PCI DSS Compliance Checklist & Requirements

What is PCI DSS 4.0?

The Payment Card Industry Data Security Standard was established in 2004 as a collection of information security standards designed to help card payment processors secure their customers’ data and reduce credit card fraud.

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

Over the years, it has expanded in scope and adoption and is now looked upon as the minimum level of security for storing, processing, and sharing cardholder data. PCI DSS 4.0 is the latest interaction of the protocol and it mirrors the same emphasis on protecting sensitive financial details better and closing loopholes bad actors might use to compromise cardholder data.

This article will breakdown PCI DSS compliance in detail to help you understand where your personnel & technical infrastructure might need upgrades, both to stay compliant and to take advantage of the security PCI DSS is designed to offer.

Why do you need to maintain PCI DSS compliance?

The goal of PCI DSS compliance is more preventive than it is reactive. Whether it’s to—

• Reduce the risk of internal & external security breaches,
• Secure your customers’ confidence with industry standards
• Meet global data protection benchmarks, or to
• Avoid fines (that range between $5K & $100K per month, until you achieve compliance)

—the cost of non-compliance can be expensive. PCI DSS compliance helps you reduce the surface area that can be attacked while you’re handling sensitive card information, and protects you from legal and regulatory liability.

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

PCI DSS compliance checklist

The basic requirements you need to stay compliant with PCI DSS 4.0 are a crossover from previous versions (i.e., PCI-DSS 3.2.1, precisely) but now, they offer more flexibility into the methods and channels you can leverage to get to the final goal of building systems and infrastructure that’s designed to protect cardholder data.

A firewall restricts access to your organization’s network & reduces the likelihood for your systems being breached by bad actors who may try to gain access by socially engineering your employees or slipping malware into devices on your network. To make sure you have maximum protection, you need to:

• Configure your firewall & routers to restrict any traffic from untrusted networks,
• Airgap your internal cardholder data environment from the internet,
• Ensure that of your company- or employee-owned devices that connect to the internet are protected with firewalls & anti-malware software, and
• Establish SOPs for routine security checks for for responding to suspected breaches

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Most mainstream networking device vendors have widely-known default passwords. If you don’t proactively encrypt your data and protect it with stronger, it’s going to be extremely easy for bad actors to gain access to your systems by trying common combinations or using brute-force password-guessing attacks.

The only way to limit this attack vector is to change default password with stringer combinations, create security SOPs for all your stakeholders, and keep updating your systems with patches from the manufacturer to ensure you’re secure from zero-day attacks.

For the most part, avoid storing cardholder data, except it’s absolutely essential. And, if it is, you need to follow certain precautions to limit exposure from any angle:

• Limit store cardholder data to the minimum & delete unnecessary records frequently
• Encrypt card PANs to ensure they’re unreadable in storage & transit
• Delete any sensitive authentication data after completing the authorization process

4. Encrypt transmission of cardholder data across open, public networks

Any data shared over a public network can be sniffed out by hackers through means such as man-in-the-middle attacks & rogue hotspots, set up by criminals to either steal data from their unsuspecting victims or inject malware into their devices.

• Never share unencrypted PANs through consumer messaging platforms like email, SMS, WhatsApp, etc.
• Use strong cryptography (at least 128-bit RSA) to encrypt cardholder data whenever they’re been transmitted over public networks that are susceptible to attack

5. Protect all systems against malware and regularly update anti-virus software or programs

When new vulnerabilities are discovered and exploited on your vendor’s network, it gives them the insight they need to ship a patch.

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.

On your end, your responsibility is to update your anti-malware software on a schedule and ensure work-related devices are periodically scanned, and that their audit logs are archived as per PCI DSS protocols.

To complete the loop, you need to adopt an always-on approach to cybersecurity & make sure your anti-malware software cannot be disabled or altered by users, except for special scenarios specifically approved by management.

The best way to secure technical resources is to combine in-house expertise, open source research, and a proactive approach to network security. This helps you create a stronger network that’s continually hunting for vulnerabilities in your systems to reduce the chances that hackers will find and exploit them.

• Crowdsource your penetration testing via a bug bounty program
• Set your systems to automatically install vendor-supplied security patches & updates
• Coach your developers in secure coding practices, such as handling sensitive data in local memory

7. Restrict access to cardholder data on a need-to-know basis

Your cardholder data needs to be encrypted in transit & storage and should only be accessible to executives on a need-to-know basis. Likewise, your systems should be designed to create a digital footprint for each executive and the data they’ve had access to.

No. 8 is tied closely to No. 7 since you can only restrict access on a need-to-know basis when you have unique IDs to authenticate each staff member. This security stack can include biometric devices, hardware tokens, and smart cards that are exclusive to individuals.

Any physically unprotected environment is an attack surface bad actors can exploit, whether by using a thumb drive to inject malware into your systems or stealing unlocked devices.

To reduce the likelihood of that happening, you need to restrict access to your network infrastructure, especially if you use self-hosted servers that can be tampered with physically. Likewise, you’ll also have to backup your data, restrict access to devices & files, destroy disused company devices, and control access to your facilities.

Keep detailed logs of whoever access cardholder data & when in order to help you determine when specific changes were made, track down breaches faster, and control access by revoking individual privileges.

Your regimen needs a combination of internal assets & external professionals to help test your firewall security, review your networks for unauthorized WAPs, intrusion, and file modification. Depending on your company’s scale, it’s advisable to enlist the services of an Approved Scanning Vendor to help you run network vulnerability tests every quarter after you secure your PCI DSS approval.

It’s easy to overlook basic personnel security even after you’ve invested heavily into security technical assets from attack. At the least, employees need to undergo background checks, as well as regular security awareness programs designed to help them detect common attack vectors.

Get help with your cybersecurity compliance with Rivial

When it comes to securing cardholder data, the stakes are high and attacks keep getting more sophisticated. Whether it’s a hacker trying to inject compromised code into your repository via GitHub, slip a thumb drive onto an employee’s unguarded device, or a rogue employee accessing your customers’ data, there are multiple ways bad actors can attack to cripple your business, exfiltrate funds, and ruin your customers' trust.

That’s what PCI DSS protocols aim to prevent—to reduce attack surface areas & reduce the likelihood of your enterprise falling victim. Rivial is an all-in-one cybersecurity management platform that’s designed for security leaders at banks and credit unions to accurately measure risk, automate compliance, and easily manage their security programs.

Need Help With Your Cybersecurity Program?

Accurately measure risk & automate compliance with Rivial Security.