As we recently announced, Strike Graph now supports PCI DSS. But a lot of people may still be wondering, what exactly does PCI DSS entail, and what are the requirements?
Therefore, we thought we’d use this post to go a bit more in-depth and explore the 12 PCI DSS requirements, as well as how they apply to your business.
Let’s dive in.
Any organization that stores, processes, or transmits cardholder data, whether a merchant or a service provider, must meet these 12 requirements for maintaining a secure network and handling cardholder data in order to comply with PCI DSS. The 12 requirements are grouped under the standard's six control objectives (its "goals"), and each one below maps to one of those objectives.
Requirement 1 ensures merchants and service providers maintain a secure network by properly configuring firewalls (and routers, where applicable) to protect the cardholder data environment (CDE).
How does this work? Firewalls are the first line of defense for your network: they restrict inbound and outbound traffic according to rules and criteria your organization defines. You meet the requirement by establishing documented firewall and router configuration standards, which creates a formal, repeatable process for approving every rule that allows or denies traffic. In practice this means denying all traffic that is not explicitly required, restricting inbound connections from the internet to the CDE to what the business justifies, and reviewing the rule sets at least every six months.
Requirement 2 ensures that none of your company's systems, including applications, servers, firewalls, wireless access points, and network devices, still use vendor-supplied defaults for usernames, passwords, SNMP community strings, or other configuration parameters. Defaults are publicly documented, so an attacker does not need to guess them.
Per this requirement, you must also maintain an inventory of all in-scope system components along with their hardening and configuration standards, which must be applied every time a new system is introduced into the IT infrastructure and before it is connected to the network.
Arguably the most important requirement, Requirement 3 states that before you collect any cardholder data you must know exactly what you are going to store, where it will live, and how long you will retain it, and that anything you have no business need for must not be stored at all. Sensitive authentication data (full track data, the card verification code, and the PIN) must never be retained after authorization, even in encrypted form. Wherever the primary account number (PAN) is stored it must be rendered unreadable, using one of four approaches: strong encryption with industry-accepted algorithms, truncation (permanently removing a segment of the number), tokenization (replacing the PAN with a surrogate value via index tokens and pads), or a one-way hash based on strong cryptography. A caveat practitioners often miss: if both a hashed and a truncated form of the same PAN exist in your environment, you need controls that prevent the two from being correlated to reconstruct the original number.
This requirement also covers how to build a sound PCI DSS encryption key management process (key generation, distribution, storage, rotation, and retirement, with keys protected at least as strongly as the data they encrypt), and it sets the rule for how PANs may be displayed: masked so that at most the first six and last four digits are visible, with the full number shown only to personnel with a legitimate business need.
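The four "render unreadable" techniques and the display-masking rule are easier to reason about in code. The following is an added example written for this post, not Strike Graph's product or code from the PCI DSS itself. It uses a well-known Visa test number (not a real card), a constructed log line, and a hypothetical in-memory token vault, and it also shows a check a practitioner would want: scanning text for clear-text PANs that should not be there.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample: a public Visa *test* number, not a live card.
TEST_PAN = "4111111111111111"


def luhn_valid(pan):
    """Luhn check-digit test. True for syntactically valid 13-19 digit PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Truncation: keep at most first six + last four, discard the middle for good."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:6] + pan[-4:]


def mask_pan(pan):
    """Masking for display: first six and last four visible, middle replaced."""
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan, key):
    """One-way hash based on strong cryptography (HMAC-SHA256).
    A plain, unkeyed SHA-256 of a PAN is not enough: once the BIN (first six)
    is known, the remaining digits are a small enough space to brute-force.
    The key must live in a key-management system, never beside the hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical minimal tokenization: the PAN is replaced by a random
    surrogate that carries no information about the card. Only the vault
    (which stays inside the CDE) can map a token back to its PAN."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._by_token[token]


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. Luhn filtering removes most timestamps/order numbers,
# but expect some false positives on real data and review hits by hand.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unprotected_pans(text):
    """Scan text (a log file, a database dump, a support ticket) for clear-text
    PANs. Masked, truncated, hashed and tokenized values do not match."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed log line mixing a clear-text PAN with properly protected forms.
SAMPLE_LOG = ("2024-05-01 12:00:01 order=42 card=4111 1111 1111 1111 "
              "shown=411111XXXXXX1111 tok=tok_0123abcd\n")

if __name__ == "__main__":
    vault = TokenVault()
    print("masked   :", mask_pan(TEST_PAN))
    print("truncated:", truncate_pan(TEST_PAN))
    print("hashed   :", hash_pan(TEST_PAN, b"demo-key-from-kms"))
    print("token    :", vault.tokenize(TEST_PAN))
    print("leaks    :", find_unprotected_pans(SAMPLE_LOG))
```

Running the scan over the sample line reports only the clear-text number; the masked, tokenized, and truncated forms are ignored, which is exactly the property Requirement 3 is after. Point the same scanner at application logs and database exports during scoping and you will quickly learn whether cardholder data is leaking outside the places you documented.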
Requirement 4 states that your organization must 1. protect cardholder data with strong cryptography whenever it is transmitted over open or public networks (the internet, wireless networks, cellular, and the like), and 2. know exactly where you send card data to and receive it from, so that every such channel is documented and covered.
This requirement exists because encrypting cardholder data before transmission, over a strong, current version of the transport protocol, sharply limits the chance of the data being captured in transit. SSL and early TLS are no longer acceptable; TLS 1.2 or later with secure cipher suites is the practical baseline. The requirement also prohibits sending unprotected PANs through end-user messaging technologies such as email, instant messaging, or SMS.
Requirement 5 ensures your company is protected against malware by deploying antivirus or anti-malware software on every system commonly affected by it, including laptops, workstations, servers, and mobile devices.
These solutions must be always active, kept current with the latest signatures and engine updates, configured to run periodic scans, and set to generate audit logs that are retained in line with Requirement 10. Users must not be able to disable or alter them without management authorization, so that the protection cannot simply be switched off.
Requirement 6 states that organizations must define and implement a process to identify newly discovered security vulnerabilities through reputable outside sources (vendor advisories, CERT bulletins, and similar) and to rank them by risk, for example as high, medium, or low.
This includes deploying vendor security patches across the cardholder data environment, including databases, operating systems, POS terminals, application software, firewalls, routers, and switches; critical patches must be installed within one month of release. Additionally, your business must define and follow a software development process that builds security requirements into every phase of development, covering secure coding practices, code review, separation of development and production environments, and protection against common web application flaws such as injection and cross-site scripting.
Requirement 7 obliges merchants and service providers to implement strong access control measures, allowing or denying access to cardholder data and the systems that hold it through role-based access control (RBAC), with a default of "deny all" unless access is specifically granted.
Your organization must grant access to card data and systems strictly on a need-to-know basis and at the least privilege needed to do the job, documenting every user who requires access to the cardholder data environment as well as their:
Requirement 8 rules out shared or group usernames and passwords: every authorized user must have a unique identifier and their own credential, with password complexity, lockout, and idle-timeout controls behind it.
Additionally, multi-factor authentication is required for all remote network access into the cardholder data environment and for all non-console administrative access. Together these measures ensure that every action can be traced to a known individual and that accountability is maintained.
Requirement 9 covers physical security: protecting physical access to locations such as data centers and server rooms, to the systems themselves, and to all removable or portable media holding cardholder data, including the secure destruction of that media when it is no longer needed. This requires the use of:
Requirement 10 states that: 1. all of your systems must have the correct audit logging policy configured, covering at a minimum user access to cardholder data, administrative actions, authentication attempts, and changes to the logs themselves, 2. you must forward the logs to a centralized log server (a syslog collector or SIEM) so that an attacker who compromises one host cannot erase its trail, and 3. these logs must be reviewed for anomalies and suspicious activity at least daily.
Additionally, all systems must use a single synchronized time source (such as NTP) so that audit records from different hosts can be correlated, audit data must be protected against unauthorized modification and deletion, and logs must be retained for at least one year, with a minimum of three months immediately available for analysis.
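The daily review in Requirement 10 is only practical if it is automated for the obvious cases. Below is an added example written for this post (not Strike Graph's product or any PCI DSS reference code) that runs two simple detections over a constructed set of centralized syslog-style auth lines from hosts with synchronized clocks: a burst of failed logins from one source, and a successful login from a source that had just been failing. Host names, addresses (from the documentation ranges), and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of centralized log lines. RFC 3339 UTC timestamps from
# NTP-synced hosts let us order events from pos-gw1 and db1 against each other.
SAMPLE_LOGS = """\
2024-05-01T02:14:01Z pos-gw1 sshd[411]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-05-01T02:14:05Z pos-gw1 sshd[413]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-05-01T02:14:09Z pos-gw1 sshd[415]: Failed password for invalid user root2 from 203.0.113.7 port 51003 ssh2
2024-05-01T02:14:14Z pos-gw1 sshd[417]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-05-01T02:14:20Z pos-gw1 sshd[419]: Failed password for admin from 203.0.113.7 port 51005 ssh2
2024-05-01T02:14:25Z pos-gw1 sshd[421]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
2024-05-01T02:29:40Z db1 sshd[902]: Failed password for deploy from 198.51.100.4 port 40210 ssh2
2024-05-01T02:29:52Z db1 sshd[904]: Accepted publickey for deploy from 198.51.100.4 port 40211 ssh2
2024-05-01T02:30:00Z db1 CRON[905]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Return (timestamp, host, message) for sshd lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["msg"]


def review(lines, window=timedelta(minutes=10), burst=5, suspicious=3):
    """Daily-review detections over chronologically ordered log lines.

    brute_force            : >= `burst` failures from one source inside `window`
    success_after_failures : a successful login from a source with >= `suspicious`
                             failures inside `window` (a likely guessed password)
    Returns a list of (rule, source, host, iso_timestamp) findings.
    """
    recent_failures = defaultdict(deque)   # source ip -> timestamps of failures
    already_flagged = set()                # one brute_force finding per source
    findings = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # not an sshd event; other rules would go here
        ts, host, msg = parsed

        fail = FAIL_RE.search(msg)
        if fail:
            q = recent_failures[fail["src"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= burst and fail["src"] not in already_flagged:
                already_flagged.add(fail["src"])
                findings.append(("brute_force", fail["src"], host, ts.isoformat()))
            continue

        ok = OK_RE.search(msg)
        if ok:
            q = recent_failures[ok["src"]]
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= suspicious:
                findings.append(("success_after_failures", ok["src"], host, ts.isoformat()))

    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS.splitlines()):
        print(*finding)
```

On the sample data the deploy user's single failure followed by a key-based login on db1 is treated as noise, while the admin login on pos-gw1 produces both a brute-force finding and a "success after failures" finding, which is the one a reviewer must actually chase down. The same sliding-window structure extends to the other events Requirement 10 cares about, such as privilege changes or log-service stops, and the review output itself should be retained as evidence that the daily review happened.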
Requirement 11 ensures that security systems and processes are tested regularly, because new vulnerabilities and misconfigurations appear constantly. In addition to weekly file-integrity monitoring comparisons of critical system files, configurations, and logs, you must:
Requirement 12 concerns your organization's information security policy, which must be maintained, reviewed at least annually, updated as the environment changes, and disseminated to all employees, vendors, and/or contractors. In addition, you must perform:
While achieving PCI DSS compliance can be complex, we’re here to help with our streamlined certification process. Strike Graph will: