The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps businesses protect their payment systems from breaches, fraud and theft of cardholder data. Developed by the PCI Security Standards Council, PCI DSS compliance is required for all companies that process, store or transmit credit card information from the world’s biggest card schemes: American Express, Discover, JCB, MasterCard and Visa.
While not a legal requirement, PCI DSS was adopted as a general standard by financial institutions the world over which means that merchants will need to comply with it in order to be allowed by banks to accept card payments, whether in person, over the phone or online.
Noncompliance comes with dire consequences: not only do organizations face fines of up to $100,000/month and increased transaction fees, but might also find their relationship with their bank terminated or, worse, wind up on the dreaded MATCH (Merchant Alert to Control High-Risk) list which will ensure they are never allowed to process card payments again.
PCI DSS has twelve requirements that range from basic security measures such as installing firewalls and antivirus software to more complex requirements such as developing and maintaining secure systems and applications. How can organizations achieve compliance? Here are our five best practices:
1. Data transparency
In the age of compliance, not only of PCI DSS, but also data protection regulations such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), knowing exactly where your data is and where it’s going are two fundamental requirements. After all, a company cannot protect something it has no knowledge of.
Requirement 3 of PCI-DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organizations must therefore map their data flow and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.
This can be done through Data Loss Prevention solutions such as Endpoint Protector which offer data discovery tools that can automatically or manually scan networks for credit card information and encrypt or delete it when it is found on unauthorized users’ computers.
2. Securing your data on the move
The two main ways data can be protected on the move are tokenization and encryption. Tokenization generates an alternate ID for a card number which can then be used for transactions, reducing the risk of the actual card information being exposed during transmission.
When it comes to encryption, as of 30 June 2018, SSL/early TLS are no longer considered secure forms of encryption and are therefore not enough for PCI DSS compliance. Organizations that want to use encryption to protect card data must use TLS v1.2 or higher.
Data’s mobility can also be checked through DLP tools that allow admins to not only monitor credit card information transfers through predefined policies, but also block its transfer altogether through exit points deemed insecure such as file sharing services or instant messaging applications.
3. Restrict access rights
Under requirement 7 of PCI DSS, access to data must be restricted to authorized personnel only. Companies must evaluate which of their employees need access to card data to fulfill their job responsibilities and then use the proper tools and processes to limit access based on business needs.
To achieve this, organizations must first and foremost implement unique ID credentials for every employee to track which users take actions on credit card information and to prevent concurrent logins. Access rights can then be set according to an employee’s job scope using appropriate Access Rights Management (ARM) software.
4. Employee training
The weakest link in any security strategy is often the human one: employees are behind over 54% of data breaches according to a survey conducted by the Ponemon Institute. It is important therefore that companies do not neglect the human element in PCI DSS compliance. Software, whether DLP, ARM or antivirus, while it can increase security greatly, is much more effective when employees understand its need.
An informed work force is less likely to look for ways to bypass security measures when they know their purpose. Companies must therefore invest in industry-specific employee training, ensuring that they comprehend the importance of PCI DSS and the risks and consequences of noncompliance.
5. Document and log everything
Part of requirement 12 of PCI DSS compliance, document everything underlines the need for organizations to keep records of all its security policies and procedures, its risk assessments and security incidents. Strong documentation helps CIOs and security professionals take informed decisions concerning future security measures and helps companies prove compliance.
Logs and log monitoring are found under requirement 10 of PCI DSS and include logs of all security events, servers and critical system components. Companies should ensure that their antivirus solution provides logs of security incidents. They can also generate logs of attempted unauthorized transfers and the users responsible for them through DLP solutions.