PCI 101: Becoming PCI Compliant

The Payment Card Industry (PCI) has established compliance requirements to help merchants protect customer credit card data. As you might imagine, criminals want to harvest card data so they can use it to create fraudulent transactions. The banks have developed sophisticated algorithms to detect and block this type of fraud, but the bulk of prevention happens at the merchant level, with controls that prevent theft of the cardholder data (CHD) in the first place.


I’ll discuss the requirements for the highest merchant level, Level 1, because its validation requirements are the most complex and difficult to implement. If the banks and card brands had their way, every merchant would validate at Level 1 so they could be confident security was as high as possible. Your level is assigned by your acquiring bank based on the number of card transactions you process in a 12-month period: a merchant processing several million transactions a year puts far more CHD at risk than a small business with a few transactions per week. The basic breakdown, using Visa's transaction counts, is:

  • Level 1 – Merchant processes over 6 million Visa transactions per year, across all channels (or is designated Level 1 by Visa, for example after a previous breach or identified security issues)
  • Level 2 – Merchant processes between 1 million and 6 million Visa transactions per year, across all channels.
  • Level 3 – Merchant processes between 20,000 and 1 million Visa e-commerce transactions per year.
  • Level 4 – Merchant processes fewer than 20,000 Visa e-commerce transactions per year, or up to 1 million Visa transactions per year across all channels.

The PCI DSS contains 12 requirements for data security. You are expected to address all 12 and, as a Level 1 merchant, to have an external assessor validate at least once per year that you are performing all the prescribed actions and have all required controls in place. Once the assessor verifies this with the annual on-site assessment, they issue a Report on Compliance (ROC), which documents the evidence showing how your business meets each requirement, together with an Attestation of Compliance (AOC), and you must provide these to your bank. Failure to remain compliant, and to prove it with a ROC, means your bank can refuse to let you accept cards and can pass on fines of thousands of dollars from the card brands, particularly if you misrepresented your level of compliance.


The summary of the 12 PCI DSS Requirements:


  1. Install and Maintain Firewalls – You must have a perimeter firewall between the systems that collect, process, or store CHD and the internet, and between those systems and the rest of your internal network. Configure your firewalls to deny everything except the traffic the CHD systems need, document the approved rule set, and have change controls in place to manage who can alter it.
  2. Eliminate Vendor-Supplied Default Passwords – Nearly every piece of IT equipment ships with a standard password that you are expected to change once the equipment is installed on your network. The problem is that many people never change those defaults, and anyone who works in IT (or reads the vendor manual) knows what they are. Always change default passwords and other default settings (default accounts, SNMP community strings), and make sure only a select few people know the new credentials at any time.
  3. Protect Stored CHD – Know where card data is collected, processed, and stored so you can identify the systems that need protection, and store only what you need. The full card number (PAN) must be masked when displayed and rendered unreadable wherever it is stored (for example with strong encryption, truncation, or hashing), and sensitive authentication data such as the CVV and full magnetic-stripe data must never be stored after authorization.
  4. Encrypt Transmission of CHD – Never send card data across the internet or any other open, public network without strong cryptography, such as a current version of TLS; cleartext e-mail and obsolete protocols such as SSL and early TLS do not qualify.
  5. Protect Against Malware and Viruses – Make sure in-scope systems run anti-malware software that is kept current, actively running, and logging. Anti-virus software doesn’t always work as well as you would like, but this basic protection is better than nothing at all.
  6. Maintain Secure Systems – Configure your in-scope systems to be as secure as possible, apply vendor security patches promptly (critical patches within a month of release), and keep documentation showing how each system was hardened when it was installed and after any maintenance.
  7. Restrict Access – Only people with a business need to know should have access to in-scope systems. Limit who has physical and remote access to those systems as much as possible, and default to "deny" unless access has been specifically approved.
  8. Authenticate Access – Every user who accesses those systems must have their own unique login. Never share accounts: the system must know each user's identity so that if something is compromised, the activity can be tied to a specific person. Remote access and administrative access to the CHD environment additionally require multi-factor authentication.
  9. Restrict Physical Access – Put your servers behind a locked door. Limit access to network switches and wiring closets so that only approved personnel can physically reach them. These basic controls improve security and prevent unauthorized changes to configuration and system settings.
  10. Track and Monitor Access – Log all access to network resources and CHD with enough detail (who, what, when, where, outcome) to reconstruct events, synchronize clocks across systems, protect the logs from tampering, and review them daily to spot abnormal activity and unauthorized system changes. Retain logs for at least a year, with at least three months immediately available for analysis.
  11. Regularly Test Security – Run internal and external vulnerability scans at least quarterly and after significant changes, perform penetration tests at least annually, and deploy file-integrity monitoring so that unauthorized changes to critical files are detected and alerted on.
  12. Maintain a Security Policy – Write a security policy and publish it to the entire company. Make sure everyone knows their part in protecting customer data, including card transaction data, and that they acknowledge the policy each year with sign-off sheets and evidence of training. This requirement also covers your incident response plan, which must be tested at least once per year.


What actions must you take to become compliant?

  1. Talk to your bank – Your acquiring bank drives this process, so work directly with it. Confirm your merchant level based on your transaction volume, raise your concerns and questions, and get the timeline and expectations for when you must complete the assessment and submit your ROC and AOC.
  2. Understand Penalties – Make sure you understand the cost of non-compliance. It should be much cheaper to demonstrate compliance than to pay the penalties and fines your bank will pass on if you do nothing. Use this information to size your budget and to sell the project to your management team. Remember: businesses may also face lawsuits and regulatory action for failing to protect customer data, so seek legal advice if you are considering not pursuing compliance.
  3. Read the PCI DSS – The PCI Security Standards Council (PCI SSC) writes the requirements and publishes them as the Payment Card Industry Data Security Standard (PCI DSS). The standard, its supporting guidance, and the ROC and AOC templates are free from the PCI SSC document library at pcisecuritystandards.org; download everything you can find and start reading.
  4. Engage a QSA – You will need a Qualified Security Assessor (QSA) to review your infrastructure and verify you are meeting the PCI DSS requirements. This costs money, but it is required: a Level 1 merchant must have an external QSA verify all the requirements and issue a Report on Compliance (ROC) each year. A good QSA will also tell you what evidence they will need, confirm you are performing the required tests correctly, and advise on the policies and procedures the assessment will require, although producing that evidence and documentation remains your responsibility.
  5. Start Network Scans – Engage an Approved Scanning Vendor (ASV) to run external vulnerability scans of your internet-facing systems at least quarterly; passing ASV scans are evidence that your perimeter is properly configured and patched with the latest vendor security updates. You will also need quarterly internal vulnerability scans, run either by your own staff or by someone with the relevant skills, looking for vulnerabilities and misconfigured systems that have access to CHD. Penetration testing is a separate requirement: at least annually and after any significant change, by qualified internal staff or a third party.
  6. Passwords – Review all systems for default passwords and change vendor-supplied passwords immediately. Implement a password program for all employees; under PCI DSS 3.x, passwords must be at least seven characters containing both letters and numbers, must be changed at least every 90 days (requirement 8.2.4), and accounts must lock out after repeated failed login attempts.
  7. Protect In-Scope Systems – Your systems must run anti-virus and anti-malware software. You will also need policies and procedures that prohibit users from installing unapproved software (games, internet applications, etc.) that could compromise in-scope systems. No one accesses those systems with a shared account: each user has their own account, granted the least privilege required to do their job. You will also need to monitor all in-scope systems for file changes (file-integrity monitoring) and collect event logs to track all activity on those systems.
  8. Information Security Policy – You will need to create, among other policies, a formal Information Security Policy. This document is the key evidence of what you and your employees do to make your systems compliant and how you keep them compliant all year long.
  9. Incident Response Plan – If you don’t already have one, you will have to create one for the QSA, and you must test it at least once per year. The QSA can tell you which sections the standard requires and how to schedule, conduct, measure, and document a test, so that you are ready for real incidents while demonstrating compliance today.
  10. Conduct the Assessment – Once everything is in place, the QSA performs the on-site assessment to verify you are performing the required actions and have sufficient evidence to prove you are compliant. They then issue your ROC along with the Attestation of Compliance and the other required documents.
  11. Submit the ROC – Your bank will have given you a deadline to submit your ROC and AOC. If you submit before the deadline, the bank informs the card brands that you are compliant, and you continue to accept cards without penalties or fines.
  12. Lather, Rinse, Repeat – Keep doing what your QSA told you to do, on the schedule they gave you. The recurring work follows a fairly regular quarterly rhythm (scans, log and access reviews, evidence collection), with the annual assessment timed so that a new ROC is issued just before the bank's deadline. Work directly with your QSA and your bank to maintain compliance.
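Step 7 calls for file-change monitoring on in-scope systems, with the resulting events collected into your logs. The following is an added example of how that control works in practice; it is not code from this post or from any PCI SSC material, and the directory layout, file names, and the `pos-terminal-01` host name it uses are constructed for illustration. It hashes every regular file under a directory into a baseline, re-scans later, classifies each path as added, removed, or modified, and emits one JSON log record per change, which is the shape of event a log collector or SIEM would ingest.

```python
"""File-integrity monitoring baseline and comparison (added example, not from the post)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Paths are stored relative to root in POSIX form so the baseline is portable.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified (hash, size or mode changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def to_log_records(report: dict, host: str) -> list:
    """One JSON line per change, ready to ship to a central log collector."""
    ts = datetime.now(timezone.utc).isoformat()
    records = []
    for change, paths in report.items():
        for p in paths:
            records.append(json.dumps(
                {"ts": ts, "host": host, "event": "fim", "change": change, "path": p}))
    return records


def demo() -> dict:
    """Baseline a constructed directory tree, tamper with it, re-scan, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")          # constructed sample
        (root / "bin" / "pos").write_bytes(b"\x7fELF-original-binary")        # constructed sample

        baseline = build_baseline(root)

        # Simulated tampering: config redirected, original binary removed, new binary dropped.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")
        (root / "bin" / "pos").unlink()
        (root / "bin" / "pos.new").write_bytes(b"\x7fELF-unexpected-binary")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in to_log_records(demo(), host="pos-terminal-01"):
        print(line)
```

In a real deployment the baseline itself is an attack target, so store it off-host or sign it, scope the scan to the critical system, application and configuration files the requirement cares about (excluding paths that legitimately churn, such as log directories), and run the comparison on a schedule: PCI DSS 3.x expects the change-detection check at least weekly.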
