12 PCI DSS Compliance Requirements – Checklist
As mobile and contactless payment methods become the norm, the vendors that process those payments become a prime target for cybercriminals. A data breach is costly, bringing direct financial loss as well as loss of reputation. According to Statista, global e-commerce losses to online payment fraud were estimated at $41 billion.
To defend against such attacks, five major card brands created a common standard, PCI DSS, which sets out the security requirements for protecting the card-processing ecosystem against cyber-attacks. This article walks through the 12 PCI DSS requirements and how organizations benefit from meeting them.
PCI DSS Compliance Overview
The Payment Card Industry Data Security Standard (PCI DSS) was first released in 2004 by the major card brands: MasterCard, Visa, Discover Financial Services, American Express, and JCB International. Since 2006 it has been maintained by the PCI Security Standards Council (PCI SSC), a global forum that brings together stakeholders from the payments industry to develop and drive adoption of data security standards and resources for safe payments worldwide. Any business that stores, processes, or transmits payment card data is required, through its agreements with its acquiring bank and the card brands, to comply with PCI DSS, both to protect that data and to keep the trust of its customers.
What are the Compliance Requirements of PCI DSS?
PCI DSS protects card data by requiring a business to implement the controls set by the PCI SSC. There is no "PCI certificate" as such; compliance is validated each year either by a Self-Assessment Questionnaire (SAQ) or, for larger merchants and service providers, by a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA). Beyond the technical controls, businesses must restrict access to cardholder data and monitor all access to network resources.
Let’s discuss the 12 PCI DSS compliance requirements:
- Install and maintain a firewall configuration
The first requirement is to build and maintain a secure network with properly configured firewalls and routers. Firewalls are the first line of defense for the cardholder data environment (CDE): inbound and outbound traffic is restricted to what the business needs, everything else is denied by default, and every permitted service, protocol, and port must be documented with a business justification. Systems that hold cardholder data must not be directly reachable from the Internet; a DMZ sits in between. The rule set must be reviewed at least every six months to catch rules that are no longer needed or that expose the CDE. Together these controls make allowing or denying network access a standardized, auditable process rather than an ad hoc one.
- System passwords must be original (not vendor-supplied)
Requirement 2 strengthens the security of an organization's systems, including network devices, servers, applications, and firewalls, by removing the default usernames, passwords, SNMP community strings, and other insecure settings that ship with them.
Default credentials are easy to guess and are often published online, so they are a standing security risk. Compliance requires keeping an inventory of all in-scope systems, applying a documented hardening standard (industry baselines such as CIS Benchmarks or NIST guidance are accepted) whenever a new system is introduced, disabling unnecessary services and protocols, and implementing only one primary function per server so that functions needing different security levels do not share a host.
- Protect stored cardholder data
Requirement 3 is often considered the most important of the twelve. Organizations must identify all stored cardholder data, including where it lives and how long it is retained, keep storage to the minimum the business needs, and render the primary account number (PAN) unreadable wherever it is stored: by strong encryption (for example AES-256), truncation, tokenization, or a one-way hash (keyed hashes such as HMAC under PCI DSS v4.0, because an unkeyed hash of a PAN can be brute-forced). Sensitive authentication data, meaning full magnetic-stripe or chip data, the card verification code (CVV/CVC), and PINs, must never be stored after authorization, even if encrypted.
A documented key-management process (generation, distribution, storage, rotation, and retirement of keys) is also mandated. Card data turns up in unexpected places: application and web-server logs, database dumps, exported spreadsheets, and backups, so the discovery step has to cover all of them. The requirement also governs how PANs are displayed: masked so that at most the first six (BIN) and last four digits are visible, with full PANs shown only to personnel with a legitimate business need.
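To make the discovery and protection steps concrete, the following Python is an added example written for this page, not part of the standard or of any vendor's product. It scans a few constructed log lines for card numbers (a digit pattern confirmed with the Luhn check, so that a 16-digit order number is not mistaken for a PAN), then shows the four techniques Requirement 3 accepts for rendering a PAN unreadable: masking for display, truncation, a keyed one-way hash, and tokenization through a minimal vault. The sample log lines, the HMAC key, and the TokenVault class are assumptions made for the example.

```python
"""Added example: find stored PANs and render them unreadable (PCI DSS Req. 3).

Scans constructed log lines for card numbers (regex plus Luhn check), then
shows masking, truncation, keyed hashing and tokenization of the PAN.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real data). The order number on line 0 is
# 16 digits but fails Luhn, so it must not be flagged; the phone number is too short.
SAMPLE_LOG = [
    "2024-05-03T10:15:02Z order=1234567890123456 pan=4111111111111111 status=approved",
    "2024-05-03T10:15:07Z refund card=5555-5555-5555-4444 amount=19.99",
    "2024-05-03T10:16:00Z customer phone=555-123-4567 session=9f1c",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> PANs found, for the lines that contain any."""
    return {i: pans for i, line in enumerate(lines) if (pans := find_pans(line))}


def mask_pan(pan: str) -> str:
    """Display form: at most the first six (BIN) and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits; the rest is discarded, not hidden."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). An unkeyed hash of a 16-digit PAN is
    brute-forceable: with a known BIN and the Luhn digit only ~10^9 candidates remain."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal index-token vault: callers keep the random token, only the vault
    holds the PAN. A production vault encrypts its store and lives inside the CDE."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)  # unpredictable, unrelated to the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def redact_line(line: str) -> str:
    """Rewrite a log line with every Luhn-valid card number masked."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {pans} -> {redact_line(SAMPLE_LOG[idx])}")
```

Running the scanner over real log directories is the discovery step; redact_line is what a log-forwarding pipeline should apply before anything leaves the CDE, and the choice between truncation, hashing and tokens depends on whether the business later needs to match the same card (hash or token) or only show it (masking).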
- Encrypt transmission of cardholder data across open and public networks
Requirement 4 protects cardholder data in transit over open or public networks: the Internet, wireless networks (Wi-Fi, Bluetooth), cellular networks (GSM, CDMA), and satellite links. You must know where card data is sent and received, typically to payment gateways and processors for authorization, and encrypt it before transmission using strong cryptography and secure protocols such as TLS, IPsec, or SSH. SSL and early TLS (1.0 and 1.1) are no longer acceptable: use TLS 1.2 or later with certificate validation, and never send PANs over end-user messaging such as e-mail or chat unless they are encrypted first.
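The following Python is an added example, not from the page's author or from PCI SSC, that puts the weak client-side TLS setting next to the hardened one using only the standard library ssl module, and adds a small audit that reports which of the expectations above a context misses. The function names, the cipher string, and the TLS 1.2 floor are the editor's choices for this example. Only handshake_info opens a network connection, and it is not called by default, so the rest runs offline.

```python
"""Added example: insecure vs. hardened TLS client configuration (PCI DSS Req. 4)."""
from __future__ import annotations

import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The shape of a 'just make it work' snippet: the peer certificate is never
    checked, so an on-path attacker can impersonate the payment gateway and read
    the cardholder data in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Certificate and hostname verification on, TLS 1.2 as the floor (SSL and
    early TLS are not permitted), compression off, forward-secret AEAD suites only.
    cafile is an optional private CA bundle for gateways that use an internal CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION
    # TLS 1.2 suites; TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer would raise against ctx; an empty list means clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


def summarize(ctx: ssl.SSLContext) -> dict[str, object]:
    """The three settings an assessor asks about, as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def handshake_info(host: str, port: int = 443) -> tuple[str, str]:
    """Connect with the hardened context and return the negotiated (version, cipher).
    Not called by the checks above; run it manually against a real gateway host."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()), summarize(hardened_context()))
```

The audit is the useful part for a code review: grep the code base for SSLContext construction and run audit_context on each one, since the insecure pattern usually arrives as a workaround for a certificate error that should have been fixed by supplying the right CA bundle instead.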
- Use and regularly update antivirus software or programs
Requirement 5 defends against malware by requiring anti-malware software on all systems commonly affected by it, particularly workstations, laptops, and servers, including mobile devices that connect to the cardholder data environment. The software must be kept current, run periodic scans, generate audit logs that are retained as Requirement 10 demands, and be configured so that users cannot disable or alter it without management authorization.
- Develop and maintain secure systems and applications
Requirement 6 calls for a systematic approach to managing vulnerabilities. Organizations must track newly disclosed vulnerabilities, rank them by risk, and install vendor security patches promptly (critical patches within one month of release). This covers every system that stores, processes, or transmits cardholder data: operating systems, network devices, databases, and application software. Security must also be built into the development lifecycle: secure coding practices that address common flaws such as injection and cross-site scripting, code review before release, separation of development and production environments, and, for public-facing web applications, either an application security review at least annually and after changes or a web application firewall in front of them.
- Restrict access to cardholder data
Requirement 7 restricts access to systems and data in the cardholder data environment to those whose job requires it, following need-to-know and least privilege.
The access control system must default to deny-all, granting privileges only on the basis of job classification and function. Organizations should maintain a documented list of roles with access to systems holding card data, including each role's definition, its current and expected privilege level, and the data resources it needs to perform its tasks; this is what an assessor compares the actual permissions against.
- Assign a unique ID to each person with computer access
Requirement 8 mandates a unique ID and strong authentication (a password or passphrase, a token, or a biometric) for every user who accesses cardholder data or in-scope systems. Shared or group accounts and passwords are not allowed, so every action on card data can be traced to a known individual. Multi-factor authentication is required for all non-console administrative access to the cardholder data environment and for all remote network access originating from outside the organization's network.
- Restrict physical access to cardholder data
Requirement 9 covers physical access to systems that hold cardholder data and to the media (paper, backup tapes, disks) that contain it. Controls include facility entry controls and badges, visitor authorization and logs, secure storage and destruction of media, and an inventory of point-of-interaction (card-reading) devices with periodic inspection for tampering or substitution. The aim is to prevent an intruder from stealing, disrupting, or destroying critical systems and cardholder data.
- Track and monitor all access to network resources and cardholder data
Requirement 10 emphasizes logging and monitoring of all access to network resources and cardholder data so that security incidents can be detected and reconstructed. Audit logs from all in-scope systems, and from security functions such as firewalls, IDS/IPS, and authentication servers, must be reviewed at least daily for anomalies or suspicious activity.
A SIEM or log management platform helps collect logs centrally, review them, and raise alerts. Each audit record must capture the user ID, the type of event, the date and time, whether it succeeded or failed, where it originated, and the data, system, or resource affected. Timestamps must be accurate, which means all system clocks are synchronized from a trusted time source (for example NTP against a central, protected time server). Audit data must be protected from tampering and retained for at least one year, with the most recent three months immediately available for analysis.
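A minimal daily review of the kind Requirement 10 describes, written in Python as an added example for this page (not tooling from PCI SSC or from the page's author). It checks that each record carries the fields listed above, rejects timestamps that lack a UTC offset and so cannot be placed on the synchronized timeline, and flags two patterns that should become tickets: a burst of failed logins from one source, and a successful login with a shared account, which Requirement 8 forbids. The JSON log lines, the field names, and the five-failures-in-five-minutes threshold are constructed assumptions.

```python
"""Added example: daily audit-log review pass (PCI DSS Req. 10)."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# PCI DSS 10.3: user ID, event type, date and time, success/failure,
# origination of the event, identity of the affected data or resource.
REQUIRED_FIELDS = ("user", "event", "time", "result", "source", "target")
SHARED_ACCOUNTS = {"admin", "root", "administrator"}   # generic IDs that must not be used interactively

# Constructed sample records, one JSON object per line (not real log data).
# Lines 1-5: five failures from one address in under three minutes.
# Line 6: success with a shared account. Line 7: no "source". Line 8: naive timestamp.
SAMPLE_LOG = """\
{"time": "2024-05-03T08:00:01+00:00", "user": "jdoe", "event": "login", "result": "success", "source": "10.0.5.12", "target": "cde-db01"}
{"time": "2024-05-03T08:02:00+00:00", "user": "svc_backup", "event": "login", "result": "failure", "source": "203.0.113.9", "target": "cde-app01"}
{"time": "2024-05-03T08:02:30+00:00", "user": "svc_backup", "event": "login", "result": "failure", "source": "203.0.113.9", "target": "cde-app01"}
{"time": "2024-05-03T08:03:10+00:00", "user": "svc_backup", "event": "login", "result": "failure", "source": "203.0.113.9", "target": "cde-app01"}
{"time": "2024-05-03T08:03:55+00:00", "user": "svc_backup", "event": "login", "result": "failure", "source": "203.0.113.9", "target": "cde-app01"}
{"time": "2024-05-03T08:04:40+00:00", "user": "svc_backup", "event": "login", "result": "failure", "source": "203.0.113.9", "target": "cde-app01"}
{"time": "2024-05-03T08:10:00+00:00", "user": "admin", "event": "login", "result": "success", "source": "10.0.5.40", "target": "cde-app01"}
{"time": "2024-05-03T08:11:00+00:00", "user": "jdoe", "event": "read", "result": "success", "target": "cde-db01/cardholders"}
{"time": "2024-05-03 08:12:00", "user": "jdoe", "event": "logout", "result": "success", "source": "10.0.5.12", "target": "cde-db01"}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(value: str) -> datetime | None:
    """Aware datetime, or None if the value is unparseable or has no UTC offset
    (a record that cannot be placed on the synchronized timeline)."""
    try:
        dt = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo is not None else None


def validate_record(rec: dict) -> list[str]:
    """Problems that make a record unusable as PCI DSS audit evidence."""
    problems = [f"missing field '{f}'" for f in REQUIRED_FIELDS if f not in rec]
    if "time" in rec and parse_time(rec["time"]) is None:
        problems.append("timestamp is not an ISO-8601 value with a UTC offset")
    return problems


def review(records: list[dict], window: timedelta = timedelta(minutes=5),
           threshold: int = 5) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for one day's records."""
    findings: list[tuple[str, str]] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    for i, rec in enumerate(records):
        for problem in validate_record(rec):
            findings.append(("malformed", f"record {i}: {problem}"))
        is_login = rec.get("event") == "login"
        if is_login and rec.get("result") == "success" and rec.get("user") in SHARED_ACCOUNTS:
            findings.append(("shared-account", f"{rec['user']} from {rec.get('source')} on {rec.get('target')}"))
        if is_login and rec.get("result") == "failure":
            t = parse_time(rec.get("time"))
            if t is not None:
                failures[rec.get("source")].append(t)
    # Sliding window: `threshold` failures from one source inside `window` is a burst.
    for src, times in failures.items():
        times.sort()
        for j in range(len(times) - threshold + 1):
            if times[j + threshold - 1] - times[j] <= window:
                findings.append(("failed-login-burst", f"{len(times)} failed logins from {src}"))
                break
    return findings


if __name__ == "__main__":
    for kind, detail in review(parse_log(SAMPLE_LOG)):
        print(f"[{kind}] {detail}")
```

The "malformed" findings matter as much as the attack patterns: a record with no source or with a clock-less timestamp cannot be correlated across systems, and an assessor treats gaps like that as a failure of the logging control itself, not just a nuisance for the analyst.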
- Regularly test security systems and processes
Requirement 11 is about regularly testing security systems and processes so that weaknesses are found before an attacker finds them. Internal and external vulnerability scans are required at least quarterly and after any significant change, with external scans performed by a PCI SSC Approved Scanning Vendor (ASV); penetration testing of the network and applications is required at least annually and after significant changes, and must also confirm that network segmentation really isolates the CDE. The requirement also covers quarterly detection of unauthorized wireless access points, intrusion detection or prevention at the perimeter and at critical points inside the CDE, and change-detection (file-integrity monitoring) on critical system files with comparisons at least weekly. Findings from scans and tests feed back into patching and remediation under Requirement 6.
- Maintain a policy that addresses information security for all personnel
Requirement 12 addresses governance: a written information security policy that is documented, reviewed at least annually, updated as the environment changes, and distributed to all relevant personnel.
Supporting controls include an annual risk assessment, acceptable-use policies for technologies that touch cardholder data, background checks for new hires with access to card data, security awareness training for all employees on hire and at least annually, management of service providers with whom cardholder data is shared, and a tested incident response plan that is ready to be invoked in the event of a breach.
Automate PCI DSS Compliance with CyberArrow
PCI DSS compliance requirements can be complex, but you don’t need to worry about staying compliant, as compliance automation can do the work for you. CyberArrow is a user-friendly platform that automates the requirements of PCI DSS compliance for your organization, simplifying the process of achieving and maintaining compliance while reducing manual effort and the risk of human errors.
Get in touch to get a free demo today!
- What is requirement 3 of PCI DSS?
Requirement 3 of PCI DSS covers the protection of stored cardholder data: knowing where it is kept, keeping only what is needed, never storing sensitive authentication data after authorization, and rendering stored PANs unreadable, so that merchants and financial institutions are protected against theft and unauthorized use of the data.
- What are the 6 principles of PCI DSS?
The six control objectives (often called the six principles) of PCI DSS, under which the twelve requirements are grouped, are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
- To whom does PCI DSS apply?
PCI DSS applies to all organizations that handle cardholder data, including those involved in storing, processing, and transmitting the information. This standard covers technical and operational aspects of cardholder data systems and all connected components.
- What are the PCI compliance levels?
Merchant compliance levels are defined by the individual card brands and are based on annual transaction volume; the thresholds below are Visa's, and the other brands use similar figures. The level does not change which requirements apply, only how compliance is validated: Level 1 merchants need an annual on-site assessment and Report on Compliance by a QSA, while lower levels may complete a Self-Assessment Questionnaire.
Level 1: Merchants processing more than 6 million card transactions annually.
Level 2: Merchants processing 1 million to 6 million card transactions annually.
Level 3: Merchants processing 20,000 to 1 million e-commerce transactions annually.
Level 4: Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million card transactions annually in total.