Any organization that handles cardholder data (CHD) is required to follow the Data Security Standards (DSS) established by the Payment Card Industry (PCI). These rules and regulations play a critical role in protecting networks and cardholder data environments (CDEs) from internal and external threats alike. However, their effectiveness depends on your staff following a few PCI DSS best practices.
Using Best Practices to Maintain Compliance
The processing, storing, and sharing of consumer data is highly regulated worldwide. While different laws bind certain industries and organizations, any organization that comes into contact with consumer credit card numbers and related information is bound by the PCI DSS. In this guide, you’ll learn about:
- The PCI DSS, including its origin and general purpose
- How these standards are implemented and applied to CHD
- Some PCI DSS best practices you can utilize to help maintain compliance
- How advanced techniques like PCI multi-factor authentication help strengthen organizational IT security
- How to maintain PCI DSS compliance on a long-term basis
What is PCI DSS?
Officially launched in September 2006, the PCI Security Standards Council (PCI SSC) oversees the PCI DSS. It is an independent body that includes all the major credit card brands and other key stakeholders, and it is the credit card brands themselves that are responsible for enforcing compliance with the PCI DSS.
Although the PCI SSC provides guidance to help organizations maintain compliance with PCI DSS, best practices are left to individual business entities. This offers some amount of freedom when developing your policies and procedures, but there are some general guidelines and key considerations to keep in mind.
Implementing PCI DSS
All organizations that process CHD are responsible for maintaining compliance with the PCI DSS. To make it easier for individual organizations, the PCI publishes a list of their Goals, Requirements, and guidelines for public use.
General DSS Goals and Requirements
The first step in complying with the PCI DSS involves meeting their established Goals and Requirements. Utilize these Goals when creating your PCI DSS best practices, as they should inform all compliance efforts.
- Build and maintain a secure network – The first Goal involves the creation of a highly secure network, specifically by installing and maintaining a firewall configuration and by avoiding default system passwords.
- Safeguard and protect all CHD – Secondly, IT administrators need to take a proactive approach toward safeguarding and securing all CHD. This includes end-to-end encryption when transmitting sensitive data across public networks.
- Manage system vulnerabilities efficiently and effectively – Whereas the first Goal pertains specifically to your firewalls, the third requires you to install, update, and maintain antivirus and anti-malware software.
- Establish secure identity and access management – The fourth Goal involves restricting access to the databases and devices that store CHD. Additionally, this rule restricts access to CHD based on the employees’ need to know. It also requires proper authentication of system components.
- Monitor and test networks on a regular basis – The fifth Goal requires you to track and monitor network activity in CHD environments and to test your security controls regularly for vulnerabilities.
- Maintain an evolving information security policy – Finally, IT administrators need to establish and maintain an effective information security policy. According to the PCI DSS Goals and Requirements, the policy must address information security for all staff members in your workforce.
PCI DSS Compliance Reporting
It’s not enough to just meet the goals and requirements established in the PCI DSS. Once compliance is achieved, your organization still needs to provide compliance reports annually. There are currently three different types of compliance reports used by the PCI DSS.
- Self-Assessment Questionnaire (SAQ) – The SAQ consists of two parts: a series of yes or no questions and an Attestation of Compliance (AoC). In some cases, these two documents (or just the SAQ) are enough to fulfill your compliance reporting responsibilities.
- Attestation of Compliance (AoC) – This is a legal document that serves as your official agreement or verification that you’ve met all the compliance requirements, filled out or verified by a certified third-party assessor.
- Report on Compliance (RoC) – In certain cases, a RoC might be necessary to further demonstrate your IT infrastructure and security. When required, the RoC also must be completed by a Qualified Security Assessor, or QSA.
Your organization might be required to submit one or two reports, depending on your compliance requirements. Compliance documentation is dependent on annual transaction volume.
PCI DSS Compliance Scans
Quarterly vulnerability scans of your CHD environment must also be conducted by an Approved Scanning Vendor (ASV) to demonstrate compliance. Therefore, one PCI DSS best practice is to schedule your scans well in advance to avoid any end-of-quarter rush.
PCI DSS Compliance Levels
The reports required for your organization are determined according to the overall number of credit card transactions you process within one year.
- Level 1 – Organizations with more than six million annual transactions must submit a RoC and an AoC. This includes all sales channels.
- Level 2 – Those with one to six million annual transactions must submit a SAQ and an AoC. This includes all sales channels.
- Level 3 – Organizations with 20,000 to one million annual e-commerce transactions must submit a SAQ and an AoC. Note that these figures apply specifically to Visa-specific e-commerce transactions.
- Level 4 – Merchants and organizations with fewer than 20,000 annual e-commerce transactions through Visa, or those with up to one million Visa-specific transactions across all channels, must submit a SAQ.
There are also multiple SAQ variants that apply to different merchants and organizations. SAQ A, for example, applies to merchants who outsource the entirety of their CHD functionality. Other variations apply to merchants who don’t store electronic CHD, those who use third-party websites for processing payments, merchants with web-based terminals, and more.
While the figures mentioned above are specific to Visa transactions, the other credit card brands maintain similar levels. Additionally, meeting the criteria for one brand typically qualifies you on the same level for other brands.
Common PCI DSS Best Practices
Now that you have a strong familiarity with the goals, guidelines, and reporting requirements of PCI DSS, it’s time to simplify these into widely applicable PCI DSS best practices:
Basic Network Protection (Firewall / Antivirus / Antimalware)
The first practice goes hand in hand with the six goals of PCI DSS in general, and it is a good starting point when developing your PCI DSS best practices. It is impossible to protect CHD on an exposed or vulnerable system, so make network protection your first priority.
Make sure to update firewall, antivirus, and anti-malware software regularly. On devices provided to employees, updates should be set to occur automatically with the configuration locked. Hackers are always on the lookout for the latest security flaws and vulnerabilities, so ensure your network defenses are equipped with the latest threat signature detection.
This best practice also extends to deploying patches soon after they are released or a vulnerability is disclosed.
Data Security and Encryption
Essential data security is covered in the second and fourth Goals of the PCI DSS. The second goal highlights the need for end-to-end encryption when transmitting CHD across open or public networks.
AES-256 is the current standard for data encryption. Although other algorithms exist, AES-256 provides the strongest level of encryption. It is considered infeasible to break by brute force, and the data it protects is accessible only with the appropriate decryption key.
Locate All Instances of Personally Identifiable Information and CHD
Before securing and encrypting data, however, you need to ensure that all information subject to PCI compliance has been identified and documented.
An essential component of PCI DSS compliance efforts is knowing where all personally identifiable information (PII), primary account numbers (PAN), and other CHD reside within your organization’s network and storage locations. Utilizing a PII scanner can significantly assist with determining and then limiting compliance scope.
These scanners look for common data signatures, such as the 16-digit format to which most PANs adhere.
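As an added example (not code from the original article or from any particular scanner product), the following Python script performs the kind of signature check such a scanner relies on: it finds runs of 13 to 19 digits, discards those that fail the Luhn check that every payment card PAN satisfies, and reports only masked values so the scan report does not itself become a new store of CHD. The function names and the sample log lines are constructed for this example.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; never log or store the full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in text, separators removed."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_lines(lines) -> list:
    """Report (line number, masked PAN) for every hit in a file or log."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed sample log using well-known test card numbers. The order id is
# 13 digits but fails the Luhn check, so it is not reported as a PAN.
SAMPLE_LOG = [
    "2024-01-05 order=1234567890123 status=ok",
    "2024-01-05 card=4111-1111-1111-1111 amount=19.99",
    "2024-01-05 phone=5551234567 amex=378282246310005",
    "2024-01-05 ref=4111111111111112 (mistyped, fails Luhn)",
]
```

Running `scan_lines` over a file's lines gives a list of line numbers and masked PANs that can be fed into the scope inventory without copying the PANs themselves.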
Multi-factor Authentication (MFA)
Multi-factor authentication (MFA), sometimes referred to as two-factor authentication, requires an additional identity verification step following the traditional entry of username and password credentials. The primary benefit of MFA is that, even if your normal account credentials become compromised, a second layer of protection prevents unauthorized access.
For general authentication purposes, and under PCI DSS Requirement 8.2, an authentication credential must be at least one of the following factors:
- Something you know – This includes basic passwords and passphrases.
- Something you have – This includes physical items issued to the user, such as an employee ID card or a hardware token (e.g., a USB security key).
- Something you are – This covers biometric forms of identification. Common forms include fingerprint scanning, facial or voice recognition, and retina scanning.
For true multi-factor authentication, the second identity verification step must comprise a different factor.
Multi-factor Authentication and the PCI DSS
The only PCI multi-factor authentication requirement pertains to 8.3: non-console administrative and remote access to CHD environments must be secured with multi-factor authentication. However, despite the lack of other PCI DSS two-factor authentication requirements, MFA remains one of the most effective and simple best practices for any organization regardless of their compliance requirements.
Many of your systems and applications likely provide native MFA capabilities that merely require basic configuration to activate.
One of the most common MFA methods uses “one-time passwords” (OTPs) delivered through a dedicated app, SMS, or email. SMS and email delivery is straightforward: the user receives a PIN code and enters it when prompted.
App-based OTPs are a little more complex. Generally, an OTP only remains valid for a set duration (e.g., 30 seconds). An app on the user’s smartphone, linked to the authentication process, displays a fresh code for each valid window. So long as the code is entered before the window expires, the user is authenticated. Once the window closes, a new code must be used.
Establish Rapid Offboarding Processes
Most organizations concern themselves with optimizing their onboarding processes to ensure new hires are quickly up to speed and productive. However, how strict are your organization’s offboarding processes?
One of the most overlooked compliance risks is allowing departed employees to retain access rights to your environment. Specifically for PCI DSS, all access to CHD environments must be revoked swiftly and comprehensively. Allowing any former employee to retain access represents a significant PCI compliance violation.
Offboarding access revocation must also include any cryptographic key storage.
PCI DSS Compliance and Cloud Computing
Efficiency has many organizations turning to the cloud when processing, storing, and managing CHD. However, maintaining any sensitive data within the cloud always requires some extra considerations.
For best results, a five-step process is recommended for both quarterly and yearly cycles:
- Preparation – This is where you’ll first determine the scope of your PCI assets, perform initial vulnerability scanning, and correct any immediate violations related to PCI DSS.
- Initial testing and evaluation – Next, the merchant or organization undergoes a comprehensive assessment to determine their overall PCI level. This helps compile a list of current IT needs and security vulnerabilities with respect to PCI DSS Goals and Requirements, which is used to develop a remediation action plan.
- Submitting the required forms – Once the PCI level has been established, submit the required forms and documentation for validation. Depending on your PCI level, a QSA might be required to validate your assessment.
- Remediating vulnerabilities and violations – During this step, the merchant or organization follows its action plan to remediate the identified compliance and cybersecurity issues. These efforts must meet the expected completion date recorded in the reporting documentation for each vulnerability or violation.
- Ongoing maintenance and management – PCI compliance is a perpetual cycle. In the fifth and final stage, merchants and organizations must maintain compliance with PCI DSS—including any future revisions, modifications, or updates to their standards.
Following this five-step process on quarterly and yearly cycles will ensure that you keep pace with any PCI DSS changes.
Achieving Compliance Today
When specifically designed to comply with PCI DSS, best practices eliminate much of the headache and hassle typically involved in regulatory compliance. These standards are meant to protect consumers and your staff members alike, and failure to abide by them can result in significant fines.
For more information on and help with your PCI DSS compliance efforts, contact RSI Security today.