14 best practices for your business

by Tech Fashion
November 24, 2022
in Technology


Image: ArtemisDiana/Adobe Stock

I have worked in the payments industry as a systems administrator for over 15 years and have spent much of my career working on payment card industry compliance, which relates to security requirements for companies that process credit card information.


PCI compliance is a complex set of guidelines that organizations in this industry must adhere to in order to handle payment processing.

What is PCI Compliance?

PCI compliance is a structure based on requirements mandated by the Payment Card Industry Security Standards Council to ensure that all businesses that process, store or transmit credit card information maintain a secure working environment to protect their business, customers and confidential information.


The guidelines, known as the Payment Card Industry Data Security Standard, were created on September 7, 2006 and directly affect all major credit card companies.

The PCI SSC was created by Visa, MasterCard, American Express, Discover and Japan Credit Bureau to administer and manage the PCI DSS. Companies that adhere to PCI DSS are confirmed PCI compliant and therefore reliable to do business with.

All merchants processing more than 1 million or 6 million payment card transactions annually, and service providers holding, transmitting or processing more than 300,000 card transactions annually, must be audited for PCI DSS compliance. The scope of this article is intended for companies that are subject to this annual audit.

It’s worth noting that PCI compliance is no guarantee against data breaches, any more than a house that complies with fire regulations is completely safe from fire. It simply means that the business operations are certified in accordance with strict security standards, giving these organizations the best possible protection against threats to create the highest level of trust with their customer base and regulatory requirements.

Failure to comply with PCI requirements can result in hefty financial penalties ranging from $5,000 to $100,000 per month. Companies that comply and still experience data breaches can receive significantly lower fines in the aftermath.

14 best PCI practices for your business

1. Know your cardholder’s data environment and document everything you can

There can be no surprises when it comes to PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server running somewhere or a series of mysterious accounts.

2. Be proactive in your approach and implement security policies across the board

It’s a big mistake to approach PCI compliance security as something to be “bolted on” or applied only where necessary. The concepts should be embedded in the entire environment as standard. Elements such as requiring multi-factor authentication for production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and requiring periodic password changes must be applied in advance. The more security-conscious your organization is, the less work there is to do when audit time comes.

3. Conduct background checks on employees who handle cardholder information

All potential employees must be thoroughly vetted, including background checks for those who will work with cardholder data, either directly or in an administrative or support role. Any applicant with a serious charge should be turned down for employment, especially those involving financial crimes or identity theft.

4. Implement a centralized cybersecurity authority

For the best PCI compliance, you need a centralized authority that acts as the decision-making authority for all deployment, management, and recovery efforts. Typically, these are the IT and/or cybersecurity departments, which should be staffed by employees trained in this area and aware of PCI requirements.

5. Implement strong security controls

Across the board, you should use strong security controls in every element of the systems that process cardholder data. Use firewalls, NAT, segmented subnets, anti-malware software, complex passwords (never default system passwords), encryption and tokenization to protect cardholder data.

As an additional tip, keep the scope of cardholder data systems, dedicated networks and resources as narrow as possible, so that the effort of securing them is spent on a minimal set of resources.

For example, don’t allow development accounts access to production (or vice versa), as the development environment would then be in scope and subject to the same heightened security requirements.

6. Implement least privileged access

Use dedicated user accounts when performing administrative work on cardholder systems, not root or domain administrator accounts. Ensure that only the bare minimum of access is granted to users, even those with administrative roles. Whenever possible, have them rely on “user level accounts” and separate “privileged accounts” used only to perform elevated privilege level tasks.

7. Implement logging, monitoring and alerting

All systems should rely on logging operational and access data to a centralized location. This logging should be comprehensive but not overwhelming, and a monitoring and alerting process should be in place to notify appropriate personnel of verified or potentially suspicious activity.

Examples of alerts include too many failed logins, locked accounts, a person logging in directly to a host as root or administrator, root or administrator password changes, unusually large amounts of network traffic, and anything else that could constitute a potential or incipient data breach.
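The alert conditions listed above, as an added Python example that is not part of the article: constructed sshd and passwd syslog lines are scanned for a burst of failed logins from one source, a direct login as root, and a root password change. The hostname, IP addresses, usernames and the failure threshold are all assumptions.

```python
"""Added example (not from the article): three PCI-style alert rules
evaluated over constructed sshd/passwd syslog lines."""
import re
from collections import Counter

# Constructed sample log lines; host, users and IPs are made up.
SAMPLE_LOG = """\
Nov 24 10:01:02 pay01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 5022 ssh2
Nov 24 10:01:03 pay01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 5023 ssh2
Nov 24 10:01:04 pay01 sshd[812]: Failed password for oracle from 203.0.113.9 port 5024 ssh2
Nov 24 10:01:05 pay01 sshd[812]: Failed password for oracle from 203.0.113.9 port 5025 ssh2
Nov 24 10:01:06 pay01 sshd[812]: Failed password for oracle from 203.0.113.9 port 5026 ssh2
Nov 24 10:02:10 pay01 sshd[900]: Accepted publickey for root from 198.51.100.7 port 6001 ssh2
Nov 24 10:03:30 pay01 passwd[950]: pam_unix(passwd:chauthtok): password changed for root
Nov 24 10:04:00 pay01 sshd[960]: Accepted publickey for jdoe from 198.51.100.8 port 6002 ssh2
Nov 24 10:04:30 pay01 sshd[970]: Failed password for jdoe from 198.51.100.8 port 6003 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
PW_CHANGE = re.compile(r"passwd\[\d+\]: .*password changed for (\S+)")

FAILED_LOGIN_THRESHOLD = 5          # assumption: tune to your environment
PRIVILEGED = {"root", "administrator"}


def evaluate(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (rule, detail) alerts for the given log text."""
    alerts = []
    failures = Counter()            # failed logins per source address
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            user, src = m.groups()
            if user in PRIVILEGED:  # direct root/administrator login
                alerts.append(("direct_privileged_login", f"{user} from {src}"))
        elif m := PW_CHANGE.search(line):
            if m.group(1) in PRIVILEGED:
                alerts.append(("privileged_password_change", m.group(1)))
    for src, n in failures.items():
        if n >= threshold:
            alerts.append(("excessive_failed_logins", f"{src} ({n} failures)"))
    return alerts


if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_LOG):
        print(f"ALERT {rule}: {detail}")
```

In production the same rules would run against the centralized log store rather than an inline string, and the threshold would be evaluated per time window rather than per batch.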

8. Implement mechanisms for software updates and patches

Thanks to Step 1, you know which operating systems, applications and tools are running in your cardholder data environment. Make sure these are updated regularly, especially when critical vulnerabilities emerge. IT and cybersecurity must subscribe to vendor alerts to receive notifications of these vulnerabilities and obtain details on applying the patches.

9. Implement standard system and application configurations

Any system built in a cardholder environment, as well as the applications running on it, must be part of a standard build, for example a live template. There should be as few differences and discrepancies between systems as possible, especially between redundant or clustered systems. That live template must be routinely patched and maintained to ensure that new systems produced from it are fully secured and ready for deployment.

10. Implement a checklist for terminated privileged employees

Too many organizations don’t keep track of employee departures, especially when there are different departments and environments. The HR department should be tasked with notifying all application and environment owners of employee departures so that their access can be thoroughly removed.

A general checklist of all systems and environments that handle cardholder data, and in which employees hold accounts, should be compiled and maintained by the IT and/or cybersecurity departments, and every step followed to ensure that 100% of the departing employee’s access is removed.

Do not delete accounts; disable them instead, as PCI auditors often require proof of disabled accounts.

For more information about onboarding or offboarding employees, the experts at Tech Republic Premium have put together a handy checklist to get you started.

11. Implement secure data destruction methods

When cardholder data is deleted, there must be a secure method of data destruction that meets the requirements. It may involve software- or hardware-based processes such as secure file deletion or disk/tape destruction. The destruction of physical media often requires evidence to confirm that it was done properly and witnessed.

12. Perform penetration tests

Arrange for in-house or external penetration testing to check your environment and confirm that everything is sufficiently secured. You would much rather find any issues that you can correct on your own before a PCI auditor does.

13. Educate your user base

Extensive user training is essential to maintain safe operations. Train users how to securely access and/or handle cardholder data, how to recognize security threats such as phishing or social engineering, how to secure their workstations and mobile devices, how to use multi-factor authentication, how to detect anomalies and, most importantly, who to contact to report suspected or confirmed security breaches.

14. Be prepared to work with auditors

Now we come to audit time, where you will meet with a person or team whose goal is to analyze your organization’s PCI compliance. Don’t be nervous or worried; these people are here to help, not spy on you. Give them everything they ask for and only what they ask for – be honest but minimal. You hide nothing; you provide only the information and answers that sufficiently meet their needs.

In addition, keep evidence, such as screenshots of settings, system vulnerability reports, and user lists, as they may be helpful in future audit efforts. Address all their recommendations for fixes and changes as soon as possible and be prepared to submit evidence that this work has been completed.

Thoroughly investigate all proposed changes to ensure they do not negatively impact your operating environment. For example, I’ve seen scenarios where TLS 1.0 was requested to be removed in favor of newer TLS versions, but applying this recommendation would have broken the connectivity of older systems and caused an outage. Those systems first had to be updated to meet the requirements.
