If your business handles online sales and transactions made with credit and debit cards, ensuring that you comply with the legal requirements of eCommerce is essential. You need to respect, understand, and satisfy the demands of PCI-DSS.
We thought we’d put together a little summary of what you need to know about PCI-DSS… and what it means for your business.
What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a set of regulations relating to online commercial transactions and, specifically, the protection of a consumer’s card details and personal information.
It is a global standard that enables businesses to process card payments securely. This covers the storage, transmission and processing of cardholder data.
While PCI-DSS is not a legal requirement in and of itself, most of the data it covers does fall under the umbrella of the Data Protection Act. So if you’re a business that handles card payments online, you’ll need to adopt the standard.
The Payment Card Industry Security Standards Council, which developed and maintains PCI-DSS, states that the regulations should cover “all system components included in or connected to the cardholder data environment”. Failure to satisfy the requirements, at least in terms of the Data Protection Act, can lead to serious repercussions, including fines and revoked card processing capabilities.
The 12 Requirements of PCI-DSS
The PCI-DSS standard is organized into 12 requirements split across six categories.
Category 1: Build and Maintain a Secure Network
There are two requirements that fall under Category 1:
Requirement 1 – install and maintain a firewall configuration that protects cardholder data.
This incorporates the use of properly configured firewalls to prevent unauthorised access. Firewalls control the traffic between the company’s trusted internal networks and untrusted external networks.
Requirement 2 – avoid the use of vendor-supplied defaults when handling system passwords and security parameters.
These defaults are commonly known and easy to exploit, and changing them immediately makes it harder for criminals to attack and compromise the systems that hold cardholder data.
Category 2: Protect Cardholder Data
Two requirements fall under Category 2:
Requirement 3 – protect stored cardholder data.
Only the minimum necessary data should be stored, and it should be protected by encryption, truncation, masking and hashing. Meanwhile, the full contents of the chip or magnetic stripe, as well as the CVN and PIN data, should never be stored by the company after authorisation.
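As an added illustration of Requirement 3 (not code from the original post), the functions below show the masking, truncation and keyed-hash forms of a PAN, plus a scan of constructed log lines for full PANs that should never have been written to disk. The HMAC key and the sample log lines are assumptions for this example; 4111 1111 1111 1111 is a widely known test number, not a real card.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card brands; filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return re.sub(r"\D", "", pan)[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC) so a PAN can be matched without being recoverable.
    The key is a hypothetical secret that must be stored outside the database."""
    return hmac.new(key, re.sub(r"\D", "", pan).encode(), hashlib.sha256).hexdigest()

def find_pans_in_logs(lines):
    """Return (line_number, masked_pan) for every Luhn-valid full PAN found in log text."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits

# Constructed sample log lines for the demonstration.
SAMPLE_LOGS = [
    "2024-01-01 12:00:01 checkout ok order=1234567890123 amount=19.99",
    "2024-01-01 12:00:02 DEBUG gateway request pan=4111 1111 1111 1111 exp=12/26",
    "2024-01-01 12:00:03 refund pan=411111******1111",
    "2024-01-01 12:00:04 retry pan=4111111111111112",
]

if __name__ == "__main__":
    for n, masked in find_pans_in_logs(SAMPLE_LOGS):
        print(f"line {n}: unmasked PAN written to log -> {masked}")
```

Only the second line is reported: the order number and the retry line fail the Luhn check, and the refund line is already masked.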
Requirement 4 – the transmission of cardholder information across open and public networks must be encrypted.
Security protocols like TLS, IPSec, and SSH are needed to protect sensitive data while the security policies related to the transmission of data in public networks should be clearly published and documented.
Category 3: Maintain a Vulnerability Management Program
Category 3 covers two requirements:
Requirement 5 – ensure all systems are suitably protected against malware and running up-to-date anti-virus software.
This means using anti-malware tools to detect and remove malware… on a 24/7 basis. They should only be disabled when authorised for a specific process.
Requirement 6 – develop and maintain secure applications and systems.
Vulnerabilities need to be identified and ranked by their risk factor, while any software updates and patches from the specific vendors should be installed within 30 days of release. The maintenance aspects relate to internally and externally developed applications.
Category 4: Implement Strong Access Control Measures
Three requirements fall under category 4:
Requirement 7 – restrict access to cardholder data.
The abuse of user privileges is one of the most common forms of online attack and can be very difficult to identify too. Limiting the access rights to sensitive data should involve setting the access control defaults to deny access. The access can then be given on a need-to-know basis.
Requirement 8 – identify and authenticate access to the system.
Documented policies and procedures should be used across all system components, with a special focus on non-consumer users and administrators. All users should have unique user IDs, and two-factor authentication should be implemented for remote network access.
Requirement 9 – limit access to cardholder data on a physical level.
This means restricting the access to server rooms, data centers, and other locations that house sensitive data. Media should be secured while storage, access and distribution must be handled in a controlled environment. Once media is no longer needed, it should be disposed of.
Category 5: Regularly Monitor and Test Networks
Category 5 has two requirements:
Requirement 10 – track and monitor access to the network and cardholder data.
Logging helps to prevent and detect a compromise and to minimise its damage, which is why audit trails need to be implemented in a secure manner. At least three months of logs should be immediately available to the security team for analysis, and all logs should be retained for a minimum of one year.
Requirement 11 – test security elements on a regular basis.
This should cover both systems and processes. Tests for unauthorized wireless access points and internal and external network vulnerability scans should be run at least quarterly. Also, weekly comparisons of critical files can quickly alert staff to unauthorized system modifications.
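The weekly critical file comparison mentioned above, written out as an added example (not code from the original post): a SHA-256 baseline is taken over a file tree and a later snapshot is diffed against it. The directory layout, file contents and the simulated changes are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root) -> dict:
    """Map every file under root (relative, POSIX-style path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baselines(old: dict, new: dict) -> dict:
    """Report what changed between two snapshots of the critical file set."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def run_demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree in three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=db.internal\n")
        (root / "bin" / "payment").write_bytes(b"\x7fELF placeholder binary")
        baseline = build_baseline(root)
        # One file edited, one unexpected file added, one deleted: all three should be reported.
        (root / "etc" / "app.conf").write_text("db_host=db.internal\ndebug_log_pan=true\n")
        (root / "bin" / "helper").write_text("#!/bin/sh\n")
        (root / "bin" / "payment").unlink()
        return compare_baselines(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, files in run_demo().items():
        for name in files:
            print(f"{kind}: {name}")
```

In production the baseline itself must be stored where a compromised host cannot rewrite it, otherwise the comparison proves nothing.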
Category 6: Maintain an Information Security Policy
Category 6 contains just a single requirement:
Requirement 12 – maintain a policy that addresses data protection and information security.
The security policy should be established, published, maintained and disseminated for the best results. Risk assessments, usage policies, and incident response plans must also be established so that any attacks or breaches can be dealt with efficiently.
Are You PCI-DSS Compliant?
PCI-DSS is a collection of requirements that ultimately create the globally accepted standards regarding the handling of sensitive cardholder data, including personal details and payment information.
If you’re concerned about whether your e-commerce platform is compliant or secure, we’d love to have a short conversation. At BitLyft, we specialize in securing the data of both organizations and the customers who trust them. Reach out today and we can determine what steps, if any, are needed to keep you PCI-DSS compliant.