What is PCI DSS Compliance?
PCI DSS is the short form for Payment Card Industry Data Security Standard. It is a set of security standards to ensure secure card transactions and data management. PCI DSS is a set of standards and requirements that ensure that all companies that process, store, and transmit credit cardholder data maintain a secure environment in order to reduce credit card fraud.
PCI DSS Compliance is a needed standard for any business that stores sensitive payment card data and uses mobile credit card processing.
The PCI Security Standards Council was originally created by American Express, Visa, Discover, JCB and Mastercard in the year 2004. The credit card companies themselves enforce PCI compliance rather than the PCI SSC.
PCI Security Standards Council, also known as PCI SSC, defines a set of specific Data Security Standards (DSS) that all merchants must abide by, irrespective of their revenue and credit card transaction volumes.
Twelve Requirements for PCI DSS Compliance
These requirements are set forth by PCI SSC and are as follows:
1. Use and Maintain Firewalls
Proper configuration of firewalls and routers is essential to blocking unknown or foreign entities from accessing private data. Firewalls are required for PCI DSS Compliance because they restrict incoming and outgoing traffic through rules and criteria set by the organisation and protect the cardholder data environment.
2. Proper Password Protections
Most operating devices and systems such as servers, routers, point of sale (POS) systems, network devices, and other third-party products come with factory default settings. They have generic usernames, passwords, and other insecure configuration parameters. Ensuring PCI DSS Compliance in this area includes maintaining a list of all devices and software that require a password or other security keys to access. It is also necessary to maintain an inventory of all systems, together with their configuration and hardening procedures.
3. Protect Cardholder Data
The two-fold protection of cardholder data and prevention of data breaches is the third and most important requirement of PCI compliance. According to Requirement no. 3, card data must be encrypted using industry-accepted algorithms. Many merchant services do not know they are storing unencrypted primary account numbers (PAN); thus, they must regularly scan their systems for PANs to ensure no unencrypted card data exists.
4. Encrypt Transmitted Data
The card data must be secured through encryption when transmitted over open and public networks under this requirement.
5. Use and Maintain Anti-Virus
For PCI DSS compliance, the company needs to install anti-virus and anti-malware programs. These should be updated regularly to prevent malware from infecting systems.
6. Properly Updated Software
Application manufacturers release updates to patch security holes. As per Requirement 6.2, to maintain PCI DSS Compliance, merchants must install critical patches within a month of their release.
7. Restrict Data Access
Under this requirement, companies need a role-based access control (RBAC) system. It restricts access to cardholder data so that only a limited set of personnel are granted access on a need-to-know basis. Limiting access to data reduces the chances of a security breach.
8. Unique IDs for Access
To meet this requirement of PCI DSS compliance, the company should not allow a single shared login to the encrypted data. Every authorised user should have individual credentials and identification for access. All user IDs should be unique and complex to reduce vulnerability.
9. Restrict Physical Access
Limited personnel should have access to sensitive information. The company should keep all the data in a secure location. The data centre should be monitored using surveillance cameras and entry authentication to ensure a PCI compliant hosting environment.
10. Create and Maintain Access Logs
The most common contributor to data breaches is non-compliance with log management. A log entry should be made for all activities dealing with cardholder data and primary account numbers. The logs must be reviewed daily to search for anomalies, errors and suspicious activity. Log monitoring systems such as Security Information and Event Management (SIEM) tools help the company to log system and network activities, inspect and monitor logs and alert on suspicious activity that occurs inside the system.
11. Scan and Test for Vulnerabilities
Regular monitoring, scanning, and testing systems and processes can help the company identify the defects and vulnerabilities in the system. Conducting vulnerability scans frequently helps to ensure cardholder data is safe.
12. Document Policies
The final requirement of PCI DSS compliance is to implement and maintain an information security policy for all employees and other relevant parties, and to review the policy yearly. It requires documentation of how information flows into the company, how it is stored and how it is used after the point of sale.
PCI DSS compliance requirements are a set of security controls that companies need to implement to protect credit cardholder data.