Payment Card Industry or PCI Compliance is critical for financial institutions and other organizations that store, process, and/or transmit credit card information. The Payment Card Industry Security Standards Council (PCI SSC) has released a set of standards or requirements for these companies to be “PCI Compliant.” The mission of the PCI SSC is “to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”
With this in mind, below is what you need to know for your organization to be PCI Compliant in 2021. Note - the PCI SSC plans to release an update to their current standards in the middle of 2021 according to Payments Source. One of the big reasons they will be releasing this update is because “the COVID-19 pandemic has made it harder to accommodate on-site assessments. This task can be performed remotely, but there's a learning curve.” The update will address the “documents, self-assessment procedures, network reporting documents and training manuals” necessary to perform remote assessments and the upgraded procedures for ensuring compliance. We plan to update this post once the new standards are released, so bookmark this page.
PCI Security Standards for 2021
These are the current standards according to PCI SSC:
- Implement and maintain firewalls that will protect the data of cardholders - restrict traffic, both inbound and outbound, from all “untrusted” networks and hosts; don’t allow direct public access between the internet and any system component in the “cardholder data environment”
- Change your passwords as well as other security protocols rather than using vendor-supplied defaults - passwords and security protocols should use encryption and strong cryptography so that unauthorized access will be difficult if not impossible to obtain
- Have safeguards in place for protecting the data of cardholders, up to and including the primary account number (PAN), cardholder name, service code, expiration date, PIN, and CAV2/CVC2/CVV2/CID codes
- All cardholder data that is transmitted across open and/or public networks must be encrypted - “Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks”
- Protect your systems from potential malware breaches and keep all of your antivirus software and/or programs up to date - You should “perform periodic scans [and] generate audit logs” and “ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”
- Develop secure systems and applications and maintain them regularly to ensure they are always up to date - Determine the best process to seek out vulnerabilities, assign a risk ranking, and patch security vulnerabilities if and when they are found
- Only those who need to know cardholder data should be granted access - if the job a vendor, employee, or some other individual is doing doesn’t explicitly require access to cardholder data, it should be withheld from them without exception
- Assign a unique identifier to each person accessing system components so that only authorized people can reach cardholder data. Use multifactor authentication combining factors such as passwords, tokens or smartcards, and biometrics to restrict access to authorized personnel
- Physical access to cardholder data must be restricted - there must be “appropriate facility entry controls [i.e. ID badges] to limit and monitor physical access to systems in the cardholder data environment”
- Any and all access to cardholder data and network resources must be tracked and monitored - “Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.” Regular audits of the access logs are highly recommended to check whether unauthorized users have been granted access; if so, the log must record why they were granted access
- Regular testing of security processes and systems is required - both internal and external penetration tests for vulnerabilities must be implemented
- Develop a security policy that is regularly updated and maintained so that all personnel are aware of security protocols, rules, and regulations
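As an added illustration of the log-review and need-to-know points above (this is not code from the post or from the PCI SSC), the script below scans constructed audit-log lines in an assumed “timestamp user action resource detail” layout, flags access to the cardholder data environment by anyone outside a constructed authorized-user list, and flags any full PAN that has leaked into the log, reporting it only in masked form.

```python
import re

# Constructed sample: users with a documented need to know (requirement 7).
AUTHORIZED_CDE_USERS = {"svc_payments", "ops_carla"}

# Constructed audit lines in an assumed "timestamp user action resource detail" layout.
SAMPLE_LOG = """\
2021-03-01T09:00:12Z svc_payments READ cde/transactions txn=8841 pan=411111******1111
2021-03-01T09:02:45Z dev_mike READ cde/transactions txn=8842 pan=411111******1111
2021-03-01T09:05:03Z ops_carla EXPORT cde/transactions txn=8843 pan=4111111111111111
2021-03-01T09:07:30Z svc_payments READ web/static asset=logo.png
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+)(?P<detail>.*)$")
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check that separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def review_log(text: str, authorized: set) -> list:
    """Return (finding, timestamp, user, detail) tuples for each problem line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Requirements 7/10: CDE access by a user outside the need-to-know list is surfaced.
        if rec["resource"].startswith("cde/") and rec["user"] not in authorized:
            findings.append(("UNAUTHORIZED_ACCESS", rec["ts"], rec["user"], rec["resource"]))
        # Requirement 3: a full PAN must never be written to logs; report it masked.
        for cand in PAN_RE.findall(rec["detail"]):
            digits = re.sub(r"\D", "", cand)
            if luhn_valid(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append(("FULL_PAN_IN_LOG", rec["ts"], rec["user"], masked))
    return findings
```

Calling `review_log(SAMPLE_LOG, AUTHORIZED_CDE_USERS)` on the constructed lines yields one unauthorized-access finding for dev_mike and one full-PAN finding for the export by ops_carla.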
Understanding PCI DSS Compliance
- Build and maintain a secure network and systems (requirements 1 and 2)
- Protect cardholder data (requirements 3 and 4)
- Maintain a vulnerability management program (requirements 5 and 6)
- Implement strong access control measures (requirements 7, 8, and 9)
- Regularly monitor and test networks (requirements 10 and 11)
- Maintain an information security policy (requirement 12)
You can read the full list of PCI Security Standards and all of the recommendations related to each requirement here.
What Happens If Your Company Doesn’t Adhere to the PCI Compliance Standards for 2021?
While these standards are not law, non-compliance can result in loss of reputation, lawsuits, insurance claims, fines from both the payment card issuers and governments, canceled accounts, loss of business, and more. Bottom line, it’s better to maintain PCI Data Security Compliance than risk being non-compliant. If you want help determining if your financial institution or organization is compliant, contact Rivial Security about our PCI self-assessment, or reach out for ongoing support with cybersecurity compliance.