The PCI compliance checklist comes with specific prescriptive measures that seem overwhelmingly filled with jargon. Breaking down these strict requirements can help make compliance easier.
What Is the PCI Compliance Checklist?
PCI lists 6 goals with 12 specific requirements to protect cardholder data. The good thing about the standard is that its prescriptive nature leaves you following strict steps to compliance. The bad thing about the standard is that its prescriptive nature has a lot of strict steps to compliance after you’ve done your scoping.
What Is Your PCI Compliance Level?
PCI compliance comes in four different flavors based on the number of credit card transactions you have per year.
PCI Compliance Level 1
You process over 6 million Visa and/or Mastercard transactions per year.
PCI Compliance Level 2
You process between 1 million and 6 million Visa and/or Mastercard transactions per year.
PCI Compliance Level 3
You process between 20,000 and 1 million Visa and/or Mastercard transactions per year.
PCI Compliance Level 4
You process fewer than 20,000 Visa and/or Mastercard transactions per year.
Determining your PCI compliance level is the first step to managing your compliance. If you’re a Level 2, 3, or 4, you need to complete the PCI DSS Self Assessment Questionnaire annually and review your network security quarterly.
Level 1, however, requires an annual on-site internal auditor and network scan from an approved vendor.
Most importantly, if you are a Level 2, 3, or 4 and don’t meet your requirements, then Visa may hold you accountable to Level 1 compliance regardless of the number of annual transactions.
Build and Maintain a Secure Network
Good fences make good information protective protocols. When it comes to customer information, you don’t even want neighbors bordering your property. You just want to keep everyone far away.
Install and Maintain a Firewall
This is otherwise known as put up a big ol’ wall around things so no one can climb into your information castle.
- Firewalls control access into and out of your internal network. To meet the PCI requirement, make sure that you establish configurations that formalize testing around changes and identify all connections that could impact cardholder data. You need to scope your environment appropriately so that you can create appropriate settings. In addition, you need to review these configurations at least every six months.
- Your firewall needs to deny all traffic from “untrusted” networks and hosts.
- Moreover, your firewall must be able to block public access between the internet and the cardholder data environment.
- As mobile devices become more integrated into the workplace, you need to install personal firewall software on any mobile and/or employee-owned computers that connect to your network.
Do Not Use Vendor-Supplied Defaults
In layman’s terms, don’t use “12345” or “password” as your password. This is the easiest DIY aspect of information security.
- When integrating a new system into your landscape, change the defaults prior to installation. This includes defaults on wireless devices.
- Make sure that all your software settings address known vulnerabilities and meet industry requirements.
- Encrypt all the things.
- Make sure that any hosting providers are protecting your cardholder data.
Protect Cardholder Data
Cardholder data includes any information printed, processed, transmitted, or stored in any form on a payment card. Consider this the One Ring; no one gets this away from you. Ever.
Protect Stored Cardholder Data
The first rule of the cardholder data club is that no one talks about cardholder data. Make sure to retain the minimum amount possible.
- Even if authentication information is encrypted, don’t store it.
- Don’t display the full Primary Account Number (PAN); mask it wherever it is shown.
- Make sure that the PAN is unreadable everywhere you store it. At the same time, don’t store it in a lot of places.
- Protect cryptographic keys for information.
- Document all of the ways you encrypt and protect cryptographic keys. Write everything up.
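The stored-data items above describe three concrete behaviours: drop sensitive authentication data (CVV, PIN, track data) before anything is written, show only a masked PAN, and keep the stored PAN unreadable. The following is an added example, not code from the original article, that does those three things for a single record. The HMAC key is a constructed constant and the record layout is an assumption; a real deployment keeps the key in an HSM or key-management service and documents its rotation, which is the "write everything up" item.

```python
"""Prepare a payment record for storage: strip sensitive authentication data,
mask the PAN for display, and replace the PAN with a keyed one-way token."""
import hashlib
import hmac
import re

# Constructed demo key (assumption). Never hard-code a real key.
DEMO_KEY = b"demo-key-replace-with-kms-managed-key"

# Sensitive authentication data: must not be stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}


def digits_only(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the standard sanity check for a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked.
    That is the most PCI DSS allows to be shown; show fewer if the job allows."""
    pan = digits_only(pan)
    if not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN length")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token for storage and lookup. An unkeyed hash of a PAN can be
    reversed by enumerating the card-number space under a known BIN; keying the hash
    means the table alone, without the key, is useless to an attacker."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: no sensitive auth data, no cleartext PAN."""
    out = {}
    for field, value in record.items():
        name = field.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue                      # never stored, regardless of encryption
        if name == "pan":
            if not luhn_ok(digits_only(value)):
                raise ValueError("PAN fails Luhn check")
            out["pan_token"] = pan_token(value)
            out["pan_masked"] = mask_pan(value)
            continue
        out[field] = value
    return out


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test number.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123", "name": "J. Doe"}
    print(prepare_for_storage(sample))
```

The token is deterministic for a given key, so the same card can be matched across transactions without the PAN itself ever being stored; the masked value is the only form a screen or receipt should ever see.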
Encrypt Transmission of Cardholder Data
Just like Washington did with lemon juice ink, you need to hide information so that only those with the key can unlock it.
- Don’t send cardholder data unprotected over public networks. Encrypt all the things. Make sure to use SSL/TLS during transmissions. Use industry best practices and don’t use WEP when implementing a new wireless system.
- Always encrypt PANs when using messaging technology. Really. Always.
Maintain a Vulnerability Management Program
This portion of the show is about continuous monitoring. The PCI compliance checklist offers mostly single point-in-time views of your landscape. However, hackers don’t stop just because you checked off a bunch of boxes.
Use and Regularly Update Anti-Virus Software or Programs
Make sure to take your IT vitamins daily so that you don’t get a virus.
- Although this seems like a no-brainer, continually updating software can be time consuming, so many people don’t engage in the proper security protocols.
- Put anti-virus software on all systems, particularly personal ones, that could be affected by malicious software.
- Make sure that all anti-virus software and programs are up-to-date, actively used, and currently producing logs for your auditors.
Develop and Maintain Secure Systems and Applications
Patch patch, patchity patch. In a nutshell, you need to make sure that you’re installing all vendor-supplied security updates within a month.
- You also need a method, such as an alert system, to identify new vulnerabilities.
- If you’re planning to develop a new system, you’d better be sure to use PCI DSS best practices from start to finish.
- Whenever you make a control change, follow your procedures.
- When developing a web-based application, make sure that you’re meeting all the coding guidelines so that you can identify all vulnerabilities.
- If you have a public, web-facing application, protect against known attacks by reviewing the code and installing the needed firewall.
Strong Access Control Measures
This is your James Bond PCI compliance checklist; everything is on a need-to-know basis. Lock access to paper records and require passwords and PINs for the electronic stuff.
Restrict Access by Need-to-Know
Think of yourself as the CIA/FBI/MI5 of customer information. You are complying with need-to-know best practices when you provide access to the minimum information needed to do a job.
- This means that you need to limit access to each system component to only those who need it.
- When there’s a systems component with multiple users, make sure that each person can get only what they need to perform their job and that you can control the access.
Assign Each Person a Unique ID
Assigning unique IDs not only keeps intruders out but also lets you track any double agents within your organization.
- Limit access to systems and data based on the minimum information necessary for the job.
- Use at least one type of authentication, but the more the merrier and safer.
- Make sure that the farther away people are physically, the greater amount of authentication they need. In other words, remote workers should have two-factor at a minimum.
- Encrypt password information.
- Make sure that every non-consumer user has the right authentication and password management.
Restrict Physical Access
Lock it up. Lock it in.
- Make sure to put the appropriate controls and monitoring on access to physical information.
- Create procedures that clearly state who is allowed in each physical area. This includes employees and visitors.
- Make sure that visitors are authorized with a physical token that expires upon leaving the facility or on a certain date.
- Keep a visitor log.
- Make sure all media backups are off-site and protected.
- Lock up all paper and electronic media with cardholder data.
- Control all use of any media that contains the data.
- Make sure that management knows and approves the location and movement of information.
- Strictly control storage and access to media. No. Really.
- Destroy it all. If it’s not needed, you should have controls for disposing of it.
Regularly Monitor and Test Networks
The wheel of compliance keeps on turning. You don’t know where it will be tomorrow, so you need to review your landscape continuously.
Track and Monitor All Access
Think of your information environment as your home. If you wouldn’t let strangers enter your house at random, then you need to treat your information environment the same way.
- Create a way to link access to individual users, especially the ones with administrative privileges.
- Develop automated audit trails so that you can track any entrance into your information environment in case there’s a breach. If someone breaks into your home, you want to have the forensics to track them down.
- Hold onto the audit documentation to support all your protective activities.
- Make sure to synchronize all clocks.
- Lock down audit trails to prevent tampering.
- Incorporate a daily review of logs to check for any funny business.
- Retain audit documentation for at least one year, with at least the most recent three months immediately available.
Regularly Test Security Systems and Processes
Hackers don’t sleep on the job so neither can you.
- At least quarterly, use a wireless IDS/IPS to identify all wireless devices so you know all the wireless access points.
- Either quarterly or after a significant network change, scan for internal and external vulnerabilities.
- At least annually, or after significant infrastructure or application upgrades, do external and internal penetration testing.
- Set up a “home alarm” for your cardholder data environment to monitor traffic in and out. Keep IDS/IPS engines up to date.
- Deploy the “silent alarm” to alert your IT department about unauthorized modification of your system files, configuration files, or content files.
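The "silent alarm" above is file-integrity monitoring: record a hash of every file you care about, then compare the current state against that record on a schedule and raise an alert on anything added, removed or changed. The following is an added example, not code from the original article, of the baseline-and-compare part. The directory layout and file contents are constructed inside a temporary directory so the script runs on its own; which paths to watch is a choice you make per system.

```python
"""File-integrity baseline and comparison, the 'silent alarm' for system,
configuration and content files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Differences between two baselines, each list sorted for stable reporting."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path) -> None:
    """Persist the baseline; in practice store it off-box or sign it, since a
    baseline an intruder can rewrite proves nothing."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path) -> dict:
    with open(path) as f:
        return json.load(f)


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("etc", "bin", "www"):
            (root / sub).mkdir()
        (root / "etc" / "app.conf").write_text("db_host=cde-db01\n")
        (root / "bin" / "pay").write_bytes(b"\x7fELF-placeholder")
        (root / "www" / "index.html").write_text("<h1>checkout</h1>\n")

        save_baseline(build_baseline(root), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()   # keep the baseline file out of the comparison

        # Simulate unauthorized changes: edited config, new web file, missing binary.
        (root / "etc" / "app.conf").write_text("db_host=changed-host\n")
        (root / "www" / "unexpected.php").write_text("<?php /* constructed */ ?>\n")
        (root / "bin" / "pay").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A result with anything in `added`, `removed` or `changed` that does not match an approved change record is the alert; running the comparison at least weekly is the usual expectation, and pairing it with the daily log review closes the loop between "something changed" and "who changed it".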
Maintain an Information Security Policy
Lead the leaders by setting a culture of compliance with a strong policy.
Maintain a Policy That Addresses Information Security for Employees and Contractors
- Write a policy and make sure that everyone reads it. Annually review the policy to make sure that it’s still aligned with the cardholder data environment.
- Assign daily security duties that meet PCI requirements.
- Write up and share the policies that you created for employee and contractor access to company technology and information.
- Within these policies, clearly define the rights and responsibilities of employees and contractors.