The Payment Card Industry Data Security Standard (PCI DSS) is a widely adopted set of requirements for securing credit, debit and prepaid card transactions and protecting cardholders against misuse of their account data. Version 1.0 was released in December 2004, and the standard is maintained by the PCI Security Standards Council, founded in 2006 by the five major card brands: Visa, MasterCard, Discover, American Express and JCB.
The 12 Requirements of PCI DSS
PCI DSS is organized into 12 requirements grouped under six control objectives.
1- Creating a Secure Network
*Install and maintain a firewall configuration to protect cardholder data.
This requirement covers the firewalls and routers that sit between the company's trusted internal networks and untrusted external networks such as the Internet. Traffic into and out of the cardholder data environment should be restricted to what is explicitly required, and the rule set documented and reviewed at least every six months.
*Do not use vendor-supplied defaults for system passwords and other security parameters.
Default passwords, SNMP community strings and similar settings are published in vendor documentation and routinely tried by attackers, so leaving them in place is an almost certain route to compromise. Change them before a system is connected to the network, and remove or disable unnecessary default accounts and services at the same time.
2- Protect Cardholders’ Data
*Protect stored cardholder data.
Store only the minimum cardholder data the business needs, and render the primary account number (PAN) unreadable wherever it is stored, using strong encryption, truncation, tokenization or keyed one-way hashing; when a PAN is displayed, show at most the first six and last four digits. Sensitive authentication data, meaning full magnetic-stripe or chip track data, the card verification code printed on the card (CVV2/CVC2/CID) and the PIN or PIN block, must never be stored after authorization, even in encrypted form.
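To make Requirement 3 concrete, the following added example (written for this page, not part of PCI DSS or of any vendor's code) reduces a transaction record to the storable minimum: sensitive authentication data is rejected outright, the PAN is masked to first six/last four for display and replaced by a keyed hash (HMAC-SHA-256) for lookups. It also shows why the hash must be keyed: a recovery routine reverses an unkeyed SHA-256 of a PAN using nothing more than the masked value stored next to it. The PAN_HASH_KEY, the field names and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed example key. A real deployment keeps this in an HSM or key
# management service, never alongside the data it protects.
PAN_HASH_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

# Sensitive authentication data: may be needed to authorize a transaction
# but must never be stored afterwards, even encrypted.
SENSITIVE_AUTH_FIELDS = {
    "cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block", "track1", "track2",
}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits visible: the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash of the PAN, usable as a lookup key without storing the PAN."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_sha256_hex(pan: str) -> str:
    """The weak alternative: a plain hash of the PAN (shown only to be broken below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return only what may be kept after authorization, or raise if the record
    carries data that must not be stored at all."""
    forbidden = SENSITIVE_AUTH_FIELDS & {k.lower() for k in record}
    if forbidden:
        raise ValueError(f"sensitive authentication data must not be stored: {sorted(forbidden)}")
    pan = re.sub(r"\D", "", record["pan"])  # drop spaces and dashes
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
        "expiry": record.get("expiry"),
        "amount": record["amount"],
    }


def recover_pan_from_unkeyed_hash(digest_hex: str, first6: str, last4: str,
                                  middle_len: int = 6) -> Optional[str]:
    """Why the hash must be keyed: given an unkeyed SHA-256 of a PAN and the masked
    value beside it, only 10**middle_len candidates remain, and the Luhn check
    discards nine in ten of those before a single hash is computed."""
    for n in range(10 ** middle_len):
        candidate = f"{first6}{n:0{middle_len}d}{last4}"
        if luhn_valid(candidate) and unkeyed_sha256_hex(candidate) == digest_hex:
            return candidate
    return None


# Constructed sample: the well-known test PAN 4111 1111 1111 1111 with the CVV2 still attached.
SAMPLE_AUTH_REQUEST = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "amount": "19.99", "cvv2": "123"}
SAMPLE_STORABLE = {k: v for k, v in SAMPLE_AUTH_REQUEST.items() if k != "cvv2"}

if __name__ == "__main__":
    try:
        prepare_for_storage(SAMPLE_AUTH_REQUEST)
    except ValueError as e:
        print("rejected:", e)
    print("stored:", prepare_for_storage(SAMPLE_STORABLE))
    weak = unkeyed_sha256_hex("4111111111111111")
    print("PAN recovered from unkeyed hash:", recover_pan_from_unkeyed_hash(weak, "411111", "1111"))
```

The recovery routine finishes in well under a second for a 16-digit PAN, which is the practical reason PCI DSS treats a truncated PAN and an unkeyed hash of the same PAN stored together as equivalent to storing the PAN in the clear.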
*Encrypt transmission of cardholder data across open, public networks.
Strong cryptography and security protocols such as TLS, IPsec and SSH must protect cardholder data in transit over the Internet, wireless networks and other untrusted networks; SSL and early TLS are no longer acceptable, and PANs must never be sent unprotected over end-user messaging such as e-mail or chat. Policies governing how cardholder data may be transmitted should be documented and published to staff.
3- Have a Vulnerability Management Program
*Protect all systems against malware and regularly update anti-virus software.
Anti-malware software must be deployed on all systems commonly affected by malware, kept current, run periodic scans, and generate audit logs that are retained. Users must not be able to disable or alter it; any exception requires explicit management authorization, case by case and for a limited time.
*Develop and maintain secure systems and applications.
Newly disclosed vulnerabilities must be identified (for example from vendor advisories) and ranked by risk, and critical security patches installed within one month of release. This applies equally to software developed in-house and to software bought or licensed from third parties; internally developed code should follow secure coding guidance and be tested for common flaws such as injection and broken authentication before release.
4- Implement Access Control Precautions
*Restrict access to cardholder data by business need to know.
Misuse of legitimate user privileges, whether by an insider or by an attacker who has taken over an account, is among the hardest intrusions to detect. Access to cardholder data and system components should therefore be granted only to roles that need it for their job, through an access control system whose default setting is "deny all".
*Identify and authenticate access to system components.
Every user, including administrators and other non-consumer users, must have a unique ID so that actions can be traced to an individual; shared or generic accounts are not permitted. Documented policies and procedures for provisioning, revoking and authenticating accounts must cover all system components, and multi-factor authentication is required for all remote network access into the cardholder data environment and for all non-console administrative access.
*Restrict physical access to cardholder data.
Physical access to server rooms, data centres and other locations holding cardholder data must be controlled and logged, with visitors identified and escorted. Media containing cardholder data (backups, paper, removable drives) must be stored securely, tracked in an inventory, and destroyed when no longer needed.
5- Monitor and Test Networks Regularly
*Track and monitor all access to network resources and cardholder data.
Audit logs are what allow a breach to be detected, its scope established and the damage contained, so they must be generated for all access to cardholder data and all administrative actions, protected from tampering, and reviewed daily. Logs must be retained for at least one year, with a minimum of the most recent three months immediately available for analysis.
*Regularly test security systems and processes.
Testing covers systems and processes alike: internal and external vulnerability scans at least quarterly and after significant changes, penetration testing at least annually, and checks for rogue wireless access points. Change-detection (file integrity monitoring) software performing critical file comparisons at least weekly should alert staff to unauthorized modification of system files, configuration files and content files.
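The "critical file comparisons" mentioned above are what change-detection or file integrity monitoring (FIM) tools do. As an added illustration (not part of PCI DSS or of any product), the following Python records a cryptographic baseline of monitored files and later compares the live files against it, reporting modified, missing and permission-changed files. It hashes content rather than trusting timestamps or sizes, because an attacker who can alter a file can also reset its mtime and keep its length. The file names (a gateway config, a settlement script, a TLS key) and the tampering performed in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed list of files worth watching on a payment host: configuration,
# executables and key material. Real deployments cover far more.
MONITORED_FILES = ["etc/payment-gateway.conf", "bin/settle", "etc/tls/server.key"]


def sha256_file(path: Path) -> str:
    """Content hash, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, monitored=MONITORED_FILES) -> dict:
    """Record hash, size and permission bits of each monitored file."""
    baseline = {}
    for rel in monitored:
        st = (root / rel).stat()
        baseline[rel] = {"sha256": sha256_file(root / rel), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o777)}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return the deviations an operator must triage; an empty report means no change."""
    findings = {"modified": [], "missing": [], "permissions_changed": []}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            findings["missing"].append(rel)
            continue
        st = p.stat()
        # Hash first: a same-length edit leaves the size unchanged.
        if sha256_file(p) != expected["sha256"] or st.st_size != expected["size"]:
            findings["modified"].append(rel)
        if oct(st.st_mode & 0o777) != expected["mode"]:
            findings["permissions_changed"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed payment host in a temp dir, baseline it, tamper, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        contents = {  # constructed file contents
            "etc/payment-gateway.conf": b"acquirer_host = acq.example.net\ntls_min = 1.2\n",
            "bin/settle": b"#!/bin/sh\nexec /opt/gateway/settle \"$@\"\n",
            "etc/tls/server.key": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
        }
        for rel, data in contents.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        # The baseline belongs off-host or signed; here it just round-trips through JSON.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Constructed tampering: lower the TLS floor without changing the file size,
        # make the settlement script world-writable, and remove the private key.
        conf = root / "etc/payment-gateway.conf"
        conf.write_bytes(conf.read_bytes().replace(b"tls_min = 1.2", b"tls_min = 1.0"))
        os.chmod(root / "bin/settle", 0o777)
        (root / "etc/tls/server.key").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is refreshed only through the change-management process, so that every reported deviation is either an approved change or an incident to investigate.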
6- Create an Information Security Policy
*Maintain a policy that addresses information security for all personnel.
The security policy must be established, published, maintained and disseminated to all relevant personnel, and reviewed at least annually. It should be backed by an annual risk assessment, acceptable-use policies for critical technologies, clearly assigned security responsibilities, a security awareness program and an incident response plan that is tested, so that an attack or breach can be handled promptly and in an orderly way.
Are you PCI DSS Compliant?
PCI DSS sets a globally accepted baseline of requirements for every organization that stores, processes or transmits cardholder data, including account numbers and the personal details that accompany them, regardless of the organization's size or transaction volume.