The Payment Card Industry Data Security Standard (PCI DSS) is nothing new for organizations that handle credit card data. As cash is used less and less and businesses of all sizes embrace e-commerce, securing payment information has never been more important. From multi-factor authentication to reporting for service providers, there is a wealth of requirements for those handling payment card data to comply with and monitor. Especially for big brands or fast-growing businesses, becoming the focus of another Target credit card scandal is not on anyone's wishlist. The fear of being the next big scandal is one reason why PCI DSS compliance is so important, and why you and your team should take your PCI security assessment seriously. PCI compliance tools, most often those that also accelerate broader governance, risk and compliance activities, help to keep all of these requirements measured, monitored, and on track with program objectives.
According to the PCI Security Standards Council, "PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc."
Some key PCI DSS compliance requirements found in a typical self-assessment questionnaire (SAQ) are listed below, including guidelines and remediation steps. These activities can be accelerated using PCI compliance tools that help automate governance, risk and compliance work. We also dive into the PCI DSS Compliance Prioritized Approach, completing a PCI DSS compliance assessment, and how you can achieve PCI DSS compliance at scale.
Understanding The Prioritized Approach to PCI DSS Compliance
According to the PCI Security Standards Council's Prioritized Approach document, the Prioritized Approach provides a roadmap of compliance activities based on the risk associated with storing, processing, and/or transmitting cardholder data. Some requirements call for the use of approved vendors, for example an Approved Scanning Vendor (ASV) for external vulnerability scanning.
PCI DSS compliance tools help to automate and accelerate the Prioritized Approach when teams feel their objectives are bogged down in manual effort and self-attestation that isn't trackable or reportable outside of spreadsheets. The roadmap helps organizations achieve compliance, establishes milestone target controls, lowers the risk of cardholder data breaches earlier in the compliance process, and helps acquirers objectively measure PCI DSS compliance activities and risk reduction by merchants, service providers, and others.
The Prioritized Approach for PCI DSS compliance was devised after factoring data from actual breaches, and feedback from Qualified Security Assessors, forensic investigators, and the PCI Security Standards Council Board of Advisors.
PCI Requirement 1: Install and Maintain a Firewall and Router Configuration to Protect Cardholder Data
Your firewall functionality must be robust enough to thoroughly and accurately control traffic in and out of your network. Both routers and firewalls are within scope for PCI Requirement 1 as long as they are used in the cardholder data environment (CDE). PCI compliance tools can help you keep track of how often you test your firewalls and determine compliance against these requirements.
- Formalize the process by which you test your firewall rules at a set cadence. Identify every possible wireless and wired connection to cardholder data. Review your rule sets at least every six months.
- Restrict points of access between any system component in the CDE and the public internet.
- Install personal firewall software on all employee-owned mobile devices and computers. If they use your company internet to access the organization's network and sensitive data, these devices need to be protected.
PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open Public Networks
Merchants processing this data through any point-of-sale system, and likewise service providers, must ensure the safety and security of sensitive information when offering their products and services, especially while it travels across unprotected networks. Information security organizations can face specific challenges with PCI DSS Requirement 4. All vulnerable encryption protocols have to be removed while cardholder data entered into publicly accessible e-commerce ordering systems remains protected at the same time. Unencrypted fax, email and end-user messaging systems are, by definition, unprotected channels, so keep debit card and credit card cardholder data out of them. PCI compliance tools can help organizations maintain their posture against these controls while minimizing duplicative effort across other frameworks and industry standards by intelligently mapping requirements across other compliance controls.
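One concrete way to verify the "remove vulnerable encryption protocols" part of Requirement 4 is to probe an endpoint you are responsible for with a handshake pinned to each TLS version and flag the ones that should be disabled. This is an added example, not code from the original article or from any product it mentions; it assumes a handshake that completes at a given version means the server offers that version, and the target host/port is whatever you pass in.

```python
"""Requirement 4 check: which TLS versions does an endpoint still accept?"""
import socket
import ssl

# Versions PCI DSS regards as vulnerable (SSL/early TLS). SSLv2/SSLv3 cannot
# be requested by a modern OpenSSL at all, so the probe covers the TLS range.
WEAK_VERSIONS = {"TLSv1", "TLSv1.1"}
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_pinned(host, port, version, timeout=5.0):
    """True if the server completes a handshake restricted to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # probing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy versions negotiate at all
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # Rejected handshake, unreachable host, or a version this OpenSSL
        # build cannot even request: all count as "not offered".
        return False


def probe(host, port=443):
    """Set of protocol version names the server accepts."""
    return {name for name, v in PROBE_VERSIONS.items() if handshake_pinned(host, port, v)}


def assess(offered):
    """Turn a set of offered versions into a pass/fail finding with remediation."""
    weak = sorted(offered & WEAK_VERSIONS)
    modern = sorted(offered - WEAK_VERSIONS)
    # Compliant only if nothing weak is offered and at least one modern version is.
    return {"compliant": not weak and bool(modern), "remove": weak, "keep": modern}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder target
    print(assess(probe(target)))
```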
PCI Requirement 8.3: Two Factor or Multi-Factor Authentication
We're all aware that passwords alone are no longer sufficient to secure access to sensitive data. In fact, compromised passwords are the leading cause of data breaches according to the 2016 Verizon Data Breach Investigations Report. PCI DSS 3.2 changed the two-factor authentication (2FA) requirement to multi-factor authentication (MFA), clarifying that you're not limited to only two factors. Anyone with access to the cardholder data environment (CDE) has to use multi-factor authentication, whether they're working remotely or on-premises.
Use two or more of these methods to be compliant with this requirement:
- A password or passphrase
- A physical device, such as a smart card or token device
- A retinal or fingerprint scan
Achieve a Prioritized Approach to PCI DSS Compliance
The goal of the Prioritized Approach is to help develop a roadmap that an organization can use to address its risks in priority order. It enables a pragmatic approach that allows for "quick wins" in milestone target controls, supports financial and operational planning in compliance efforts, ensures objective and measurable progress towards finalizing remaining compliance efforts, and helps promote consistency among assessors. PCI compliance tools help organizations achieve these goals and more, leveraging measurement, automation, visualisation, and reporting to create a more proactive, manageable program whose value is understood by technical and non-technical leadership.
If you want to implement the Prioritized Approach to PCI DSS Compliance, CyberStrong can get you there with a systematic and optimized approach. CyberStrong uses credible risk data to help you prioritize your PCI control remediation plan. In addition, you'll get an AI-optimized roadmap that incorporates the controls within your existing gaps, presenting you and your team with the highest impact and lowest cost plan of action on how to proceed.