PCI DSS Compliance Requirements Checklist

Any business that stores, processes or transfers credit card data must comply with Payment Card Industry Data Security Standards (PCI DSS) because of increased security challenges and escalating credit card fraud. PCI DSS are comprehensive standards that include requirements for security measures, policies, procedures, network architecture and software designed to help organizations proactively protect customer credit card data.
Failure to comply can result in significant fines for companies, and considerable damage to revenues, corporate reputation and customer confidence. Achieving and maintaining PCI DSS compliance is a complex, ongoing process that requires adopting a proactive security approach through the continuous identification of risks and their remediation.
A Step-by-Step Guide to PCI DSS Compliance
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not keep vendor-supplied defaults for system passwords and other security settings
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Detailed PCI DSS Requirements and Security Assessment Procedures
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
A firewall examines all network traffic and blocks transmissions that don't meet the predefined security criteria. Keep your firewall rules up to date and protect your entire environment from unauthorized access and untrusted networks. Make sure your firewall is properly configured.
Requirement 2: Do not keep vendor-supplied defaults for system passwords and other security settings
Change easy-to-find default passwords and set a strong password policy; also review and update default settings to strengthen security controls. This policy must be followed by your security team as well as all of your employees.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Protection strategies such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. Only necessary information should be stored to minimize the risk of exposure.
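The truncation, masking and keyed hashing named above, as an added worked example (not code from the original page or from Outpost24): the PAN is masked for display, truncated for storage where the full number is not needed, and reduced to an HMAC-SHA256 value where a one-way reference is required. The "first six, last four" display limit is the classic PCI DSS convention and is assumed here; check it against the version of the standard you are assessed against. The sample PAN is a constructed test number.

```python
import hashlib
import hmac

# Constructed sample value: a well-known test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check the value is 13-19 digits (the PAN length range)."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not PAN-shaped")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible (assumed limit)."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way reference (HMAC-SHA256).

    A plain unkeyed hash of a PAN is weak because the space of valid PANs is small
    enough to enumerate; the secret key is what makes the hash non-reversible in practice.
    The key must be managed as a cryptographic key, never stored beside the hashes.
    """
    if len(key) < 16:
        raise ValueError("HMAC key is too short")
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-0123456789"  # placeholder, not a real key
    print(mask_pan(SAMPLE_PAN))        # 411111******1111
    print(truncate_pan(SAMPLE_PAN))    # 1111
    print(hash_pan(SAMPLE_PAN, demo_key))
```

Note that `mask_pan` is for rendering only: the masked string must never be used as a lookup key, and the HMAC key belongs in a key-management system, not in source code as in this demonstration.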
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Critical data must be encrypted during transmission over networks that are easily accessed by attackers. Wireless networks and known vulnerabilities can be exploited to gain privileged access to cardholder information.
Maintain a robust Vulnerability Management Program
Most companies are already using anti-virus and anti-malware solutions. These must be kept up to date at all times. Use an automated tool to monitor your networks and compliance status and notify the security team when new vulnerabilities are discovered.
Requirement 6: Develop and maintain secure systems and applications
Cybercriminals are becoming more sophisticated than ever. To prevent them from disrupting your business, you must understand your weak points across your technology stack. Use a vulnerability management solution that lets you diagnose internal and external network vulnerabilities and secure sensitive data, and combine it with automated application scanning tools and regular penetration tests to prevent attackers from gaining unauthorized access via insecure applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Limit privileged access to sensitive information to legitimate employees only, and establish a user rights management policy so that nobody has access to data beyond what is strictly needed to do their job.
Requirement 8: Identify and authenticate access to system components
Assign a unique identifier to each employee who has privileged access to this data. You will then be able to trace which actions were performed by which user.
Requirement 9: Restrict physical access to cardholder data
Restrict all physical access to legitimate employees only, using multiple layers of physical access control such as badge systems and door controls.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Security tools such as SIEM (security information and event management) are very useful in preventing, detecting, and minimizing the impact of a potential data breach. They let you monitor, track, alert and analyze when something does go wrong.
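One concrete detection a SIEM or log pipeline should run against application logs is a check for unmasked PANs, since cardholder data leaking into log files defeats the storage controls above. The following is an added example, not code from the original page or from Outpost24: it scans constructed log lines for 13-19 digit runs, uses the Luhn check to discard order numbers and other digit strings that are not card numbers, and reports the line number together with a masked form so the alert itself does not repeat the PAN. The log lines and the regex are assumptions made for the demonstration.

```python
import re

# Constructed sample log lines: one carries an unmasked test card number,
# one an order number that happens to be 16 digits, one an already-masked PAN.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z app INFO order=1234567890123456 status=created",
    "2024-05-01T10:00:02Z app DEBUG card=4111 1111 1111 1111 cvv=*** auth=ok",
    "2024-05-01T10:00:03Z app INFO card=411111******1111 auth=ok",
    "2024-05-01T10:00:04Z app INFO phone=5551234567 callback=queued",
]

# A digit run of 13-19 digits, allowing single spaces or dashes between digits,
# not preceded or followed by another digit (so timestamps and short IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every card number passes it, most arbitrary digit strings do not."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        n = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    """Masked rendering for the alert: first six and last four digits only (assumed convention)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_exposed_pans(lines):
    """Return (line_number, masked_pan) for each line containing a Luhn-valid unmasked PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_exposed_pans(SAMPLE_LOG):
        print(f"ALERT line {lineno}: unmasked PAN logged ({masked})")
```

The Luhn filter is what keeps this from paging on every 16-digit order ID; in a real pipeline the finding would be raised as a SIEM alert and the offending log source fixed so that the PAN is masked at the point of logging.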
Requirement 11: Regularly test security systems and processes
With more than 50 vulnerabilities being discovered every day, these security weaknesses can be exploited by attackers to disrupt systems and business as well as expose sensitive or personal information. Such weaknesses are often related to programming errors or configuration issues.
A continuous network and application security assessment program can help in these situations. These tools discover your assets, detect vulnerabilities that could potentially be exploited, notify security teams, and detail solutions to implement or automatically fix vulnerabilities. By combining automated vulnerability scanners with regular penetration testing, security teams gain better visibility, can prioritize the most critical threats and act with confidence.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
Educate your employees upon hire and regularly afterward. All employees must be aware of the sensitivity of the data and their responsibilities for protecting it.
How to achieve and maintain PCI compliance?
Outpost24 has prebuilt compliance checks that are fast to set up and run in your infrastructure while being customizable to fit your needs. Whether you're working with CIS, NESA or PCI, Outpost24 is thorough in giving you confidence that you are protected.
- Solutions are pre-built to be fast and easy to launch, yet customizable to adapt to your infrastructure.
- Work directly with real people, not computers, to know when you are and aren’t compliant
- Whether you work with CIS, NESA or PCI, ensure you’re compliant all around the world
- Receive audit reports that show you when you are and aren’t compliant
- Our PCI ASV solutions are built to adapt to your infrastructure rather than forcing you to adjust to fit a solution
About Outpost24:
Outpost24 is a certified Approved Scanning Vendor (ASV) by the PCI Security Standards Council and offers OUTSCAN PCI, an extension of our OUTSCAN vulnerability management tool designed specifically to verify and prove PCI DSS compliance. OUTSCAN PCI examines network perimeters, identifies vulnerabilities and sorts actionable remedies, and can repeatedly scan until all criteria are met to effectively protect the integrity of cardholder data and verify compliance.
Source:
Payment Card Industry (PCI) Data Security Standard - Requirements and Security Assessment Procedures