What are the 12 Requirements of PCI DSS Compliance
When a merchant accepts credit cards, it is highly likely that they will have to store and transmit card data. In doing so, the data is exposed to the risk of a breach and could be used for fraud. PCI DSS was introduced to maintain the security of cardholder data. PCI compliance must be maintained by all merchants handling credit card or cashless transactions, and it has to be validated every year.
These standards are defined by the Security Standards Council (SSC). The SSC ensures that the complete transaction process remains secure, from the merchant to the payment processor. The standards include technical and operational measures that merchants and MSPs must meet. The SSC puts forth 12 commonly known requirements, described below.
Installation and Maintenance of a Firewall Configuration
In this day and age, cardholder data does not need to be physically available for someone to misuse it. Any organization that processes transactions over the internet is exposed to online breach attempts.
Therefore, a properly configured set of firewalls and routers (if used) is essential to the security of cardholder data. All personnel affiliated with the business who access the information from their phones or computers should do so through the firewalls.
Change the Default Passwords and Security Parameters
When a vendor ships a product such as a router or firewall, the hardware or software comes with generic defaults that make it easy for the end user to set up. But generic passwords and usernames also allow attackers to compromise the data easily. The business must change these default passwords so that unauthorized personnel cannot access the data or interfere with the systems in any way.
Protection of Stored Cardholder Information
The protection of cardholder information goes beyond passwords and security systems. Businesses must only store cardholder data if it is needed for legal or regulatory purposes. If storing the data is necessary, securing it is very important.
Once the data is stored, procedures to maximize its protection need to be put in place.
Firstly, the data should be kept on record for as short a time as possible; once the need for it ends, it should be purged. Secondly, when a card number must be displayed, it should be masked so that the complete account or card number is never revealed.
Encryption of Cardholder Data During Transmission
A prevalent way cybercriminals get access to sensitive information is by intercepting it while it is transmitted over public channels. The best way to protect transmitted data is to encrypt it before sending and decrypt it on receipt. Then, even if someone gets hold of the data, they cannot make meaningful use of it without the key to decrypt it.
Antivirus Software or Systems Should Be Used and Regularly Updated
One aspect of PCI compliance validation is a yearly vulnerability check by an approved tester. One of the core requirements for a system to be protected against malware is to have antivirus software installed, not just on the core system but on all systems that have access to the transaction ecosystem. This antivirus software should have the latest definitions and should always be active.
Ensure that Developed Applications and Systems Are Secure
Merchants need to install security patches as soon as they are available, and ISVs need to relay patch information to them. Beyond that, timely identification and remediation of vulnerabilities is crucial to security.
Access to Cardholder Data Should Be on a Need-to-Know Basis
Unauthorized access to data is not limited to people outside the organization. Not all personnel in the company need access to cardholder information. Therefore, employees must be granted or denied access to the data based on whether their role requires it.
Assign Individual IDs to people with Access to the Computer and Network
Each individual must have a unique username with which they access information, if granted. This allows a business to identify the user responsible if a data breach occurs. Mechanisms such as two-factor authentication should be used together with unique IDs to make access more secure.
Access to Cardholder Data Should Be Restricted Physically
Areas holding cardholder data should be restricted to contractors, guests, vendors and, for that matter, even employees. These places should be under surveillance, and any person who does not belong there should be identified and removed immediately. Personnel to enforce this should also be present on site.
Furthermore, backups of the data should be present at a location other than the primary one. Moreover, businesses should destroy data as soon as it is no longer needed.
Network Access Should Be Monitored and Tracked
The system must allow activity to be reconstructed from its records, and there must be a standard by which each record can be linked to its source. All records of a transaction must be quickly available to authorized personnel. This allows unauthorized access to be visible and traceable to its source. The system must also keep the timestamps on these records synchronized.
Test Security Systems and Processes Regularly
Vulnerabilities in the system can be discovered by criminals or by researchers. Systems must regularly undergo vulnerability scans to expose weaknesses before they become a threat or a breach. When a new update or network change is made, its strength needs to be tested. The system should also generate an alert if any file is modified in an unauthorized way.
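The file-modification alert mentioned above, as an added example that is not part of the original article: a minimal file-integrity check that records a SHA-256 baseline of a directory and later reports any file that was modified, added or removed. The directory, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map each file under `root` (path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict) -> list:
    """Return alerts for files modified, added or removed since the baseline;
    an empty list means the monitored tree is unchanged."""
    current = take_baseline(root)
    alerts = []
    for name, digest in baseline.items():
        if name not in current:
            alerts.append(f"REMOVED {name}")
        elif current[name] != digest:
            alerts.append(f"MODIFIED {name}")
    alerts.extend(f"ADDED {name}" for name in current if name not in baseline)
    return sorted(alerts)


def demo() -> dict:
    """Constructed scenario: baseline two config files, confirm a clean check,
    then tamper with one file and drop in an unexpected script."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.conf").write_text("db_host=db.internal\n")
        (root / "tls.conf").write_text("min_version=TLSv1.2\n")
        baseline = take_baseline(root)
        clean = check_integrity(root, baseline)
        (root / "tls.conf").write_text("min_version=TLSv1.0\n")  # unauthorized edit
        (root / "dropped.sh").write_text("echo hi\n")             # unexpected file
        tampered = check_integrity(root, baseline)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for alert in demo()["tampered"]:
        print("ALERT:", alert)
```

In practice the baseline would be stored off-host and the check run on a schedule, with alerts routed to the monitoring system.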
Information Security Should Be Addressed in a Policy for All Personnel
A policy that clearly defines security responsibilities should be published and disseminated to all personnel, supported by security protocols and procedures. Practice should follow the information security policy, which should be challenged and revised whenever necessary. A named person should also be in charge of carrying out these obligations.