The PCI DSS Compliance Requirements Sheet

PCI DSS (Payment Card Industry Data Security Standard) is the baseline standard mandated by the government to achieve cardholder data security. The main goals of PCI DSS Compliance are as follows:

  • Maintain a secure network
  • Protect Cardholder data
  • Establish a Vulnerability management program
  • Implement strong access control
  • Monitor networks regularly
  • Maintain an information security policy

Need for PCI DSS Compliance

With increased data theft and security breaches, PCI Compliance has become invaluable for every organization that accepts, transmits, processes or stores cardholder data. The consequences of non-compliance with PCI DSS are not limited to legal fines. A breach or theft of cardholder data affects the entire payment ecosystem, and the entities involved might face many financial liabilities. It results in loss of reputation, contract cancellation and the other costs of addressing the issue. It is also critical to safeguard customer information, as customers will be less inclined to continue doing business with a breached entity.

Key Business Benefits

  • Secures Valuable Business Data
  • Boosts Customer Confidence
  • Reduces Cost
  • Helps Meet Global Standards
  • Improves Brand Reputation

PCI DSS: Compliance Requirements

  1. Install and maintain a firewall configuration
    • Identify Cardholder Data Environment (CDE)
    • Establish and implement firewall/router configuration standards
    • Build firewall and router configurations that restrict traffic from untrusted networks.
    • Restrict direct public access between the internet and any system component in the CDE.
    • Install personal firewall software or any other equivalent functionality
    • Ensure that the related security policies are documented and in use

  2. Do not use vendor-supplied defaults for passwords
    • Change all the vendor-supplied default passwords and accounts
    • Develop configuration standards for all system components that address all known security vulnerabilities
    • Encrypt all non-console administrative access using strong cryptography
    • Maintain an inventory of system components that are in scope for PCI DSS
    • Shared hosting providers must protect each entity’s hosted environment and cardholder data

  3. Protect stored cardholder data
    • Limit cardholder data storage and retention time as per the business/legal requirement
    • Do not store sensitive authentication data even after authorization
    • Mask PAN when it is displayed (the first six and last four digits are the most that may be shown), so that only authorized personnel with a legitimate business need can view the full number
    • Render PAN unreadable anywhere it is stored with the help of strong encryption or one-way hash functions
    • Protect the keys used for encryption of cardholder data from misuse and disclosure by implementing required procedures.
    • Document and implement the key management processes and procedures for cryptographic keys used for encryption of cardholder data
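
The masking and "render unreadable" controls above are the concrete part of this requirement, so here is an added example (not code from the original page, and not from any PCI SSC material) showing how they are typically implemented: a Luhn check to recognise a PAN, display masking that keeps at most the first six and last four digits, a keyed one-way hash (HMAC-SHA256, my choice of primitive) for storing the PAN unreadably, and a redaction pass that scrubs Luhn-valid PANs out of free text such as log lines before they are written. The PAN, key and log line are constructed sample values; `4111111111111111` is a well-known test number, not a real card.

```python
import hashlib
import hmac
import re

# Constructed sample values (test card number, not a real PAN; dummy key).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"demo-key-stored-in-an-hsm-or-kms"   # placeholder, never hard-code in real code
LOG_LINE = ("2024-01-01T12:00:00Z payment ok card=4111111111111111 "
            "amount=10.00 order=20240101000001")


def luhn_valid(pan: str) -> bool:
    """Return True if pan is a 13-19 digit string that passes the Luhn check digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, never revealing more than the first six and last four digits."""
    if not pan.isdigit():
        raise ValueError("PAN must contain digits only")
    keep_first = min(max(keep_first, 0), 6)
    keep_last = min(max(keep_last, 0), 4)
    if keep_first + keep_last >= len(pan):
        raise ValueError("PAN too short to mask")
    head = pan[:keep_first]
    tail = pan[len(pan) - keep_last:]      # slice from the index, so keep_last=0 keeps nothing
    return head + "*" * (len(pan) - keep_first - keep_last) + tail


def pan_to_token(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed one-way hash.

    A keyed hash (HMAC) rather than a bare SHA-256 is used so that the small
    PAN space cannot simply be enumerated by someone who obtains the hashes.
    The key must be managed under the key-management procedures this
    requirement calls for.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or hyphens, not adjoining other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with its masked form."""
    def _replace(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    print("display form :", mask_pan(SAMPLE_PAN))
    print("stored form  :", pan_to_token(SAMPLE_PAN, SAMPLE_KEY))
    print("redacted log :", redact_pans(LOG_LINE))
```

Running `redact_pans` over the constructed log line leaves the timestamp, amount and 14-digit order number untouched (the order number fails the Luhn check) and rewrites only the card number to `411111******1111`; the same function is what an application would apply to messages and log records before they leave the cardholder data environment.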

  4. Encrypt transmission of cardholder data
    • Use strong security protocols and encryption to protect cardholder data during transmission over open, public networks
    • Do not send unprotected PANs using end-user messaging technologies such as e-mail, SMS, chat, etc.

  5. Update antivirus software or programs regularly
    • Deploy antivirus software on all systems commonly affected by malware and other threats.
    • Ensure that the antivirus software is regularly updated and periodic scans are done.
    • Ensure that the antivirus mechanism cannot be disabled by any users

  6. Develop and maintain secure systems
    • Establish a process to identify security vulnerabilities and assign risk rankings (high, medium or low)
    • Install all the applicable vendor-supplied security patches and update them regularly
    • Incorporate information security throughout the software development life cycle
    • Ensure relevant PCI DSS requirements are implemented on new or updated systems and networks
    • Train developers on secure coding techniques to prevent common coding vulnerabilities
    • Ensure that all public-facing web applications are protected against known attacks by performing application vulnerability assessments at least annually and also after any changes.

  7. Restrict access to cardholder data
    • Limit access to system components and cardholder data
    • Establish an access control system for all the system components
    • Ensure that the related security policies are documented and in use

  8. Assign a unique ID to each person with computer access
    • Define and implement policies and procedures to ensure proper user identification management and assign a unique username for all users
    • Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography
    • Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication.
    • Develop, implement, and communicate authentication policies and procedures to all the users
    • Do not use group, shared, or generic IDs, passwords, or other shared authentication methods; use a unique authentication credential (such as a password/passphrase) for each customer environment
    • Other authentication mechanisms such as physical security tokens, smart cards, and certificates must be assigned to an individual account
    • All access to any database containing cardholder data must be restricted

  9. Restrict physical access to cardholder data
    • Use appropriate facility entry controls to limit physical access to the systems in the cardholder data environment
    • Develop procedures to easily distinguish between onsite personnel and visitors
    • Control physical access for onsite personnel to the sensitive areas according to the job function
    • Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained
    • Physically secure all media and store media backups in a secure location
    • Maintain strict control over the internal or external distribution of any kind of media.
    • Maintain strict control over the storage and accessibility of media
    • Destroy media when it is no longer needed
    • Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution

  10. Track and monitor all access to network resources and cardholder data
    • Implement activity logs to link all access to system components to each user
    • Implement automated activity logs for all system components
    • Record audit trail entries for all system components for each event
    • Using time synchronization technology, synchronize all critical system clocks and times and implement controls for acquiring, distributing, and storing time
    • Secure audit trails so they cannot be altered
    • Review logs and security events for all system components to identify anomalies or suspicious activities
    • Retain audit trail history for at least one year
    • Service providers must implement a process for timely detection and reporting of failures of critical security control systems

  11. Test security systems and processes regularly
    • Implement processes to test for the presence of wireless access points, detect and identify all authorized and unauthorized wireless access points on a quarterly basis
    • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
    • Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade/modification
    • Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network
    • Deploy a change detection mechanism to alert personnel on unauthorized modification

  12. Maintain a policy that addresses information security
    • Establish, publish, maintain, and disseminate a security policy; review it at least annually
    • Implement a risk assessment process that is performed at least annually and upon significant changes to the environment
    • Develop usage policies for critical technologies to define their proper use by all personnel
    • Ensure that the security policy and procedures clearly define information security responsibilities for all personnel
    • Assign to an individual or team all the information security responsibilities
    • Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures
    • Screen potential personnel prior to hire to minimize the risk of attacks from internal sources
    • Maintain and implement policies and procedures to manage service providers
    • Service providers must acknowledge in writing to customers that they are responsible for the security of the cardholder data they possess
    • Implement an incident response plan and be prepared to respond immediately to a system breach
    • Service providers must perform and document reviews at least quarterly to confirm personnel are following security policies and operational procedures

PCI DSS Compliance can be time-consuming and difficult to accomplish without the help of a certified PCI QSA. A PCI QSA (Payment Card Industry Qualified Security Assessor) company is qualified by the PCI Security Standards Council to validate the adherence of a service provider or merchant, who has a contractual obligation to comply with PCI DSS requirements. Hence, it is always advisable to select a trusted cybersecurity partner who will provide you with top-notch services to secure your sensitive data.

Contact us to know more about our services