Randy Lindberg 16 Dec 2020 8 min read

PCI DSS Compliance Checklist & Requirements in 2021

In a recent post, we discussed the Payment Card Industry Data Security Standard (PCI DSS), what you need for level 1 compliance, and what the penalties for non-compliance are. In this post, we’re sharing a PCI Compliance Checklist to help you check off the boxes required to maintain PCI compliance.


Your business creates, processes, and stores sensitive digital information, so it is critical that you protect the data belonging to both your business and your customers. With that in mind, let’s dive in!


PCI DSS Compliance Checklist

The PCI Security Standards Council (SSC) established the 12 requirements a business must meet to be compliant. Though we touched on these standards in our PCI level 1 compliance post, we'll cover the requirements more extensively here.


Goal: Construct a secure network and systems that you maintain regularly
    • Requirement 1: Install a firewall configuration that protects cardholder data, and make sure it’s well maintained.
    • Requirement 2: Replace the default passwords supplied by vendors with your own, and implement additional security standards for an added layer of protection (e.g. two-factor authentication). Any default settings in software, plugins, apps, etc. should also be changed.


The PCI SSC recommends that you “Build firewall and router configurations that restrict all traffic, inbound and outbound, from ‘untrusted’ networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.” It’s also a good idea to prohibit direct public access between any system component within the cardholder data environment and the internet.


Goal: Keep the data of all cardholders safe
    • Requirement 3: Any cardholder data that is stored must be protected.
    • Requirement 4: All cardholder data transmitted across open, public networks must be encrypted.


According to the PCI SSC, “Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card.” If your business accepts payment cards, you are “expected to protect cardholder data and to prevent its unauthorized use.”


Goal: Maintain a vulnerability management program that you keep up with consistently
    • Requirement 5: Protect all systems against malware, and regularly update your programs and antivirus software.
    • Requirement 6: Develop and maintain secure applications and systems.


The PCI SSC explains, “Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.”


Goal: Implement strong access control measures
    • Requirement 7: Access to cardholder data should be limited: not every business, vendor, partner, etc. needs access to this information.
    • Requirement 8: Access to all system components should require identification and authentication. The PCI SSC recommends assigning a unique identification or username before allowing access, so that you can see what each user is doing in your systems and know who is doing what at all times.
    • Requirement 9: Physical access to all cardholder data should be limited. “Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.”


Goal: Monitor and test networks on a regular basis
    • Requirement 10: Using system activity logs and/or other logging mechanisms, monitor and track all access to cardholder data and network resources, both to prevent exploitation and to be able to determine the cause of a compromise if one occurs.
    • Requirement 11: Regularly test security systems and processes to ensure that security is maintained over time.
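As an added illustration of Requirements 3 and 10 together (example code, not from the original post or from Rivial Security): a minimal cardholder-data vault that never keeps the full PAN, stores only a masked form plus a keyed one-way reference, and writes an audit record tied to a unique user ID for every store and lookup. The class and function names, the demo key, and the sample card number are all constructed for this example.

```python
"""Added example: Requirement 3 (stored PAN rendered unreadable, masked for
display) and Requirement 10 (each access logged against a unique user ID).
All names, the demo key and the sample PAN below are constructed."""
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment keeps this in an HSM/KMS, never in code.
DEMO_KEY = b"demo-key-do-not-use-in-production"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so obviously malformed input is rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Keyed one-way hash used as a lookup handle instead of the PAN itself."""
    return hmac.new(DEMO_KEY, pan.encode(), hashlib.sha256).hexdigest()


class CardVault:
    def __init__(self) -> None:
        self.records = {}    # reference -> masked PAN only; full PAN is never kept
        self.audit_log = []  # Requirement 10: who did what to which record, and when

    def _log(self, user_id: str, action: str, ref: str) -> None:
        entry = {"ts": time.time(), "user": user_id, "action": action, "ref": ref}
        self.audit_log.append(json.dumps(entry))

    def store(self, user_id: str, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("invalid PAN")
        ref = pan_reference(pan)
        self.records[ref] = mask_pan(pan)
        self._log(user_id, "store", ref)
        return ref

    def lookup(self, user_id: str, ref: str):
        self._log(user_id, "lookup", ref)
        return self.records.get(ref)
```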


The PCI SSC says, “Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.” It also states, “Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software,” which is why continual security testing is so critical.


Goal: Maintain an up-to-date information security policy
    • Requirement 12: Establish, publish, maintain, and disseminate a strong security policy for all personnel. It should be reviewed “at least annually and updated when the environment changes.”


According to the PCI SSC, “All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.” It goes on to say that you should have an incident response plan in place that all personnel know about, so that they know what to do in the event of a breach.


After reading this checklist, are you unsure whether your business is compliant with the PCI DSS standard? This isn’t something to be taken lightly, so it’s better to reach out to specialists for guidance and make certain you’re not risking penalties, data breaches, or worse. Contact Rivial Security, the experts in cybersecurity and compliance services for banks and credit unions. We can provide you with a PCI self-assessment, or discuss supporting you with ongoing cybersecurity compliance. We look forward to working with you.