
PCI DSS Compliance Requirements Checklist

18.Sep.2018
Outpost24 France
The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.

 


Any business that stores, processes or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard exists because of escalating card fraud and the growing number of attacks on the systems that handle card data. PCI DSS is a comprehensive standard covering security measures, policies, procedures, network architecture and software, designed to help organizations proactively protect customer card data.

Failure to comply can result in significant fines, and considerable damage to revenue, corporate reputation and customer confidence. Achieving and maintaining PCI DSS compliance is a complex, ongoing process that requires a proactive security approach: continuously identifying risks and tracking them through to remediation.

 

A Step by Step Guide to PCI DSS Compliance

 

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

 

Detailed PCI DSS Requirements and Security Assessment Procedures

 

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

A firewall examines all network traffic and blocks transmissions that do not meet predefined security criteria. Keep the configuration under control: document and justify every rule, restrict traffic between untrusted networks and the cardholder data environment (CDE) to what the business actually needs, and review the firewall and router rule sets regularly (PCI DSS requires a review at least every six months).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Change vendor-supplied default passwords and remove or disable unnecessary default accounts before a system is connected to the network, enforce a strong password policy, and review and harden the remaining default settings (SNMP community strings, wireless keys, unused services) to raise the bar. Write this down as configuration standards, and make sure your security team and every employee who deploys systems follows them.

 

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection: the primary account number (PAN) must be rendered unreadable wherever it is stored, and must be masked when displayed so that at most the first six and last four digits are visible. Store only the data you genuinely need, and never store sensitive authentication data (full track contents, card verification codes, PINs) after authorization, even encrypted.
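The four protection methods named above, as an added example that is not part of the original article or of any Outpost24 product: a Luhn check to recognize a PAN, masking for display (first six and last four digits), truncation for storage, a keyed one-way hash over the whole PAN, and a scrubber that removes Luhn-valid PANs from free text such as application logs. The sample PANs are the usual industry test numbers, the hash key is a placeholder that a real deployment would fetch from a key-management system, and the regular expression and helper names are this example's own choices.

```python
import hashlib
import hmac
import re

# Constructed sample PANs (industry test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

# Placeholder key for the keyed hash (assumption for this example). In production
# it lives in an HSM or key-management service, never beside the hashes it protects.
HASH_KEY = b"replace-me-with-a-key-from-your-kms"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits; the rest is discarded."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) computed over the entire PAN.

    Never store this next to truncate_pan() output for the same card: with the
    known digits, the remaining ones are cheap to brute-force against the hash.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN found in free text with its masked form."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), truncate_pan(pan), hash_pan(pan)[:16] + "...")
    print(redact_pans("order 12345 paid with 4111 1111 1111 1111 ok"))
```

The scrubber is the piece most often missing in practice: PANs leak into debug logs, crash dumps and support tickets, and those stores rarely get the controls the card vault has. Running `redact_pans` in the logging pipeline keeps them out of scope.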

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cardholder data must be encrypted during transmission over networks that attackers can easily reach: the Internet, wireless networks, cellular and satellite links. Use strong cryptography and secure protocols only; SSL and early TLS no longer qualify as strong cryptography, and misconfigured wireless networks remain a well-worn route to cardholder data. Never send unprotected PANs over end-user messaging technologies such as e-mail or chat.
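What "strong cryptography and secure protocols" means for a client that talks to a payment back end, as an added example that is not from the original article or any Outpost24 product: a Python `ssl` context that refuses SSLv3 and TLS 1.0/1.1 and insists on certificate and hostname verification, shown next to the weak configuration it replaces, plus a check function that a deployment test can run against whatever context the application actually builds. The function names are this example's own.

```python
import ssl


def pci_tls_client_context() -> ssl.SSLContext:
    """Client context that refuses SSL/early TLS and verifies the peer certificate."""
    ctx = ssl.create_default_context()            # system CA bundle, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are never offered
    return ctx


def weak_tls_client_context() -> ssl.SSLContext:
    """The kind of context that fails Requirement 4: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE               # no peer verification: trivially intercepted
    return ctx


def tls_context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces TLS 1.2+ and full peer verification."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


if __name__ == "__main__":
    print("hardened:", tls_context_is_acceptable(pci_tls_client_context()))
    print("weak:", tls_context_is_acceptable(weak_tls_client_context()))
```

Pin the minimum version explicitly rather than relying on library defaults: older Python and OpenSSL builds still negotiate TLS 1.0 unless told otherwise, and a single legacy client is enough to fail an ASV scan.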

 

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Most companies already run anti-virus and anti-malware solutions; they must be deployed on all commonly affected systems, kept up to date at all times, and must not be disabled or altered by users. Complement them with an automated tool that monitors your networks and compliance status and notifies the security team when new vulnerabilities are discovered.

Requirement 6: Develop and maintain secure systems and applications

Cybercriminals are more sophisticated than ever. To keep them from disrupting your business you must know your weak points across the technology stack: install critical security patches promptly (PCI DSS expects critical patches within one month of release) and follow secure development practices so that common coding flaws such as injection and cross-site scripting never reach production. Use a vulnerability management solution that finds internal and external network vulnerabilities, and combine it with automated application scanning and regular penetration testing to stop attackers gaining unauthorized access through insecure applications.

 

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Limit access to cardholder data to the employees whose job requires it, and establish an access control policy built on least privilege: nobody gets access to data beyond what is strictly needed for their role, and access is denied by default unless explicitly allowed.

Requirement 8: Identify and authenticate access to system components

Assign a unique ID to every user before they are allowed to access system components or cardholder data; shared, group or generic accounts make it impossible to tell who did what. Combine the unique ID with strong authentication (multi-factor authentication is required for all non-console administrative access to the cardholder data environment), so that every action can be traced to an individual.

Requirement 9: Restrict physical access to cardholder data

Restrict physical access to the facilities and systems that hold cardholder data to authorized personnel only, using physical access controls such as badge systems and door controls, and keep visitor logs and media handling procedures in place.

 

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Security tools such as SIEM (security information and event management) are very useful for detecting a potential data breach early and limiting its impact. Every access to system components and cardholder data must be logged with who, what, when, where and the outcome; the logs must be protected from tampering, reviewed daily, and retained for at least a year with the most recent three months immediately available. With that in place you can monitor, track, alert and analyze when something does go wrong.
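A small version of the daily log review Requirement 10 asks for, as an added example that is not part of the original article or of any Outpost24 product. It parses constructed key=value audit records from a hypothetical cardholder database host and raises the three findings a reviewer looks for first: use of a shared or generic account (which defeats Requirement 8's unique-ID rule), access from outside the network segment allowed to reach the host, and a run of failed logins beyond the lockout threshold. The log format, user names, addresses, account list and allowed subnet are all assumptions made for this example; the six-attempt lockout limit is the one PCI DSS itself sets.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed audit records (key=value syslog style) from a hypothetical host
# "cde-db01"; users, addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
2018-09-18T10:01:02Z user=jsmith src=10.1.5.20 action=login result=success target=cde-db01
2018-09-18T10:01:09Z user=jsmith src=10.1.5.20 action=query result=success target=cde-db01 table=card_vault
2018-09-18T10:02:11Z user=admin src=10.1.5.31 action=login result=success target=cde-db01
2018-09-18T10:03:40Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:42Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:45Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:47Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:50Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:52Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:03:55Z user=mwong src=10.1.5.22 action=login result=failure target=cde-db01
2018-09-18T10:05:00Z user=svc_batch src=203.0.113.7 action=query result=success target=cde-db01 table=card_vault
"""

# Policy inputs. The account list and subnet are assumptions for this example;
# the lockout limit is PCI DSS 8.1.6 (lock out after not more than six attempts).
SHARED_ACCOUNTS = {"admin", "root", "sa", "administrator"}
CDE_ADMIN_NET = ipaddress.ip_network("10.1.5.0/24")
MAX_FAILED_LOGINS = 6

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = ts
    return rec


def review_log(text: str) -> List[str]:
    """Run the three checks over the log and return one finding string per violation."""
    findings: List[str] = []
    failures: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        user, src = rec.get("user", "?"), rec.get("src", "?")
        if rec.get("action") == "login" and rec.get("result") == "failure":
            failures[user] += 1
            continue
        if rec.get("result") != "success":
            continue
        if user in SHARED_ACCOUNTS:
            findings.append(f"{rec['ts']} shared/generic account '{user}' used on {rec.get('target')}")
        try:
            outside = ipaddress.ip_address(src) not in CDE_ADMIN_NET
        except ValueError:            # unparsable source address is itself suspicious
            outside = True
        if outside:
            findings.append(f"{rec['ts']} '{user}' reached {rec.get('target')} from non-CDE address {src}")
    for user, n in failures.items():
        if n >= MAX_FAILED_LOGINS:
            findings.append(f"{n} failed logins for '{user}' (lockout threshold {MAX_FAILED_LOGINS}): "
                            "brute force, or lockout not enforced")
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

The third finding is worth a second look in real reviews: seven consecutive failures means either someone is guessing passwords or the lockout control required by Requirement 8 is not actually configured on that host, and both are reportable.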

Requirement 11: Regularly test security systems and processes

With more than 50 new vulnerabilities being disclosed every day, these weaknesses can be exploited by attackers to disrupt systems and business and to expose sensitive or personal information. They are most often the result of programming errors or configuration mistakes.

A continuous network and application security assessment program addresses this. Such tools discover your assets, detect vulnerabilities an attacker could exploit, notify security teams, and either describe the fix or apply it automatically. PCI DSS sets a floor here: quarterly internal and external vulnerability scans (the external ones performed by an Approved Scanning Vendor), rescans after any significant change, and penetration testing at least annually. By combining automated vulnerability scanners with regular penetration testing, security teams gain better visibility, can prioritize the most critical threats and act with confidence.

 

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

Educate employees upon hire and regularly afterwards. All employees must be aware of the sensitivity of cardholder data and of their responsibilities for protecting it, and the policy itself must be reviewed at least annually and updated whenever the environment changes.

 

How to achieve and maintain PCI compliance?

Outpost24 has prebuilt compliance checks that are fast to set up and run in your infrastructure while being customizable to fit your needs. Whether you are working with CIS, NESA or PCI, Outpost24 is thorough in giving you confidence that you are protected.

  • Solutions are pre-built to be fast and easy to launch, yet customizable to adapt to your infrastructure.
  • Work directly with real people, not computers, to know when you are and aren't compliant.
  • Whether you work with CIS, NESA or PCI, ensure you're compliant all around the world.
  • Receive audit reports that show you when you are and aren't compliant.
  • Our PCI ASV scans are built to adapt to your infrastructure rather than you having to adjust to fit a solution.

 


 

About Outpost24:

Outpost24 is an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council and offers OUTSCAN PCI, an extension of our OUTSCAN vulnerability management tool designed specifically to verify and prove PCI DSS compliance. OUTSCAN PCI examines network perimeters, identifies vulnerabilities, prioritizes actionable remedies, and can be rescanned repeatedly until all criteria are met, protecting the integrity of cardholder data and verifying compliance.

 

Source:

Payment Card Industry (PCI) Data Security Standard - Requirements and Security Assessment Procedures

PCI DSS Quick Reference Guide
