PCI DSS Compliance: What should I do?

About PCI DSS Compliance Requirements

PCI DSS was created by the Payment Card Industry Security Standards Council, which consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The Council recently updated its global PCI compliance policies to protect cardholder data: in response to increased credit card fraud, it modernized the compliance standards in an effort to obstruct and prevent further theft of personal information, hence PCI DSS. The new PCI compliance requirements are strictly enforced by the payment card brands on all merchants who transmit, store, or process credit card information.

PCI DSS Standards

PCI DSS applies to merchants, manufacturers of PIN entry terminals, and the software used to store, process, and/or transmit cardholder data.

PCI DSS: All merchants who store, process, and/or transmit cardholder data must comply with the standards.

The new PCI compliance regulations were developed to meet the Payment Card Industry Security Standards Council’s goals to help thwart the theft of sensitive cardholder information. The main goals of PCI DSS 1.2:

  1. Build and Maintain a Secure Network that is PCI compliant
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Goal 1: Build and Maintain a Secure Network

1.1 Requirement: All merchants must protect cardholder information by installing a firewall and router system. A firewall provides control over who can access an organization’s network, and a router is a device that connects networks; installing both is what this requirement asks for.

Configure firewall and router standards to:

  1. Perform testing when configurations change
  2. Identify all connections to cardholder information
  3. Review configuration rules every six months

Configure the firewall to prohibit unauthorized access from untrusted networks and hosts and to deny direct public access to any cardholder information. Additionally, install firewall software on all computers that access the organization’s PCI compliance network.

1.2 Requirement: Change all default passwords. Default passwords provided when software is first set up are well known and can be easily discovered by attackers seeking access to sensitive information.

Goal 2: Protect Cardholder Data

2.1 Requirement: Cardholder data is any personal information about the cardholder that is found on the payment card and must never be retained by a merchant; this includes keeping authentication data after authorization, even in encrypted form. Merchants may display at most the first six and last four digits of the primary account number (PAN). If a merchant stores the PAN, it must secure the data by saving it in a cryptographic form.
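The display and storage rules above, as an added example that is not from the original page: the PAN is masked to at most the first six and last four digits for display, and only a keyed one-way hash (HMAC-SHA256, one of the "cryptographic forms" a merchant may keep) plus the masked value are retained, never the full PAN. The sample PANs are constructed test values, and the HMAC key is a placeholder that in practice would come from a key manager or HSM.

```python
import hashlib
import hmac
import re

# Constructed sample PANs for illustration only (standard test numbers, not real cards).
SAMPLE_PANS = ["4111 1111 1111 1111", "378282246310005"]

# Assumption: the key lives outside the cardholder data environment (HSM / key manager);
# this literal is a placeholder so the example runs stand-alone.
STORAGE_KEY = b"placeholder-key-from-your-key-manager"


def _digits(pan: str) -> str:
    """Strip spaces/dashes and validate the PAN length (13 to 19 digits)."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def mask_pan(pan: str) -> str:
    """Mask for display: first six and last four digits visible, the rest replaced by '*'."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_fingerprint(pan: str, key: bytes = STORAGE_KEY) -> str:
    """Keyed one-way hash of the full PAN, usable for lookups without storing the PAN."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def store_record(pan: str, key: bytes = STORAGE_KEY) -> dict:
    """The only PAN-derived values a merchant record keeps: masked PAN and its HMAC."""
    return {"pan_masked": mask_pan(pan), "pan_hmac": pan_fingerprint(pan, key)}


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Defensive check: True if any stored value still contains the full PAN."""
    full = _digits(pan)
    return any(full in str(v) for v in record.values())


if __name__ == "__main__":
    for p in SAMPLE_PANS:
        rec = store_record(p)
        print(rec, "leaks full PAN:", record_leaks_pan(rec, p))
```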

2.2 Requirement: It is required that all information is encrypted when transmitting the data across public networks, such as the Internet, to prevent criminals from stealing the personal information during the process.

Goal 3: Maintain a Vulnerability Management Program

3.1 Requirement: Computer viruses reach computers in many ways, mainly through email and other online activities. Viruses compromise the security of cardholder information on a merchant’s computer, so anti-virus software must be present on all computers connected to the network.

3.2 Requirement: Beyond viruses, computers are also susceptible to a breach through the applications and systems installed on them. Merchants must install vendor-provided security patches within a month of their release to avoid exposing cardholder data. Security alert programs, scanning services, or software may be used to signal the merchant of any vulnerable information.

Goal 4: Implement Strong Access Control Measures

4.1 Requirement: As a merchant, you must limit access to cardholder information. Use passwords and other security measures to limit employees’ access to cardholder data. Only employees who must access the information to do their job are allowed to access it.

4.2 Requirement: In order to trace employees’ activities when they access sensitive information, assign each user an individual, unreadable password for accessing the cardholder data.

4.3 Requirement: Monitor physical access to cardholder data; secure printed information as well as digital so that unauthorized persons have no opportunity to retrieve it. Destroy all outdated cardholder information. Maintain a visitor log and keep it for at least three months.

Goal 5: Regularly Monitor and Test Networks

5.1 Requirement: Keep system activity logs that trace all activity and review them daily. The information in the logs is useful in the event of a security breach to trace employee activities and locate the source of the violation. Each record must reflect, at a minimum: the user, the event, the date and time, a success or failure indication, the source of the affected data, and the system component.
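An added example (not from the original page) of the record format and daily review described above: each audit line carries the six minimum fields listed, a checker flags lines that lack any of them, and the daily review tallies failed accesses per user. The field names, the JSON-lines format and the sample log lines are constructed for this illustration.

```python
import json
from datetime import datetime, timezone

# The minimum fields requirement 5.1 lists; names are this example's own choice.
REQUIRED_FIELDS = ("user", "event", "timestamp", "outcome", "source", "component")


def audit_record(user, event, outcome, source, component, when=None) -> str:
    """Emit one JSON log line carrying every required field."""
    when = when or datetime.now(timezone.utc)
    rec = {"user": user, "event": event, "timestamp": when.isoformat(),
           "outcome": outcome, "source": source, "component": component}
    return json.dumps(rec)


def missing_fields(line: str) -> list:
    """Return the required fields that are absent or empty in one log line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def daily_review(lines) -> dict:
    """Summarise a day's log: failures per user and incomplete records to chase up."""
    failures, incomplete = {}, []
    for n, line in enumerate(lines, 1):
        miss = missing_fields(line)
        if miss:
            incomplete.append((n, miss))   # record cannot be trusted for tracing
            continue
        rec = json.loads(line)
        if rec["outcome"] == "failure":
            failures[rec["user"]] = failures.get(rec["user"], 0) + 1
    return {"failures_by_user": failures, "incomplete": incomplete}


# Constructed sample log lines (not from any real system); line 4 lacks three fields.
SAMPLE_LOG = [
    audit_record("alice", "view_pan", "success", "10.0.0.5", "cde-db01"),
    audit_record("bob", "view_pan", "failure", "10.0.0.9", "cde-db01"),
    audit_record("bob", "view_pan", "failure", "10.0.0.9", "cde-db01"),
    '{"user": "carol", "event": "export", "outcome": "success"}',
]

if __name__ == "__main__":
    print(daily_review(SAMPLE_LOG))
```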

5.2 Requirement: Each quarter, use a wireless analyzer to check for wireless access points to prevent unauthorized access. Also, scan internal and external networks to identify any possible vulnerable areas in the system. Install software to recognize any modification by unauthorized personnel. Additionally, ensure that all IDS/IPS engines are up to date.

Goal 6: Maintain an Information Security Policy

Requirement: Establish a security policy that covers all PCI DSS compliance requirements and includes annual procedures to recognize any security breaches and day-to-day security policies. Perform background checks on potential employees and educate new and current employees about the new compliance regulations.

How do I become PCI DSS compliant?

To become a PCI compliant merchant, please fill out the first part of the self-assessment questionnaire found on the home page. This questionnaire consists of yes-or-no questions about your current processing service practices, and allows for flexibility depending on each individual business.

PIN Entry Device Security Requirements (PCI PED)

While these standards apply to the manufacturers of PIN devices, PCI DSS mandates that all merchants use a certified PED device. Ensure all of your PIN entry devices are PCI compliant.

Payment Application Data Security Standard (PCI PA-DSS)

Merchants must install certified PCI compliant payment software on their terminal. These certified applications are installed to thwart cardholder data theft.