I’ve worked in the payments industry as a system administrator for more than 15 years and spent much of my career working with Payment Card Industry compliance, which pertains to security requirements involving companies which handle credit card data.
PCI compliance is a complex field: organizations in this industry are required to adhere to its guidelines in order to be permitted to process payments.
What is PCI compliance?
PCI compliance is a structure based on requirements mandated by the Payment Card Industry Security Standards Council to ensure that all companies that process, store or transmit credit card information maintain a secure operating environment to protect their business, customers and confidential data.
The guidelines, known as the Payment Card Industry Data Security Standard, came about on Sept. 7, 2006 and directly involve all the major credit card companies.
The PCI SSC was created by Visa, MasterCard, American Express, Discover and Japan Credit Bureau to administer and manage the PCI DSS. Companies that adhere to the PCI DSS are certified as PCI compliant and can therefore be trusted as business partners.
All merchants that process over 1 million or 6 million payment card transactions every year, and service providers retaining, transmitting or processing over 300,000 card transactions every year, must be audited for PCI DSS compliance. This article is aimed at companies subject to this annual audit.
It’s worth noting that PCI compliance doesn’t guarantee against data breaches any more than a home compliant with fire regulations is fully safe against a fire. It simply means that the company’s operations are certified compliant with strict security standards, which gives these organizations the best possible protection against threats, the highest level of confidence among their customer base, and a defensible position with respect to regulatory requirements.
Failure to comply with PCI requirements can result in hefty financial penalties, from $5K to $100K per month. Businesses that are in compliance and nevertheless suffer a data breach can face significantly reduced fines in the aftermath.
14 best PCI practices for your business
1. Know your cardholder data environment and document everything you can
There can be no surprises when it comes to enacting PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server operating somewhere or a series of mysterious accounts.
2. Be proactive in your approach and implement security policies across the board
It’s a huge mistake to approach PCI compliance security as something to be “tacked on” or applied only where requested. The concepts should be baked into the entire environment by default. Elements such as requiring multi-factor authentication for production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and mandating periodic password changes should be applied in advance. The more security-minded your organization is, the less work will remain once the audit is complete.
3. Conduct employee background checks on employees handling cardholder data
All potential employees should be thoroughly vetted including background checks for those who will work with cardholder data, whether directly or in an administrative or support position. Any applicant with a serious charge on their record should be rejected for employment, particularly if it involves financial crimes or identity theft.
4. Implement a centralized cybersecurity authority
For best PCI compliance, you need a centralized body to serve as the decision-making authority for all implementation, management and remediation efforts. This is typically the IT and/or cybersecurity departments, which should be staffed by employees trained in this field and knowledgeable of PCI requirements.
5. Implement strong security environmental controls
Across the board, you should use strong security controls in every element that handles cardholder data. Use firewalls, NAT, segmented subnets, anti-malware software, complex passwords (never default system passwords), encryption and tokenization to protect cardholder data.
As an added tip, keep the scope of cardholder data systems, dedicated networks and resources as small as possible: the fewer resources in scope, the less effort it takes to secure them.
For instance, do not let development accounts have access into production (or vice versa), as now the development environment is considered in scope and subject to heightened security.
6. Implement least-privilege access
Use dedicated user accounts when performing administrative work on cardholder systems, not root or domain administrator accounts. Make sure only the bare minimum of access is granted to users, even those in administrator roles. Where possible, have them rely on “user level accounts” and separate “privileged accounts” which are only used to perform elevated privilege level tasks.
7. Implement logging, monitoring and alerting
All systems should rely on logging operational and access data to a centralized location. This logging should be comprehensive yet not overwhelming, and a monitoring and alerting process should be put in place to notify appropriate personnel of verified or potentially suspicious activity.
Alert examples include too many failed logins, locked accounts, a person logging into a host directly as root or administrator, root or administrator password changes, unusually high amounts of network traffic and anything else which might constitute a potential or incipient data breach.
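The alert examples above can be turned into a small detection pass over centralized logs. The following Python script is an added example written for this article, not code from the author or from any PCI tooling; the log lines are constructed in syslog style to illustrate the patterns (they are not captured from a real system), and the threshold of five failed logins is an assumed value, not a PCI requirement.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like layout (illustrative only).
SAMPLE_LOG = """\
Mar 01 09:00:01 pos-db01 sshd[1201]: Failed password for alice from 10.10.5.23 port 51022 ssh2
Mar 01 09:00:04 pos-db01 sshd[1201]: Failed password for alice from 10.10.5.23 port 51023 ssh2
Mar 01 09:00:07 pos-db01 sshd[1201]: Failed password for alice from 10.10.5.23 port 51024 ssh2
Mar 01 09:00:10 pos-db01 sshd[1201]: Failed password for alice from 10.10.5.23 port 51025 ssh2
Mar 01 09:00:13 pos-db01 sshd[1201]: Failed password for alice from 10.10.5.23 port 51026 ssh2
Mar 01 09:00:15 pos-db01 pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Mar 01 09:05:30 pos-app02 sshd[2210]: Accepted publickey for root from 10.10.9.8 port 44010 ssh2
Mar 01 09:06:02 pos-app02 passwd[2250]: password changed for root
Mar 01 09:10:44 pos-app02 sshd[2260]: Accepted publickey for bob-adm from 10.10.5.40 port 44020 ssh2
Mar 01 09:11:00 pos-app02 sudo: bob-adm : TTY=pts/0 ; PWD=/home/bob-adm ; USER=root ; COMMAND=/usr/bin/systemctl restart payment-api
"""

# Generic syslog line: timestamp, host, process tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
LOCKED_RE = re.compile(r"login failures for user (?P<user>\S+) account temporarily locked")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)")

# Accounts that should never be used for direct logins (item 6 above).
PRIVILEGED_USERS = {"root", "administrator"}


def parse_line(line):
    """Split one syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, failed_threshold=5):
    """Return a list of alert dicts for the conditions listed in item 7.

    Alerts raised: repeated failed logins for one (host, user, source),
    account lockouts, direct logins as a privileged account, and password
    changes on a privileged account.  Ordinary admin activity (a named
    account using sudo) produces no alert.
    """
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, msg = rec["host"], rec["msg"]
        if m := FAILED_RE.search(msg):
            key = (host, m["user"], m["src"])
            failures[key] += 1
            # Fire exactly once when the threshold is reached, not on every later failure.
            if failures[key] == failed_threshold:
                alerts.append({"kind": "excessive_failed_logins", "host": host,
                               "user": m["user"], "detail": f"{failed_threshold} failures from {m['src']}"})
        elif m := LOCKED_RE.search(msg):
            alerts.append({"kind": "account_locked", "host": host, "user": m["user"], "detail": msg})
        elif m := ACCEPTED_RE.search(msg):
            if m["user"].lower() in PRIVILEGED_USERS:
                alerts.append({"kind": "direct_privileged_login", "host": host,
                               "user": m["user"], "detail": f"from {m['src']}"})
        elif m := PASSWD_RE.search(msg):
            if m["user"].lower() in PRIVILEGED_USERS:
                alerts.append({"kind": "privileged_password_change", "host": host,
                               "user": m["user"], "detail": msg})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['kind']}] {alert['host']} user={alert['user']}: {alert['detail']}")
```

In a real deployment the same rules would run continuously against the central log store and route each alert kind to the appropriate on-call group; the point of the example is that every alert in item 7 maps to a concrete, testable log pattern, and that a named administrator using sudo is deliberately left unflagged.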
8. Implement software update and patching mechanisms
Thanks to Step 1, you know which operating systems, applications and tools are running in your cardholder data environment. Make sure these are routinely updated, especially when critical vulnerabilities appear. IT and cybersecurity should be subscribed to vendor alerts in order to receive notifications of these vulnerabilities and obtain details on applying the patches.
9. Implement standard system and application configurations
Every system built in a cardholder environment, as well as the applications running on it, should be part of a standard build, such as from a live template. There should be as few disparities and discrepancies between systems as possible, especially redundant or clustered systems. That live template should be routinely patched and maintained in order to ensure new systems produced from it are fully secure and ready for deployment.
10. Implement a terminated privileged employee checklist
Too many organizations don’t keep proper track of employee departures, especially when there are disparate departments and environments. The HR department must be tasked with notifying all application and environment owners of employee departures so their access can be thoroughly removed.
An across-the-board checklist of all systems and environments used by employees who handle credit card data should be compiled and maintained by the IT and/or cybersecurity departments, and every step should be followed to ensure 100% access removal.
Do not delete accounts; disable them instead, as proof of disabled accounts is often required by PCI auditors.
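One way to verify the checklist in item 10 is to reconcile what each system owner reports back against the HR departure notice. The Python below is an added example written for this article, not the author's code or any vendor tool; the inventory, employee ids and system names are constructed placeholders, and the three findings it reports (accounts still enabled, accounts deleted rather than disabled, and systems that never reported) follow the advice in the two paragraphs above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str    # name of the system or environment on the checklist
    username: str
    owner: str     # employee id the account belongs to
    status: str    # "enabled", "disabled" or "deleted"


# Constructed data: the systems on the offboarding checklist, the employee
# ids HR reported as departed, and what each system owner reported back.
CHECKLIST_SYSTEMS = {"pos-db01", "pos-app02", "vpn", "ticketing"}
DEPARTED = {"E1001"}
INVENTORY = [
    Account("pos-db01", "alice", "E1001", "disabled"),   # correct outcome
    Account("vpn", "alice", "E1001", "enabled"),         # access not removed
    Account("ticketing", "alice.w", "E1001", "deleted"), # removed, but no evidence left
    Account("pos-app02", "bob-adm", "E1002", "enabled"), # current employee, ignored
]


def reconcile(inventory, departed, checklist_systems):
    """Compare reported account states with the departure list.

    Returns a dict of findings keyed by issue type.  An offboarding is only
    complete when every list is empty.
    """
    findings = {"still_enabled": [], "deleted_no_evidence": [], "unreported_systems": []}
    reported = defaultdict(set)  # employee id -> systems that reported an account
    for acct in inventory:
        if acct.owner not in departed:
            continue
        reported[acct.owner].add(acct.system)
        if acct.status == "enabled":
            findings["still_enabled"].append((acct.system, acct.username))
        elif acct.status == "deleted":
            # Auditors often ask for proof the account is disabled; a deleted
            # account leaves nothing to show.
            findings["deleted_no_evidence"].append((acct.system, acct.username))
    for emp in sorted(departed):
        # A system that has no entry at all for the departed employee has not
        # confirmed anything, so it counts as an open item on the checklist.
        for system in sorted(checklist_systems - reported[emp]):
            findings["unreported_systems"].append((system, emp))
    return findings


def offboarding_complete(findings):
    """True only when no finding remains in any category."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(INVENTORY, DEPARTED, CHECKLIST_SYSTEMS)
    for issue, items in result.items():
        for item in items:
            print(f"{issue}: {item}")
    print("complete" if offboarding_complete(result) else "open items remain")
```

In practice the inventory would be exported from each system (directory, VPN, database, ticketing) rather than typed in, but the check is the same: no departed employee may have an enabled account anywhere, every system on the checklist must confirm, and disabled accounts are kept as evidence for the next audit.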
11. Implement secure data destruction methodologies
When cardholder data is removed, per requirements, a secure data destruction method must be used. It may entail software- or hardware-based processes such as secure file deletion or disk/tape destruction. Often, the destruction of physical media will require evidence to confirm this has been done properly and witnessed.
12. Conduct penetration testing
Arrange for in-house or external penetration tests in order to check your environment and confirm everything is sufficiently secure. You would much rather find any issues which you can correct independently before a PCI auditor does so.
13. Educate your user base
Comprehensive user training is essential in order to maintain secure operations. Train users on how to securely access and/or handle cardholder data, how to recognize security threats such as phishing scams or social engineering, how to secure their workstations and mobile devices, how to use multi-factor authentication, how to detect anomalies, and most of all, whom to contact to report any suspected or confirmed security breaches.
14. Be prepared to work with auditors
Now we come to audit time, where you will meet with an individual or team whose goal it is to analyze your organization’s PCI compliance. Don’t be nervous or apprehensive; these folks are here to help, not spy on you. Give them everything they ask for and only what they ask — be honest but minimal. You’re not hiding anything; you’re only delivering the information and responses that sufficiently meet their needs.
Additionally, hold onto evidence such as screenshots of settings, system vulnerability reports and user lists, as those might come in handy to submit in future auditing endeavors. Address all of their recommendations for remediations and changes as quickly as possible, and prepare to submit evidence that this work has been completed.
Thoroughly vet any proposed changes to ensure they will not negatively impact your operational environment. For instance, I have seen scenarios where removal of TLS 1.0 in favor of newer TLS versions was requested, but applying this recommendation would have broken connectivity from legacy systems and caused an outage. Those systems had to be updated first in order to comply with the requirements.