12 Step PCI DSS Requirements Checklist

Goal: Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect Cardholder Data

  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

Goal: Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business justification (i.e., “need to know”).
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.

Goal: Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Goal: Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel.

Additional PCI DSS Requirements for Shared Hosting Providers: Shared hosting providers must protect the cardholder data environment.

Achieving PCI DSS Compliance

To be in compliance with current PCI DSS requirements, businesses must implement controls that are focused on attaining six functional high-level goals. The goals are separated into 12 actionable steps. Once these controls are implemented, a process must be put in place to monitor, test, report and remediate results of your client’s PCI DSS compliance efforts.

Build and Maintain a Secure Network and Systems

The first two requirements detail how a firewall should be implemented, maintained, and managed.

  1. Install and maintain a firewall configuration to protect cardholder data.

Firewalls are a vital component of any computer network and are the first line of defence for Internet traffic.

A firewall identifies all network traffic and blocks any transmissions that don’t meet the business’s specified security criteria. All systems must be protected from unauthorised access from untrusted networks—regardless of the method of entry (e.g., Internet e-commerce, employee Internet access, employee e-mail access, business-to-business connections or wireless networks).

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Criminals and data thieves use vendor default passwords and default settings to compromise systems.

It is critically important to change vendor-supplied default passwords/settings and remove/disable unnecessary default accounts before introducing new systems into your environment.

Protect Cardholder Data

The third and fourth requirements detail how to protect cardholder data, during processing, transmittal and storage.

  1. Protect stored cardholder data.

There are many methods of protecting your client’s sensitive data: encryption, truncation, masking, and hashing can each become a critical component of your business’s cardholder data protection plan. Additionally, don’t store cardholder data unless it is necessary, and never send unprotected cardholder data via e-mail.
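The following is an added example, not code from the original article or from any PCI DSS publication, showing the protection methods named above applied to a single primary account number (PAN): masking for display, truncation for storage, and a keyed one-way hash for lookups, plus a check for unprotected PANs in outbound text such as e-mail. The sample PAN 4111111111111111 is a well-known test number, not a real card; the HMAC key, the "first six / last four" display format and the 13-to-19-digit length range are assumptions taken from common PCI DSS practice and must be confirmed against the requirements applicable to your client.

```python
import hashlib
import hmac
import re

# Assumption: 13-19 digits with optional space or dash separators, as most card brands use
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate a PAN for storage: only the last four digits are retained."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (HMAC-SHA256).

    A key is used so that the digest cannot be recovered by brute-forcing the
    relatively small space of valid PANs; the key must be stored separately
    from the hashes (assumption: key management is handled elsewhere).
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_unprotected_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs found in free text (e.g. an outbound e-mail body)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    test_pan = "4111111111111111"          # constructed test value, not a real card
    print("masked:   ", mask_pan(test_pan))
    print("truncated:", truncate_pan(test_pan))
    print("hashed:   ", hash_pan(test_pan, b"example-key-managed-elsewhere"))
    # Constructed e-mail body: one real-looking PAN and one digit run that fails Luhn
    body = "Order 12345678901234 shipped; card 4111 1111 1111 1111 was charged."
    print("unprotected PANs in message:", find_unprotected_pans(body))
```

`find_unprotected_pans` combines the length regex with the Luhn check so that order numbers and other digit runs are not reported; a positive hit on outgoing mail is the kind of control failure the best-practice section below expects you to detect and respond to.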

Protecting cardholder data is critical for numerous direct and indirect financial reasons. Target stores had a massive data breach in 2013–2014. The direct financial cost was extensive (145 million over both years), and the indirect toll is staggering: 110 million customers had their sensitive data accessed.

  2. Encrypt transmission of cardholder data across open, public networks.

Cardholders’ sensitive data and authentication information must be encrypted during transmission over open, public networks. These networks are targeted by individuals who exploit the open, visible nature of the network to gain unauthorized system access.

Maintain a Vulnerability Management Program

The fifth and sixth requirements involve developing, maintaining and protecting all in-scope payment systems with a vulnerability management plan to ensure any existing vulnerabilities are addressed and remediated.

  1. Protect all systems against malware and regularly update anti-virus software or programs.

Malware is malicious software that can be introduced into your network during any typical business activity, such as employee e-mail, Internet usage, the use of personal employee computers or cell phones, or the use of an infected storage device such as a USB drive.

Antivirus software must be installed and operating on all business systems to protect your client’s environments. The security software must be correctly configured and maintained, as new malware threats are discovered every day.

  2. Develop and maintain secure systems and applications.

Intruders use security vulnerabilities in your systems and applications to gain privileged access to sensitive cardholder data. These vulnerabilities are typically remediated by applying security patches (usually provided by the vendor), which must be installed by whoever manages those systems.

It is required for all applications and systems to have appropriate, current software patches to protect against the exploitation and compromise of cardholder data.

Implement Strong Access Control Measures

The seventh and eighth requirements require that access to impacted systems and data, and the access points to them, be secured, and that the access granted be commensurate with the role of the person or resource.

All access, including system access and access to physical areas, must be restricted to authorized resources only.

  1. Restrict access to cardholder data by business need-to-know.

Access to data should be granted on a need-to-know basis, so systems and processes must be in place to enforce limited access. Need-to-know dictates that access is granted only at the minimum level, and only if it is needed to perform a job responsibility.

Employee error is the leading cause of data breaches as of 2015. The best way to reduce this problem is by having strong access controls in place for all impacted systems.

  2. Identify and authenticate access to system components.

It is imperative to assign a unique identification set of credentials to each person with access to sensitive information. This ensures that each individual is solely accountable for his or her actions and that a level of traceability is available.

  3. Restrict physical access to cardholder data.

Physical access to all data and systems should be restricted.

Regularly Monitor and Test Networks

The ninth and tenth requirements include tracking and monitoring all access to network resources and cardholder data, including the regular testing of controls, systems and processes.

  1. Track and monitor all access to network resources and cardholder data.

Log files, system traces, and any other tool that enables the tracking of access to sensitive data are critical in preventing, detecting, or minimizing a data breach. The availability of logs enables tracking, alerting, and analysis when an intrusion occurs. It is almost impossible to identify and diagnose a breach without system logs.
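As an added example (not code from the original article), the review below runs a simple access-log check that covers both this requirement and the unique-identification requirement above: it parses constructed audit log lines, and flags three conditions against a cardholder-data resource: use of a shared or generic account (no individual accountability), repeated failed access attempts, and a successful read by a user who is not on the need-to-know list. The log format, the resource name prefix `chd_db.`, the allow-list, the shared-account names and the failure threshold are all assumptions chosen for the illustration.

```python
import re
from collections import Counter

# Constructed sample audit log lines for the illustration; not real data.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z user=jsmith action=READ resource=chd_db.pan result=SUCCESS src=10.0.5.12
2024-03-01T10:16:40Z user=admin action=READ resource=chd_db.pan result=SUCCESS src=10.0.5.99
2024-03-01T10:17:03Z user=tlee action=READ resource=chd_db.pan result=FAILURE src=10.0.7.4
2024-03-01T10:17:05Z user=tlee action=READ resource=chd_db.pan result=FAILURE src=10.0.7.4
2024-03-01T10:17:09Z user=tlee action=READ resource=chd_db.pan result=FAILURE src=10.0.7.4
2024-03-01T10:20:11Z user=jsmith action=READ resource=inventory.sku result=SUCCESS src=10.0.5.12
2024-03-01T10:22:30Z user=bwong action=READ resource=chd_db.pan result=SUCCESS src=10.0.9.21
"""

# Assumed key=value log layout; adapt the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

CHD_PREFIX = "chd_db."                  # assumed naming for in-scope cardholder data
NEED_TO_KNOW = {"jsmith"}               # assumed allow-list from the access-control review
SHARED_ACCOUNTS = {"admin", "root", "sa"}  # assumed generic accounts that defeat traceability
FAILURE_THRESHOLD = 3                   # assumed: alert on the third failure per user


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_access(events: list[dict]) -> list[dict]:
    """Return alerts for cardholder-data access that needs follow-up."""
    alerts = []
    failures = Counter()
    for e in events:
        if not e["resource"].startswith(CHD_PREFIX):
            continue                    # only cardholder-data resources are in scope here
        user = e["user"]
        if user in SHARED_ACCOUNTS:
            alerts.append({"kind": "shared-account", "user": user, "ts": e["ts"]})
            continue
        if e["result"] == "FAILURE":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                alerts.append({"kind": "repeated-failures", "user": user, "ts": e["ts"]})
            continue
        if user not in NEED_TO_KNOW:
            alerts.append({"kind": "unauthorized-access", "user": user, "ts": e["ts"]})
    return alerts


def access_summary(events: list[dict]) -> Counter:
    """Count successful cardholder-data accesses per user for the periodic review."""
    return Counter(
        e["user"] for e in events
        if e["resource"].startswith(CHD_PREFIX) and e["result"] == "SUCCESS"
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in review_access(evts):
        print(f"{a['ts']} {a['kind']:20} user={a['user']}")
    print("successful CHD accesses per user:", dict(access_summary(evts)))
```

The per-user summary is the artifact a periodic access review would compare against job roles; the alerts are what a monitoring process should raise as they occur, so that a control failure is noticed while the logs still tell the story.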

  2. Regularly test security systems and processes.

System vulnerabilities are constantly being discovered, so all systems, processes, and software should be tested regularly.

Maintain an Information Security Policy

Your client must implement and maintain a policy that addresses information security for all personnel.

  1. Maintain a policy that addresses information security for all personnel.

A strong, PCI DSS compliant security policy secures your PCI DSS-scoped infrastructure and sets a standard for what is expected of your employees.

It is critical to ensure every employee understands what is expected of him or her regarding the security of your client’s sensitive data. All personnel should be aware of the data’s sensitivity and the individual and group responsibilities for protecting it.

The security policy is critical for good reason: cyber-attacks are vicious and lightning-quick. Once a new piece of malware is released, it takes an average of only 82 seconds for someone to unknowingly become a victim.

Best Practices for Implementing PCI DSS

PCI DSS should be integrated into everyday business activities, as it is an essential part of overall security and allows a company to ensure compliance.

Examples of how to implement PCI DSS into your regular activities include:

  1. Constantly monitor all security controls to ensure they are operating effectively and as intended.
  2. Identify and respond to all security control failures in a timely manner. The process around these failures should include:
  • Restoring the security control
  • Identifying the cause of the failure
  • Identifying and remediating any security issues that occurred during the control failure
  • Implementing mitigation to prevent the failure from recurring
  • Resuming monitoring of the security control to verify that it is operating effectively
  3. Review any change to the environment before completing it. Ensure you perform the following tasks:
  • Identify any impact on PCI DSS scope that results from a new or modified system introduced into your PCI DSS environment.
  • Identify the PCI DSS requirements that are in scope for the systems and networks affected by the change.
  • Update your PCI DSS scope and implement the necessary security controls.
  4. Review changes to the organizational structure, and conduct a formal review of the impact on PCI DSS scope and requirements.

This can be done at the individual and group role levels to ensure that current access is commensurate with the employee’s responsibilities and his or her job role.

  5. Perform regular reviews and report findings to confirm that PCI DSS requirements are implemented and that secure processes are in place as necessary.

These reviews should cover all company locations and include reviewing system components to verify that PCI DSS requirements have been adhered to and are implemented. The frequency of these reviews is determined by the business as appropriate for the size and complexity of their environment.

These reviews can be used to verify that appropriate evidence is being maintained for PCI DSS compliance efforts.

  6. Document and review hardware and software technologies regularly.

You must verify that all equipment is supported by the vendor and can meet your client’s PCI DSS security requirements. Take action if the equipment is not supported or compliance requirements are not met.

The cost of neglecting software currency is alarming. In 2015, 44% of breaches were the direct result of having two- to four-year-old unpatched software. Imagine how many of these situations could have been avoided by simply observing software currency.

It is important to assess, monitor, remediate, and report on your PCI DSS security controls on a regular basis!

Scoping a PCI DSS Environment

PCI Data Security Standard implementation and compliance begins with accurately scoping your PCI DSS environment. This scoping process includes identifying all system components that are located within, or connected to, the environment containing cardholder data.

The PCI SSC has provided basic guidance for compliance, including a three-step process to assess, remediate, and report PCI DSS in-scope data.

SolarWinds MSP (formerly LOGICnow) facilitates PCI DSS compliance at multiple levels by providing your clients with a superior product designed to meet and exceed compliance thresholds for all PCI DSS requirements.