I have worked as a systems administrator in the payments industry for more than 15 years and have spent much of my career working with payment card industry compliance, which relates to security requirements of companies handling credit card data.
PCI compliance is a very complex area with guidelines that organizations in this industry must adhere to in order to process payments.
What is PCI compliance?
PCI compliance is a framework based on Payment Card Industry Security Standards Council requirements. Its purpose is to ensure that every company that processes, stores or transmits credit card information maintains a secure operating environment that protects its business, its customers and the sensitive data it handles.
Known as the Payment Card Industry Data Security Standard, the guidelines went into effect on September 7, 2006 and directly involve all major credit card companies.
The PCI SSC was developed by Visa, MasterCard, American Express, Discover and Japan Credit Bureau to manage and administer the PCI DSS. Companies that adhere to the PCI DSS are verified as PCI compliant and are therefore trusted to do business with them.
Merchants that process over 1 million or 6 million payment card transactions each year, and service providers that hold, transmit or process over 300,000 card transactions each year, must be assessed for PCI DSS compliance. This article is aimed at companies that are subject to this annual review.
It’s worth noting that PCI compliance is no guarantee against data breaches, any more than a home that meets the fire code is completely safe from fire. It simply means that the company’s operations are certified against rigorous security standards, which gives the organization the best possible protection from threats, instills the highest level of trust among its customer base and satisfies regulatory requirements.
Failure to comply with PCI requirements can result in hefty fines ranging from $5,000 to $100,000 per month. Companies that comply and are exposed to data breaches can expect significantly reduced fines as a result.
14 PCI best practices for your business
1. Understand your cardholder data environment and document everything you can
There can be no surprises when it comes to enacting PCI compliance: all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server running somewhere or a collection of mysterious accounts.
2. Be proactive and implement security policies across the board
It’s a big mistake to think of PCI compliance security as something to be “attached” or applied on an as-needed basis. The concepts should be built into the entire environment by default. Measures such as requiring multi-factor authentication for production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and requiring regular password changes should be applied up front. The more security conscious your organization is, the less work needs to be done when audit time arrives.
3. Conduct background checks on employees who handle cardholder data
All prospective employees should be thoroughly screened, including background checks for those who work with cardholder data, whether directly or in an administrative or support role. Any applicant with a serious allegation on their file should be rejected for employment, especially if it involves financial crime or identity theft.
4. Implement a centralized cybersecurity authority
For the best PCI compliance, you need a central authority that makes the decisions for all implementation, management and remediation efforts. This is typically the IT and/or cybersecurity department, and it should be staffed with personnel trained in the field and familiar with PCI requirements.
5. Implement strict security environment controls
In general, you should apply strict security controls to any element that handles cardholder data. Use firewalls, NAT, segmented subnets, anti-malware software, complex passwords (never keep the default system passwords), encryption and tokenization to protect cardholder data.
As an additional tip, keep the scope of cardholder data systems, dedicated networks and resources as small as possible, so that the set of resources you have to secure is as small as possible.
For example, don’t allow development accounts access to production (or vice versa), because the development environment would then be considered in scope and subject to the increased security requirements.
6. Implement least privilege access
Use dedicated user accounts when performing administrative work on cardholder systems, not root or domain administrator accounts. Ensure users are only granted the bare minimum of access, even those with admin roles. Whenever possible, have them rely on “user-level accounts” and separate “privileged accounts” that are only used to perform tasks with elevated privileges.
7. Implement logging, monitoring and alerting
All systems should rely on logging of operational and access data in a central location. This logging should be comprehensive but not overwhelming, and a monitoring and alerting process should be put in place to notify appropriate personnel of verified or potentially suspicious activity.
Examples of alerts include too many failed logins, locked accounts, someone logging into a host directly as root or administrator, root or administrator password changes, unusually high amounts of network traffic, and anything else that could represent a potential or incipient data breach.
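As an added illustration of the alerting described in step 7 (this is example code written for this article, not a product or the author's own tooling), the following Python script runs a few detection rules over constructed syslog-style lines: repeated failed logins from one source within a short window, an account lockout, a direct login as root, and a root password change. The sample log lines, the 60-second window, the threshold of five failures and the year assumed for the timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Syslog lines carry no year,
# so the parser assumes one.
SAMPLE_LOGS = """\
Mar 10 08:01:12 cde-app01 sshd[2201]: Failed password for alice from 10.20.0.15 port 51022 ssh2
Mar 10 08:01:15 cde-app01 sshd[2201]: Failed password for alice from 10.20.0.15 port 51023 ssh2
Mar 10 08:01:19 cde-app01 sshd[2201]: Failed password for alice from 10.20.0.15 port 51024 ssh2
Mar 10 08:01:22 cde-app01 sshd[2201]: Failed password for alice from 10.20.0.15 port 51025 ssh2
Mar 10 08:01:25 cde-app01 sshd[2201]: Failed password for alice from 10.20.0.15 port 51026 ssh2
Mar 10 08:01:26 cde-app01 sshd[2201]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Mar 10 08:02:03 cde-app01 sshd[2210]: Accepted publickey for bob-adm from 10.20.0.40 port 50100 ssh2
Mar 10 08:05:44 cde-db01 sshd[3100]: Accepted password for root from 10.20.0.77 port 50200 ssh2
Mar 10 08:06:10 cde-db01 passwd[3150]: password for 'root' changed by 'root'
Mar 10 09:30:00 cde-app02 sshd[4001]: Failed password for carol from 10.20.0.90 port 52000 ssh2
"""

# "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
LOCKED_RE = re.compile(r"login failures for user (?P<user>\S+) account temporarily locked")
PASSWD_RE = re.compile(r"password for '(?P<user>[^']+)' changed")

# Assumed tuning values for the example.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)
PRIVILEGED_USERS = {"root", "administrator"}


def parse_line(line, year=2024):
    """Split one syslog line into timestamp, host, process and message; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def detect_alerts(lines):
    """Return (alert_type, host, detail) tuples for the events step 7 calls out."""
    alerts = []
    failures = defaultdict(list)  # (host, source, user) -> timestamps of recent failures
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if m := FAILED_RE.search(msg):
            key = (ev["host"], m["src"], m["user"])
            failures[key].append(ev["ts"])
            # Keep only failures inside the sliding window, then check the threshold.
            window = [t for t in failures[key] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            failures[key] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("excessive_failed_logins", ev["host"],
                               f"{m['user']} from {m['src']}: {len(window)} failures "
                               f"in {FAILED_LOGIN_WINDOW.seconds}s"))
        elif (m := ACCEPTED_RE.search(msg)) and m["user"] in PRIVILEGED_USERS:
            # Someone logged into the host directly as root/administrator.
            alerts.append(("direct_privileged_login", ev["host"], f"{m['user']} from {m['src']}"))
        elif m := LOCKED_RE.search(msg):
            alerts.append(("account_locked", ev["host"], m["user"]))
        elif (m := PASSWD_RE.search(msg)) and m["user"] in PRIVILEGED_USERS:
            alerts.append(("privileged_password_change", ev["host"], m["user"]))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect_alerts(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {kind:28} host={host:10} {detail}")
```

The sliding window is what keeps this "comprehensive but not overwhelming": a single failed login from carol on cde-app02 is logged but produces no alert, while the burst against alice on cde-app01 fires exactly once, at the fifth failure, rather than on every subsequent attempt. In a real deployment these rules would run in the central log platform over the forwarded logs rather than over a local file.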
8. Implement software update and patching mechanisms
Thanks to step 1, you know which operating systems, applications and tools are running in your cardholder data environment. Make sure these are updated regularly, especially when critical vulnerabilities emerge. The IT and cybersecurity teams should subscribe to vendor alerts so they are notified of these vulnerabilities and of the patches that address them.
9. Implement standard system and application configurations
Any system built in a cardholder environment, and the applications running on it, should follow a standard design, e.g. be built from a live template. There should be as few differences between systems as possible, especially between redundant or clustered systems. This live template should itself be routinely patched and maintained so that new systems built from it are fully secure and ready for use.
10. Implement a checklist for terminated privileged employees
Too many organizations do not properly track employee departures, especially when there are different departments and environments. Human resources must be tasked with notifying all application and environment owners of employee departures so that their access can be thoroughly removed.
A general checklist of all cardholder data systems and environments should be compiled and maintained by the IT and/or cybersecurity departments, and every step should be followed to ensure 100% removal of access.
Do not delete accounts; disable them instead, as PCI auditors often require proof of disabled accounts.
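As an added example of the offboarding checklist from step 10 (example code written for this article, not the author's or TechRepublic's own tooling), the following Python script reconciles an HR departure list against account exports from each in-scope system. It reports every departed employee's account that is still enabled, privileged accounts first, and produces the per-system "disabled / still enabled / no account" evidence that an auditor asks for. The employee names, system names and account records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """One account as exported from a system's user list."""
    system: str
    username: str
    owner_email: str   # ties the account back to the HR record
    enabled: bool
    privileged: bool = False


# Constructed sample data: HR notifies the departure date per employee,
# and each in-scope system exports its account list.
IN_SCOPE_SYSTEMS = ["active-directory", "cde-db01", "payment-gateway", "vpn"]

HR_DEPARTURES = {
    "dave@example.com": date(2024, 3, 1),
    "erin@example.com": date(2024, 3, 8),
}

ACCOUNTS = [
    Account("active-directory", "dave", "dave@example.com", enabled=False),
    Account("active-directory", "dave-adm", "dave@example.com", enabled=True, privileged=True),
    Account("cde-db01", "dave", "dave@example.com", enabled=True),
    Account("payment-gateway", "erin", "erin@example.com", enabled=False),
    Account("vpn", "erin", "erin@example.com", enabled=True),
    Account("vpn", "frank", "frank@example.com", enabled=True),  # still employed
]


def find_lingering_access(accounts, departures):
    """Accounts owned by departed staff that are still enabled, privileged ones first."""
    lingering = [a for a in accounts if a.owner_email in departures and a.enabled]
    return sorted(lingering, key=lambda a: (not a.privileged, a.system, a.username))


def evidence_report(accounts, departures, systems):
    """Per departed employee, one row per in-scope system: the auditor's proof of disablement."""
    by_owner = defaultdict(list)
    for a in accounts:
        by_owner[a.owner_email].append(a)
    report = {}
    for email in departures:
        rows = []
        for system in systems:
            matches = [a for a in by_owner[email] if a.system == system]
            if not matches:
                rows.append((system, "-", "no account"))
            for a in matches:
                rows.append((system, a.username, "disabled" if not a.enabled else "STILL ENABLED"))
        report[email] = rows
    return report


def offboarding_complete(accounts, departures):
    """True only when no departed employee retains an enabled account anywhere."""
    return not find_lingering_access(accounts, departures)


if __name__ == "__main__":
    for a in find_lingering_access(ACCOUNTS, HR_DEPARTURES):
        flag = "PRIVILEGED " if a.privileged else ""
        print(f"{flag}{a.owner_email}: {a.username}@{a.system} is still enabled")
    for email, rows in evidence_report(ACCOUNTS, HR_DEPARTURES, IN_SCOPE_SYSTEMS).items():
        print(f"\n{email} (left {HR_DEPARTURES[email]})")
        for system, user, status in rows:
            print(f"  {system:18} {user:10} {status}")
    print("\noffboarding complete:", offboarding_complete(ACCOUNTS, HR_DEPARTURES))
```

Because the report is built from the systems' own account exports rather than from a ticket saying "access removed", a disabled account shows up as evidence while a deleted one shows up as "no account", which is exactly the distinction the auditor will probe. Running this after every HR notification, and again before the audit, is a cheap way to catch the privileged account that was forgotten in one environment.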
For more guidance on onboarding or offboarding employees, the experts at TechRepublic Premium have put together a handy checklist to get you started.
11. Implement secure data destruction methods
When cardholder data is disposed of, PCI requires a secure method of data destruction to be in place. This may involve software- or hardware-based processes such as secure file deletion or disk/tape destruction. The destruction of physical media often requires evidence confirming that it was properly performed and witnessed.
12. Conduct penetration testing
Have internal or external penetration tests performed to check your environment and make sure everything is sufficiently secure. You would much rather find and fix the issues yourself before a PCI auditor finds them.
13. Inform your user base
Extensive user training is essential to maintaining secure operations. Train users how to securely access and/or handle cardholder data, how to recognize security threats like phishing scams or social engineering, how to secure their workstations and mobile devices, how to use multi-factor authentication, how to recognize anomalies and, most importantly, whom to contact to report suspected or confirmed security breaches.
14. Prepare to work with auditors
Now we come to audit time, when you meet with an individual or team whose goal is to analyze your organization’s PCI compliance. Don’t be nervous or worried; these people are here to help you, not to spy on you. Give them everything they ask for and only what they ask for: be honest but minimal. You hide nothing; you simply provide the information and answers that adequately meet their needs.
Also, keep evidence such as screenshots of settings, system vulnerability reports, and user lists, as these might be useful in future verification efforts. Address any of their recommendations for fixes and changes as soon as possible, and be prepared to submit evidence that this work has been completed.
Thoroughly review all proposed changes to ensure they do not negatively impact your operating environment. For example, I’ve seen scenarios where the removal of TLS 1.0 was requested in favor of newer TLS versions, but applying this recommendation would have broken the connectivity of legacy systems and caused an outage. These systems first had to be upgraded to meet the requirements.