In the rapidly evolving digital era, the landscape of fraud has shifted its gaze from traditional bank robberies to a new target: institutions responsible for handling cardholder data.
Whether you are an individual or an organisation involved in payment card transactions, safeguarding both yourself and card users from potential data breaches is of utmost importance.
This is where compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) comes into play as a crucial tool for mitigating vulnerabilities and protecting cardholder data.
By adhering to PCI DSS guidelines, you can effectively minimise risks and uphold the security of sensitive financial information.
What is PCI DSS?
PCI DSS is a set of security standards established by the Payment Card Industry Security Standards Council (PCI SSC) to ensure the protection of cardholder data and enhance the security of payment card transactions. It applies to all organisations that process, store, or transmit payment card information, including merchants, service providers, financial institutions, and other entities involved in the payment card ecosystem.
Why does PCI DSS matter?
The increasing reliance on card payments and the rise of cyber threats have necessitated a unified standard for ensuring the security of sensitive financial information. With each transaction processed, merchants expose themselves to potential data breaches. PCI DSS serves as a comprehensive framework, outlining security requirements and best practices for handling such data. Adhering to PCI DSS enables businesses to establish robust security measures, detect vulnerabilities, and mitigate risks, safeguarding cardholders and enhancing trust. It also aids organisations in maintaining compliance and protecting their reputation.
Whom does it apply to?
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It encompasses individuals or organisations that store, process, accept, or transmit card information within the payment card ecosystem. This includes not only financial institutions but also merchants who accept credit or debit card payments, regardless of the channel used.
PCI DSS is not a law in most jurisdictions; it is enforced contractually, through the agreements merchants and service providers sign with their acquiring banks and, through them, the card brands. The obligation also flows down the supply chain: an organisation that outsources any payment card operation remains responsible for the cardholder data it shares, so it must verify that each third-party provider is PCI DSS compliant, obtain a written acknowledgement of the provider's responsibilities, and keep a record of which requirements each provider covers on its behalf.
What type of data does PCI DSS protect?
PCI DSS protects two categories of data: cardholder data (CHD) and sensitive authentication data (SAD). CHD comprises the primary account number (PAN), cardholder name, expiration date and service code; it may be stored when there is a genuine business need, provided it is protected as described below. SAD comprises the data used to authorise a transaction: full magnetic stripe (or chip-equivalent) track data, the three- or four-digit card verification code (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks. SAD must never be stored after authorisation, even in encrypted form. Note that the security code printed on the card is SAD, not CHD, so it can never be retained.
The PCI DSS Principles & Requirements
I) Build and Maintain a Secure Network
Install and maintain a firewall configuration to protect your cardholder data
Firewalls act as barriers between trusted internal networks and untrusted external networks, monitoring and controlling traffic to block unauthorised access and malware. Firewall and router configuration standards should document every connection into and out of the cardholder data environment (CDE), deny all traffic by default, and permit only the protocols, ports and sources that the environment actually needs, in both directions. Direct public access to the CDE must be prohibited: systems that must be reachable from the internet belong in a DMZ, with the cardholder data stores on a separate internal segment. Personal firewall software should be installed on any portable or employee-owned device that connects to the internet and is also used to access the organisation's network. Firewall and router rule sets must be reviewed at least every six months, and unused rules removed.
Do not use vendor-supplied defaults for system passwords and other security parameters
Default passwords and security settings are publicly documented and easily guessed, so they pose a serious risk to cardholder data. Change every vendor default (administrative passwords, SNMP community strings, wireless keys) and remove or disable unnecessary default accounts before a system is connected to the network. Beyond passwords, maintain hardening standards for every type of system component, disable services, protocols and daemons that are not needed, and run only one primary function per server so that functions with different security levels do not share a host.
II) Protect Cardholder Data
Protect stored cardholder data
Cardholder data should not be stored unless a business need requires it, and what is stored and for how long should be limited to what business or legal purposes demand, with a documented retention period and secure deletion once it expires. Sensitive authentication data must never be stored after authorisation, even if encrypted. The PAN must be rendered unreadable wherever it is stored, using one of the approved methods: a one-way hash of the entire PAN based on strong cryptography, truncation, index tokens with securely stored pads, or strong cryptography with documented key management. When the PAN is displayed it should be masked so that at most the first six and last four digits are visible, unless a specific role needs the full number. Cryptographic keys used to protect cardholder data must themselves be protected from disclosure and misuse: access restricted to the fewest custodians necessary, keys stored in as few locations as possible, and keys changed at the end of their cryptoperiod or when compromise is suspected.
Encrypt transmission of cardholder data across open, public networks
Cardholder data crossing open, public networks (the internet, wireless, cellular and similar) can be intercepted, so it must be encrypted in transit so that it is unreadable to anyone without the key. Use strong cryptography and current protocols such as TLS 1.2 or later, IPsec or SSH, and accept only trusted keys and certificates. SSL and early TLS (TLS 1.0) are no longer considered strong cryptography and have been prohibited for new implementations since PCI DSS v3.1, with existing use required to be retired by June 2018. Unencrypted PANs must never be sent over end-user messaging technologies such as email, instant messaging, SMS or chat.
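The two requirements above are easier to reason about with a concrete illustration. The following Python example is added for this article (it is not code from the PCI SSC or any vendor). It shows why an unkeyed hash does not make a stored PAN "unreadable" once the BIN and last four digits are known, contrasts it with a keyed one-way hash, and includes a Luhn-based scanner of the kind a mail or chat gateway uses to block unencrypted PANs leaving the environment. The card number 4111 1111 1111 1111 is a widely published test number, the key and the message text are constructed for the example, and the function names (`protected_hash`, `recover_pan`, `find_pans`) are this example's own, not a standard API.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812): every real PAN passes it, so it is a cheap
    first filter for both attackers and data-loss-prevention scanners."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS 3.3: at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def weak_hash(pan: str) -> str:
    """Unkeyed SHA-256 of the bare PAN. Looks unreadable, but see recover_pan."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(digest: str, bin6: str, last4: str, length: int = 16):
    """Attacker's view of weak_hash: the BIN is public and the last four digits
    are routinely printed on receipts and kept in logs, so only the middle
    digits are unknown. For a 16-digit PAN that is at most one million
    candidates (a tenth of that if you filter with luhn_valid first)."""
    middle = length - len(bin6) - len(last4)
    for i in range(10 ** middle):
        candidate = f"{bin6}{i:0{middle}d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def protected_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256). Without the key the enumeration in
    recover_pan is impossible, so the key must be managed like an encryption
    key: restricted custodians, secure storage, defined cryptoperiod."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text. Run on outbound email,
    chat and ticket content so that an unencrypted PAN is blocked before it
    leaves the cardholder data environment."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample message: one valid test PAN, one Luhn-invalid number,
# and an order reference that must not be flagged.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 for order 20240115; "
    "the old card 4111-1111-1111-1112 was cancelled."
)

if __name__ == "__main__":
    pan = "4111111111111111"
    key = b"constructed-example-key"   # in production: from an HSM or key vault
    print("display:", mask_pan(pan))
    print("recovered from unkeyed hash:", recover_pan(weak_hash(pan), "411111", "1111"))
    print("keyed hash:", protected_hash(pan, key))
    print("PANs found in outbound message:", find_pans(SAMPLE_MESSAGE))
```

The keyed hash is the minimum that makes a stored PAN genuinely unreadable to anyone who obtains the database; PCI DSS v4.0 makes keyed hashes mandatory for this purpose. Truncation (keeping only the first six and last four) and tokenisation, where a random token replaces the PAN and the mapping lives in a separately controlled vault, remove the PAN from the system altogether and are preferable where the full number is not needed.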
III) Maintain a Vulnerability Management Program
Use and regularly update anti-virus software or programs
To protect against known and emerging malware, anti-virus or anti-malware software must be deployed on all systems commonly affected by malware, particularly personal computers and servers; employees' email and web browsing are the usual entry points. The software must be kept current with the latest engine and signatures, run periodic scans, generate audit logs that are retained like other logs, and remain active: users must not be able to disable or alter it, except where management authorises a documented exception for a limited period. Systems not commonly affected by malware should be re-evaluated periodically as threats evolve.
Develop and maintain secure systems and applications
System and application vulnerabilities must be addressed by installing vendor-supplied security patches: critical patches within one month of release, and all others within a reasonable period. Establish a process, using reputable outside sources, to identify newly disclosed vulnerabilities and rank them by risk. Develop applications in line with secure coding guidelines that cover at least injection, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, broken authentication and session management, cross-site scripting, improper access control and cross-site request forgery, and review custom code before release. For public-facing web applications, either assess them for vulnerabilities at least annually and after any change, or place an automated technical solution such as a web application firewall in front of them.
IV) Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know
Cardholder data access should be limited to only those who require it to do their job. In systems with multiple users, access should be set to "deny all" by default, and only explicitly authorised access should be allowed.
Assign a unique ID to each person with computer access
Assigning a unique identifier (ID) to every individual with access ensures that actions on critical systems and data can be attributed to a known, authorised person; shared or generic accounts break that traceability and are not permitted. Each ID must be bound to an authentication factor: something you know (password or passphrase), something you have (token or smart card) or something you are (biometric). Multi-factor authentication is required for all remote network access originating outside the network and for all non-console administrative access into the cardholder data environment. Passwords must meet minimum strength and rotation rules, accounts must lock after repeated failed attempts, and idle sessions must time out. Authentication credentials must be rendered unreadable during transmission and storage using strong cryptography: in practice, transmit them only over TLS and store only a salted, slow one-way hash, never a reversible encryption of the password.
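As an added illustration of the credential-storage point above (this is example code written for this article, not code from the PCI SSC or any particular product), the Python below stores a salted, memory-hard one-way hash of a password and verifies it in constant time, and checks a candidate password against the minimum composition rule from PCI DSS v3.2.1 Requirement 8.2.3 (at least seven characters with both letters and digits; v4.0 raises the length to twelve). The scrypt parameters are this example's assumptions and should be tuned to your hardware; the sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters assumed for this example: 2**14 * 8 * 128 = 16 MiB of
# memory per hash, roughly 50 ms on a current CPU. Raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def meets_policy(password: str, min_length: int = 7) -> bool:
    """PCI DSS v3.2.1 8.2.3 minimum: length and both alphabetic and numeric."""
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, random salt and
    the derived key. The password itself is never stored and cannot be
    recovered from the record; verification recomputes the hash instead."""
    salt = secrets.token_bytes(16)
    derived = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(derived).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time so
    the comparison does not leak how many leading bytes matched."""
    try:
        algo, n, r, p, salt_b64, derived_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    actual = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("Correct-Horse-42")   # constructed sample password
    print("stored record:", record)
    print("correct password verifies:", verify_password("Correct-Horse-42", record))
    print("wrong case rejected:", verify_password("correct-horse-42", record))
    print("policy check on '1234567':", meets_policy("1234567"))
```

Because the salt is random per user, two users with the same password get different records, so a stolen table cannot be attacked with one precomputed dictionary. Reversible "encryption" of passwords, which the original wording might suggest, would let anyone holding the key recover every password at once, which is exactly the outcome the requirement is meant to prevent.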
Restrict physical access to cardholder data
Physical access to data should be restricted as it provides the opportunity to tamper with it. This includes implementing facility entry controls, distinguishing employees from visitors, authorising and tracking visitors, securely storing media backups, physically securing cardholder data-containing media, and controlling its distribution with management approval.
V) Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data
When investigating an incident, comprehensive logs across every environment are what let responders reconstruct user activity and determine how the compromise happened; without them the cause often cannot be established at all. Audit trails must be recorded for all system components and must capture, for each event, the user, the type of event, the date and time, success or failure, the origin and the affected resource or data. The logs must be protected from alteration (restricted access, prompt copying to a central log server, and file-integrity monitoring or change detection on the log files) and retained for at least one year, with a minimum of three months immediately available for analysis. Logs of all system components that store, process or transmit cardholder data, of security functions such as firewalls, IDS/IPS and authentication servers, and of all critical system components must be reviewed at least daily; logs of other components should be reviewed periodically according to the organisation's risk assessment.
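To show what a daily log review and a tamper-evident audit trail look like in practice, here is an added Python example written for this article (not code from the PCI SSC or any logging product). It parses a constructed, syslog-style audit trail, raises alerts for a login that succeeds after the lockout threshold of six failures (PCI DSS 8.1.6) and for cardholder-data reads by users outside a need-to-know list, and chains the entries with an HMAC so that any modified, inserted or deleted line is detected. The log format, host names, user names, the need-to-know list and the HMAC key are all assumptions of this example; in a real deployment the key is held by the central log collector, not by the system producing the log.

```python
import hashlib
import hmac
import re

# Assumed line format for this example: key=value fields after a timestamp,
# host and event type; "object" is present only for data-access events.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: object=(?P<obj>\S+))? result=(?P<result>\S+)$"
)

# Constructed sample audit trail (not real data).
SAMPLE_LOG = [
    "2024-03-02T01:12:03Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:05Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:07Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:09Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:11Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:13Z pay-app01 auth user=alice src=10.0.5.12 result=FAIL",
    "2024-03-02T01:12:15Z pay-app01 auth user=alice src=10.0.5.12 result=OK",
    "2024-03-02T01:13:40Z pay-db01 chd_read user=alice src=10.0.5.12 object=cards.pan result=OK",
    "2024-03-02T02:02:11Z pay-db01 chd_read user=bob src=10.0.7.3 object=cards.pan result=OK",
]

AUTHORISED_CHD_USERS = {"bob", "billing-svc"}   # need-to-know list (assumed)
LOCKOUT_THRESHOLD = 6                           # PCI DSS 8.1.6: lock out after no more than six attempts


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]


def review(lines):
    """Daily-review logic: return human-readable alerts."""
    alerts = []
    failures = {}                                # (user, src) -> consecutive failures
    for e in parse(lines):
        key = (e["user"], e["src"])
        if e["event"] == "auth":
            if e["result"] == "FAIL":
                failures[key] = failures.get(key, 0) + 1
            else:
                if failures.get(key, 0) >= LOCKOUT_THRESHOLD:
                    alerts.append(
                        f"{e['ts']} {e['user']}@{e['src']}: login succeeded after "
                        f"{failures[key]} failures (lockout not enforced?)"
                    )
                failures[key] = 0
        elif e["event"] == "chd_read" and e["user"] not in AUTHORISED_CHD_USERS:
            alerts.append(f"{e['ts']} {e['user']}@{e['src']}: read {e['obj']} without need-to-know")
    return alerts


def chain_macs(lines, key: bytes):
    """Tamper-evident trail: each MAC covers the line and the previous MAC,
    so changing or removing any entry breaks every MAC after it."""
    macs, prev = [], b""
    for line in lines:
        prev = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        macs.append(prev.hex())
    return macs


def verify_chain(lines, macs, key: bytes) -> int:
    """Return the index of the first entry that no longer matches the stored
    chain (modified, inserted or deleted), or -1 if the trail is intact."""
    recomputed = chain_macs(lines, key)
    for i in range(max(len(recomputed), len(macs))):
        if i >= len(recomputed) or i >= len(macs) or not hmac.compare_digest(recomputed[i], macs[i]):
            return i
    return -1


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT:", alert)
    key = b"log-collector-key"          # assumed; held by the central log server
    macs = chain_macs(SAMPLE_LOG, key)
    tampered = SAMPLE_LOG[:]
    tampered[7] = tampered[7].replace("alice", "carol")   # attacker rewrites the CHD access
    print("intact trail:", verify_chain(SAMPLE_LOG, macs, key))
    print("first tampered entry:", verify_chain(tampered, macs, key))
```

The two checks in `review` are deliberately simple so the logic is visible; a SIEM would add time windows, correlation across hosts and the per-event fields listed above. The HMAC chain is the cheapest form of "secured from alteration": it does not stop an attacker with root from rewriting the file, but it guarantees the rewrite is detected when the collector verifies the chain, which is the property an investigator needs.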
Regularly test security systems and processes
Security controls decay over time: new vulnerabilities are disclosed continuously, attack tooling improves, and configurations drift, so systems and processes must be tested regularly. Run internal and external vulnerability scans at least quarterly and after any significant change, with the external scans performed by a PCI SSC Approved Scanning Vendor (ASV), and rescan until all high-risk findings are resolved. Perform penetration testing of the network and application layers at least annually and after any significant change, including tests that confirm segmentation controls actually isolate the cardholder data environment. Use network intrusion detection or prevention systems to monitor traffic at the perimeter of and at critical points inside the CDE, deploy a change-detection mechanism such as file-integrity monitoring that compares critical system, configuration and content files at least weekly, and make sure both alert personnel so that suspected compromises are investigated promptly.
VI) Maintain an Information Security Policy
Maintain a policy that addresses information security for employees and contractors
A documented security policy tells employees and contractors what their responsibilities are and which procedures they must follow to protect cardholder data; it should be published, reviewed at least annually and updated when the environment changes. Supporting measures include an annual risk assessment that identifies critical assets and threats, screening of prospective personnel before hire, security awareness training on hire and at least annually, and usage policies for critical technologies such as remote access, wireless and removable media. Service providers with whom cardholder data is shared must be managed: keep a list of them, obtain written acknowledgement of their responsibility for the data, verify their compliance status at least annually, and record which requirements each one covers. Finally, an incident response plan that is tested at least annually, with defined roles, contact procedures for the card brands and acquirer, and lessons-learned updates, lets the organisation respond effectively and limit the impact of a breach.
Penalties for non-compliance
The penalties for non-compliance with PCI DSS vary with the circumstances and the card brands involved. PCI DSS itself imposes no penalties; the card brands (Visa, Mastercard, American Express and others) run their own enforcement programmes and levy fines on the acquiring bank, which passes them on to the non-compliant merchant or service provider under the terms of its contract. Consequences can include monthly fines until compliance is restored, higher transaction fees, mandatory forensic investigation at the organisation's expense, reimbursement of card reissuance and fraud losses after a breach, restrictions on card acceptance, and ultimately loss of the ability to process card payments. Non-compliance also brings reputational damage, loss of customer trust, and potential legal and regulatory liability if a breach or fraud occurs.