The Payment Card Industry Data Security Standard was established in 2004 as a collection of information security standards designed to help card payment processors secure their customers’ data and reduce credit card fraud.
Accurately measure risk & automate compliance with Rivial Security.
Over the years, it has expanded in scope and adoption and is now regarded as the minimum level of security for storing, processing, and sharing cardholder data. PCI DSS 4.0 is the latest iteration of the standard, and it carries the same emphasis on better protecting sensitive financial details and closing loopholes that bad actors might use to compromise cardholder data.
This article will break down PCI DSS compliance in detail to help you understand where your personnel & technical infrastructure might need upgrades, both to stay compliant and to take advantage of the security PCI DSS is designed to offer.
The goal of PCI DSS compliance is more preventive than it is reactive. Whether it’s to—
—the cost of non-compliance can be expensive. PCI DSS compliance helps you reduce the surface area that can be attacked while you’re handling sensitive card information, and protects you from legal and regulatory liability.
The basic requirements you need to stay compliant with PCI DSS 4.0 carry over from previous versions (specifically PCI DSS 3.2.1), but they now offer more flexibility in the methods and channels you can use to reach the final goal: building systems and infrastructure designed to protect cardholder data.
1. Protect cardholder data with a firewall
A firewall restricts access to your organization’s network & reduces the likelihood of your systems being breached by bad actors who may try to gain access by socially engineering your employees or slipping malware into devices on your network. To make sure you have maximum protection, you need to:
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Most mainstream networking device vendors have widely known default passwords. If you don’t proactively encrypt your data and protect it with stronger passwords, it’s going to be extremely easy for bad actors to gain access to your systems by trying common combinations or using brute-force password-guessing attacks.
The only way to limit this attack vector is to change default passwords to stronger combinations, create security SOPs for all your stakeholders, and keep updating your systems with patches from the manufacturer to ensure you’re secure from zero-day attacks.
3. Protect stored cardholder data
For the most part, avoid storing cardholder data unless it’s absolutely essential. And if it is, you need to follow certain precautions to limit exposure from any angle:
4. Encrypt transmission of cardholder data across open, public networks
Any data shared over a public network can be sniffed out by hackers through means such as man-in-the-middle attacks & rogue hotspots, set up by criminals to either steal data from their unsuspecting victims or inject malware into their devices.
5. Protect all systems against malware and regularly update anti-virus software or programs
When new vulnerabilities are discovered and exploited on your vendor’s network, it gives the vendor the insight they need to ship a patch.
On your end, your responsibility is to update your anti-malware software on a schedule and ensure work-related devices are periodically scanned, and that their audit logs are archived as per PCI DSS protocols.
To complete the loop, you need to adopt an always-on approach to cybersecurity & make sure your anti-malware software cannot be disabled or altered by users, except for special scenarios specifically approved by management.
6. Develop and maintain secure systems and applications
The best way to secure technical resources is to combine in-house expertise, open source research, and a proactive approach to network security. This helps you create a stronger network that’s continually hunting for vulnerabilities in your systems to reduce the chances that hackers will find and exploit them.
7. Restrict access to cardholder data on a need-to-know basis
Your cardholder data needs to be encrypted in transit & storage and should only be accessible to executives on a need-to-know basis. Likewise, your systems should be designed to create a digital footprint for each executive and the data they’ve had access to.
8. Create unique user authentication IDs for your staff
No. 8 is tied closely to No. 7, since you can only restrict access on a need-to-know basis when you have unique IDs to authenticate each staff member. This security stack can include biometric devices, hardware tokens, and smart cards that are exclusive to individuals.
9. Restrict physical access to cardholder data
Any physically unprotected environment is an attack surface bad actors can exploit, whether by using a thumb drive to inject malware into your systems or stealing unlocked devices.
To reduce the likelihood of that happening, you need to restrict access to your network infrastructure, especially if you use self-hosted servers that can be tampered with physically. Likewise, you’ll also have to back up your data, restrict access to devices & files, destroy disused company devices, and control access to your facilities.
10. Track and monitor all access to network resources and cardholder data
Keep detailed logs of whoever accesses cardholder data & when, in order to help you determine when specific changes were made, track down breaches faster, and control access by revoking individual privileges.
11. Regularly test security systems and processes
Your regimen needs a combination of internal assets & external professionals to help test your firewall security and review your networks for unauthorized WAPs, intrusion, and file modification. Depending on your company’s scale, it’s advisable to enlist the services of an Approved Scanning Vendor to help you run network vulnerability tests every quarter after you secure your PCI DSS approval.
12. Maintain a policy that addresses information security for all personnel
It’s easy to overlook basic personnel security even after you’ve invested heavily in securing technical assets from attack. At the least, employees need to undergo background checks, as well as regular security awareness programs designed to help them detect common attack vectors.
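Requirements 3, 7, 8 and 10 above fit together in code: every access to a cardholder record is checked against a per-user need-to-know allowlist keyed by a unique user ID, the outcome is written to an audit log that never carries the raw PAN, and a privilege can be revoked for one individual. The following is an added illustration, not code from the article or from Rivial; the user IDs, privileges, PAN and hash key are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed need-to-know allowlist: one unique ID per staff member (reqs 7 and 8).
PERMISSIONS = {
    "u1001": {"view_masked_pan"},
    "u1002": {"view_masked_pan", "update_billing"},
}

# Constructed demo key; a real deployment uses a managed secret, never a literal.
HASH_KEY = b"demo-only-key"

AUDIT_LOG = []  # append-only record of who touched cardholder data and when (req 10)


def mask_pan(pan: str) -> str:
    """Return the PAN with all but the last four digits hidden (req 3 display rule)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return "*" * (len(digits) - 4) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN so log entries can be correlated without storing the PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]


def revoke(user_id: str, privilege: str) -> None:
    """Remove a single privilege from a single user ID."""
    PERMISSIONS.get(user_id, set()).discard(privilege)


def access_cardholder_record(user_id: str, privilege: str, pan: str):
    """Authorize against the allowlist and log the attempt whether it is allowed or not."""
    allowed = privilege in PERMISSIONS.get(user_id, set())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": privilege,
        "pan_ref": pan_token(pan),  # never the raw PAN
        "result": "ALLOW" if allowed else "DENY",
    })
    return allowed, (mask_pan(pan) if allowed else "")
```

Denied attempts are logged as well, since a burst of DENY entries for one user ID is exactly the signal requirement 10 exists to surface.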
When it comes to securing cardholder data, the stakes are high and attacks keep getting more sophisticated. Whether it’s a hacker trying to inject compromised code into your repository via GitHub, slip a thumb drive onto an employee’s unguarded device, or a rogue employee accessing your customers’ data, there are multiple ways bad actors can attack to cripple your business, exfiltrate funds, and ruin your customers' trust.
That’s what PCI DSS protocols aim to prevent—to reduce attack surface areas & reduce the likelihood of your enterprise falling victim. Rivial is an all-in-one cybersecurity management platform that’s designed for security leaders at banks and credit unions to accurately measure risk, automate compliance, and easily manage their security programs.