Financial data is among the most sought-after commodities on darknet marketplaces, so the merchants that handle it are prime targets for attackers. In response, the five major card brands jointly defined a set of security requirements to combat this.
The result is a standard known as PCI DSS, which aims to harden the card-processing ecosystem against the weaknesses attackers actually exploit. For any organization working out how to protect cardholder data, it is the essential document.
However, at first glance it can be hard to wrap your head around. This brief guide walks through the PCI DSS compliance requirements and explains how each one protects payment data.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of operational and technical requirements for protecting cardholder data. It applies to every entity that stores, processes, or transmits cardholder data, and to any entity whose systems could affect the security of that data.
Compliance can be costly because it must be validated every year: depending on your merchant level this means either a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor (QSA), plus budget lines for staff training, required remediation of hardware and software, and the quarterly scans the standard demands.
The primary purpose of PCI DSS is to provide an international framework for handling cardholder data securely. Its 12 requirements are grouped under 6 control objectives:
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Each objective governs a vital set of controls for payment data protection, and the standard does not grade on a curve: neglecting even one of them means you are not compliant. The objectives reinforce one another, so together they form a solid foundation for the security of customers' financial data.
Who needs PCI DSS compliance?
PCI DSS compliance requirements apply to every company that stores, processes, or transmits payment card data. When you shop online, for instance, your bank, the merchant's bank, the merchant itself, and the website's payment service provider are all subject to PCI DSS.
Generally speaking, PCI DSS covers merchants, card-issuing banks, acquirers, payment processors, gateways and other intermediaries, and the service providers and developers that build or host any part of the chain. Its purpose is to make sure there is no weak link in the system that could be exploited. A rule of thumb: if, in the course of your work, you come into contact with payment card data, you are almost certainly subject to PCI DSS.
Compliance is enforced by the major payment brands, which established the Payment Card Industry Security Standards Council (PCI SSC) in 2006:
American Express
Discover Financial Services
JCB International
Mastercard
Visa
UnionPay (not a founding member; it later joined the Council and oversees bank card services in mainland China)
Risks if you aren’t PCI DSS Compliant
Fines are the most immediate risk if your organization is found non-compliant with PCI DSS requirements. They are levied by the card brands on the acquiring bank, which passes them on to the merchant; depending on the scope and severity of the violation they range from $5,000 to $500,000 per month, and they escalate the longer non-compliance persists.
Separately, each card brand runs its own compliance program with its own validation requirements, so what American Express demands of a merchant may differ from what Mastercard demands, even though both are built on the same PCI DSS standard.
Breaching a brand's rules can bring further penalties. After a data breach the merchant is typically held liable for the cost of reissuing cards and for the forensic investigation and remediation, and even a merchant that survives that financial blow risks having its ability to accept cards suspended or revoked.
PCI DSS compliance requirement checklist
PCI DSS contains 12 compliance requirements that have to be met. The standard is universal and applies both to large corporations and small businesses. Here’s a short overview of each of them.
1. Install and maintain a firewall configuration to protect cardholder data
Firewalls protect your network by allowing or denying traffic according to a rule set, and they are usually the first line of defense between the internet and the cardholder data environment (CDE).
Document and maintain firewall and router rules that block all traffic not explicitly required for business, and review the rule set at least every six months.
Prohibit direct public access from the internet to any system in the CDE: place internet-facing services in a DMZ and keep the database tier on an internal network segment behind it.
Install personal firewall software on portable devices such as laptops that connect both to the internet and to the organization's network.
2. Do not use vendor-supplied defaults for passwords and other security parameters
One of the easiest ways into an internal network is trying default credentials. Default passwords for most hardware appliances and network services are publicly listed, and running through them takes minutes. If they are never changed, an attacker gets in without any sophisticated technique at all.
Change default credentials and remove or disable unnecessary default accounts before a system is placed on the network; this includes SNMP community strings and wireless defaults, not just administrator passwords.
Maintain hardening standards for every system component, based on industry-accepted guides such as the CIS benchmarks, and enable only the services and protocols a system actually needs.
Encrypt all non-console administrative access (SSH, HTTPS, VPN) with strong cryptography; cleartext protocols such as Telnet are not acceptable for administration.
Shared hosting providers must additionally isolate each customer's environment and cardholder data from every other customer's.
3. Protect stored cardholder data
As a merchant you must know where cardholder data flows and where it comes to rest. Wherever it is stored, the primary account number (PAN) must be rendered unreadable, by truncation, a keyed one-way hash, index tokens, or strong encryption with proper key management, and the most sensitive data must not be stored at all.
Keep storage to a minimum: define a retention policy and securely delete cardholder data once it is no longer needed for business, legal, or regulatory reasons.
Never store sensitive authentication data after authorization, even in encrypted form: full magnetic-stripe or chip track data, the card verification code (CVV2, CVC2, CID), and PINs or PIN blocks.
Mask the PAN whenever it is displayed: the first six and last four digits are the most that may be shown, and only staff with a legitimate business need may see the full number.
Protect the keys that encrypt cardholder data: store them in as few places as possible and encrypt them with a separate key-encrypting key, or hold them in a hardware security module.
Fully document key-management procedures, covering generation, distribution, rotation, retirement, and split knowledge and dual control for any manual key operation.
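The masking and unreadable-storage points above in working form. This is an added example written for this guide, not code from the original article or from NordLayer; the card number it uses is the well-known Visa test number rather than a real PAN, and the display and storage rules it encodes are those of PCI DSS Requirement 3. It also shows why hashed PANs should use a keyed hash (PCI DSS v4.0 makes this explicit): with the BIN and last four digits in hand, which every receipt and masked display gives away, an unkeyed SHA-256 of a 16-digit PAN leaves only a million candidates to try.

```python
"""Added example: PAN display masking, keyed hashing for storage and lookup,
and a demonstration of why an unkeyed hash of a PAN is not 'unreadable'.
Standard library only."""
import hashlib
import hmac
import re
from typing import Optional

PAN_RE = re.compile(r"\d{13,19}")

# Constructed sample: the well-known Visa test number, not a real cardholder's PAN.
SAMPLE_PAN = "4111111111111111"


def _check_pan(pan: str) -> None:
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13-19 digits")


def mask_pan(pan: str) -> str:
    """Display form (PCI DSS 3.3): at most the first six (BIN) and last four
    digits visible. Masking is for screens and receipts only; the full PAN still
    exists behind it, so it does not count as making stored data unreadable."""
    _check_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Storage form (PCI DSS 3.4) for when you need to recognise a card again,
    e.g. velocity or fraud checks, without keeping the PAN: a keyed HMAC-SHA256.
    `key` is a cardholder-data key and is managed like one (PCI DSS 3.5/3.6):
    kept outside the database, encrypted at rest, rotated."""
    _check_pan(pan)
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def pan_matches(stored_hash: str, candidate: str, key: bytes) -> bool:
    """Lookup: recompute the keyed hash and compare in constant time."""
    return hmac.compare_digest(stored_hash, hash_pan(candidate, key))


def unkeyed_sha256(pan: str) -> str:
    """The weak alternative: a plain, unkeyed hash of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def brute_force_unkeyed(digest: str, first6: str, last4: str, length: int = 16) -> Optional[str]:
    """With the BIN and last four known, only `length - 10` digits are unknown:
    10**6 candidates for a 16-digit PAN, a sub-second job. (A Luhn check would
    shrink the space by another factor of ten.) Returns the recovered PAN or None."""
    hidden = length - 10
    for n in range(10 ** hidden):
        candidate = f"{first6}{n:0{hidden}d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed; in production this comes from a KMS or HSM
    print("display:", mask_pan(SAMPLE_PAN))
    stored = hash_pan(SAMPLE_PAN, key)
    print("keyed hash lookup:", pan_matches(stored, SAMPLE_PAN, key))
    print("recovered from unkeyed hash:",
          brute_force_unkeyed(unkeyed_sha256(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:]))
```

The keyed hash only protects the PAN as long as the key is protected, which is exactly why the standard treats hashing keys, encryption keys and key-encrypting keys alike: outside the data store, encrypted at rest, and documented in the key-management procedures.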
4. Encrypt transmission of cardholder data across open, public networks
The same standard that applies to stored payment data applies in transit. Cardholder data may cross open or public networks (the internet, wireless, cellular) only inside an encrypted channel, so that it can be neither read nor altered on the way.
Use strong cryptography, which today means TLS 1.2 or later with secure cipher suites and properly validated certificates; SSL and early TLS (1.0) are no longer considered strong cryptography and must not be used to protect cardholder data.
Never send unprotected PANs over end-user messaging technologies such as email, instant messaging, SMS, or chat.
5. Protect all systems against malware
Malware can enter your network through email attachments, thumb drives brought in by employees, web downloads, and other routes. PCI DSS therefore requires anti-malware controls, and their ongoing maintenance, on all systems commonly affected by malware, including the workstations used by staff and by the technical team.
Deploy anti-malware software on every in-scope endpoint and server, and make sure it generates audit logs that are retained.
Keep engines and signatures current, run periodic scans, and ensure users cannot disable or alter the protection without management authorization.
6. Develop and maintain secure systems and applications
Run a thorough risk assessment of your organization's systems to identify the attack vectors that could be used to reach payment data, and close discovered vulnerabilities as quickly as possible.
Install vendor-supplied security patches promptly, with critical patches applied within one month of release.
Have a process for identifying newly disclosed vulnerabilities (vendor advisories, CVE feeds) and ranking them by risk.
Develop in-house applications securely, following secure-coding guidance such as OWASP's, with code review before release and strict separation of test and production environments (no live PANs in test data).
Protect public-facing web applications against known attacks, either through regular application vulnerability assessments or with an automated technical solution such as a web application firewall.
7. Restrict access to cardholder data by business need to know
Access to payment data is granted only on a need-to-know basis and according to role: if your job function does not require it, you do not get it, and where it does, you get the least privilege necessary to do the job.
Limit access to system components holding cardholder data to the individuals whose duties require it, and document each role and the privileges it needs.
Enforce this with an access control system, role-based access control for example, that is set to deny by default on components shared between multiple users.
8. Identify and authenticate access to system components
Under PCI DSS every user is assigned a unique ID before being allowed to access any system component. Shared or group accounts are prohibited: a shared password is far more likely to leak, and it destroys the audit trail, because actions can no longer be tied to an individual when a breach is investigated.
Assign a unique user name to each person, and disable or remove accounts promptly when people leave or change roles.
Enforce strong authentication: minimum password length and complexity, periodic change, lockout after repeated failures, and no reuse of recent passwords.
Require multi-factor authentication for all non-console administrative access to the CDE and for all remote network access originating from outside the network.
Never store passwords in plain text or in any reversible form; render all authentication credentials unreadable in storage and in transit using strong cryptography.
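A minimal implementation of the account rules above: unique IDs, passwords stored only as salted slow hashes, and lockout after repeated failures. This is an added example written for this guide, not code from the original article or from NordLayer. The `Directory` class, the storage format and the iteration count are assumptions; the lockout figures (six attempts, 30 minutes) are the PCI DSS v3.2.1 values.

```python
"""Added example: unique user IDs, salted slow password hashing, and lockout
after repeated failures. Standard library only."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumptions: ITERATIONS is deliberately low so the example runs quickly; tune
# it up for your hardware (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256).
# The lockout values are PCI DSS v3.2.1 8.1.6 / 8.1.7.
ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60


def hash_password(password: str) -> str:
    """Never store the password itself: a random 128-bit salt plus a slow,
    iterated hash, serialised as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Hash of a throwaway value, used so a login attempt for an unknown user costs
# the same time as one for a real user (no user enumeration via timing).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class Account:
    user_id: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0


class Directory:
    """In-memory user directory; `clock` is injectable so lockout can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[str, Account] = {}
        self._clock = clock

    def create_user(self, user_id: str, password: str) -> None:
        # One ID per person (Req. 8.1.1): reusing or sharing an ID is refused.
        if user_id in self._accounts:
            raise ValueError(f"user ID {user_id!r} already exists; IDs are never shared")
        self._accounts[user_id] = Account(user_id, hash_password(password))

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. The caller logs the outcome together
        with the user ID (Req. 10) so every failure is attributable."""
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None:
            verify_password(_DUMMY_HASH, password)  # burn the same time as a real check
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if verify_password(acct.password_hash, password):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    d = Directory()
    d.create_user("alice", "correct horse battery")
    print(d.authenticate("alice", "correct horse battery"))  # ok
    print(d.authenticate("alice", "wrong"))                  # denied
```

Note what the stored record contains: algorithm, iteration count, salt and hash, all non-secret, so the parameters can be raised later and old records re-hashed on next login; the password itself appears nowhere.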
9. Restrict physical access to cardholder data
Physical security is the other side that organizations must cover to be PCI DSS compliant. An attacker who can touch the hardware can plant a keylogger, a rogue network tap, or a card skimmer and bypass every logical control, so access to the facilities and systems that house cardholder data must be controlled and monitored.
Enforce entry controls (badge readers, locks) for buildings and rooms that house systems processing or storing cardholder data, and make employees and visitors visibly distinguishable.
Authorize access individually, revoke it immediately on termination, and physically secure network jacks and wireless access points so unauthorized devices cannot simply be plugged in.
Use video cameras or other monitoring at sensitive areas, and keep visitor logs for at least three months to maintain a physical audit trail.
Store backup media in a secure off-site location and review that location's security at least annually.
Destroy media containing cardholder data when it is no longer needed: shred or incinerate paper, and wipe or physically destroy electronic media.
10. Track and monitor all access to network resources and cardholder data
Assume your network is already in someone's sights. Every access to system components and cardholder data must be logged and the logs reviewed, because activity logs are what let you spot irregular patterns early and reconstruct what happened after the fact.
Link every access to system components to an individual user, and log all actions taken by anyone with root or administrative privileges.
Implement automated audit trails that record who, what, when, where, and the outcome, with synchronized clocks across systems; protect the logs from tampering and retain them for at least a year, with the last three months immediately available.
Review the logs of all CDE systems and security functions at least daily, using automated log collection and alerting so that a daily review is actually feasible.
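What an automated daily review of the audit trail can look like: each event is attributed to a user ID, and three of the patterns a reviewer would look for are flagged. This is an added example written for this guide, not code from the original article or from NordLayer; the log format, the host names, the `CDE_ACCESS` allow-list, and the thresholds are all constructed for illustration.

```python
"""Added example: an automated daily review of an access audit trail.
Standard library only; log lines, hosts and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit trail: what a log collector might normalise
# authentication and access events to. Not real data.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z host=pay-db01 user=alice event=login result=success src=10.10.1.20
2024-03-04T10:15:40Z host=pay-db01 user=alice event=query result=success src=10.10.1.20
2024-03-04T10:16:01Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:16:09Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:16:15Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:16:22Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:16:30Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:16:41Z host=pay-db01 user=bob event=login result=failure src=10.10.7.9
2024-03-04T10:20:00Z host=pay-db01 user=root event=login result=success src=10.10.7.9
2024-03-04T11:02:13Z host=web-01 user=carol event=login result=success src=10.10.2.2
2024-03-04T23:40:00Z host=pay-db01 user=carol event=query result=success src=10.10.2.2
"""

# Assumption: which individuals are approved for which CDE systems (Req. 7).
CDE_ACCESS: Dict[str, Set[str]] = {"pay-db01": {"alice", "bob"}}
# Generic accounts whose use breaks individual accountability (Req. 8.5 / 10.1).
SHARED_IDS = {"root", "admin", "administrator", "sa"}
BURST_COUNT = 6                      # mirrors the Req. 8.1.6 lockout threshold
BURST_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
Finding = Tuple[str, str, str, str]  # (rule, user, host, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'timestamp key=value ...' line; None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = ts
    return fields


def review(log_text: str, cde_access: Dict[str, Set[str]] = CDE_ACCESS) -> List[Finding]:
    """Run the review rules over a day's log and return the findings."""
    findings: List[Finding] = []
    recent_failures: Dict[str, deque] = defaultdict(deque)
    burst_reported: Set[str] = set()

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, host, ts = ev.get("user", "?"), ev.get("host", "?"), ev["ts"]
        event, result = ev.get("event"), ev.get("result")

        # Rule 1: many failed logins for one ID in a short window (password
        # guessing, or a lockout policy that is not actually enforced).
        if event == "login" and result == "failure":
            window = recent_failures[user]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and user not in burst_reported:
                burst_reported.add(user)
                findings.append(("failed_login_burst", user, host,
                                 f"{len(window)} failed logins within {BURST_WINDOW}"))

        if result != "success":
            continue
        # Rule 2: a shared or generic ID was used: no individual accountability.
        if user in SHARED_IDS:
            findings.append(("shared_account", user, host,
                             f"generic account used for {event}; cannot attribute to a person"))
        # Rule 3: a named person on a CDE system they are not approved for.
        elif host in cde_access and user not in cde_access[host]:
            findings.append(("unauthorized_cde_access", user, host,
                             f"{event} by user not on the access list"))
    return findings


if __name__ == "__main__":
    for rule, user, host, detail in review(SAMPLE_LOG):
        print(f"[{rule}] user={user} host={host}: {detail}")
```

Run against the sample, the review flags bob's burst of six failures, the interactive use of root on the database host, and carol's late-night query on a CDE system she is not approved for; alice's activity produces nothing. The thresholds are the knobs a real deployment tunes, but the structure, attribute every event to an ID and then ask whether that ID should have been there, is the whole point of Requirement 10.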
11. Regularly test security systems and processes
Your systems must be tested against vulnerabilities that would let an attacker run malicious code or reach cardholder data. Penetration tests, at least annually and after any significant change, give a realistic picture of your security posture and highlight what needs improving, and continuous maintenance closes the holes they find before someone else uses them.
Test for unauthorized wireless access points at least quarterly, using a wireless analyzer or a wireless intrusion detection system.
Run internal and external vulnerability scans at least quarterly and after significant changes; external scans must be performed by an Approved Scanning Vendor (ASV).
Deploy intrusion detection or prevention at the perimeter and at critical points inside the CDE, and use change-detection (file-integrity monitoring) on critical system files, with alerts reviewed by staff.
12. Maintain an information security policy
Your security policy sets the tone for how security is handled across the organization and spells out the responsibilities of employees, management, and third parties. All staff must know what is expected of them.
Maintain a security policy that addresses all PCI DSS requirements, and review it at least annually.
Clearly define security responsibilities for all personnel, and keep a list of the service providers with whom cardholder data is shared, together with their PCI DSS compliance status.
Run a mandatory security-awareness program on hire and at least annually, and reinforce it with periodic exercises.
Have a tested incident response plan that can be invoked immediately in case of a breach, including notification of the payment brands.
How can NordLayer help?
NordLayer provides remote-access software for companies. On its own it does not address every PCI DSS requirement, but it can contribute to your overall security posture and is a step in the right direction: it helps you control access to the internal network that holds the most sensitive data a customer has, their financial information.
With NordLayer you can secure every endpoint in your organization and segment your network more cleanly, without a complicated rollout or heavy deployments on users' devices.
Get in touch with our team to learn how your organization can benefit from our enterprise solutions.
Disclaimer: This article has been prepared for general informational purposes only and does not constitute legal advice. We hope that you will find the information helpful. However, you should use the information provided in this article at your own risk and consider seeking advice on this matter from a professional counsel licensed in your state or country. The materials presented on this site may not reflect the most current legal developments or the law of the jurisdiction in which you reside. This article may be changed, improved, or updated without notice.