As you begin the journey to PCI compliance, you might feel a little overwhelmed with all of the steps and requirements involved. That’s why I’ve written this guide to break the PCI DSS into small, digestible chunks. If you understand the 12 basic requirements as an overview, and understand how they protect your customers, the rest of the pieces fall easily into place.
Obligatory disclaimer: You should always consult a QSA for how PCI requirements apply to your environment and what is required for you to become PCI compliant.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
This requires you to not only properly segment your network to control who and what has access to cardholder data, but also to maintain this segment via regular audits and testing. Remember that your data is only as secure as the people who have access to it.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
This requirement is pretty straightforward: Change all default passwords. Even if you go out and buy very expensive equipment to secure your network, if you don’t change the default passwords, then someone can easily get in and undo all your security.
Requirement 3: Protect stored cardholder data.
This requirement boils down to one word: ENCRYPTION. Specifically, it spells out the different encryption requirements for storing the cardholder data, and also what information you can and cannot store.
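Two of the techniques the standard accepts for rendering a stored PAN unreadable, as an added example written for this guide (not from the PCI DSS document or any vendor): masking/truncation for display, and a keyed one-way hash so records can be matched without holding the PAN. It also strips the sensitive authentication data (card verification code, PIN block, track data) that must not be stored after authorization. The card number, key and field names are constructed test values, and the key handling is an assumption noted in the code.

```python
"""Rendering stored cardholder data unreadable (added example, not from the article).

Shows masking/truncation of the PAN, a keyed hash (HMAC-SHA256) as a storage
token, and removal of sensitive authentication data before persistence.
"""
import hashlib
import hmac

# Assumption: in a real deployment this key lives in an HSM or KMS, never in
# source code. The value here is a constructed demo key.
TOKEN_KEY = b"constructed-demo-key-rotate-me"

# Sensitive authentication data: must never be stored after authorization.
SAD_FIELDS = ("cvv", "pin_block", "track_data")


def _digits(pan: str) -> str:
    """Strip spaces/dashes so '4111 1111 ...' and '4111111111111111' match."""
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    digits = _digits(pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way token for the full PAN.

    A plain SHA-256 is not enough: once the BIN (first six digits) is known
    the remaining keyspace is small enough to brute-force offline, so the
    hash must be keyed.
    """
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict) -> dict:
    """Return the subset of a transaction record that may be written to disk."""
    stored = {k: v for k, v in txn.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(txn["pan"])
    stored["pan_token"] = pan_token(txn["pan"])
    return stored


if __name__ == "__main__":
    # Constructed transaction using the well-known 4111... test number.
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "pin_block": "AB12",
              "exp": "12/29", "amount": "10.00"}
    print(prepare_for_storage(sample))
```

The masked form is what a report or support screen may show; the token is what a database uses to join or look up the card's history. Neither can be turned back into the PAN, which is the property Requirement 3 is after.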
Requirement 4: Encrypt transmission of cardholder data across public networks.
This is a best practice with any important data. When transmitting cardholder data, it needs to be encrypted. This can be a VPN, SSL connection, etc. Also, don’t forget wireless connections. These need to be protected as well. WEP is no longer accepted, so going to WPA or WPA2 is your best bet.
Requirement 5: Use and regularly update anti-virus software.
Any machine in scope needs to have anti-virus software installed. It doesn’t matter what operating system you run, they all need anti-virus. This is a best practice anyway, and should be done if you are following your due diligence.
Requirement 6: Develop and maintain secure systems and applications.
Test, test, test and then retest your application for bugs and security holes. Have outside vendors audit your code, or implement a web application firewall to help prevent unauthorized access to your data.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Anyone who can access your critical data should have a business need-to-know. This access should also always be logged and audited. By encrypting your data, you can have other administrators log into your machines and manage them without giving them access to secure information.
Requirement 8: Assign a unique ID to each person with computer access.
Each person who accesses cardholder data must have a unique ID. They must also authenticate with a two-factor scheme when accessing the data remotely or via VPN. Also, you must have a strong password policy and user creation policy.
Requirement 9: Restrict physical access to cardholder data.
This requirement deals with physical controls, such as monitoring your facility with cameras at datacenter exit and entrance doors, as well as keeping tapes for 90 days. Personnel must be able to easily distinguish between employees and visitors. Also, you must maintain strict control over media that contains cardholder data, and properly destroy it when discarded.
Requirement 10: Track and monitor all access to network resources and cardholder data.
One word: AUDIT. Make sure you implement audit trails on system components, in a way that they can’t be modified. Logs must be reviewed at least daily, and retained for 3 months online, 1 year total.
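One way to make an audit trail tamper-evident, as an added example that is not part of the original article: chain the records so each one carries the SHA-256 of its predecessor. Editing, inserting or deleting any historical entry then breaks every link after it, which a daily review script can detect. The events, field names and timestamps below are constructed sample data.

```python
"""Tamper-evident audit trail via a hash chain (added example, not from the article).

Each record stores the hash of the previous record plus its own content
hash, so any modification or deletion of earlier entries is detectable.
"""
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record


def _digest(prev_hash: str, event: dict) -> str:
    """Hash the previous link together with a canonical JSON form of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append an audit event, linking it to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev_hash": prev_hash, "hash": _digest(prev_hash, event)}
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (ok, index): index of the first record that fails to verify,
    or -1 when every link and content hash is intact."""
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        if record["prev_hash"] != expected_prev:
            return False, i
        if _digest(record["prev_hash"], record["event"]) != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed events: who, what, when and outcome, the fields a log review needs."""
    events = [
        {"ts": "2024-01-05T09:12:03Z", "user": "jdoe", "action": "login", "result": "success"},
        {"ts": "2024-01-05T09:13:40Z", "user": "jdoe", "action": "read", "object": "card_vault", "result": "success"},
        {"ts": "2024-01-05T09:20:11Z", "user": "asmith", "action": "login", "result": "failure"},
    ]
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain


def edit_demo():
    """Rewrite a failed login as a success; the content hash no longer matches."""
    chain = build_sample_chain()
    before, _ = verify_chain(chain)
    chain[2]["event"]["result"] = "success"
    after, idx = verify_chain(chain)
    return before, after, idx


def deletion_demo():
    """Drop the middle record; the next record's prev_hash no longer lines up."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print(edit_demo())      # (True, False, 2)
    print(deletion_demo())  # (False, 1)
```

In practice the latest hash is also copied somewhere the log writer cannot reach (a separate log host, a WORM store, or a signed daily checkpoint), since an attacker with write access to the whole file could otherwise recompute the chain. The chain makes tampering detectable; the off-box copy makes it provable.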
Requirement 11: Regularly test security systems and processes.
Test security controls to make sure they are in place. You need to check for rogue wireless APs quarterly, and run quarterly scans/pen tests (possibly even more frequently) of your in-scope environment. Scanning must be done by an ASV. Use of IDS/IPS is also required, with signatures kept up to date. Also, file integrity monitoring must run at least weekly.
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
Policies, policies, policies. This section is all about policies you are required to implement. Examples are a security policy, operational security procedures, usage policies, an incident response plan, etc. This also includes company directives such as the establishment of a security team, security education for all employees, and pre-employment screening.
The bottom line is that your customers depend on you to keep them safe from credit card fraud and identity theft. The Payment Card Industry requires you to take certain steps to prevent consumer fraud. Even though it seems like a daunting task, meeting the PCI requirements is not only right by policy compliance, it’s also right by your customers.
Hopefully, this guide has given you some understanding of the 12 PCI requirements.