A Comprehensive Checklist for PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established by major credit card companies to protect against credit card fraud and unauthorized access to sensitive information. Compliance with PCI DSS is mandatory for all organizations that accept credit card payments. Businesses are required to comply with a range of security measures to reduce costs, increase efficiency, and improve accuracy of transactions.
PCI compliance comes in four different levels, depending on the range of credit card transactions a seller processes in a year. Failing a PCI audit can result in loss of confidence (forcing customers to go to other merchants), diminished sales, fraud losses, fines and penalties, lost jobs, going out of business, and legal costs, settlements, and judgements.
To increase your chances of complying with PCI requirements, follow this detailed checklist:
1. Implement a strong password policy
Passwords must have no less than seven characters and must contain both letters and numbers. Passwords must be changed every 90 days, at the very least, and should differ from previous passwords.
If a user enters the wrong password after six attempts, their account must be locked, and they must remain locked out of their account for a minimum of 30 minutes or until a system administrator resets their account. Vendor-supplied default passwords and settings must be changed for all servers, devices, and applications. Passwords must be encrypted, both at rest and in transit.
2. Protect stored cardholder data
There are tools available to protect and keep track of cardholder data. Use data discovery and classification tools for information about the cardholder data you store and where it is located.
There need to be standards set up to determine where the data came from and where it will go (such as a merchant, payment gateway, or payment processor), who has access to the data, how the data is accessed and used, and how long the cardholder data should be retained. All cardholder data must be encrypted both at rest and in transit, and the card numbers should be redacted so that only the first six or last four digits are shown.
3. Maintain secure systems and applications
Install and maintain a firewall by properly configuring your firewall and routers to protect your payment card data. Deploy standards for them to determine the type of network traffic that is permissible. You should be able to scrutinize your antivirus logs for anomalies. Similarly, make sure that all software applications, including point-of-sale (POS) devices, operating systems, and database engines, are patched in a timely manner.
4. Restrict access to cardholder data
All cardholder data should be restricted to only those who need to know. Accordingly, all access controls must be clearly documented, and protocols should be in place to grant and revoke access.
In addition, there needs to be physical security measures put in place to protect cardholder data, such as, locks, alarms, ID badges, and cameras. Enforce strict controls to safeguard your systems, such as restricted entry to buildings and server rooms. Keep recordings and access logs for at least 90 days.
5. Assign a unique ID to each person with computer access
It is imperative that each user has their own unique ID or login credentials that they should never share. When possible, multi-factor authentication (MFA) is a useful tool to establish their own credentials.
6. Monitor access to network resources and cardholder data
Continuously surveil network resources and cardholder data to ensure that your record of relevant network activity is resolute. To monitor network activity, you might want to leverage Firewalls, IPS, DLP, and SIEM solutions. To monitor access to cardholder data, use a DCAP/UBA solution to find out information on who, why, when, and from where the data is being accessed.
7. Test security systems and processes
On a quarterly basis, conduct assessments to test your security systems and processes for vulnerabilities. Conduct thorough scans and tests to identify unauthorized access points and check applications that consume cardholder data for weaknesses. Use a PCI Approved Scanning Vendor (ASV) to scan external IPs and domains.
8. Develop documentation and conduct risk assessment
Since you are handling cardholder data, it is essential that you be extra vigilant when executing background checks and onboarding procedures. Additionally, you should have a comprehensive policy regarding information security and risk assessments, that cover employees, managers, business associates, vendors, etc. This policy should be reviewed company-wide annually.
9. Change default vendor settings
Trying default passwords is one way for hackers to gain access to internal networks. These passwords are not meant to be kept and must be changed before deploying it on the network.
10. Encrypt cardholder data in transit
The same level of security standards for storing payment data needs to be followed when transmitting it. It is crucial to use encrypted networks to protect the transmission of cardholder data.
11. Protect against malware
Email attachments, USB drives, and software vulnerabilities are just a few ways in which malicious software can breach your network. PCI DSS mandates that businesses have the necessary measures set up and updated to protect against malware.
If your organization suffers a data breach while non-compliant, fees or fines could be incurred, including increased transaction fees, compensation fees associated with affected consumers, costs associated with forensic investigations, and fees related to associated lawsuits. Depending on how long the company is found non-compliant, these fines could range from $5,000 to $100,000 a month. Along with that, customer compensation fees could range from $50 to $90 per customer.
It is important to note that PCI DSS compliance checklist is not a one-time process. Compliance is an ongoing effort that requires regular attention and updates to ensure that security controls remain effective in the face of evolving threats and changing business practices.
At DDKinfotech, we can assist with installing and maintaining network security controls, protecting account data, implementing access control measures, applying secure configurations to system components, and maintaining a vulnerability management program, among other services. Contact us for more information about how we can meet your key compliance requirements.