An Overview of PCI Compliance Checklist
The PCI compliance checklist includes 12 important requirements, each containing further sub-sections that are extensively defined in the context of approach, objective, and testing procedures. Let’s take a quick look at the key requirements in the PCI DSS compliance checklist.
Install And Maintain Network Security Controls (NSCs)
The first line of defense listed in the PCI DSS requirements is the Network Security Controls (NSCs). NSCs are the tools and mechanisms that help IT security teams protect sensitive data as it moves between devices on the corporate network and, sometimes, across a separate, untrusted network such as the Internet. These controls can be physical, such as a hardware firewall, or virtual, such as software-defined networking or cloud access controls.
Think of NSCs as a bouncer outside a club who watches all the traffic going in and out and makes sure no untrusted or unwanted individual gets through. Similarly, NSCs monitor the incoming and outgoing traffic of a trusted network to ensure that sensitive information, such as credit card details, is not sent unprotected to an untrusted network. They also ensure that no untrusted traffic, such as malicious traffic, enters the corporate network.
PCI DSS requires businesses to set up appropriate firewall settings or other security controls to allow only trusted traffic on a cardholder data environment (CDE). The PCI SSC defines CDE as “the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.”
Apply Secure Configurations to All System Components
Almost every corporate network is exposed to malicious individuals, whether inside or outside the organization. They often take advantage of the most easily obtained information, some of it publicly available, such as default passwords or default settings that can give them entry to a network or system.
Security misconfigurations are especially common in multi-cloud settings. Every cloud service provider has its own security settings, and many services ship with insecure defaults: publicly accessible storage buckets, default passwords, unrestricted inbound/outbound ports, and so on. To put this into perspective, 65% to 70% of the security challenges cloud services experience are associated with misconfigurations.
PCI DSS requires organizations to harden their security configurations, patch software, remove unnecessary applications and services, and replace default passwords with strong, unique ones. This significantly reduces the attack surface.
Protect Stored Account Data
Stored sensitive data creates many opportunities for risk exposure, as it is the data most sought after by cyber threat actors. PCI DSS’s third requirement is geared towards protecting that data and minimizing the associated risk.
PCI DSS demands that organizations establish data protection controls such as encryption, tokenization, truncation, masking, or hashing. This way, even if a threat actor bypasses other controls and obtains the stored data, they cannot read it or use it for any purpose.
Anonymization techniques like masking or tokenization are particularly useful for internal and external data sharing, since businesses routinely share data with partners or vendors for revenue or growth opportunities. By masking sensitive data such as customers’ PINs or credit card numbers, teams can enable a secure data-sharing ecosystem that meets security standards and the global privacy regulations that impose strict controls on international data transfers.
For this requirement, PCI DSS specifically explains that data encryption isn’t required when stored in RAM (Random Access Memory) as long as it is in a volatile or non-persistent state.
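The following is an added example (not code from the original article or from Securiti) showing, in Python, what the techniques named above look like when an application handles a primary account number (PAN): truncation for storage, masking for display, and a keyed hash for exact-match lookups. The sample card number is a constructed, well-known test value; the 32-byte key and the "first six, last four" truncation rule are assumptions for illustration, and the HMAC approach reflects PCI DSS v4.0's requirement that PAN hashes be keyed.

```python
import hashlib
import hmac

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def _check_pan_format(pan: str) -> None:
    # Reject anything that is not 13-19 digits before it reaches any store.
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("malformed PAN")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches mistyped or corrupted PANs on input."""
    _check_pan_format(pan)
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation (for storage): keep at most the first six and last four
    digits, which is the most PCI DSS allows to remain visible; the middle
    digits are discarded and cannot be recovered."""
    _check_pan_format(pan)
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking (for display, e.g. a receipt or support screen): last four only."""
    _check_pan_format(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN. Without the key, a stolen
    table of tokens cannot be brute-forced across the small space of PANs."""
    _check_pan_format(pan)
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_safe_record(pan: str, key: bytes) -> dict:
    """Build the record an application persists instead of the PAN: a
    truncated form for humans and a keyed token for exact-match lookups."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan_truncated": truncate_pan(pan), "pan_token": hash_pan(pan, key)}


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # constructed demo key; use a managed key in production
    print(store_safe_record(SAMPLE_PAN, demo_key))
```

The record returned by `store_safe_record` never contains the full PAN, which is the property requirement 3 is after: a database dump yields only truncated digits and tokens that are useless without the separately managed HMAC key.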
Encrypt Transmission of Cardholder Data Over Public Networks
Data transmissions over internal or external networks are protected with cryptographic tunneling protocols. PCI DSS specifies that organizations must use “strong cryptography”, particularly when transmitting sensitive data over open, public networks.
Cryptographic tunneling protocols exist for secure data transmission, but some versions have known weaknesses, such as Secure Shell (SSH) versions between 5.9 and 7.1 or Secure Sockets Layer (SSL) version 3.0. Threat actors are well aware of the vulnerabilities in such protocol versions and can use them to breach a weakly protected network and reach the cardholder data environment.
Hence, organizations must opt for a more robust protocol, such as a current version of Transport Layer Security (TLS).
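As an added illustration (not code from the article or from Securiti), the Python snippet below puts a legacy-style TLS client configuration beside a hardened one and audits both against a policy floor of TLS 1.2. The floor itself, the `audit_context` checks, and the use of a client-side `SSLSocket.version()` check are assumptions chosen for this example; the `ssl` calls are the standard library's.

```python
import ssl
from typing import List, Optional

# Policy floor assumed for this example: nothing older than TLS 1.2 on open networks.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and always
    verifies the server certificate and hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context found in legacy integrations: certificate checks
    switched off, so an on-path attacker can impersonate the payment endpoint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations a context would carry into every connection."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append("minimum protocol version is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def protocol_is_acceptable(version_name: str) -> bool:
    """Check the string returned by SSLSocket.version() on a live connection,
    so a peer negotiating an old version is caught even if a context was
    misconfigured elsewhere."""
    return version_name in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Running the script prints the findings for the weak context and an empty list for the hardened one; wiring `audit_context` into a deployment check catches the misconfigured client before it ever transmits cardholder data.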
Protect All Systems and Networks from Malicious Software
Malicious software, also known as malware, occasionally makes news headlines. In fact, the frequency of malware attacks has increased over the past few years, along with their complexity. Malware comes in many forms, such as ransomware, trojans, keyloggers, rootkits, and spyware, to name a few. Their functionality differs, but the primary goal of these attacks remains the same: steal user data.
Over the years, threat actors have become more sophisticated in delivering malware to a target’s network or device and executing it. They can deliver malware via malicious websites or even mobile applications, and malware can enter corporate networks through approved business activities, such as email (phishing).
This PCI DSS requirement demands that organizations establish processes and mechanisms to protect their systems, networks, and applications. Anti-malware, anti-virus, and anti-phishing solutions must be installed and kept up to date. By frequently scanning systems and networks for malicious programs, organizations can detect and address these threats.
Develop And Maintain Secure Systems & Software
This requirement builds on the previous one, Protect all systems and networks from malicious software. Security vulnerabilities are ever-present and arise from various factors, such as the complexity of a system or application, inherent bugs, configuration errors, or malicious applications. It is critical for organizations to keep their networks, systems, and applications up to date with the latest security patches so that vulnerabilities are fixed before they can be exploited.
PCI DSS further elaborates that organizations must test and evaluate security patches before installing them, to ensure they don’t conflict with current configurations. Moreover, bespoke applications developed for an organization’s specific functions must go through a secure Software Lifecycle (SLC) process to prevent vulnerabilities from being introduced.
Restrict Access to System Components & Cardholder Data
Overprivileged, administrative, or excessive access to sensitive data is a growing problem. As businesses move to multi-cloud settings, gaining insight into who can access sensitive data has become fairly challenging. Because of such access issues, organizations experience unauthorized access, unintentional data leaks, and other insider threats.
PCI DSS requires merchants and businesses to set up processes and mechanisms for protecting cardholder data access. Critical cardholder data must only be accessed by authorized individuals to the extent that they are able to perform their job. Access controls must be reviewed and provided on a need-to-know basis and relevant to the job function.
Access policies and controls must be implemented for not only cardholder data but also the systems where the data resides.
Identify Users and Authenticate Access to System Components
This requirement extends the previous one. Organizations shouldn’t limit the access process to the access controls described above; they must strengthen it to better protect the cardholder data environment.
PCI DSS obligates merchants to implement processes and mechanisms for identifying users and authenticating them before they access cardholder data. User identification is based on an identifier assigned to a user or process: a unique ID, username, or application ID. By assigning unique identities, businesses can track and attribute access to sensitive systems and data and distinguish between multiple users.
The other key component of this requirement is authentication, i.e., verifying that a user is who they claim to be. Since even strong passwords are sometimes compromised, it is important to reinforce access with additional authentication, such as multi-factor authentication.
Restrict Physical Access to Cardholder Data
Data protection shouldn’t be limited to cloud settings. In fact, it needs to be extended to physical settings as well. Therefore, requirement number 9 emphasizes the need for physical security controls around physical data centers, servers, and resources. It includes gate passes, badge readers, and monitoring devices like cameras. PCI DSS outlines three areas where the compliance requirement applies: sensitive areas, CDE, and facility.
Log and Monitor All Access to System and Cardholder Data
Logging mechanisms can play a significant role in detecting, preventing, or mitigating potential data breaches. Hence, PCI DSS requires merchants to maintain logging and tracking mechanisms on all system components and on the cardholder data environment (CDE). These controls can help merchants monitor and track user activities and alert security teams of any suspicious activity that could lead to data compromise.
For instance, a log might show that a user has accessed an account from an untrusted network or other outside environment and then accessed or downloaded a large volume of customers' credit card records. That alert is enough for security teams to recognize foul play and act immediately.
Therefore, logs of all user access to the CDE must be kept, tracked, and monitored so that security breaches can be investigated.
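The scenario described in this section, turned into detection logic as an added example (not code from the article or from Securiti): a small Python script reads access events in JSON-lines form, remembers logins from outside the trusted address range, and raises a high-severity alert when the same user pulls a bulk volume of records from an untrusted address shortly afterwards, plus a medium-severity alert for any bulk pull. The log lines, the `10.0.0.0/8` trusted range, the 10,000-record threshold, and the 30-minute window are all constructed for the example.

```python
import ipaddress
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample access log (JSON lines); users and addresses are made up.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00", "user": "jdoe",   "src_ip": "10.1.2.3",     "action": "login",  "records": 0}
{"ts": "2024-05-01T09:05:00", "user": "jdoe",   "src_ip": "10.1.2.3",     "action": "query",  "records": 12}
{"ts": "2024-05-01T22:10:00", "user": "jdoe",   "src_ip": "203.0.113.45", "action": "login",  "records": 0}
{"ts": "2024-05-01T22:14:00", "user": "jdoe",   "src_ip": "203.0.113.45", "action": "export", "records": 48000}
{"ts": "2024-05-01T22:20:00", "user": "asmith", "src_ip": "10.1.9.9",     "action": "export", "records": 52000}
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the corporate range
BULK_THRESHOLD = 10_000  # records in a single action that count as a bulk pull
WINDOW = timedelta(minutes=30)  # how long an untrusted login stays "recent"


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into events with typed timestamps and addresses, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["src_ip"] = ipaddress.ip_address(ev["src_ip"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETWORKS)


def detect_suspicious_access(events: List[Dict]) -> List[Dict]:
    """Correlate untrusted-network logins with subsequent bulk data access."""
    last_untrusted_login: Dict[str, datetime] = {}
    alerts = []
    for ev in events:
        user, ip = ev["user"], ev["src_ip"]
        if ev["action"] == "login" and not is_trusted(ip):
            last_untrusted_login[user] = ev["ts"]
        if ev["records"] < BULK_THRESHOLD:
            continue
        # Any bulk pull is worth a look, even from inside the trusted range.
        alerts.append({"rule": "bulk_export", "severity": "medium",
                       "user": user, "ts": ev["ts"].isoformat()})
        started = last_untrusted_login.get(user)
        if started is not None and not is_trusted(ip) and ev["ts"] - started <= WINDOW:
            alerts.append({"rule": "untrusted_login_then_bulk_access", "severity": "high",
                           "user": user, "src_ip": str(ip), "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields three alerts: a medium and a high for `jdoe`, whose 48,000-record export follows a login from `203.0.113.45` by four minutes, and a medium for `asmith`, whose bulk export came from inside the trusted range. The same structure extends to other rules the section mentions, such as access outside business hours, as long as the log carries the fields the rule needs.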
Regularly Test Security Systems And Networks
PCI DSS emphasizes the fact that securing systems, processes, and data isn’t a one-off activity. Malicious individuals continuously develop more complex cyber-attacks and leverage newly discovered vulnerabilities. To keep them at bay, it is crucial for organizations to maintain a continuous process of monitoring and testing the security of their data systems or data environment. This includes testing, monitoring, and addressing internal or external vulnerabilities, wireless access points (WAPs), unauthorized changes to payment pages, and network intrusions.
Support Infosec with Organizational Policies and Programs
The final requirement of PCI DSS addresses the people involved in managing cardholder data. PCI DSS requires that policies be provided in writing, and that every person involved in managing cardholder data be trained and made aware of their responsibilities for protecting customers’ data.
How Securiti Data Command Center Can Help
It is crucial for organizations to comply with the PCI DSS requirements and protect their cardholders’ data against fraud, breaches, and other cyber threats. To ensure compliance, organizations must assess their security policies and controls, find gaps in them, and implement necessary changes accordingly. However, it is easier said than done, especially for managing petabyte-scale data in a multi-cloud setting.
Securiti Data Command Center is built to help hyperscale organizations meet global standards and data privacy laws while ensuring the protection of customers’ data and trust.
Organizations can leverage Securiti Data Command Center to gain insights into credit card details spread across their on-premise, public, private, hybrid, or multi-cloud environments. By leveraging those insights and integrated regulatory intelligence, organizations can strategize and implement effective security, privacy, governance, and compliance controls around their data.
Request a demo to see the Data Command Center in action.