By Xano | December 12, 2021
Security breaches have dominated the news cycle in the past few years, with millions of consumers facing fraudulent charges due to hackers accessing credit card information. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that strives to protect payment information by stipulating rigorous security standards for companies that handle card holder information.
If your website or application handles cardholder information, you must be PCI compliant. Non-compliance can result in hefty fines, legal penalties, and a major blow to your company's reputation. It is high recommended you consult a cybersecurity expert to review your website or application to ensure compliance
To be PCI compliant, you must meet 12 requirements, all of which we will go over below in detail.
Getting your firewall up and running is the first step toward PCI compliance. Firewalls keep user information safe by restricting both incoming and outgoing network traffic and are considered the first line of defense against hackers.
In addition to proper configuration of a firewall (as well as routers, if applicable), you must also create standardized processes and rules for allowing or denying network access.
Default settings on everything from servers to software applications to network devices are never adequate when it comes to PCI compliance. Never rely on vendor-supported defaults for sensitive information like passwords, usernames, and so on.
Upgrade your settings to maximize security on all third-party devices and vendors. Keep proper documentation of all configuration security hardening procedures for reference (and, if necessary, to provide proof of compliance).
While this step is something of a no-brainer when it comes to any type of security compliance, it's nevertheless vital and something you should be sure not to overlook. Anti-virus programs provide protection against all types of malware that could potentially affect your systems and compromise user data.
Every system that your employees use to access information – both locally and remotely – need to have anti-virus software installed. You also need protocol in place to ensure security updates are installed regularly.
This is arguably the most critical step, so pay close attention here. Know every single detail about where, how, and for how long cardholder data is stored. All cardholder data must be either encrypted with industry-accepted algorithms and security key, tokenized, hashed, or truncated.
Make sure Primary Account Numbers (PAN) are encrypted as well (they often aren't). A tool like Card Data Discovery can help you with this step by finding potential weak points and ensuring you check every box of PCI compliance.
Somewhat similar to the above step, encrypting payment transmission focuses on eliminating vulnerabilities in the traffic and transmission of payment data. Again, the first step is learning all the details about where data is going to and coming from. Cardholder data should be encrypted and secured as it passes through public networks.
Using a secure version of transmission protocols (i.e., SSH, TLS) encrypts data prior to transmission. This massively reduces the risk of data being compromised and accessed by cybercriminals.
You must have company policies in place to identify and classify risks. A complete risk assessment allows you to determine protocol for technology deployment that will keep sensitive information safe and secure.
The risk assessment should help you determine what kind of equipment and software would meet your specific security needs. You should patch all systems in your environment including operating systems, firewalls, routers, switches, POS terminals, application software, and databases.
The less people have access to cardholder data, the better. As few entities as possible should be able to handle cardholder data and PCI requirements stipulate this data should be administered on a need-to-know basis only. Who can and cannot access the data will be based on factors like level of seniority, job responsibilities, and so on.
Document all requirements for access to cardholder data and make sure to have safeguards in place – both physical and digital – to prevent unauthorized access.
Every single user with access to cardholder data needs their own unique, individual username and password, all of which should be complex. Group or shared usernames are not permitted under any circumstances.
While this measure does prevent hackers from stealing passwords, it goes beyond that in terms of securing data. In the event of a security breach, unique user access identification allows you to trace activity back to a specific user.
In addition to cybersecurity measures like antivirus software, you need to restrict physical access to cardholder data. You need to have safeguards in place to prevent unauthorized personnel from accessing servers, paper files, workstations, etc. Any portable media (i.e., flash drives) must be destroyed once you are done using it for business purposes.
Security cameras and electronic monitoring of entry and exit points are mandatory. All recordings must be kept for at least 90 days. However, it is recommended that you store your recordings longer as it can take well over 90 days to detect a security breach.
One of the biggest ways cybercriminals compromise cardholder data is through physical and wireless networks. Use a Security Information and Event Monitoring (SIEM) tool to keep track of all system activity so you can address any suspicious activity right away.
You should also keep rigorous network activity logs that are sent to a centralized server for review daily. PCI compliance stipulates you must keep audit trail records of network activity maintained and time-synchronized for at least a year. As with security footage, however, it is recommended that you maintain your records longer than the bare minimum.
Cybercriminals are constantly on the lookout for vulnerabilities in your system. Once all your systems are in place, continuous testing is vital to prevent data breaches. Penetration and vulnerability testing should be conducted regularly.
You should also conduct wireless analyzer scanning on a quarterly basis and use PCI approved screening vendors to scan external domains and IPs.
The final requirement involves keeping every single employee with access to cardholder information on the same page in regards to security protocol. You must create a thorough policy addressing expectations, rules, and regulations that is distributed to all employees.
PCI compliance requires an annual formal risk assessment, user awareness training, employee background checks, and incident management.
PCI compliance standards are rigorous as protecting cardholder information is important to reducing the risk of credit card fraud or identity theft. You must follow the above steps carefully and completely in order to achieve PCI compliance. You should also have a third-party expert evaluate your company to make sure you didn't miss anything.
Looking for solutions for your company? Xano is the fastest No Code Backend development platform on the market. We give you a scalable server, a flexible database, and a No code API builder that can transform, filter, and integrate with data from anywhere. Sign up here to get started.