PCI DSS compliance is nothing new for organizations that handle credit card data. From multi-factor authentication to reporting obligations for service providers, there is something for everyone to comply with and monitor. For big brands and fast-growing businesses alike, becoming the next Target-style card breach is on nobody's wishlist. That fear is one reason PCI compliance matters, and why you and your team should take your security assessment seriously.
According to the PCI Security Standards Council, "PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc."
Some key PCI requirements are covered below, with guidelines and remediation steps. We also look at the PCI Prioritized Approach and how you can achieve PCI compliance.
PCI Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data
Your firewall must control traffic into and out of your network thoroughly and accurately. Both routers and firewalls are in scope for Requirement 1 whenever they connect to, or segment, the cardholder data environment (CDE).
Formalize the process by which you test and review your firewall and router configurations at a set cadence. Maintain a current network diagram that identifies every connection between the CDE and other networks, including wireless networks. Review your rule sets at least every six months.
Prohibit direct public access between the Internet and any system component in the CDE: inbound traffic should terminate in a DMZ, and outbound traffic from the CDE to the Internet should be restricted to what is explicitly authorized.
Install personal firewall software (or equivalent functionality) on every portable computing device, whether company-owned or employee-owned, that connects to the Internet when outside the network and is also used to access the CDE.
PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks
Merchants and service providers must protect sensitive cardholder data whenever it travels across open, public networks. Requirement 4 presents specific challenges: vulnerable protocols such as SSL and early TLS have to be removed, while cardholder data entered into publicly accessible e-commerce ordering systems must remain protected in transit by strong cryptography. End-user messaging technologies such as email, instant messaging, SMS and unencrypted fax offer no such protection, so never send unprotected primary account numbers (PANs) through them.
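The following Python example is added here and is not code from the original article or from the PCI SSC. It builds a client TLS configuration that refuses SSL/early TLS and non-forward-secret or weak cipher suites using only the standard library, places a legacy configuration beside it, and audits both with a small checker. The cipher string, the weak-cipher markers and the audit rules are this example's own assumptions about what a Requirement 4 review would look for, not text from the standard.

```python
"""Hardened vs. legacy TLS client configuration with a Requirement 4 style audit.

Added example, not code from the original article. The cipher string, the
weak-cipher markers and the audit rules are this example's own choices.
"""
import ssl

# Assumed policy: forward-secret AEAD suites only; legacy algorithms excluded.
PCI_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"

# Substrings that mark a cipher suite as unacceptable (assumed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def hardened_context() -> ssl.SSLContext:
    """Client context that never negotiates SSL/TLS 1.0/TLS 1.1 or weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # early TLS is refused at handshake
    ctx.set_ciphers(PCI_CIPHERS)
    return ctx


def legacy_context() -> ssl.SSLContext:
    """The 'before' configuration: lets OpenSSL offer any version it still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes the audit."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} permits SSL/early TLS"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif suite["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"cipher suite from the SSLv3/early TLS era: {name}")
        elif suite["protocol"] == "TLSv1.2" and not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipher suite without forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Pass the hardened context to any client that accepts an `SSLContext` (for example `urllib.request.urlopen(url, context=ctx)`). The audit only inspects local configuration; what a remote server actually negotiates still needs to be confirmed with an external scan.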
PCI Requirement 8.3: Two-Factor or Multi-Factor Authentication
We all know that passwords alone are no longer sufficient to protect access to sensitive data. According to the 2016 Verizon Data Breach Investigations Report, a majority of confirmed breaches involved weak, default or stolen passwords. PCI DSS 3.2 changed the two-factor authentication (2FA) requirement to multi-factor authentication (MFA), clarifying that you are not limited to exactly two factors. Under 3.2, MFA is required for all non-console administrative access to the cardholder data environment (CDE), whether from inside the network or remotely, and for all remote network access originating from outside the entity's network.
To satisfy this requirement, use at least two of these three independent factor types (two passwords do not count as two factors):
- Something you know: a password or passphrase
- Something you have: a physical device such as a smart card or hardware token
- Something you are: a biometric, such as a fingerprint or retinal scan
The Prioritized Approach to PCI DSS Compliance
According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities based on the risk associated with storing, processing and/or transmitting cardholder data. The roadmap helps organizations achieve compliance, establish milestones and lower the risk of cardholder data breaches earlier in the compliance process, and helps acquirers objectively measure the compliance activities and risk reduction of merchants, service providers and others.
The Prioritized Approach was devised from data on actual breaches, together with feedback from Qualified Security Assessors, forensic investigators and the PCI Security Standards Council Board of Advisors.
The Prioritized Approach is intended to provide:
- A roadmap that an organization can use to address its risks in priority order
- A pragmatic approach that allows for “quick wins”
- Support for financial and operational planning
- Objective and measurable progress indicators
- Greater consistency among assessors
If you want to implement the Prioritized Approach to PCI DSS Compliance, CyberStrong can get you there with a systematic and optimized approach. CyberStrong uses credible risk data to help you prioritize your PCI control remediation plan. In addition, you'll get an AI-optimized roadmap that incorporates the controls within your existing gaps, presenting you and your team with the highest-impact, lowest-cost plan of action on how to proceed.