Security: PCI Compliance and Regulations #8
Welcome back my DNS-overridden Reader,
As the closing Article of our Security MiniSeries, today we're going to introduce you to PCI Compliance and Regulations. Although we have only scratched the surface of Security as a field, this journey started together over 4 months ago and has hopefully laid the basis for further, more advanced Articles in the Security space as we move forward.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that ALL companies that process, store or transmit credit card data maintain a secure environment. The standard was established to help companies process credit card payments safely and to reduce credit card fraud and extortion. PCI Compliance and Regulations are primarily driven by the major organizations that handle credit cards, such as MasterCard, Visa, American Express, JCB and Discover. Private credit cards, which are not part of a major credit card scheme, are not covered by the PCI Compliance and Regulation Standards.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) who produces a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by a Self-Assessment Questionnaire (SAQ) for organizations handling smaller volumes.
PCI DSS provides a baseline of technical and operational requirements intended to protect account information. PCI DSS applies to all entities involved in payment card processing, such as merchants, processors, issuers, acquirers and service providers. PCI DSS likewise applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
Let’s take a look at 12 PCI DSS requirements.
1. Install and maintain a firewall configuration to protect cardholder data
Establish and implement firewall and router configuration standards that include the set of rules presented in the Payment Card Industry Data Security Standard document provided by the PCI Security Standards Council.
Firewalls are devices that examine and control all network traffic and block transmissions that do not meet the defined security criteria. Firewalls can monitor traffic between internal and external networks as well as traffic into and out of sensitive areas within the internal trusted network. The cardholder data environment is an example of such a sensitive area within the internal trusted network.
All systems must be protected from unauthorized access from untrusted sources, including employee Internet access, employee e-mail access, entry via the Internet, business-to-business connections, access via wireless networks, and other sources.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, and Simple Network Management Protocol (SNMP) community strings.
Malicious individuals (both external and internal) often use vendor-set default passwords and other vendor default settings to compromise systems. These passwords and settings are easily exploited because they are publicly available and take little effort to determine. Changing these settings and passwords makes systems less vulnerable to attack. Even if a default account is not used, changing the default password to a strong, unique password and then disabling the account prevents an attacker from re-enabling the account and gaining unauthorized access with the default password.
3. Protect stored cardholder data
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
- Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
- Specific retention requirements for cardholder data
- Processes for secure deletion of data when no longer needed
- A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Protection methods such as encryption, masking, truncation and hashing are the most important components of cardholder data security. If an attacker bypasses other security controls and gains access to encrypted data, that data is unusable to them without the cryptographic keys.
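The protection and retention measures above, applied in code. This is an added example, not code from the article or from the PCI Security Standards Council: it applies truncation (for storage), masking (for display) and a keyed hash (for equality lookups) to a constructed, Luhn-valid test PAN, and implements the retention check that finds stored records older than the defined period. The hash key, the 90-day retention period, the `SAMPLE_RECORDS` layout and the first-six/last-four truncation rule are assumptions of this example.

```python
"""Added example (not from the article): protecting stored cardholder data.

Applies truncation, masking and a keyed hash to a constructed, Luhn-valid
test PAN, plus a retention check that finds records older than the defined
retention period. Key, retention period and record layout are assumptions.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed key for this example only; a real key comes from a key
# management system and is never hard-coded.
DEMO_HASH_KEY = b"example-only-key-do-not-use-in-prod"

# Assumed retention policy for the example.
RETENTION_DAYS = 90

# Constructed records of stored cardholder data and a fixed "today".
SAMPLE_RECORDS = [
    {"id": "rec-1", "stored_on": date(2015, 9, 1)},
    {"id": "rec-2", "stored_on": date(2015, 12, 1)},
]
SAMPLE_TODAY = date(2016, 1, 1)


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 13-19 digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle is discarded."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Render the PAN for display with only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable for equality lookups."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def records_exceeding_retention(records, today, retention_days=RETENTION_DAYS):
    """Return ids of records whose stored_on date is older than the retention period."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["stored_on"] < cutoff]


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    print("valid:", luhn_valid(pan))
    print("stored (truncated):", truncate_pan(pan))
    print("displayed (masked):", mask_pan(pan))
    print("lookup token:", hash_pan(pan)[:16], "...")
    print("to purge:", records_exceeding_retention(SAMPLE_RECORDS, SAMPLE_TODAY))
```

The keyed hash is chosen over a plain SHA-256 so that a leaked table of tokens cannot be reversed by hashing every possible PAN; the key must be managed like an encryption key.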
4. Encrypt transmission of cardholder data and sensitive information across public networks
Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Sensitive data must be encrypted during transmission over insecure networks that can be easily accessed by attackers. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols remain targets of criminals who exploit them to gain access to cardholder data environments.
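The three conditions in the list above (trusted certificates only, secure protocol versions only, adequate strength) expressed as a TLS client configuration. This is an added example, not code from the article: it uses Python's standard `ssl` module to build a context that refuses SSL and early TLS and requires a trusted certificate, and a small policy check for what a connection actually negotiated. Treating TLS 1.1 as "early TLS" and the 128-bit minimum key size are assumptions of this example.

```python
"""Added example (not from the article): enforcing secure protocol versions
and trusted certificates when cardholder data crosses a public network.
The version floor (TLS 1.2) and 128-bit cipher minimum are assumptions.
"""
import socket
import ssl
from typing import Optional, Tuple

# Protocol names as returned by SSLSocket.version(); anything else
# (SSLv2, SSLv3, TLSv1, TLSv1.1) is rejected by policy.
ACCEPTED_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})
MIN_CIPHER_BITS = 128  # assumed policy floor for this example


def make_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context: TLS 1.2+, hostname checking and certificate verification on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL, TLS 1.0 or TLS 1.1
    ctx.check_hostname = True                      # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # only trusted certificates accepted
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Describe the context's version floor and verification settings as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def connection_meets_policy(version: str, cipher_bits: int) -> bool:
    """True when the negotiated version and key size satisfy the policy."""
    return version in ACCEPTED_VERSIONS and cipher_bits >= MIN_CIPHER_BITS


def probe(host: str, port: int = 443, ca_file: Optional[str] = None) -> Tuple[str, str, int, bool]:
    """Connect with the hardened context and report what was negotiated (needs network)."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            version = tls.version()
            return version, name, bits, connection_meets_policy(version, bits)


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    for v, bits in [("TLSv1", 256), ("TLSv1.2", 128), ("TLSv1.3", 256)]:
        verdict = "accepted" if connection_meets_policy(v, bits) else "rejected"
        print(v, bits, "->", verdict)
```

With this context a server that only offers SSLv3 or TLS 1.0 causes the handshake to fail outright, which is the behaviour you want for a cardholder data channel: the connection is refused rather than silently downgraded.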
5. Protect all systems against malware and regularly update anti-virus software or programs
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Malware can enter the network during many online activities, resulting in the exploitation of network vulnerabilities. Anti-virus software must be used on all systems to protect them from malicious threats.
6. Develop and maintain secure systems and applications
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
Malicious individuals use security vulnerabilities to gain unauthorized access to systems. Many of these vulnerabilities can be fixed by vendor-provided security patches, which must be installed by system administrators. All systems must have up-to-date patches to stay protected against exploits and malware.
7. Restrict access to cardholder data by business need-to-know
Limit access to system components and cardholder data to only those individuals whose job requires such access.
To make sure that sensitive data can only be accessed by authorized personnel, systems need to enforce access limitations based on job responsibilities and the information needed to perform a job.
8. Identify and authenticate access to system components
Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
- Assign all users a unique ID before allowing them to access system components or cardholder data.
- Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
- Immediately revoke access for any terminated users.
Assigning a unique identification (ID) to each person with access to the system ensures that each individual is accountable for their actions. Each action taken on sensitive data and systems can be traced to authorized users and processes. How effective a password is depends mainly on the design and implementation of the authentication system: how many attempts an attacker can make, how frequently, and what type of protection is used during transmission and at the entry point to the system.
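The controls in this requirement in code: one unique ID per user, credentials stored as salted password hashes, immediate revocation, and a cap on how many attempts an attacker can make before the account locks. This is an added example, not code from the article; the thresholds (5 failed attempts, 15-minute lockout) and the PBKDF2 iteration count are assumptions of this example, not figures from the article.

```python
"""Added example (not from the article): user identification and
authentication controls. Lockout thresholds and hash parameters are
assumptions of this example.
"""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5        # assumed policy
LOCKOUT_SECONDS = 15 * 60      # assumed policy
PBKDF2_ITERATIONS = 100_000    # assumed work factor


class UserDirectory:
    """In-memory directory keyed by unique user ID."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, user_id: str, password: str) -> bool:
        """Create a user; returns False (and changes nothing) if the ID already exists."""
        if user_id in self._users:
            return False
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
            "active": True,
        }
        return True

    def revoke(self, user_id: str) -> None:
        """Immediately disable a terminated user's access."""
        self._users[user_id]["active"] = False

    def authenticate(self, user_id: str, password: str, now=None) -> str:
        """Return 'ok', 'locked' or 'denied'; counts failures and locks the account."""
        now = time.time() if now is None else now
        rec = self._users.get(user_id)
        if rec is None or not rec["active"]:
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"


if __name__ == "__main__":
    d = UserDirectory()
    d.add_user("alice", "correct horse battery staple")
    print(d.authenticate("alice", "wrong"))
    print(d.authenticate("alice", "correct horse battery staple"))
```

Unknown users and wrong passwords both return the same "denied" so the response does not reveal which IDs exist; the lock is enforced before the hash is computed so a locked account cannot be used to burn CPU.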
9. Restrict physical access to cardholder data
Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment:
- Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas.
- Review collected data and correlate with other entries.
- Store for at least three months, unless otherwise stated by law.
Any physical access to systems or sensitive data gives malicious individuals the chance to access devices or data, or to modify or delete them, and should be restricted. This point applies to full-time and part-time employees, consultants and contractors who are physically present on the entity's premises. A “visitor” is a vendor, guest or anyone who needs to enter the premises for a short time, usually not more than one day.
10. Track and monitor all access to network resources and cardholder data
Implement audit trails to link all access to system components to each individual user. Implement automated audit trails for all system components to reconstruct the following events:
- All individual user accesses to cardholder data.
- All actions taken by any individual with root or administrative privileges.
Logging mechanisms and the ability to track user activities are essential for both prevention and detection of a data compromise. The presence of logs in the system allows tracking, alerting and analysis when something isn't right.
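A review of an audit trail against the two events listed above: every access to cardholder data linked to an individual user, and every action taken with root or administrative privileges surfaced. This is an added example, not code from the article: the log lines are constructed for it, and the key=value line format, the `READ_CHD` action name and the set of administrative accounts are assumptions of this example.

```python
"""Added example (not from the article): reviewing an audit trail so that
every access to cardholder data is linked to an individual user and every
privileged action is surfaced. Log format and lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2016-03-01T10:15:00Z user=alice action=READ_CHD object=pan_vault result=success
2016-03-01T10:16:30Z user=root action=MODIFY_ACL object=pan_vault result=success
2016-03-01T10:17:05Z user=bob action=READ_CHD object=pan_vault result=denied
2016-03-01T10:18:40Z user=- action=READ_CHD object=pan_vault result=success
2016-03-01T10:19:12Z user=alice action=LOGIN object=pos-01 result=success
"""

ADMIN_ACCOUNTS = frozenset({"root", "Administrator"})  # assumed
CHD_ACTIONS = frozenset({"READ_CHD", "WRITE_CHD"})      # assumed action names

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) result=(?P<result>\S+)$"
)


def parse_audit_log(text):
    """Parse key=value audit lines into dicts; malformed lines are returned separately."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def chd_access_by_user(events):
    """Count cardholder-data accesses (any result) per identified user."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] in CHD_ACTIONS and e["user"] != "-":
            counts[e["user"]] += 1
    return dict(counts)


def unattributed_events(events):
    """Events carrying no individual user ID: these cannot be linked to a person."""
    return [e for e in events if e["user"] == "-"]


def privileged_actions(events, admins=ADMIN_ACCOUNTS):
    """Every action taken with a root or administrative account."""
    return [e for e in events if e["user"] in admins]


if __name__ == "__main__":
    events, bad = parse_audit_log(SAMPLE_LOG)
    print("access per user:", chd_access_by_user(events))
    for e in unattributed_events(events):
        print("UNATTRIBUTED:", e["ts"], e["action"], e["object"])
    for e in privileged_actions(events):
        print("PRIVILEGED:", e["ts"], e["user"], e["action"], e["object"])
    print("unparsed lines:", len(bad))
```

Unparsed lines are returned rather than dropped: a log line the reviewer cannot read is itself a finding, since the requirement is to reconstruct these events, not merely to record them.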
11. Regularly test security systems and processes
Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Vulnerabilities are being discovered continually by researchers as well as hackers. Systems and processes should be tested often in order to ensure maximum security in a changing environment.
12. Maintain a policy that addresses Information Security for all personnel
Establish, publish, maintain, and disseminate a security policy. Review the security policy at least annually and update the policy when the environment changes. A strong security policy creates the security tone for the whole entity and informs employees what is expected of them. Everyone must be aware of their responsibilities for protecting the sensitive data.
To keep your business safe, it is extremely important to become compliant with PCI DSS. For example, Target's reputation never completely recovered from its credit card breach. Some smaller businesses may end up shut down if a breach occurs because they ignored PCI compliance.
Also, this is a great way to build trust in your Company, showing that your Company is up to date with the latest Compliance and Security Regulations. If clients are not sure that you are doing everything you can to protect their personal and financial data, they will find another Company that will. Keep that in mind.
Did you like this Article? Share your comments with us.