor and Test Networks
-
Requirement 10: Track and monitor all access to network resources and cardholder data
-
Requirement 11: Regularly test security systems and processes
-
-
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
-
Understanding PCI Compliance: PCI compliance is a regulation aimed at protecting consumer credit card information from theft and disclosure. It applies to any organization that stores, processes, or transmits credit card information.
-
Compliance Levels: PCI compliance levels (1 through 4) are dictated by the number of credit card transactions processed per year. Each level has different modules that need to be met.
-
Compliance Modules: For level one compliance, there are over twelve distinct modules that need to be met. These include segmenting your network, running quarterly or annual vulnerability scans, and restricting user access to certain information and applications.
-
Compliance Requirements: Within the 12 modules, there are over 220 specific individual items that need to be met. Compliance is not a one-time task but needs to be maintained over time as the organization, network, and business needs change.
-
Qualified Security Assessor (QSA): To meet compliance, you need to hire a QSA. They help you understand what you need to do to meet compliance and audit and assess that over time.
-
Approved Scanning Vendor (ASV): You also need to hire an ASV. They are certified by the PCI Council to scan your perimeter and any cardholder assets. They run a quarterly or annual scan depending on your organization.
-
Vendor Interaction: It's important to choose vendors who can interact with you, answer questions, and help solve problems as you strive to maintain compliance over time.
-
Expertise: Ensure your ASV and QSA have certified individuals who understand PCI compliance and can guide you through the process.
-
Trust: Avoid conflicts of interest by ensuring there's no overlap between the organization advising you on compliance and the one running your scans.
-
Vulnerabilities: Vulnerabilities are measured by CVSS scores. Any vulnerabilities above a 4 on the CVSS scale (which runs from 1 to 10) will fail you for compliance. Certain vulnerabilities, like those in the OWASP top ten, will fail you automatically regardless of score.
-
Cost of Non-Compliance: The cost of a breach can add up quickly, usually averaging $37 per record, with potentially thousands to millions of records per incident. These costs include detection of the breach, staff response, remediation costs, and fines.
Here we outline the key features and measures to meet the compliance:
-
Secure Transaction Processing
-
Encryption: Encrypt sensitive data such as credit card numbers and CVV codes during transmission. This can be done using SSL/TLS encryption.
-
Secure Sockets Layer (SSL): Implement SSL for all connections that involve sensitive data. This ensures that data transmitted between the server and the client is encrypted and secure.
-
Payment Gateway: Use a secure and trusted payment gateway. The payment gateway should be PCI DSS compliant.
-
Tokenization: Instead of storing sensitive data, use tokenization. This involves replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
-
Authentication: Implement strong authentication measures such as two-factor authentication (2FA) to verify the identity of users.
-
Fraud Detection: Implement fraud detection mechanisms to identify and prevent suspicious activities.
-
-
Data Encryption
-
Encryption Algorithms: Use strong encryption algorithms such as AES (Advanced Encryption Standard) for encrypting data. AES is a symmetric encryption algorithm that is widely used and trusted.
-
Key Management: Implement secure key management practices. Encryption keys should be stored securely and rotated regularly. Access to keys should be strictly controlled.
-
End-to-End Encryption: Implement end-to-end encryption for data in transit. This ensures that data is encrypted from the point it leaves the sender until it reaches the recipient.
-
At Rest Encryption: Encrypt data at rest. This means that data stored in databases, files, or other storage methods is encrypted.
-
Hashing: Use hashing for storing sensitive data like passwords. Hashing is a one-way function that scrambles data. When combined with a salt (random data), it's very secure.
-
-
Access Control
-
Authentication: Implement strong authentication mechanisms. This could be through passwords, two-factor authentication, biometric verification, etc.
-
Authorization: Implement role-based access control (RBAC). This means that access to resources is based on the role of the user, and not the individual user themselves.
-
Access Control Lists (ACLs): Use ACLs to define who can access what resources. ACLs can be used to grant or deny permissions to specific users or groups of users.
-
Least Privilege: Follow the principle of least privilege. This means that users should be given the minimum levels of access – or permissions – that they need to complete their job functions.
-
Regular Audits: Conduct regular audits of access controls to ensure they are still appropriate and that there are no unnecessary permissions.
-
-
Regular Audits and Monitoring
-
Audit Logs: Maintain detailed audit logs of all system activity. This includes user logins, file accesses, system changes, and other activities.
-
Automated Monitoring Tools: Use automated monitoring tools to continuously monitor your systems for any unusual or suspicious activity.
-
Regular Audit Reviews: Regularly review audit logs to identify any potential security incidents or policy violations.
-
Alerts: Set up alerts for specific events or activities that could indicate a security issue.
-
Third-Party Audits: Consider having third-party security audits conducted on a regular basis. These audits can provide an unbiased review of your security posture.
-
Compliance Reports: Regularly generate and review compliance reports to ensure that you are meeting all necessary regulatory requirements.
-
-
Vulnerability Management
-
Vulnerability Scanning: Regularly scan your systems for vulnerabilities. This can be done using automated vulnerability scanning tools.
-
Patch Management: Regularly update and patch your systems to fix known vulnerabilities.
-
Risk Assessment: Conduct risk assessments to identify the most critical vulnerabilities that need to be addressed first.
-
Remediation: Remediate identified vulnerabilities in a timely manner. This could involve patching, configuration changes, or other mitigation strategies.
-
Incident Response Plan: Have an incident response plan in place for handling any security incidents that do occur.
-