Payment Card Industry (PCI) compliance is a set of standards developed to ensure that the credit card industry is securing customer data uniformly throughout the industry.
Therefore, all businesses that process, store, or transmit credit card data are mandated to be PCI compliant. Without implementing these security protocols, the cardholder information you handle will likely be exposed to more malicious attacks and security breaches.
The following video can help explain what exactly PCI compliance is.
Luckily, your business can meet all PCI requirements and secure its cardholder data by following this 12-step PCI compliance checklist:
- Set up firewalls to protect cardholder data
- Avoid using default passwords and security measures
- Securely store sensitive cardholder data
- Encrypt cardholder data transmitted on public networks
- Install and update antivirus software
- Deploy and maintain secure systems and applications
- Limit access to cardholder data
- Assign unique identifiers for users with data access
- Restrict physical cardholder data access
- Monitor and track access to networks and cardholder data
- Regularly test security systems
- Create and enforce an information security policy
Now that you have a general idea of these requirements, you can read on to see what each step entails and how to successfully implement them in your security infrastructure.
Set up firewalls to protect cardholder data
Firewalls typically serve as the first line of defense against threats to your business. They accomplish this by monitoring and restricting incoming and outcoming network traffic, especially in areas that handle sensitive information like credit card data.
Businesses can protect their cardholder data by installing and configuring firewalls (and routers) to restrict public access and block traffic from untrusted networks, addresses, and devices. To ensure maximum protection, you need to review and update your firewalls on a quarterly basis.
Avoid using default passwords and security measures
When you first set up security systems in your infrastructure, vendors supply default passwords and settings. Since these default passwords and settings are widely known, any business that fails to update its security settings and create unique passwords is opening the door for hackers to easily enter and tamper with sensitive data.
Your passwords should have at least seven characters, with a combination of numbers, letters (lower and upper case), and symbols, and should not be recycled. Additional security measures should also be added and default settings should be disabled to provide more overall protection for your business.
Businesses need to update their passwords every 90 days to maintain PCI compliance.
Securely store sensitive cardholder data
Cardholder data should always be protected, whether it’s in transit, being processed, or digitally or physically stored.
To secure sensitive cardholder data, your business can apply security protocols like encryption, authentication, masking, hashing, and other additional measures to its infrastructure.
PCI standards advise against storing credit card data unless it’s absolutely necessary.
Check out this podcast episode to learn about why storing cardholder data safely is essential.
Encrypt cardholder data transmitted on public networks
Encrypting sensitive payment information will be very useful for businesses that want to securely transmit data across open and public networks, as well as closed and private networks.
Encryption can prevent unauthorized users from viewing transmitted data by making it unreadable by applying security protocols like Transport Layer Security (TLS), Wi-Fi Protected Access 2 (WPA2), Secure Sockets Layer (SSL), Secure Shell (SSH), etc.
Install and update antivirus software
By installing and regularly updating antivirus software, your business can detect and protect itself against malware attacks.
To secure all your local and remote systems against these threats, you should run active antivirus or antimalware programs that monitor any suspicious activity, perform routine scans, use the latest signatures, and generate auditable logs.
Deploy and maintain secure systems and applications
It’s important to deploy and maintain secure systems and applications in your infrastructure to uphold PCI compliance and manage sensitive cardholder data better.
By not addressing security vulnerabilities in your business, you risk intruders gaining access to classified payment information. To reduce and eliminate these risks, you can apply and actively update vendor-supplied security patches to internal systems, firewalls, routers, application software, databases, payment terminals, and more.
Your business should also ensure that all its security protocols and procedures are up-to-date to meet PCI requirements and maintain maximum payment security.
Limit access to cardholder data
It’s imperative that businesses limit the number of employees and departments that have access to sensitive cardholder data unless it’s relevant to their role, as this can lead to greater threats.
You can reduce exposure of private cardholder data by limiting access to a need-to-know basis using access control systems, documenting job policies and access privileges, and thoroughly training employees on handling and access procedures.
Your business can also update access controls to revoke or grant access when necessary.
Assign unique identifiers for users with data access
In addition to limiting access to cardholder data, your business can manage the handling of cardholder data and access permissions by assigning unique identifiers for each user.
Unique user IDs and passwords will help you review activity and hold employees accountable for any unauthorized use of data. This level of visibility makes it easier to detect unusual activity and also strengthens payment security and PCI compliance by preventing data breaches.
For remote employees and third-party users, your business must require two-factor authentication (2FA).
Restrict physical cardholder data access
Like digital access, PCI standards require businesses to restrict physical access to cardholder data to maintain compliance.
Allowing any employee or third party to have access to physical payment records can compromise this data and the systems and devices that house it. Therefore, it’s important to implement access control systems to limit the number of people who handle cardholder information and reduce threat exposure. Businesses should restrict physical access with ID badges, electronic access cards, keys, video surveillance, etc.
Each authorized user should be identified as on-site personnel, visitors (guests or third-party vendors), or media to determine access levels and permissions. All data should be backed up to off-site storage facilities. Any devices or media must be logged and physical protective measures must be added so they are not tampered with, stolen, or destroyed.
Lastly, physical access should be revoked once a task is complete, an employee is terminated, or as needed for other precautionary measures. All video recordings and access records must be kept for a minimum of 90 days. Any data that’s no longer necessary needs to be destroyed.
Monitor and track access to networks and cardholder data
PCI compliance requires businesses to monitor and track all access to cardholder data and their associated networks.
Following the implementation of unique user IDs and access restrictions, you also need to oversee and track who is accessing cardholder data, where it’s being accessed, and what it’s being used for. These actions can be managed with monitoring tools and logging systems.
Using log files, tracing applications, and monitoring software to track network and cardholder data access can enhance your payment security by helping prevent breaches, detect suspicious activity, and address and mitigate threats in real-time.
PCI DSS standards advise all businesses to store audit log records that include activity reports and time stamps for a minimum of one year.
Regularly test security systems
In compliance with PCI guidelines, routine security tests and vulnerability scans are expected to be conducted on a quarterly basis to protect data and detect any vulnerabilities, threats, or gaps in payment security.
Businesses can enlist the help of an Approved Scanning Vendor (ASV) to regularly scan external IPs and domains exposed in the cardholder data environment (CDE). These IPs and domains must also go through annual application and network penetration tests. Internal scans must also be completed quarterly.
Finally, weekly comparisons of critical access files and detection mechanisms should be implemented to alert your business of any unauthorized activity or data modifications made.
Create and enforce an information security policy
Creating and enforcing an information security policy that clearly outlines your protocols and procedures will help your business secure its cardholder data and ensure PCI compliance.
Information security policies can clarify expectations and responsibilities for positions and third parties that handle sensitive payment information. These policies must include requirements pertaining to critical technology and devices, risk assessment processes, user training, incident response plans, background checks, and more.
Businesses are expected to review and revise their information security policies annually to meet updated PCI requirements and address new security assets, threats, or vulnerabilities in their infrastructure.
Once finalized, security policies should be distributed to employees, management, third-party vendors, and all other parties that have access to cardholder data.
Complete this PCI Checklist to enhance payment security and stay PCI compliant
Since cardholder data continues to be a big target of threats and breaches, your business needs to consistently strengthen its payment security to maintain PCI compliance.
Completing this PCI checklist to maintain compliance will not only help your business ensure its security operations, software, and procedures are up to date, but will also prepare you to address and mitigate any malicious activity that comes your way.