Cardholder and payment data are prime targets of digital attacks. Establishing and maintaining a secure network is essential to handling, storing, and processing this data safely. PCI Security Standards exist to guide the entities that handle this data on how to protect it thoroughly. This guide will introduce the standards and their goals and cover best practices for meeting PCI compliance network security requirements.
What Are the PCI Security Standards?
Developed, maintained, and enforced by the Payment Card Industry (PCI) Security Standards Council (SSC), the PCI Security Standards include 15 standards created to protect account information at all points of the payment process and to discourage attempted theft of this information.
The standards cover both technical and operational requirements for merchants, service providers, and financial institutions handling transactions, along with developers and vendors providing payment solutions. The PCI Data Security Standard, which is applicable throughout the entire payment process, is the primary resource for PCI compliance network security guidance.
The PCI Data Security Standard
The PCI Data Security Standard (PCI DSS) is a globally-recognized set of requirements for protecting payment-related data. The most current version, PCI DSS v4.0, was released on March 31, 2022. PCI DSS v3.2.1, which v4.0 replaces, will remain active for two years following the release of v4.0.
Who Do the PCI DSS Standards Apply to?
PCI standards apply to any party that handles cardholder data, along with the hardware and software that come into contact with it; together these are referred to as the cardholder data environment (CDE). This means that those required to comply with the standards include:
- Systems, processes, and individuals that store, transmit, or process cardholder or related authentication data
- Systems with unrestricted access to those that store, transmit, or process cardholder or related authentication data
- Systems, processes, and individuals that could have an impact on the cardholder data environment
Most organizations to whom PCI rules apply fall into one of two categories—Merchants and Service Providers. The reporting protocols for each differ slightly, but the controls are the same.
What Are the Objectives of PCI DSS v4.0?
- To meet the security needs of the payment industry – Security threats are always changing, and security practices have to evolve to stay ahead and keep cardholder data secure. PCI DSS v4.0 introduces updated requirements regarding multi-factor authentication, passwords, e-commerce, and phishing.
- To promote managing security as an ongoing process – Security breaches can happen at any time, so protecting cardholder data must be a continuous process. The updated standard clarifies roles and responsibilities and includes new guidance and options for reporting to support improved security implementation, maintenance, and transparency.
- To allow for more flexibility in approaches to security – Every organization is uniquely structured and makes use of different combinations of technology. The new standard takes this into account and provides more options for unique approaches to meeting requirements.
- To improve upon existing methods of validation – Validation and reporting on compliance with requirements must be clear for the sake of accountability, transparency, and ensuring that the necessary security measures are upheld. PCI DSS v4.0 improves upon the consistency between reporting and assessment documents to help ensure clarity and accuracy.
Overall, these changes are intended to make compliance more streamlined and straightforward while also maintaining the rigorousness of security—the assurance that compliance delivers.
PCI Network Requirements and Best Practices
The PCI Data Security Standard comprises 12 requirements, each of which is associated with one of six specific goals:
- To build and maintain a secure network and systems
- To protect cardholder data
- To maintain a vulnerability management program
- To implement strong access control measures
- To regularly test and monitor all networks
- To maintain an information security policy
Build and Maintain a Secure Network and Systems
There are two requirements for meeting this goal:
- Implement and maintain network security controls – Establish a clear process for installing security controls and properly implement and maintain said controls. Control network access and connections and mitigate the potential risks associated with said connections.
- Use secure configurations throughout all systems – Define clear processes and methods for implementing secure configurations and apply said configurations properly. Ensure that appropriate security configurations are also applied to wireless environments.
Network security controls are essential to preventing unauthorized access from outside networks and protecting data during authorized network connections. This protection may be implemented through several methods, including firewalls, virtualization, and other technology.
Reconfiguring default settings will help protect against attackers who take advantage of default passwords and other settings. Establishing and implementing a process for updating these settings and removing or disabling any unnecessary components will help harden networks against attackers.
Protect Cardholder Data
There are two requirements for protecting cardholder data:
- Thoroughly protect any stored account data – Establish and implement clear processes and methodologies for protecting stored account data and only store data as necessary. Do not store sensitive authentication data after authorization has been completed. Securely store and restrict full access to primary account numbers. Use cryptographic keys to protect sensitive data, and define processes for managing said keys.
- Use encryption to protect data being transmitted over public networks – Define and document clear methods for protecting the transmission of primary account numbers and other sensitive data over open networks. These methods should be built upon strong cryptographic techniques.
In the case of a breach, data that isn’t stored cannot be stolen by attackers, so it’s considered best practice not to store account data unnecessarily. Data that must be stored can be protected using several methods, including truncation, hashing, and encryption.
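Two of the three storage protections named above, truncation and hashing, as an added example in Python (this is not code from the page or from RSI Security). It assumes a "first six, last four" truncation format and uses a keyed hash (HMAC-SHA256) rather than a plain hash, because the PAN space is small enough to brute-force once the issuer prefix is known. The sample PANs are the publicly documented test numbers, and the key is a placeholder standing in for one obtained from a key-management system. Encryption of a full PAN that must be retained is not shown here; it needs an authenticated cipher such as AES-GCM from a vetted library plus separate key management.

```python
import hmac
import hashlib

# Constructed sample values: the PANs below are the publicly documented test
# numbers used for integration testing, not real cardholder data, and the key
# is a placeholder. In production the HMAC key comes from a key-management
# system and is never stored beside the fingerprints it produces.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]
PLACEHOLDER_KEY = b"replace-with-a-32-byte-key-from-your-kms"


def truncate_pan(pan: str) -> str:
    """Return the PAN in 'first six, last four' form.

    Truncation removes the middle digits outright; the result can still be
    shown to staff or matched against a receipt but cannot be used as a PAN.
    """
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("value is not PAN-shaped (13-19 digits)")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN, for lookup and de-duplication.

    A plain SHA-256 of a PAN is not a protection: the issuer prefix is public
    and the Luhn check digit is derived, so only the account-number portion
    (on the order of a billion candidates for a 16-digit PAN) has to be tried
    to recover a PAN from its hash. Keying the hash moves the security to the
    key, which is then managed like any other cryptographic key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def fingerprint_matches(pan: str, key: bytes, stored_fingerprint: str) -> bool:
    """Constant-time comparison, so lookups do not leak timing information."""
    return hmac.compare_digest(pan_fingerprint(pan, key), stored_fingerprint)


def to_storage_record(pan: str, key: bytes) -> dict:
    """Build the record that is actually persisted: no clear PAN in it."""
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_fingerprint": pan_fingerprint(pan, key),
    }


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        record = to_storage_record(pan, PLACEHOLDER_KEY)
        assert pan not in record.values()
        print(record)
```

The stored record carries only what the business process needs: the truncated form for display and reconciliation, and the fingerprint for matching a returning card. Neither can be turned back into the PAN without the key, so the question "where is the PAN stored?" has a much shorter answer.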
Sensitive data such as primary account numbers being transmitted over public networks must be encrypted using strong cryptography. PCI DSS defines strong cryptography as being based on industry-tested and approved algorithms, including those defined by:
- NIST Special Publication 800-57
- BSI TR-02102-1
- ECRYPT-CSA D5.4 Algorithms, Key Size and Protocols Report (2018)
- ISO/IEC 18033 Encryption algorithms
- ISO/IEC 14888-3:2018 IT Security techniques
This is not an exhaustive list, especially because of v4.0’s increased flexibility in reporting.
Maintain a Vulnerability Management Program
There are two requirements for maintaining a compliant vulnerability management program:
- Protect systems, system components, and networks from malicious software – Define clear processes and approaches to protecting systems, system components, and networks from malicious software. Use those processes to effectively detect, prevent and eliminate said threats. Employ continuous anti-malware and anti-phishing measures to protect users and data.
- Develop and maintain secure systems, components, and software – Any custom solutions should be developed, updated, and managed securely, and these secure development processes should be defined and documented. These solutions should be monitored for security vulnerabilities, and any identified vulnerabilities should be addressed. Solutions that are accessed by external users should also be protected against attacks.
There is a wide variety of malicious software attackers may use to compromise systems, including keyloggers, ransomware, and viruses. These can be introduced to networks through breaches or by taking advantage of the actions of internal users by way of phishing attacks and links to malicious files.
Anti-malware solutions and education on how to avoid and prevent phishing attacks will help protect against these threats.
Keeping systems and software updated is also an essential aspect of maintaining PCI-compliant network security. When custom solutions are put in use, it’s necessary to regularly monitor and evaluate them for vulnerabilities to keep them fully secured.
Implement Strong Access Control Measures
There are three requirements for implementing PCI-compliant access control measures:
- Follow the need-to-know principle – Restrict access to systems and cardholder data to a need-to-know basis. Define what constitutes appropriate, authorized access, then use access controls to enforce this policy.
- Identify and authenticate users – Define and implement user identification and authentication measures to manage access to systems and data. Establish and maintain processes to manage the entire user lifecycle. Implement multi-factor authentication to enhance security and prevent unauthorized actions.
- Restrict physical access to sensitive data – Define policies and procedures for restricting physical access to cardholder information and other sensitive data. This includes access to facilities, systems, media, and point of interaction devices.
The need-to-know principle is a widely-accepted security standard and an essential rule to follow to reduce the risk of unauthorized access to systems and data. Only allow users privileges and access to systems and data that are necessary for them to perform the tasks they are responsible for.
Implement a clearly defined user lifecycle management process to manage account creation, deletion, and access to systems and data throughout the life of a user’s account. Use secure authentication methods, such as multi-factor authentication, to ensure only authorized users can access and interact with systems and data.
Authorizing physical access to facilities, hardware, and other physical assets associated with systems and data is also essential to keeping networks secure. Implement policies and physical access controls to prevent unauthorized access that may compromise network security.
Comprehensive identity and access management practices will help support effective access control measures throughout your organization.
Regularly Monitor and Test Networks
There are two monitoring and testing requirements for maintaining a PCI-compliant network:
- Monitor and document access to systems and data – Define and document system and network monitoring processes, and implement methods for time synchronization across systems. Make use of audit logs to detect abnormalities and suspicious activity and protect and preserve these logs. Report and respond to any abnormalities, threats, or failures immediately.
- Perform regular system and network tests – Clearly define security testing procedures for systems and networks. Identify and monitor wireless access points, internal vulnerabilities, and external vulnerabilities. Perform penetration testing, correct vulnerabilities, and promptly respond to any unauthorized access or changes.
Monitoring and logging user activities and network events are critical to helping identify unauthorized activities and mitigate the damage they could cause. Since logs are a key resource in tracking down and responding to issues and enforcing accountability, it’s essential to protect and preserve them.
Security teams should also perform a PCI compliance network scan and additional security testing at regular intervals to evaluate the efficacy of security measures and stay ahead of new threats.
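The monitoring points above (audit logs used to spot suspicious activity, time synchronization across systems, and keeping account data out of logs) as a small detection pass over constructed audit-log lines. This is an added example written for this page, not code from RSI Security or from the PCI SSC. The key=value log format, host and user names, addresses, thresholds and the log lines themselves are all made up; the one PAN in the sample is a public test number.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log lines in a simple key=value format, as a
# central collector might receive them (arrival order, timestamps in UTC).
# The hosts, users, addresses and the test PAN are all made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=pay-app01 user=alice action=login result=success src=10.0.5.12
2024-05-01T10:00:05Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:00:09Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:00:14Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:00:20Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:00:25Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:00:31Z host=pay-app01 user=bob action=login result=failure src=10.0.9.77
2024-05-01T10:01:02Z host=pay-app01 user=svc-batch action=export result=success msg="card 4111111111111111 queued"
2024-05-01T09:58:40Z host=pay-db01 user=alice action=query result=success table=transactions
2024-05-01T10:02:00Z host=pay-app01 user=carol action=login result=failure src=10.0.7.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?P<rest>.*)$"
)
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to separate real-looking PANs from other digit runs."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_log(text: str) -> list[dict]:
    """Parse lines into event dicts. Unparsable lines are skipped here; a
    production pipeline should count them, because log corruption is itself
    something to alert on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["raw"] = line
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users whose failed logins reach `threshold` inside a sliding `window`.
    Returns {user: highest failure count seen within one window}."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev["result"] != "failure":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(q))
    return alerts


def clear_pan_lines(events) -> list[str]:
    """Log lines carrying a Luhn-valid 13-19 digit run, i.e. a likely clear
    PAN, which must not appear in logs at all."""
    return [
        ev["raw"] for ev in events
        if any(luhn_valid(run) for run in PAN_RE.findall(ev["raw"]))
    ]


def clock_skew_events(events, tolerance=timedelta(seconds=5)) -> list[dict]:
    """Events whose timestamp runs backwards, relative to the previous event
    in arrival order, by more than `tolerance`: a sign that the sending host's
    clock is not synchronized, which makes cross-host timelines unreliable."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        behind = prev["ts"] - cur["ts"]
        if behind > tolerance:
            alerts.append({"host": cur["host"], "behind_by": behind, "raw": cur["raw"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("clear PAN in logs:", clear_pan_lines(evs))
    print("clock skew:", clock_skew_events(evs))
```

On the sample, the burst rule fires for one user, the PAN scan flags the export line, and the skew rule singles out the database host whose clock is more than two minutes behind the collector's view of time. Each of these is the kind of finding the "report and respond immediately" requirement expects a team to act on, and the same pass can be run over preserved logs after the fact, which is why the logs themselves have to be protected from tampering.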
Maintain an Information Security Policy
The final requirement of the PCI DSS is to provide support for information security within an organization through the use of policies and programs. This includes taking the following steps:
- Maintaining a current information security policy that provides clear direction throughout the organization
- Implementing reasonable policies for end-users
- Identifying and managing risks throughout the cardholder data environment
- Documenting and validating the PCI DSS scope and maintaining compliance
- Performing regular security awareness education and personnel screening to mitigate internal security risks
- Managing risks and compliance concerns connected with service providers
- Responding to security incidents immediately
The organization’s security policy defines processes for security professionals responsible for managing PCI network requirements. But it should also guide all personnel within an organization and help them understand their role in contributing to the security of cardholder data and the safety of the networks, systems, and data they interact with.
Additional PCI Compliance Network Considerations
Any organization subject to PCI compliance network security requirements needs to analyze the structure, systems, and networks of the organization and identify the best way to implement and manage a PCI compliance plan. This could mean assigning responsibility to an individual or team within the organization or getting help from a team of experts in PCI DSS Certification.
Thorough, well-written documentation is also critical to long-term PCI compliance.
Maintain PCI Compliance Long-Term
Attackers, new vulnerabilities, and unauthorized activity are persistent threats that can compromise systems, networks, and cardholder data. In a time when so many payments are processed digitally, organizations must implement and maintain robust processes to secure sensitive data and the systems and networks that handle that data.
PCI compliance network security standards are defined by the PCI Data Security Standard and enforced by the PCI Security Standards Council. The standards include 12 requirements, each of which is associated with one of six goals for maintaining the security of cardholder data and the systems and networks that handle that data.
If your organization handles payment data, PCI compliance is essential to keeping sensitive payment data secure, preventing security incidents, and upholding the reputation of the organization. PCI DSS v4 replaces v3.2.1, which will only remain in effect until 2024, so it’s essential to review existing organizational policy to ensure compliance with the most current standards.
Contact RSI Security today to optimize your PCI compliance network policy!