The Payment Card Industry Security Standards Council (PCI SSC) requires all organizations that process card payments to secure sensitive payment account data. These organizations can minimize breach risks to cardholder data (CHD) and sensitive authentication data by complying with PCI frameworks, the most important of which is the PCI Data Security Standard (DSS). Implementing a PCI information security policy can help organizations subject to the DSS secure sensitive payment account data.
Critical Focus Areas for a PCI Information Security Policy
A PCI information security policy ensures that existing organizational systems for processing sensitive CHD align with the protection requirements stipulated under the PCI DSS compliance framework. An organization can implement a PCI information security policy by optimizing, to industry-level standards, PCI DSS compliance in key cybersecurity areas.
The most critical applications of a PCI information security policy in these focus areas include:
- Risk assessment
- Personnel access
- Third-party vendors
A PCI information security policy takes the guesswork out of PCI DSS compliance, creating processes to minimize exploitable vulnerabilities associated with processing CHD and sensitive authentication data.
Risk Assessment Methodology for PCI Information Security
A risk assessment of the digital environments and assets storing or interacting with CHD can help identify potentially compromising vulnerabilities, specifically within networks and applications. A PCI information security policy can guide an organization’s risk assessment methodology, informing and ensuring systematic and ongoing analysis of factors that may affect the integrity of CHD environments.
Ongoing Risk Assessment of CHD Environments
Besides conducting a risk assessment of CHD environments at least annually, organizations should pay special attention to significant organizational changes, such as mergers, acquisitions, or relocations. Such events may change critical components of your organization’s IT infrastructure and ultimately undermine your PCI DSS policy regarding:
- Payment channels and associated technologies
- Protocols for user access to CHD environments
- Existing compliance obligations and PCI DSS controls
- Existing contracts with defined scopes for PCI information security
Significant changes to CHD environments call for due diligence to identify any oversights in PCI DSS security controls. A PCI organization should ensure that any changes affecting its PCI information security policy—such as cost reductions, budget reallocations, or changes in overall IT security policies—take into account the underlying threat risks to sensitive CHD.
Additionally, organizations looking to acquire another entity should conduct due diligence on the target’s existing PCI information security controls, assessing its CHD environments for any compromising risks and vulnerabilities. Obtaining the target’s current Report on Compliance (ROC) and Attestation of Compliance (AOC) can provide insight into the CHD protections already in place under its PCI information security policy.
Organizations processing card payments can also refer to NIST SP 800-30, OCTAVE, and ISO 27005 publications for extensive guidance on risk assessment methodologies.
Risk Assessment of Critical PCI Infrastructure
Besides assessing risks to CHD environments as a whole, organizations can use a PCI information security policy to guide risk assessment of the underlying networks and applications. Specifically, a risk assessment methodology should account for exploitable application and network vulnerabilities, the most common of which include:
- Limited vulnerability scanning and threat remediation – Any exploitable vulnerability that goes unscanned, or is not remediated in time, can compromise the CHD environment. A PCI DSS policy can guide processes for vulnerability scanning, both internal and external (with the help of an Approved Scanning Vendor). Additionally, dynamic cloud environments call for managed scanning efforts through:
- Updating the inventory of digital assets at risk
- Managing any identified false positives and tuning scanning configurations accordingly
- Tracking all vulnerabilities, both current and remediated
- Proper documentation of vulnerability scans
- Access control gaps – Changes in access control to CHD environments can be problematic, specifically for larger organizations with higher personnel turnover. A PCI security policy should define the scopes of protections for CHD environments regarding user passwords and privileged accounts (see below).
- Patch management issues – Delayed patch deployment results in unsecured versions of networks and applications, which could compromise CHD environments. A PCI information security policy can improve patch management efforts by ensuring:
- Identification of digital assets (both hardware and software) requiring patches
- Frequent patch deployment for systems that are updated manually, and reliable patch deployment for systems that are updated automatically
- Timely upgrade or replacement of assets at end-of-life (EOL), preventing any breaks in PCI compliance protocols
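The two lists above describe what a policy owner reviews after each scan: new versus remediated findings, documented false positives, assets the scanner found that are missing from the inventory, and EOL assets. The following is an added example (not code from the original article or from RSI Security) of reconciling two scan results against an asset inventory; every host name, finding ID and date in it is constructed sample data, and the 30-day remediation window is an assumed policy value.

```python
"""Added example: reconciling successive vulnerability scans against a
CDE asset inventory, as a PCI information security policy might require.
All asset names, finding IDs and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    in_cde: bool                   # inside the cardholder data environment
    eol: Optional[date] = None     # vendor end-of-life date, if known

# Constructed CDE asset inventory (hypothetical hosts).
INVENTORY = {
    "pos-gw-01": Asset("pos-gw-01", True, eol=date(2021, 12, 31)),
    "db-card-01": Asset("db-card-01", True),
    "intranet-wiki": Asset("intranet-wiki", False),
}

# Constructed scan results: finding id -> (asset, days since first seen).
PREVIOUS_SCAN = {"F-100": ("pos-gw-01", 40), "F-101": ("db-card-01", 5),
                 "F-102": ("intranet-wiki", 3)}
CURRENT_SCAN = {"F-100": ("pos-gw-01", 70), "F-103": ("db-card-01", 2),
                "F-102": ("intranet-wiki", 33), "F-104": ("new-vm-07", 1)}
FALSE_POSITIVES = {"F-102"}        # reviewed and documented as not applicable

def reconcile(previous, current, false_positives, inventory, today,
              max_age_days=30):
    """Return the register a policy owner reviews after each scan."""
    remediated = sorted(f for f in previous if f not in current)
    new = sorted(f for f in current if f not in previous)
    # Findings on CDE assets that have exceeded the remediation window,
    # ignoring documented false positives.
    overdue = sorted(
        f for f, (asset, age) in current.items()
        if f not in false_positives
        and asset in inventory and inventory[asset].in_cde
        and age > max_age_days)
    # Scanned hosts absent from the inventory: the inventory needs updating.
    unknown = sorted({a for a, _ in current.values()} - set(inventory))
    eol = sorted(a.name for a in inventory.values() if a.eol and a.eol < today)
    return {"new": new, "remediated": remediated, "overdue_in_cde": overdue,
            "unknown_assets": unknown, "eol_assets": eol}
```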
A PCI information security policy can help your organization identify any risks and vulnerabilities to CHD and sensitive authentication data early on, preventing impending breach risks from materializing.
PCI Security Policy for Personnel Access Control
It is also critical for an organization’s PCI information security policy to define protocols for employee access to CHD environments. A PCI security policy can address some of the most common personnel access control vulnerabilities, including:
- Weak password practices – Organizations whose personnel use vendor-supplied passwords or weak, easy-to-guess passwords are at high risk of access control vulnerabilities. Defining a strict PCI compliance password policy that requires personnel to use strong passwords, such as passphrases, and to change them regularly minimizes the chances of attackers breaching CHD environments.
- Mismanaged account privileges – It is critical for organizations processing CHD to monitor privileged account usage and log events to identify any unusual account activity. A PCI DSS password policy can help define changes in security protocols when employees whose accounts have privileged access change roles within an organization or leave altogether.
- Gaps in personnel awareness of security policies – A lack of training on processing card payments in line with the PCI information security policy increases the chances of vulnerabilities to CHD and sensitive authentication data. A credit card compliance policy can point employees to secure practices such as:
- Minimizing exposure of CHD environments to external network traffic
- Encrypting transmission across networks
A crucial component of PCI DSS compliance is securing access to CHD environments; a well-defined PCI information security policy can help your organization better control access to sensitive CHD environments. Consider who should be authorized and when access should be restricted (e.g., outside normal work hours).
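The two points above about monitoring privileged account usage (including accounts of employees who change roles or leave) and restricting access outside normal work hours can be checked mechanically against access logs. Below is an added example (not code from the original article or from RSI Security) that reviews constructed log lines against an assumed policy; the usernames, hosts, HR status table and the 08:00 to 18:59 working-hours window are all constructed or assumed, not taken from the page.

```python
"""Added example: reviewing privileged access events against a PCI
personnel-access policy.  Flags privileged access to CDE hosts outside
work hours, any use of an account whose owner left or changed role, and
non-privileged accounts reaching CDE hosts.  All data is constructed."""
from datetime import datetime

WORK_HOURS = range(8, 19)          # assumed policy: 08:00-18:59 local time

# Constructed HR-derived account status (hypothetical users).
ACCOUNTS = {
    "alice": {"status": "active", "privileged": True},
    "bob":   {"status": "left",   "privileged": True},
    "carol": {"status": "active", "privileged": False},
}
CDE_HOSTS = {"db-card-01", "pos-gw-01"}   # constructed CDE host list

# Constructed log lines: "<ISO timestamp> <user> <host> <action>".
SAMPLE_LOG = """\
2022-03-01T09:15:00 alice db-card-01 login
2022-03-01T23:40:00 alice db-card-01 login
2022-03-02T10:05:00 bob pos-gw-01 login
2022-03-02T11:00:00 carol intranet-wiki login
2022-03-02T02:30:00 carol db-card-01 login"""

def review_access(log_text, accounts, cde_hosts, work_hours=WORK_HOURS):
    """Return (log line, reason) pairs that a reviewer should follow up."""
    findings = []
    for line in log_text.splitlines():
        ts, user, host, _action = line.split()
        hour = datetime.fromisoformat(ts).hour
        info = accounts.get(user)
        if info is None or info["status"] != "active":
            # Role change or departure: the account should have been revoked.
            findings.append((line, "account not active (left/role change)"))
        elif host in cde_hosts and not info["privileged"]:
            findings.append((line, "non-privileged account reached CDE host"))
        elif host in cde_hosts and hour not in work_hours:
            findings.append((line, "privileged CDE access outside work hours"))
    return findings
```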
PCI DSS Policy for Third-Party Vendors
A PCI information security policy can also guide PCI compliance for organizations that outsource card payment collection, processing, storage, or transmission to third-party service providers. Ultimately, the burden of PCI DSS compliance falls on your organization, so any third-party vendors must be evaluated strictly.
All partnerships should include proper documentation of the roles and responsibilities expected of third-party service providers regarding PCI compliance. The security of CHD is of the utmost importance; third-party service providers should exercise due diligence in securing networks, applications, and any PCI security protocols.
PCI Compliance Enforcement and Upcoming Version 4.0
A PCI information security policy helps protect your organization from the legal, financial, and reputational consequences of PCI non-compliance. Enforcement penalties for PCI non-compliance can be significant and are assessed by SSC stakeholders—not the SSC itself.
The SSC’s Founding Members are Visa, Mastercard, American Express, JCB International, and Discover.
Scheduled for release in March 2022, PCI DSS framework v4.0 will supersede the current version, v3.2.1. Following the final release, organizations will be allowed an 18-month transition period to update their security protocols and remediate any gaps against the updated Requirements in v4.0.
Working with an Approved Scanning Vendor (ASV) and a Qualified Security Assessor (QSA) listed by the SSC can help your organization identify any implementation gaps, update your PCI information security policy, and achieve compliance.
Optimize Your PCI Information Security Protocols
Implementing and periodically optimizing a PCI information security policy can help your organization create sustainable cybersecurity protocols for CHD environments.
As an SSC-approved QSA and ASV, RSI Security’s PCI DSS compliance advisory services will help you achieve and report on compliance. Our managed security services will help you maintain it in the interim.
Contact RSI Security today to learn more!