12 Steps to PCI DSS Compliance (Part 2)

Posted by John Feucht on Aug 12, 2014 7:14:00 AM

This is Part 2 in a 2-part series on the 12 requirements of PCI DSS. For Part 1, click here.



Last week we started our review of the first 6 of the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Just to recap, these are the information security rules that every business which stores, processes or transmits cardholder data must follow in order to keep accepting credit or debit cards. Today we’ll cover the final 6 requirements:


Section 4 – Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

Not everybody in a business organization needs access to cardholder data to perform their duties. Anyone who does not process payments, or whose role does not otherwise require card data, should not be able to reach it. Access should be denied by default and granted only on the basis of job role and business need, and a written policy should define which roles may access which data and who approves changes to those rules.

For example, an office temp might need to process payments but has no need to access old credit card data or files for their job, so they shouldn’t be able to access those.

8. Identify and authenticate access to system components

Every person in the company needs a unique login ID, so that there’s a record of who accessed what information and when; shared or group accounts are not allowed. This requirement also covers the mechanics of authentication: locking an account after repeated failed login attempts (no more than six, for at least 30 minutes), requiring users to re-authenticate after a session has been idle for 15 minutes, enforcing password strength (at least seven characters with both letters and numbers, changed at least every 90 days), using two-factor authentication for remote access into the network, storing credentials only in hashed or encrypted form, and revoking access immediately when an employee leaves.
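To make these controls concrete, here is an added example, written for this page and not code from the post or from any PCI DSS product, that enforces them in a small Python authentication service: unique IDs, a lockout after six failed attempts that lasts 30 minutes, a 15-minute idle timeout, a minimum password policy, and immediate revocation including live sessions. The thresholds are the PCI DSS v3.0 values; the class, function and user names are assumptions, and the clock is injected so the timeouts can be exercised without waiting.

```python
"""Account-policy enforcement of the kind requirement 8 describes. Added
example, not code from the post or any PCI product: thresholds are the
PCI DSS v3.0 values for 8.1.6-8.1.8 and 8.2.3; all names are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 6          # 8.1.6: lock after no more than six failures
LOCKOUT_SECONDS = 30 * 60        # 8.1.7: stay locked for at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60   # 8.1.8: re-authenticate after 15 idle minutes

def password_meets_policy(password: str) -> bool:
    # 8.2.3: at least seven characters containing both letters and digits
    return (len(password) >= 7 and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def _hash(password: str, salt: bytes) -> bytes:
    # 8.2.1: stored credentials must be unreadable; salted PBKDF2 here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str                 # 8.1.1 / 8.5: one ID per person, never shared
    salt: bytes
    password_hash: bytes
    enabled: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0

class AuthService:
    def __init__(self, now: Callable[[], float]):
        self.now = now           # injectable clock so the timeouts can be exercised
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, list] = {}   # token -> [user_id, last_activity]

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")
        if not password_meets_policy(password):
            raise ValueError("password does not meet 8.2.3")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash(password, salt))

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a session token or None; never reveal which check failed."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            return None
        t = self.now()
        if t < acct.locked_until:
            return None          # still locked: do not even evaluate the password
        if hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            acct.failed_attempts = 0
            token = secrets.token_hex(16)
            self.sessions[token] = [user_id, t]
            return token
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = t + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return None

    def authorize(self, token: str) -> Optional[str]:
        """Return the user behind a live session, expiring idle or disabled ones."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        t = self.now()
        if t - sess[1] > IDLE_TIMEOUT_SECONDS or not self.accounts[sess[0]].enabled:
            del self.sessions[token]
            return None
        sess[1] = t
        return sess[0]

    def terminate_user(self, user_id: str) -> None:
        # 8.1.3: revoke access immediately, including any live sessions
        self.accounts[user_id].enabled = False
        for tok in [k for k, s in self.sessions.items() if s[0] == user_id]:
            del self.sessions[tok]

def walkthrough() -> Dict[str, bool]:
    """Drive the service with a fake clock; returns what each control did."""
    clock = {"t": 0.0}
    svc = AuthService(lambda: clock["t"])
    svc.add_user("jsmith", "Spring2014x")          # constructed sample user
    out = {"weak_rejected": not password_meets_policy("password")}
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("jsmith", "wrong-guess1")
    out["locked"] = svc.login("jsmith", "Spring2014x") is None   # right password, still locked
    clock["t"] += LOCKOUT_SECONDS
    token = svc.login("jsmith", "Spring2014x")
    out["unlocked"] = token is not None
    clock["t"] += IDLE_TIMEOUT_SECONDS + 1
    out["idle_expired"] = svc.authorize(token) is None
    token = svc.login("jsmith", "Spring2014x")
    svc.terminate_user("jsmith")
    out["terminated"] = svc.authorize(token) is None and svc.login("jsmith", "Spring2014x") is None
    return out
```

Running `walkthrough()` returns every flag as `True`: the weak password is refused, the correct password is rejected while the account is locked, the lock lifts after 30 minutes, the idle session expires, and a terminated user can neither keep an existing session nor start a new one. Two details matter in practice: the locked-out path returns before the password is compared, so an attacker cannot keep guessing during the lockout, and `login` returns the same `None` for every failure so that it does not confirm which user IDs exist.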

9. Restrict physical access to cardholder data

This covers physical access to the servers on which cardholder data resides and the computers that can reach it, as well as paper records and backup media that contain cardholder data. Entry to your facility, and especially to server rooms, should be restricted, monitored, and logged; visitors should be identified and escorted, and media should be stored securely and destroyed when it is no longer needed. Keep an up-to-date inventory of every device that reads or transmits card data (POS terminals, PIN pads, card readers), and inspect those devices periodically for tampering or added skimming hardware, so that every device is always accounted for.

Section 5 – Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

Audit logs are key to compliance and accountability. Every access to cardholder data and every action taken by someone with administrative privileges must be logged, along with logins, failed login attempts, and any changes to the audit logs themselves; network administrators are not exempt from any of these controls. The logs must be reviewed regularly (at least daily for security-relevant events) so that a breach of policy is caught quickly rather than discovered months later.

Audit histories need to be protected against tampering and verified for accuracy, which also means keeping system clocks synchronized so that events on different machines can be correlated. Once reviewed, any breaches should be well documented, along with any resulting changes to security policy, and the log history retained for at least one year, with the most recent three months immediately available for analysis.
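The following added example, written for this page and not taken from the post, shows what a daily review of such logs looks like in code. It parses a small set of constructed log lines in a hypothetical format that carries the fields the requirement expects (user, event type, time, success or failure, source and affected resource), reports every administrative action, flags cardholder-data access by anyone outside the need-to-know list from requirement 7, detects bursts of failed logins, notes any line it cannot parse (a gap in the record is itself a finding), and checks the retention window. Host names, user IDs, event names and the thresholds are assumptions.

```python
"""Review of audit-log entries for the events requirement 10 says must be
recorded and looked at. Added example, not code from the post: the log
format, hosts, user IDs and the sample lines are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# 10.3 requires user, event type, date/time, success/failure, origin and
# affected resource in every entry; this hypothetical format carries all six.
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)(?: object=(?P<object>\S+))?$"
)
FAILURE_THRESHOLD = 6                    # mirrors the lockout limit in 8.1.6
FAILURE_WINDOW = timedelta(minutes=5)
ADMIN_EVENTS = {"admin_action"}          # 10.2.2: every privileged action is reported
CHD_EVENTS = {"chd_read", "chd_export"}  # 10.2.1: every access to cardholder data

# Constructed sample log; the last line is deliberately in a different format.
SAMPLE_LOG = """\
2014-08-11T09:14:02Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:09Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:15Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:21Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:30Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:41Z host=pos01 user=temp_user event=login result=failure src=10.0.5.23
2014-08-11T09:14:55Z host=pos01 user=temp_user event=login result=success src=10.0.5.23
2014-08-11T09:20:12Z host=pos01 user=jsmith event=login result=success src=10.0.5.40
2014-08-11T09:21:03Z host=pos01 user=jsmith event=chd_read result=success src=10.0.5.40 object=card_vault
2014-08-11T10:02:47Z host=db01 user=mwilson event=chd_read result=success src=10.0.7.9 object=card_vault
2014-08-11T11:30:00Z host=pos01 user=root event=admin_action result=success src=10.0.1.2 object=/etc/pam.d/sshd
Aug 11 11:31:02 pos01 sshd[4412]: this line is from a host whose logging agent was misconfigured
"""


def parse(text: str) -> Tuple[List[dict], List[str]]:
    """Split log text into parsed entries and lines that could not be parsed."""
    entries, unparsed = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            unparsed.append(raw)         # gaps in the record are themselves a finding
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(e)
    return entries, unparsed


def review(entries: List[dict], authorized_chd_users: Set[str]) -> List[str]:
    """Return the items a daily log review (10.6) should put in front of a human."""
    findings: List[str] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in entries:
        if e["event"] == "login" and e["result"] == "failure":
            failures[(e["user"], e["src"])].append(e["ts"])
        elif e["event"] in ADMIN_EVENTS:
            findings.append(f"admin action: {e['user']}@{e['host']} {e['result']} on {e['object']}")
        elif e["event"] in CHD_EVENTS and e["user"] not in authorized_chd_users:
            findings.append(f"cardholder data access outside need-to-know: "
                            f"{e['user']} {e['event']} {e['object']} from {e['src']}")
    for (user, src), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - FAILURE_THRESHOLD + 1):
            if stamps[i + FAILURE_THRESHOLD - 1] - stamps[i] <= FAILURE_WINDOW:
                findings.append(f"failed-login burst: {user} from {src}, "
                                f"{FAILURE_THRESHOLD} failures within {FAILURE_WINDOW.seconds // 60} min")
                break
    return findings


def retention_compliant(oldest_retained: datetime, oldest_online: datetime, now: datetime) -> bool:
    """10.7: at least a year of history kept, the last three months immediately searchable."""
    return (oldest_retained <= now - timedelta(days=365)
            and oldest_online <= now - timedelta(days=90))


def walkthrough() -> Dict[str, object]:
    entries, unparsed = parse(SAMPLE_LOG)
    return {
        "findings": review(entries, authorized_chd_users={"jsmith"}),
        "unparsed": unparsed,
        # constructed dates for the archive and the live log store
        "retention_ok": retention_compliant(datetime(2013, 7, 1), datetime(2014, 5, 1),
                                            datetime(2014, 8, 12)),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, value)
```

On the sample, the review produces three findings: the read of `card_vault` by `mwilson`, who is not on the need-to-know list; the change to `/etc/pam.d/sshd` by `root`, listed simply because it is an administrative action; and six failed logins for `temp_user` from one address in under a minute. It also reports the one line it could not parse, which is worth chasing because a host that stops sending well-formed logs leaves a hole in the year-long record the requirement demands. Note that the burst is followed by a successful login from the same address a few seconds later: with the lockout from requirement 8 in place, that seventh attempt should not have been possible, so the two requirements check each other.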

11. Regularly test security systems and procedures

Vulnerability scanning means running scanning software against every host and open port in the cardholder data environment, from inside and from outside the network, to find missing patches, exposed services and weak configurations. Scans must run at least quarterly and after any significant change to the network, the quarterly external scans must be performed by a PCI-approved scanning vendor (ASV), and corrective action followed by a re-scan is required whenever a vulnerability is found. This requirement also calls for a penetration test at least annually, quarterly checks for unauthorized wireless access points, intrusion detection on the network, and change-detection (file integrity monitoring) on critical system files. Procedures and access rules need to be reviewed regularly as well.

Section 6 – Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Everybody in the business organization needs to be aware of the information security policy and understand their role in it. The policy sets out who may access what data and the procedure for changing those rules, where cardholder data may and may not be stored, where it may and may not be transferred, who is responsible for reviewing security logs, how security incidents are handled, and more. It should be reviewed at least annually, and all personnel should acknowledge that they have read and understood it.

Make it Easier, Choose an IT Partner

This is all a lot to take in. Addressing these 12 security areas as a small business owner can definitely feel overwhelming, especially when you’re not an IT expert and you’re still trying to manage the day-to-day operations of a growing company.

Working with an IT partner can move some (in many cases, almost all) of the responsibilities of compliance off your shoulders. Just how much of the responsibility and work you can outsource depends on many factors: whether or not your partner specializes in PCI DSS compliance, how much of your IT environment they control (for example, do you have your own IT team?), the nature of their services, and so on.

Ready to learn more? Read about achieving PCI DSS compliance (and other compliance regulations) using hosted cloud services in our free guide, “Compliance and Data Security in the Cloud with C3 Solutions.”

Topics: PCI DSS
