PCI Data Security Standard Requirements

Safeguard Your Business and Protect Your Customers’ Data

The Payment Card Industry Data Security Standard (PCI DSS) details the security requirements businesses must follow to protect cardholder data. The standard is mandated by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) and maintained by the PCI Security Standards Council; its purpose is to ensure the safe handling of card data and so reduce card fraud and data breaches.

All merchants who accept card payments must validate their PCI compliance at least annually; for most small and mid-sized merchants this means completing the appropriate Self-Assessment Questionnaire (SAQ). Failing to comply with PCI DSS can result in significant consequences including fines, loss of business, and ongoing audits to prove compliance.

The 12 PCI DSS Requirements

There are twelve overarching requirements to achieve PCI compliance. This guide represents a summary of each requirement; however, additional details and specifics for each of the PCI requirements can be found on the PCI website.

We’ve also compiled a list of frequently asked questions to address common PCI concerns and misconceptions. If you need any help throughout the compliance process, please call our PCI specialists at 718-782-2823 x110.

1. Install and maintain a firewall configuration to protect cardholder data.

A physical card is no longer required to steal customer card details: criminals breach networks and steal the digital data instead. A firewall establishes a barrier between a trusted network, such as your business network, and an untrusted one, like the internet, and allows or blocks incoming and outgoing traffic according to predetermined rules. Any device that connects to your organization’s network should also run host-based firewall software, including employee laptops and mobile devices that connect from outside the network.

Organizations should establish documented firewall and router configuration standards, so that the equipment can be tested in a standard way whenever hardware or software changes are made. Rule sets should be reviewed at least every six months. The default policy should be to deny all traffic, permitting only the specific protocols and ports that are required to process cardholder data, and no system in the cardholder data environment should be directly reachable from the internet.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Network hardware and software, such as routers and firewalls, often ship with default user names and passwords, such as “admin” or “password,” and those defaults are published in vendor manuals. Don’t make the criminal’s job easier by neglecting to change them: trying default credentials is often the first thing an attacker does when probing your network.

Change the default credentials on any hardware and software you install on your network before it goes live, and rotate passwords regularly. This also applies to less obvious defaults such as SNMP community strings and wireless encryption keys, and unnecessary default accounts and services should be removed or disabled. Passwords should be long and random, preferably a mix of upper- and lowercase letters, numbers, and special characters.

3. Protect stored cardholder data.

Cardholder data consists of the primary account number (PAN) together with the cardholder name, expiration date, and service code. It differs from sensitive authentication data: the card verification code (CVV/CVC), the full track data on the magnetic stripe or chip, and the PIN or PIN block. Sensitive authentication data must not be stored after authorization, even if it is encrypted.

Any cardholder data you store must be limited to what is required by law, regulation, or a documented business need. This requirement also limits how much of the PAN may be displayed: when masked, at most the first six and last four digits are shown, and only personnel with a legitimate business need may see the full PAN.

If you must store cardholder data, store the bare minimum. Maintain a data retention and disposal policy that records what is stored, where, and for how long, and run a process at least quarterly to find and securely delete data that has exceeded its retention period.

Wherever the PAN is stored it must be rendered unreadable using an industry-accepted method: strong encryption, truncation, an index token, or a strong one-way hash of the entire PAN. For online processing, Cardknox offers and prefers its tokenization technology. Tokenization replaces sensitive payment data with a non-sensitive, system-generated string called a token that cannot be reversed to recover the card number. Each time a card or bank account number is sent with a transaction, the Cardknox response includes a token; Cardknox looks up the payment information associated with that token on its own servers and processes the transaction. Each processed transaction returns a new token. Because the underlying card data lives on Cardknox’s servers rather than the merchant’s, the merchant stores nothing that is useful to a thief, which reduces both risk and the scope of the merchant’s PCI assessment (though it does not remove the merchant’s compliance obligations entirely).
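The difference between “unreadable” and “unrecoverable” is worth seeing concretely. The Python below is an added example, not Cardknox’s code or text from the standard: it shows that an unsalted hash of a PAN stored next to a masked copy of the same PAN (a combination PCI DSS 3.4 specifically warns about) lets anyone brute-force the hidden middle digits in seconds, whereas a vault token is a random value with no relationship to the card number. The test PAN, the choice of SHA-256, and the TokenVault class are constructed for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed example using the published Visa test number; not a real account.
PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; weeds out numbers that cannot be PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS 3.3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def weak_hash(pan: str) -> str:
    """Unsalted SHA-256 of the PAN. Looks 'unreadable', but see recover_pan()."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Rebuild the PAN from its masked form plus an unsalted hash of it.

    Only the middle digits are unknown, so a 16-digit PAN has at most 10**6
    candidates, and the Luhn check discards nine in ten before hashing.
    """
    first6, last4 = masked[:6], masked[-4:]
    width = len(masked) - 10
    for n in range(10 ** width):
        candidate = f"{first6}{n:0{width}d}{last4}"
        if luhn_valid(candidate) and weak_hash(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Toy vault: the token is random, so nothing about it derives from the PAN.

    Illustrative only; this is not Cardknox's implementation.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_urlsafe(18)  # 144 random bits; unrelated to the PAN
        self._store[token] = pan           # the PAN stays in the vault, not with the merchant
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._store.get(token)
```

If you must hash PANs yourself, use a keyed hash (HMAC with a secret key held outside the database) and keep hashed and truncated versions of the same PAN from being stored where they can be correlated. With a vault-based tokenization service like the one described above, the merchant never holds the vault, which is what takes the correlation problem off the merchant’s plate.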

To secure cardholder data for transactions made on payment terminals, use terminals that are part of a PCI-validated point-to-point encryption (P2PE) solution, so that card data is encrypted inside the terminal and never passes through your own systems in the clear.

In some cases, service providers or merchants do not realize they are in fact storing cardholder data. Common places where it turns up are log files, databases, spreadsheets, and backups of them. Check these locations routinely, searching for card-number patterns rather than only known fields, to ensure you are not inadvertently storing cardholder data.
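A quarterly discovery job can be as simple as searching logs and exports for card-number patterns and keeping only the candidates that pass the Luhn check. The Python below is an added example, not Cardknox’s tooling; the log lines are constructed and contain only published test PANs. It finds PANs in free text, reports where they were, and redacts them to the masked form allowed by PCI DSS 3.3 (the first-six/last-four rule from the paragraph above).

```python
import re
from typing import List, Tuple

# 13-19 digits, allowing the single spaces or dashes people type into forms;
# the look-arounds stop us matching a slice out of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; weeds out numbers that cannot be PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS 3.3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Every Luhn-valid 13-19 digit number in text, with separators removed."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> Tuple[str, int]:
    """Replace each PAN in text with its masked form; returns (new_text, count)."""
    count = 0

    def _sub(m):
        nonlocal count
        digits = _normalize(m.group())
        if not luhn_valid(digits):
            return m.group()  # order IDs, tracking numbers etc. are left alone
        count += 1
        return mask_pan(digits)

    return _CANDIDATE.sub(_sub, text), count


# Constructed sample log lines (not real traffic); only published test PANs appear.
SAMPLE_LOG = [
    '2024-03-01 12:00:01 INFO  order=8841 status=approved',
    '2024-03-01 12:00:02 DEBUG form={"card": "4111 1111 1111 1111", "exp": "12/26"}',
    '2024-03-01 12:00:03 INFO  ref=5500000000000004 amount=19.99',
    '2024-03-01 12:00:04 WARN  tracking=1234567890123 carrier=UPS',
]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(line_number, pan) for every hit, as a quarterly discovery job would report."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]
```

Run scan_log() over exported logs, database dumps and spreadsheet exports; every hit is a place where the retention policy is being violated and usually a place where debug logging needs to be turned off. The Luhn check removes roughly nine in ten random digit runs, but a 13- to 19-digit identifier will still occasionally pass it, so treat hits as leads to confirm, not proof.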

4. Encrypt transmission of cardholder data across open, public networks.

Even if you don’t store cardholder data, thieves can intercept it in transit. PCI DSS therefore requires that cardholder data be protected with strong cryptography and a secure protocol (such as a current version of TLS; SSL and early TLS are no longer considered strong) whenever it is transmitted over an open, public network, including the Internet, wireless local area networks, Bluetooth, and mobile networks. Encryption makes intercepted data unreadable to anyone who does not hold the key. PANs must also never be sent unprotected by end-user messaging technologies such as e-mail, instant messaging, or SMS.

5. Protect all systems against malware and regularly update anti-virus software or programs.

PCI DSS requires anti-virus or anti-malware software on all systems commonly affected by malware, not just primary network hardware: laptops, servers, workstations, mobile devices, and any other devices employees use to access the network locally or remotely. Make sure the anti-virus mechanisms are always running, cannot be disabled or altered by ordinary users, use the latest signatures, perform periodic scans, and generate logs that are retained like other audit logs.

6. Develop and maintain secure systems and applications.

Organizations that accept payments must have a process to identify newly discovered security vulnerabilities (for example by subscribing to vendor and industry security alerts) and to rank them by risk. Many vulnerabilities are eliminated by installing vendor-supplied security patches. Critical security patches must be installed on all in-scope systems within one month of release; less critical patches should be applied within a timeframe set by your risk-based vulnerability management program. If you are an independent software vendor (ISV), this also means making sure the merchants who use your software know about the patches they need to deploy.

All code written by an ISV or in-house developer for the cardholder data environment must follow secure coding guidelines, and new and updated code must be reviewed before release for known classes of vulnerabilities (such as injection flaws, buffer overflows, insecure cryptographic storage, and cross-site scripting) as well as assessed for weaknesses that are not yet catalogued. The Cardknox Customer Service team is glad to assist in this process.

All systems in the cardholder data environment must be kept patched, including:

  • Operating systems
  • Firewalls, Routers, Switches
  • Application software
  • Databases
  • POS terminals

7. Restrict access to cardholder data by business need to know.

Need to know means granting each user only the least amount of data and the lowest privileges needed to perform their job. The need-to-know requirement within PCI DSS requires merchants to establish role-based access control for card data, supplemented by controls based on the circumstance of access. Put another way, access to card data is authorized or denied based on both the user’s role and the reason for accessing the data, and the access control system must default to “deny all” unless access is specifically allowed.

Obviously, an unauthorized user, such as a criminal, would be denied access to card data. However, in some cases, an authorized user may request access to card data, but the situation may warrant denying the request since it is unnecessary to complete the task at hand. That request would be unauthorized and thus denied.

Merchants and service providers must maintain a documented list of all users who need access to the cardholder data environment along with their roles. For each role the documentation must define the system components and data resources the role needs to access and the level of privilege required, and each user’s current privileges should be compared against that expected level. For your convenience, the Cardknox Merchant Portal lets you assign user roles with varying permissions.

8. Identify and authenticate access to system components.

Shared user names and easy-to-guess passwords leave your business exposed. Every user with access to the cardholder data environment must have a unique ID, so that every action can be traced to a specific individual; shared, group, or generic accounts must not be used. Every user must also authenticate with a strong password or passphrase that meets the standard’s minimum length and complexity.

Remote network access from outside your network into the cardholder data environment, and all non-console administrative access to it, require multi-factor authentication: at least two independent factors from something you know (a password), something you have (a token device or authenticator app), and something you are (a biometric). Two factors of the same type, such as two passwords, do not qualify. Use strong authentication methods throughout, and render all passwords and passphrases unreadable during transmission and in storage using strong cryptography (in practice, a salted, deliberately slow hash for stored passwords rather than reversible encryption).
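The two halves of this requirement, unreadable stored passwords and a second factor for remote access, fit together as in the Python below. This is an added example, not Cardknox’s authentication code: it assumes the “token device” is a TOTP authenticator (RFC 6238) and uses an in-memory user store and PBKDF2 parameters chosen for illustration. Both factors are always evaluated, so a failing password does not short-circuit and leak timing information.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# --- Factor 1: something you know, stored only as a salted, slow hash ----------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; raise over time)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash'; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


DUMMY_HASH = hash_password("not-a-real-user")  # equalizes timing for unknown user names

# --- Factor 2: something you have, a TOTP authenticator (RFC 6238) -------------
STEP = 30  # seconds per code


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the time-step counter, with SHA-1 as the RFC default."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step or one either side to absorb small clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


# --- Both factors together ----------------------------------------------------
USERS: Dict[str, dict] = {}  # constructed in-memory user store (assumption)


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    USERS[username] = {"pw": hash_password(password), "totp": totp_secret}


def authenticate(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Remote access succeeds only when BOTH factors verify (PCI DSS 8.3)."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        verify_password(password, DUMMY_HASH)  # same cost as a real user; no username oracle
        return False
    ok_password = verify_password(password, user["pw"])
    ok_code = verify_totp(user["totp"], code, at)  # evaluated even if the password failed
    return ok_password and ok_code
```

The TOTP secret is the one thing here that must be stored reversibly (the server needs it to compute codes), so keep it encrypted at rest with a key held outside the user database, and rate-limit code attempts: a six-digit code with a one-step window on either side gives an attacker three chances in a million per guess, which is only safe if guesses are throttled.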

9. Restrict physical access to cardholder data.

Physical access to systems that house cardholder data should be restricted using keys, badges, biometrics, or other access-control mechanisms. Anyone who needs regular or short-term access to server rooms or other areas where cardholder data can be accessed should first be authorized, and visitors should be identified, escorted, and logged. This includes employees (full- or part-time), contractors, consultants, vendors, and guests.

Access should not only be restricted but also monitored and logged. Security rules should be enforced by designated security personnel, there should be a simple way to distinguish onsite personnel from visitors (for example visitor badges that expire), and anyone who does not belong should be identified quickly.

Physical-access records such as video footage and access logs should be stored in a secure location (off site where practical), retained for at least three months unless the law restricts this, and reviewed and correlated with other entries. Any media containing cardholder data (backups, paper, removable storage) must be physically secured, tracked, and destroyed when it is no longer needed for business or legal reasons.

10. Track and monitor all access to network resources and cardholder data.

Vulnerabilities in physical and wireless network devices and systems present opportunities for criminals to gain unauthorized access to payment card applications and cardholder data. Logging mechanisms and the ability to track user activity are critical for preventing, detecting, and minimizing the impact of a compromise.

This requires logging all access to system components and cardholder data, and reviewing those logs (daily for security events and critical systems) so that suspicious activity is spotted promptly. Logs in all environments allow thorough tracking and analysis; without system activity logs, determining the cause of a compromise is very difficult.

Audit trails must link every access to an individual user, and all system clocks must be synchronized (for example with NTP) so that events on different systems can be correlated. Each audit-trail entry must record at least the user ID, the type of event, the date and time, whether it succeeded or failed, where it originated, and the identity or name of the affected data, system component, or resource. Audit data must be protected from alteration, retained for at least one year, and kept immediately available for analysis for at least three months.

11. Regularly test security systems and processes.

Vulnerabilities are continually being discovered by malicious individuals and researchers. To keep pace, organizations should test system components, processes, and custom software frequently to ensure that security is maintained over time. Testing of security controls is especially important after environmental changes such as deploying new software or code or changing system configurations.

This requirement also calls for detecting and identifying all authorized and unauthorized wireless access points at least quarterly. Internal and external vulnerability scans must be run at least quarterly and after any significant change to the network; external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and achieve a passing result. Other ongoing requirements include penetration testing (at least annually and after any significant change) and the use of intrusion detection and prevention systems.

Changes to critical files should also be monitored using a change-detection solution (file-integrity monitoring), which alerts personnel to unauthorized modification, addition, or deletion of critical system files, configuration files, and content files. Critical file comparisons should be performed at least weekly, and a process to respond to alerts should be in place.
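A minimal change-detection (file-integrity monitoring) check looks like the Python below, added here as an example rather than taken from the page or any product. It hashes the monitored files, stores a baseline, and on the next run reports changes, additions, and deletions; the glob list, directory layout, file names and simulated tampering in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Globs for the files worth watching (assumption for the example).
MONITORED = ["etc/**/*", "bin/**/*", "www/**/*"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, patterns: List[str]) -> Dict[str, str]:
    """Hash every monitored file under root, keyed by path relative to root."""
    snap: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def save_baseline(snap: Dict[str, str], baseline_file: Path) -> None:
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> Dict[str, str]:
    return json.loads(baseline_file.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences the way the requirement lists them: changes, additions, deletions."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through in a temp directory: baseline, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {
            "etc/app.conf": "db_host=10.0.1.5\n",
            "bin/pos-agent": "#!/bin/sh\necho agent\n",
            "www/index.html": "<html>shop</html>\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        baseline_file = root / "baseline.json"  # in real use: stored off-host or signed
        save_baseline(snapshot(root, MONITORED), baseline_file)

        # Simulated tampering: config edited, agent binary removed, unexpected file dropped.
        (root / "etc/app.conf").write_text("db_host=203.0.113.9\n")
        (root / "bin/pos-agent").unlink()
        (root / "www/upload.php").write_text("<?php // not in the release manifest\n")

        return compare(load_baseline(baseline_file), snapshot(root, MONITORED))
```

Keep the baseline (and the checker itself) somewhere the monitored host cannot overwrite, or sign it; otherwise an attacker who gains administrative access simply regenerates the baseline after tampering. Schedule the comparison at least weekly, as the requirement specifies, and route alerts to whoever owns the incident response process so that a reported change is investigated rather than filed.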

12. Maintain a policy that addresses information security for all personnel.

A strong security policy sets the tone for the entire organization and informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it. The policy must be reviewed and updated at least annually, and a formal risk assessment must be performed at least annually and after significant changes to the environment.

This requirement further specifies that an individual or team be formally assigned responsibility for information security, including a security awareness program for all employees (at hire and at least annually thereafter). Potential employees who will have access to the cardholder data environment should be screened before hiring to reduce the risk of insider breaches. Finally, an incident response plan must be in place and tested at least annually so that the organization is prepared to respond immediately in the event of a breach.

Support When You Need It

PCI compliance can be a detailed and challenging process, but it’s a necessary step to protect your business and safeguard your customers’ data. If you need any help throughout the compliance process, call our PCI specialists at 718-782-2823 x110.