I have worked in the payments industry as a systems administrator for more than 15 years and have spent most of my career working with payment card industry compliance, which pertains to security requirements for companies that handle credit card data.
PCI compliance is a very complex field with guidelines that organizations in this industry are required to adhere to in order to handle payment processing.
What is PCI Compliance?
PCI compliance is a framework based on requirements set forth by the Payment Card Industry Security Standards Council to ensure that all businesses that process, store or transmit credit card information maintain a secure operating environment to protect their business, customers and confidential data.
The guidelines, known as the Payment Card Industry Data Security Standard, were issued on September 7, 2006 and directly affect all major credit card companies.
The PCI SSC was created by Visa, MasterCard, American Express, Discover and the Japan Credit Bureau to administer and manage the PCI DSS. Companies that comply with the PCI DSS are confirmed PCI compliant and are therefore considered reliable to do business with.
All merchants that process more than 1 million or 6 million payment card transactions each year, and service providers that store, transmit or process more than 300,000 card transactions each year, must be audited for PCI DSS compliance. This article is aimed at companies subject to this annual review.
It’s worth noting that PCI compliance no more guarantees protection against data breaches than a fire-code-compliant home is guaranteed safe from fire. It simply means that business operations are certified to meet stringent security standards, giving these organizations the best possible protection against threats and the highest level of trust from their customer base and regulators.
Failure to meet PCI requirements can result in hefty financial penalties of $5,000 to $100,000 per month. Businesses that were compliant when a data breach occurred can face significantly reduced fines afterwards.
14 PCI best practices for your business
1. Understand your cardholder data environment and document everything you can
There can be no surprises when it comes to implementing PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server operating somewhere or a bunch of mysterious accounts.
2. Be proactive in your approach and implement security policies across the board
It is a grave mistake to view PCI compliance security as something to be “added on” or applied only where required. Security concepts should be incorporated into the entire environment by default. Measures such as requiring multi-factor authentication in production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and requiring periodic password changes should be enforced in advance. The more security-conscious your organization is, the less work will need to be done when audit time comes.
3. Conduct background checks on employees who handle cardholder data
All prospective employees should be thoroughly vetted, including background checks for those who will be working with cardholder data, whether directly or in an administrative or support position. Any candidate with a serious charge on their criminal record should be rejected for employment, particularly if it involves financial crime or identity theft.
4. Implement a centralized information security authority
For best PCI compliance, you need a centralized body that serves as the decision-making authority for all implementation, management, and remediation activities. These are typically IT and/or information security departments, which should be staffed with employees trained in this field and familiar with PCI requirements.
5. Implement stringent environment security controls
Across the board, you should employ strong security controls in every possible element that manages cardholder data systems. Use firewalls, NATs, segmented subnets, anti-malware software, strong passwords (do not use default system passwords), encryption, and tokenization to protect cardholder data.
As an additional suggestion, keep the scope of cardholder data systems, networks and dedicated resources as small as possible, so that fewer resources need protecting and less effort is required to protect them.
For example, don’t allow development accounts to access production (or vice versa); otherwise the development environment becomes in scope and subject to the same increased security requirements.
6. Implement least-privilege access
Use dedicated user accounts when performing administrative tasks on cardholder systems, not root or domain administrator accounts. Make sure users are granted only the bare minimum of access, even those with admin roles. Where possible, have them rely on separate “user-level accounts” and “privileged accounts” that are only used to perform highly privileged tasks.
7. Implement logging, monitoring and alerting
All systems should log operational data and access events to a centralized location. This logging should be comprehensive but not overwhelming, and a monitoring and alerting process should be in place to notify appropriate personnel of verified or potentially suspicious activity.
Examples of alerts include too many failed logins, locked out accounts, a person logging into a host directly as root or administrator, root or administrator password changes, unusually high amounts of network traffic, and anything else that could be a potential or incipient data breach.
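The following is an added example, not code from the original article: a small set of alerting rules run over constructed syslog-style sshd and PAM lines, covering four of the alert conditions listed above (too many failed logins from one source, an account lockout, a direct root login and a root password change). The thresholds, host names, addresses and account names are assumptions chosen for the example, and the log lines are made up rather than captured from a real system.

```python
"""Alerting rules run over centralized authentication logs.

Added example, not code from the original article. It applies four of
the alert conditions described in the text (too many failed logins, an
account lockout, a direct root login and a root password change) to
constructed syslog-style sshd/PAM lines. Thresholds, host names,
addresses and account names are assumptions chosen for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGIN_THRESHOLD = 5   # this many failures from one source address ...
WINDOW_SECONDS = 60          # ... within this many seconds raises an alert
PRIVILEGED_ACCOUNTS = {"root", "administrator"}

# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = """\
Mar 10 08:01:02 pay-app01 sshd[1201]: Failed password for alice from 10.20.30.40 port 5011 ssh2
Mar 10 08:01:05 pay-app01 sshd[1201]: Failed password for alice from 10.20.30.40 port 5012 ssh2
Mar 10 08:01:09 pay-app01 sshd[1201]: Failed password for alice from 10.20.30.40 port 5013 ssh2
Mar 10 08:01:12 pay-app01 sshd[1201]: Failed password for alice from 10.20.30.40 port 5014 ssh2
Mar 10 08:01:15 pay-app01 sshd[1201]: Failed password for alice from 10.20.30.40 port 5015 ssh2
Mar 10 08:01:20 pay-app01 sshd[1201]: Failed password for invalid user admin from 10.20.30.40 port 5016 ssh2
Mar 10 08:02:00 pay-app01 pam_faillock[1202]: Consecutive login failures for user alice account temporarily locked
Mar 10 08:15:30 pay-db01 sshd[2201]: Accepted publickey for root from 10.20.30.41 port 6001 ssh2
Mar 10 08:16:00 pay-db01 passwd[2210]: pam_unix(passwd:chauthtok): password changed for root
Mar 10 08:20:00 pay-app01 sshd[1301]: Accepted publickey for bob from 10.20.30.42 port 7001 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
LOCKED_RE = re.compile(r"for user (\S+) account temporarily locked")
PASSWD_RE = re.compile(r"password changed for (\S+)")


def parse_line(line):
    """Split a syslog line into (timestamp, host, message).

    The classic syslog timestamp carries no year, so strptime yields
    year 1900; only differences between timestamps are used here.
    """
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    host, _, message = line[16:].partition(" ")
    return ts, host, message


def analyze(log_text, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (rule, host, subject, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = parse_line(line)

        m = FAILED_RE.search(msg)
        if m:
            _user, src = m.groups()
            recent = failures[src]
            recent.append(ts)
            # Sliding window: drop failures older than the window.
            while (ts - recent[0]).total_seconds() > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append(("excessive_failed_logins", host, src,
                               f"{len(recent)} failures within {window}s"))
                recent.clear()  # alert once per burst, then start counting again
            continue

        m = ACCEPTED_RE.search(msg)
        if m:
            user, src = m.groups()
            if user.lower() in PRIVILEGED_ACCOUNTS:
                alerts.append(("direct_privileged_login", host, user, f"from {src}"))
            continue

        m = LOCKED_RE.search(msg)
        if m:
            alerts.append(("account_lockout", host, m.group(1), "PAM faillock"))
            continue

        m = PASSWD_RE.search(msg)
        if m and m.group(1).lower() in PRIVILEGED_ACCOUNTS:
            alerts.append(("privileged_password_change", host, m.group(1), "password changed"))
    return alerts


if __name__ == "__main__":
    for rule, host, subject, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule:28} host={host} subject={subject} ({detail})")
```

Running the block prints one alert per matched condition; the sixth failed login starts a fresh count because the first burst has already been reported, which keeps a single brute-force attempt from flooding the on-call channel. In a real deployment the same rules would run in the SIEM or log pipeline fed by the centralized logging described above, with the thresholds tuned to the environment.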
8. Implement software patching and updating mechanisms
With step 1, you know what operating systems, applications and tools are running in your cardholder data environment. Make sure these are regularly updated, especially when critical vulnerabilities appear. IT and cybersecurity staff should subscribe to vendor alerts to receive notifications of these vulnerabilities and details on the patches that address them.
9. Implement standard system and application configurations
Every system built in a cardholder environment, as well as the applications running on it, should come from a standard build, such as a master (golden) image. There should be as few disparities and discrepancies as possible between systems, especially redundant or clustered systems. That master image should be regularly updated and maintained to ensure that new systems produced from it are fully secure and ready for deployment.
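One way to catch systems that have drifted from the standard build, as an added example that is not code from the original article: a baseline of required sshd_config settings stands in for the standard build, each host's sshd_config is parsed and compared with it, and every difference is reported. The baseline values, host names and config files are constructed for the example. The parser reproduces two sshd behaviours that matter when auditing: the first occurrence of a keyword wins, and settings after the first Match line are conditional rather than global.

```python
"""Configuration drift check against a standard build.

Added example, not code from the original article. A baseline of
required sshd_config settings stands in for the standard build; each
host's sshd_config is parsed and compared with it. The baseline values,
host names and config files are constructed for the example.
"""
import re

# Assumed standard-build settings (keyword -> required value). sshd
# keywords are case-insensitive, so they are stored lower-cased.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Constructed sshd_config files for two hosts.
HOST_CONFIGS = {
    "pay-app01": """\
# Standard build v3 (constructed example)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
""",
    "pay-app02": """\
Port 22
PermitRootLogin yes        # enabled "temporarily" during a migration
PasswordAuthentication=no
X11Forwarding no
LogLevel INFO
PermitRootLogin no         # ineffective: sshd honours the first occurrence
Match User deploy
    PasswordAuthentication yes
""",
}


def parse_sshd_config(text):
    """Return the global-scope settings of an sshd_config as a dict.

    Mirrors two sshd rules that matter when auditing: the first
    occurrence of a keyword wins, and everything after the first
    Match line is conditional, so it is not part of the global scope.
    Keywords and arguments may be separated by whitespace or '='.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def check_against_baseline(settings, baseline):
    """Return findings as (keyword, kind, expected, actual) tuples."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing", expected, None))
        elif actual.lower() != expected.lower():
            findings.append((key, "mismatch", expected, actual))
    return findings


def audit_fleet(baseline, configs):
    """Map host name -> findings; an empty list means the host matches the build."""
    return {host: check_against_baseline(parse_sshd_config(text), baseline)
            for host, text in configs.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(BASELINE, HOST_CONFIGS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for key, kind, expected, actual in findings:
            print(f"  {key}: {kind} (expected {expected!r}, found {actual!r})")
```

A "missing" finding means the keyword is not set explicitly and sshd's compiled-in default applies, which is worth reporting even when the default happens to be acceptable, because the standard build should pin it. The same structure extends to any other file or package-version list that the master image defines.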
10. Implement an offboarding checklist for terminated employees with privileged access
Too many organizations don’t track employee departures, especially when there are different departments and environments. The HR department should be responsible for notifying all application and environment owners of employee departures so that their access can be completely removed.
A cross-referenced checklist of all employees with access to systems and environments handling credit card data should be compiled and maintained by the IT and/or cybersecurity departments, and every step should be followed to ensure that access is 100% removed.
Do not delete accounts; disable them instead, as proof of disabled accounts is often required by PCI auditors.
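The offboarding reconciliation the two paragraphs above describe, as an added example that is not code from the original article: an HR termination list is cross-referenced against account exports from several systems, and today's export is compared with the previous one so that an account that was deleted outright (rather than disabled, as advised above) is flagged as an evidence gap for the auditor. All user names, system names, dates and the one-day removal SLA are constructed assumptions.

```python
"""Offboarding reconciliation across systems in the cardholder environment.

Added example, not code from the original article. It cross-references
an HR termination list against account exports from several systems,
comparing today's export with the previous one so that an account that
was deleted (rather than disabled, as the article advises) is flagged as
an evidence gap. All names, systems, dates and the SLA are constructed.
"""
from datetime import date

SLA_DAYS = 1  # assumption for the example: access removed within one day

# Constructed HR feed: username -> termination date.
HR_TERMINATIONS = {
    "jsmith": date(2024, 3, 1),
    "mlee": date(2024, 3, 5),
}

# Constructed account exports: system -> {username: status}.
PREVIOUS_INVENTORY = {
    "ad-domain": {"jsmith": "enabled", "mlee": "enabled", "bob": "enabled"},
    "pay-app01": {"jsmith": "enabled", "bob": "enabled"},
    "pay-db01":  {"jsmith": "enabled", "mlee": "enabled"},
    "vpn":       {"mlee": "enabled", "bob": "enabled"},
}
CURRENT_INVENTORY = {
    "ad-domain": {"jsmith": "disabled", "mlee": "disabled", "bob": "enabled"},
    "pay-app01": {"jsmith": "enabled", "bob": "enabled"},   # missed by the app owner
    "pay-db01":  {"mlee": "disabled"},                      # jsmith deleted outright
    "vpn":       {"mlee": "enabled", "bob": "enabled"},     # VPN owner never notified
}


def reconcile(terminations, previous, current, today, sla_days=SLA_DAYS):
    """Build the offboarding checklist.

    Returns a dict with four lists of (system, user) pairs:
      open     - terminated user still enabled: access must be removed
      overdue  - the subset of open items older than the SLA
      evidence - account disabled: retain as proof for the auditor
      deleted  - account vanished between exports: no disabled-account evidence
    """
    result = {"open": [], "overdue": [], "evidence": [], "deleted": []}
    for system in sorted(set(previous) | set(current)):
        before = previous.get(system, {})
        now = current.get(system, {})
        for user, term_date in terminations.items():
            if user in now:
                if now[user].lower() == "disabled":
                    result["evidence"].append((system, user))
                else:
                    result["open"].append((system, user))
                    if (today - term_date).days > sla_days:
                        result["overdue"].append((system, user))
            elif user in before:
                # Present last time, gone now: deleted rather than disabled.
                result["deleted"].append((system, user))
    return result


if __name__ == "__main__":
    report = reconcile(HR_TERMINATIONS, PREVIOUS_INVENTORY, CURRENT_INVENTORY, date(2024, 3, 8))
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Running this against the constructed data shows the typical failure modes: one application owner never acted, the VPN owner was never notified, and the database team deleted the account instead of disabling it, leaving nothing to show the auditor. The "evidence" list is what you hand over at audit time.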
11. Implement secure data destruction methodologies
When cardholder data is disposed of, as the requirements mandate, a secure method of data destruction must be used. It may involve software- or hardware-based processes such as secure deletion of files or destruction of disks and tapes. Often, destruction of physical media will require evidence to confirm that it was done correctly and witnessed.
12. Conduct penetration testing
Organize internal or external penetration tests to check your environment and confirm that everything is secure enough. You’d much rather find any problems you can fix independently before a PCI auditor does.
13. Educate your user base
Thorough user training is essential to maintain safe operations. Educate users on how to securely access and/or manage cardholder data, how to recognize security threats such as phishing scams or social engineering, how to secure their workstations and mobile devices, how to use multi-factor authentication, how to spot anomalies and, most importantly, who to contact to report any suspected or confirmed security breaches.
14. Be prepared to work with auditors
Now we come to the time of the audit, where you will meet with an individual or a team whose objective is to analyze the PCI compliance of your organization. Don’t be nervous or apprehensive; these people are here to help you, not spy on you. Give them everything they ask for and only what they ask for – be honest but minimal. You are not hiding anything; you are only providing the information and answers that sufficiently satisfy their needs.
Also, keep evidence such as settings screenshots, system vulnerability reports and user lists, as they might come in handy in future audits. Address all of their recommendations for fixes and changes as quickly as possible, and be prepared to present evidence that this work has been completed.
Carefully review any proposed changes to ensure they do not negatively impact your operating environment. For example, I’ve seen scenarios where it was requested to remove TLS 1.0 in favor of newer TLS versions, but applying this recommendation would break connectivity from legacy systems and cause an outage. Those systems had to be upgraded sooner to meet the requirements.