12 Steps to PCI DSS Compliance (Part 1)

Posted by John Feucht on Aug 8, 2014 9:43:50 AM

This is Part 1 in a 2-part series on the 12 requirements of PCI DSS.

If you run a small business that accepts credit or debit cards, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS). Most small business owners know by now that they need to be PCI compliant, but many aren't sure what the PCI DSS actually requires, never mind how to comply.

PCI DSS (Payment Card Industry Data Security Standard) was created by the major card brands to protect cardholder data and reduce card fraud. It applies to every merchant and service provider that stores, processes, or transmits cardholder data, regardless of size or transaction volume, and it requires them to put specific technical and operational safeguards in place.

The standard is organized into 12 main requirements, grouped into six sections. In this post, we'll tackle the first six requirements:

Section 1 – Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

Data moves in and out of a network over many different services: web traffic (HTTP and HTTPS), file transfer (FTP, SFTP), remote desktop (RDP), voice over IP, and so on. Each service listens on a specific TCP or UDP port, and that port is what a firewall rule controls.

A firewall may be a dedicated hardware appliance or software running on a server, but either way it is managed through a configuration interface, and the configuration is what matters. The best practice is default deny: block everything, then open only the specific ports that approved parties need, and only from the specific source addresses they connect from. A firewall configured this way would, for example, refuse all file transfer connections except those to or from approved vendors and customers; anyone probing the file transfer port from an unapproved IP address is simply dropped. The same discipline applies to outbound traffic: systems that hold cardholder data should only be able to reach the destinations they need, which limits how stolen data can leave the network. PCI DSS also requires that the rule set be documented, with a business justification for every port that is open, and that it be reviewed at least every six months so that temporary exceptions do not become permanent holes.
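To make the default-deny idea concrete, here is a small policy model in Python. It is an added example, not code from the original post or from any firewall vendor: the addresses, ports and rules are constructed, and "first matching rule wins, anything unmatched is denied" is the semantics the post describes. The lint function at the end is the check a six-monthly rule-set review should run.

```python
"""Default-deny firewall policy, modelled in Python.

Added example (not from the original post). It implements the rule the post
describes: block everything, then allow specific ports from specific sources.
Every address, port and rule below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports legitimately reachable from the whole Internet in this hypothetical
# environment (a public HTTPS storefront). Anything else must be source-restricted.
PUBLIC_PORTS = {443}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    dport: int    # destination port the service listens on
    source: str   # CIDR range of permitted (or denied) clients


# Hypothetical rule set. First matching rule wins; anything unmatched is denied.
POLICY = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),         # storefront, open to customers
    Rule("allow", "tcp", 22, "203.0.113.0/24"),     # SFTP from the approved vendor range only
    Rule("allow", "tcp", 3389, "198.51.100.7/32"),  # remote desktop from the admin jump host only
    Rule("deny", "tcp", 21, "0.0.0.0/0"),           # cleartext FTP is never accepted
]


def evaluate(policy, proto, dport, src_ip, default="deny"):
    """Return the action the firewall takes for one connection attempt."""
    src = ip_address(src_ip)
    for rule in policy:
        if (rule.proto == proto and rule.dport == dport
                and src in ip_network(rule.source)):
            return rule.action
    return default  # default deny: no rule matched, so the packet is dropped


def overly_broad_allows(policy):
    """Flag allow rules that open a non-public port to the whole Internet.

    An "allow from any" on SFTP or RDP defeats the purpose of the firewall;
    this is the first thing a rule-set review should look for.
    """
    return [r for r in policy
            if r.action == "allow"
            and ip_network(r.source).prefixlen == 0
            and r.dport not in PUBLIC_PORTS]


# Constructed connection attempts, as a firewall log might record them.
SAMPLE_ATTEMPTS = [
    ("tcp", 443, "192.0.2.44"),       # customer browsing the storefront
    ("tcp", 22, "203.0.113.10"),      # approved vendor uploading a file
    ("tcp", 22, "192.0.2.44"),        # unknown host probing SFTP
    ("tcp", 21, "203.0.113.10"),      # even the vendor may not use cleartext FTP
    ("tcp", 3389, "198.51.100.7"),    # admin connecting from the jump host
    ("tcp", 3389, "198.51.100.8"),    # neighbour of the jump host: still blocked
    ("udp", 443, "192.0.2.44"),       # wrong protocol for the storefront rule
]


def audit(policy, attempts):
    """Evaluate each attempt and return (proto, port, source, action) tuples."""
    return [(p, d, s, evaluate(policy, p, d, s)) for p, d, s in attempts]


if __name__ == "__main__":
    for proto, dport, src, action in audit(POLICY, SAMPLE_ATTEMPTS):
        print(f"{action:5} {proto}/{dport:<5} from {src}")
    # A rule set with a careless "RDP from anywhere" entry fails the review.
    bad_policy = POLICY + [Rule("allow", "tcp", 3389, "0.0.0.0/0")]
    print("overly broad:", overly_broad_allows(bad_policy))
```

Note that the vendor is allowed SFTP but still denied cleartext FTP, and that a host one address away from the jump host is dropped: the source restriction, not just the port, is what protects the management interface.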

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Every piece of hardware (firewalls and routers included) and almost every piece of software ships with default credentials, and usually with other default settings as well: SNMP community strings, built-in accounts, and services that are enabled whether or not you use them. For example, the default username/password for many Cisco firewalls is "cisco," and for many SonicWALL brand firewalls it's "admin" or "access." These defaults are published in vendor manuals and in public lists, so unless they are changed, anyone who can reach the device's management interface can log in and make changes. Change every default credential before a system is connected to the network, remove or disable accounts you don't need, and turn off services and protocols that aren't required.

Section 2 – Protect Cardholder Data

3. Protect stored cardholder data

Cardholder data should be kept only as long as there is a business need for it and securely deleted as soon as that need ends; a written retention policy should say how long that is. Wherever it is stored, you need to know exactly where: which databases, files, backups, and logs contain it. And everywhere it is stored, the primary account number (PAN) must be rendered unreadable, whether by strong encryption with proper key management, truncation, one-way hashing, or tokenization.

For example, an accounting program should display at most the first six and last four digits of a customer's card number, and usually only the last four. Sensitive authentication data, meaning the 3- or 4-digit card verification code printed on the card, full magnetic-stripe or chip data, and PINs, must never be retained after authorization, even in encrypted form.
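The three tasks this requirement implies (find out where card numbers actually are, mask them, and purge the verification code) are shown below in Python. This is an added example, not code from the original post: the log lines and the record are constructed, the card numbers are standard industry test numbers, and the field names treated as sensitive authentication data are an assumption about how a hypothetical application labels its columns. It goes a little beyond the text by using the Luhn check to separate real card numbers from order and tracking numbers that happen to be the same length.

```python
"""Find, mask and purge cardholder data in stored records and logs.

Added example (not from the original post). Locates PANs that have leaked
into places they should not be, masks them to the last four digits, and
strips sensitive authentication data (card verification code, track data,
PIN) that must never be retained. Sample data is constructed; the card
numbers are industry test numbers, not real cards.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. Candidates are confirmed with the Luhn check to weed out
# order numbers, tracking numbers and timestamps.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed field names for sensitive authentication data. These are dropped,
# never masked: storing them after authorization is prohibited even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin"}
CVV_IN_TEXT = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=\d{3,4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(text: str) -> str:
    return re.sub(r"[ -]", "", text)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in free text (logs, exports, dumps)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str, keep_first: int = 0) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and the
    last four digits to be shown; the default shows only the last four."""
    if not 0 <= keep_first <= 6:
        raise ValueError("at most the first six digits may be displayed")
    digits = _digits(pan)
    return digits[:keep_first] + "*" * (len(digits) - keep_first - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace Luhn-valid PANs with their masked form and remove any card
    verification codes that were logged alongside them."""
    def _mask(m):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()                    # not a card number: leave it untouched
    return CVV_IN_TEXT.sub(r"\1=[removed]", PAN_CANDIDATE.sub(_mask, text))


def sanitize_record(record: dict) -> dict:
    """Return a copy of a stored record that is safe to keep: sensitive
    authentication data dropped, the PAN masked."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            continue
        clean[key] = mask_pan(str(value)) if k == "pan" else value
    return clean


# Constructed application log in which a developer logged full card details.
SAMPLE_LOG = """\
2014-08-08 09:43:50 order=100045 pan=4111111111111111 cvv=123 amount=49.99
2014-08-08 09:44:02 customer phoned from 555-123-4567, ref 000123456789
2014-08-08 09:45:17 retry card 5500 0000 0000 0004 exp 12/19
2014-08-08 09:46:00 tracking 4111111111111112 shipped
"""

# Constructed record as it might sit in a CRM or accounting database.
SAMPLE_RECORD = {"name": "J. Doe", "pan": "4111111111111111", "exp": "12/19",
                 "cvv": "123", "track2": "4111111111111111=19121011234500000000"}

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
    print(sanitize_record(SAMPLE_RECORD))
```

The tracking number on the last log line is sixteen digits long but fails the Luhn check, so it is left alone; the two real test card numbers are masked and the logged verification code is removed. Running a scan like this over file shares, databases and log directories is how you answer the "where is it stored?" question the requirement asks.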

4. Encrypt transmission of cardholder data across open, public networks

Cardholder data needs to be encrypted as it travels across open, public networks, and you should treat any network you don't fully control, the Internet and wireless networks included, as open. For example: if card data crosses a Wi-Fi network with no encryption, or one still using the obsolete WEP protocol, that's not secure. Password protection alone isn't enough, either; you need strong cryptography, such as WPA2 for wireless and TLS for connections over the Internet, configured so that only trusted certificates and strong cipher suites are accepted.

Cardholder data should never be sent by end-user messaging such as email, instant messaging, or SMS, and certainly not to anybody outside your protected network. For example, sending customers an email containing their current card number and asking them to update it is not safe: you have no control over how the message is transmitted or where it is stored along the way, and the card number now sits in their mailbox indefinitely.

Basically, you’re responsible for all credit card data from the moment it enters your system—as you store it, as you process it, and definitely if you expose it in any way.

Section 3 – Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

Malware exploits vulnerabilities to get onto a system and then harvests and transmits data out of your network. In addition to periodic scans, your company's anti-virus software must be kept current, with signatures updating automatically, and it must be deployed on every system commonly affected by malware, particularly personal computers and servers. It should scan data as it enters your network, including email attachments, websites visited, and files downloaded from any outside source or copied from removable media. PCI DSS also requires that anti-virus mechanisms be actively running, that users not be able to disable them, and that their logs be retained so an infection can be traced.

6. Develop and maintain secure systems and applications

A business should continually identify vulnerabilities in its systems and fix them. Software updates often include security patches, and PCI DSS requires that critical security patches be installed within one month of release.

For example, a good CRM system (one place where customers' card data might be stored) should always have the latest updates installed. Any proposed software, and any custom modules added to existing software, should be vetted for security before deployment, and software you develop in-house should follow secure coding practices that address common flaws such as injection, broken authentication, and cross-site scripting. Documentation is key here: follow a change-control process, keep track of all changes, and update your written policies and procedures to reflect current best practices.

Want to learn more?

Next week we’ll review the final six requirements of PCI DSS. Until then, why not check out how we help our clients comply with PCI DSS in our free guide, “Compliance and Data Security in the Cloud with C3 Solutions.”
