
Globalization and automation have driven the evolution from paper to electronic payments. Cash wallets became digital wallets, paper money became plastic and now virtual, RTGS and NEFT have been overtaken by UPI, and small-value transfers complete in seconds. Even the government has started promoting digital transactions by giving tax benefits to MSMEs for a major share of sales done digitally. However, as money started moving digitally, payment data security became more complicated; as data security became a priority for many organizations, crime related to payment and card data increased, and data security standards evolved to address those issues.
In 2020, digital transactions grew 24% year over year: because of the pandemic, many people ordered food, groceries, digital equipment and devices online and used cash less for those purchases. Digital transactions are likely to increase again this year, as people become accustomed to paying virtually.
The Payment Card Industry Data Security Standard (PCI DSS) is a framework drafted to safeguard the entire PCI data value chain. PCI DSS compliance covers numerous areas, from how cardholder data is stored to how private payment data may be accessed.
PCI DSS compliance is a privacy and enterprise requirement for any organization that stores, processes or transmits cardholder data.
Here is an overview of the goals the PCI Council expects for PCI DSS v4.0:
Below are the technical areas under consideration for amendment in PCI DSS 4.0:
PCI DSS 4.0 is designed to bring a more holistic approach to enhancing the security of cardholder data. In addition, the new controls are drafted to address new threats posed by developments in technology.
PCI DSS is the framework you need to implement within your organization to become PCI compliant. It is a 12-step plan to protect customers' card data; the steps are set out below one by one.
A firewall is a barrier between incoming and outgoing traffic and plays a vital role in protecting the internal environment from outside threats. A fully configured firewall must be installed and maintained to determine which traffic is permitted and which is blocked.
PCI DSS states that default settings for servers, routers, firewalls, software applications, etc. must not be left in place. Vendor default settings are not sufficient to protect the internal environment and are easily compromised, so all default settings should be changed.
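As an added example (not code from the original post), here is a small Python audit that checks a constructed firewall ruleset for an explicit final deny-all and for any-source, any-port access into the cardholder data environment, and a constructed device configuration for settings still at a vendor default. The CDE subnet, the rule format, the list of default values and both sample configurations are assumptions made for illustration, not the page's or any vendor's data.

```python
"""Added example: audit a firewall ruleset and a device configuration
against the firewall and vendor-default requirements of PCI DSS
(not code from the original post).

Assumptions made for this illustration: rules are ordered dicts with
action/src/dst/port and the first match wins; the CDE subnet, the
vendor-default values and both sample configurations are constructed.
"""
import ipaddress

CDE_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed CDE subnet

# Constructed rulesets. Destination addresses are inside the CDE.
RULESET_WEAK = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "port": 443},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "port": "any"},
    # no final deny-all: whatever the vendor's implicit policy is applies
]
RULESET_HARDENED = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "port": 443},
    {"action": "allow", "src": "10.30.0.0/24", "dst": "10.20.0.10/32", "port": 5432},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any"},
]


def audit_ruleset(rules, cde_net=CDE_NET):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    last = rules[-1] if rules else None
    # Traffic that is not explicitly permitted must be denied.
    if not (last and last["action"] == "deny" and last["src"] == "0.0.0.0/0"
            and last["dst"] == "0.0.0.0/0" and last["port"] == "any"):
        findings.append("no explicit deny-all as the final rule")
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        # Flag broad inbound access into the CDE (any source, any port).
        if (ipaddress.ip_network(rule["dst"]).overlaps(cde_net)
                and rule["src"] == "0.0.0.0/0" and rule["port"] == "any"):
            findings.append(f"rule {i}: any-source, any-port access into the CDE ({rule['dst']})")
    return findings


# Constructed list of vendor-default values to look for; a real audit
# would use the defaults documented for each product actually in use.
VENDOR_DEFAULTS = {
    "admin_password": {"admin", "password", "changeme"},
    "snmp_community": {"public", "private"},
}
DEVICE_CONFIG_WEAK = {"admin_password": "admin", "snmp_community": "public",
                      "telnet_enabled": True}
DEVICE_CONFIG_HARDENED = {"admin_password": "Q7v!constructed-unique-secret",
                          "snmp_community": "r0-constructed-community",
                          "telnet_enabled": False}


def audit_defaults(config):
    """Report settings still at a vendor default or otherwise insecure."""
    findings = []
    for key, defaults in VENDOR_DEFAULTS.items():
        if config.get(key) in defaults:
            findings.append(f"{key} is still a vendor default")
    if config.get("telnet_enabled"):
        findings.append("unencrypted management service (telnet) is enabled")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", RULESET_WEAK), ("hardened", RULESET_HARDENED)):
        print(name, "ruleset:", audit_ruleset(rules) or "OK")
    for name, cfg in (("weak", DEVICE_CONFIG_WEAK), ("hardened", DEVICE_CONFIG_HARDENED)):
        print(name, "device:", audit_defaults(cfg) or "OK")
```

The two audits are deliberately separate: the ruleset check is about what traffic may reach the CDE, while the defaults check is about how the device itself is administered; a firewall that passes the first but still answers on its vendor credentials fails the standard just the same.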
Protecting cardholder data is of utmost importance; the whole standard is drafted for this purpose. Be vigilant about where cardholder data is transmitted, stored and processed, and how long it stays there. In addition, all stored cardholder data must be encrypted using industry-accepted algorithms and properly managed keys.
Payment data transferred outside the internal environment is more vulnerable because it travels through networks you do not control, so encrypting data in motion is crucial, whether over open, closed, private or public networks. Encrypting cardholder data before transmission, using a current protocol version and strong algorithms, reduces the risk of data in transit being compromised.
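The following is an added example (not code from the original post) of what "protecting stored cardholder data" looks like at the point where a transaction record is written: sensitive authentication data is dropped, the PAN is masked for display, and the PAN is rendered unreadable with a keyed one-way hash. Rendering the PAN unreadable by a keyed hash is one of the methods PCI DSS accepts alongside truncation, tokenization and strong encryption; it is used here because it needs only the Python standard library. The record layout, field names and the key are constructed assumptions.

```python
"""Added example (not from the original post): handling cardholder data
before it is written to storage.

Assumptions made here: the record layout, the field names and the key
are constructed. Sensitive authentication data (CVV, full track data,
PIN) must not be stored after authorization at all, so it is removed.
"""
import hashlib
import hmac
import secrets

# Field names are constructed for this example.
SENSITIVE_AUTH_FIELDS = ("cvv", "track_data", "pin", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a 13-19 digit PAN, so stray strings are not treated as cards."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def new_token_key() -> bytes:
    """Key for the keyed hash; keep it in a key-management system, never beside the data."""
    return secrets.token_bytes(32)


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (HMAC-SHA256), usable as a lookup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return the subset of a transaction record that may be stored."""
    pan = record["pan"]
    if not luhn_valid(pan):
        raise ValueError("record does not contain a valid PAN")
    # Drop the clear PAN and all sensitive authentication data.
    stored = {k: v for k, v in record.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored


if __name__ == "__main__":
    key = new_token_key()
    # Constructed sample transaction using a well-known test card number.
    sample = {"pan": "4111111111111111", "expiry": "12/27",
              "cardholder": "Test Cardholder", "cvv": "123", "amount": "42.00"}
    print(prepare_for_storage(sample, key))
```

If the business needs the clear PAN back later (for refunds or recurring billing), a keyed hash is not enough and reversible strong encryption with separately managed keys is required; the masking and removal of sensitive authentication data stay the same either way.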
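As an added example (not code from the original post), here is how the "current protocol version and strong algorithms" point translates into a Python TLS client context: the server certificate and hostname are verified and anything below TLS 1.2 is refused. The TLS 1.2 floor is the baseline this example enforces (SSL and early TLS were retired by PCI guidance); the optional cafile parameter and the constructed "weak" context used for comparison are assumptions made for illustration. No network connection is made; the contexts are built and inspected locally.

```python
"""Added example (not from the original post): building and checking a
TLS client context for cardholder data in transit.

Assumptions: TLS 1.2 is the minimum enforced here; cafile is optional
and the system trust store is used when it is not given.
"""
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname
    and refuses SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Return the ways a context falls short; an empty list means acceptable."""
    problems = []
    if ctx.minimum_version < MIN_TLS:
        problems.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("server hostname is not checked")
    return problems


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", context_problems(make_client_context()) or "OK")
    print("weak:", context_problems(weak_client_context()))
    # The hardened context is passed to whatever client makes the call, e.g.
    # http.client.HTTPSConnection("payments.example", context=make_client_context())
```

The check function is the useful part for a review: run it over the contexts an application actually constructs and any that disable verification or allow an old protocol version show up as findings rather than as a silent downgrade.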
Installing antivirus software is not enough to protect data; it must be patched and its signatures updated regularly as updates become available, since it protects card data from malware and viruses that can damage it.
Before deploying systems and applications, perform a thorough risk assessment to identify and classify risk; this helps select technology that complies with PCI standards.
A full access control policy must be implemented: need-to-know, access review and authorization, timely deletion, and changes to access roles. Along with these controls, organizations must also meet PCI DSS physical security requirements.
All users should be given individual user IDs and passwords; generic IDs should be avoided because they undermine accountability. Sharing of user IDs and passwords should be prohibited and restricted by policy.
Companies should also consider PCI DSS physical security. PCI includes a requirement covering physical access to assets such as servers, paper file racks, or workstations that store or transmit cardholder data. PCI also mandates CCTV surveillance of the entry and exit paths of the physical location; the logs should be reviewed and recordings retained for 90 days. Employee access and visitor access should be distinguished. Additionally, all portable media holding cardholder data, such as flash drives, must be physically guarded and destroyed when no longer necessary for business.
Malicious actors constantly target both physical and WiFi networks to gain access to cardholder data. PCI standards mandate that all network systems be protected and supervised at all times, with a clear history of activity for any future incident investigation. Network activity logs should be kept and sent to a centralized server to be reviewed daily. A SIEM (Security Information and Event Management) tool should be used to log system activity while simultaneously monitoring for suspicious activity. Under PCI DSS, audit trail records of network activity must be kept, time-synchronized, and retained for at least a year.
Continuous vulnerability scans and annual penetration testing satisfy this requirement. Regular wireless analyzer scanning for rogue devices on a quarterly basis, to identify unauthorized access points, is also mandated. External IPs and domains must be scanned by a PCI Approved Scanning Vendor (ASV), internal vulnerability scans should be conducted quarterly as well, and a thorough application and network penetration test should take place annually.
Your information security policy should be drafted and reviewed annually and disseminated to internal staff and third parties, with all employees reading and acknowledging it. You are also required to perform user awareness training and employee background checks to prevent the wrong people from accessing cardholder data.
Being PCI compliant means meeting the 6 goals and 12 requirements of PCI DSS, getting audited, working to close the identified observations and gaps, and reviewing the organization's controls regularly to stay in line with the requirements of PCI DSS. WeSecureApp can help you put all the controls in place for PCI DSS compliance, giving customers the assurance to trust your brand.
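The daily log review, time synchronization and one-year retention points above are shown together in the following added example (not code from the original post). It parses a handful of constructed log lines as a central collector would receive them, flags devices whose clocks disagree with the collector, flags sources with repeated authentication failures, and computes the retention deadline for each record. The line format, device names, TEST-NET addresses and thresholds are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): a minimal daily log
review over constructed, centrally collected log lines.

Assumptions: the line format "<collector time>|<device time>|<device>|<message>",
the device names, the addresses (TEST-NET-3 range) and the thresholds are
all constructed. The collector's receive time, not the device clock, is
used for correlation, which is why clock skew on a device is itself a finding.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_CLOCK_SKEW = timedelta(minutes=5)   # devices must be time-synchronized
FAIL_THRESHOLD = 5                      # auth failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this window are suspicious
RETENTION = timedelta(days=365)         # audit trail kept for at least a year

# Constructed sample log lines.
SAMPLE_LOGS = """\
2024-03-01T10:00:05+00:00|2024-03-01T10:00:04+00:00|fw-edge-1|auth failure user=svc src=203.0.113.7
2024-03-01T10:01:05+00:00|2024-03-01T10:01:04+00:00|fw-edge-1|auth failure user=svc src=203.0.113.7
2024-03-01T10:02:05+00:00|2024-03-01T10:02:04+00:00|fw-edge-1|auth failure user=svc src=203.0.113.7
2024-03-01T10:02:40+00:00|2024-03-01T10:02:39+00:00|fw-edge-1|auth failure user=root src=203.0.113.9
2024-03-01T10:03:05+00:00|2024-03-01T10:03:04+00:00|fw-edge-1|auth failure user=svc src=203.0.113.7
2024-03-01T10:04:05+00:00|2024-03-01T10:04:04+00:00|fw-edge-1|auth failure user=svc src=203.0.113.7
2024-03-01T10:05:00+00:00|2024-03-01T08:04:58+00:00|pos-term-3|auth success user=cashier src=10.20.0.44
2024-03-01T10:06:00+00:00|2024-03-01T10:05:59+00:00|fw-edge-1|auth success user=svc src=203.0.113.7
"""


def parse_logs(text: str) -> list:
    """Turn the raw lines into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        recv, dev_time, device, msg = line.strip().split("|", 3)
        events.append({
            "recv": datetime.fromisoformat(recv),
            "device_time": datetime.fromisoformat(dev_time),
            "device": device,
            "msg": msg,
        })
    return events


def find_clock_skew(events: list) -> list:
    """Devices whose own timestamp disagrees with the collector by more than MAX_CLOCK_SKEW."""
    skewed = set()
    for e in events:
        if abs(e["recv"] - e["device_time"]) > MAX_CLOCK_SKEW:
            skewed.add(e["device"])
    return sorted(skewed)


def find_repeated_auth_failures(events: list) -> list:
    """Sources with FAIL_THRESHOLD or more auth failures inside FAIL_WINDOW."""
    times_by_src = defaultdict(list)
    for e in events:
        if e["msg"].startswith("auth failure"):
            src = e["msg"].split("src=", 1)[1].split()[0]
            times_by_src[src].append(e["recv"])
    flagged = set()
    for src, times in times_by_src.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged.add(src)
                break
    return sorted(flagged)


def retention_deadline(event: dict) -> datetime:
    """Earliest date this record may be purged under the one-year rule."""
    return event["recv"] + RETENTION


def daily_review(events: list) -> dict:
    """Summary a reviewer would look at each day."""
    return {
        "events": len(events),
        "clock_skew": find_clock_skew(events),
        "repeated_auth_failures": find_repeated_auth_failures(events),
    }


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print(daily_review(evts))
    print("first record retained until", retention_deadline(evts[0]).isoformat())
```

In the sample, the point-of-sale terminal is two hours off the collector's clock, which would make any incident timeline built from its own timestamps unreliable; the repeated failures from one source are counted on the collector's time for exactly that reason.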