How to Implement the PCI DSS Compliance Framework

If your business processes payment information - you've probably heard of the PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS encompasses 12 requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. Why? Because sensitive cardholder information is everywhere - stored in file servers, databases, access logs, and myriad other (un)structured data repositories. As such, PCI DSS requires diligent administration and close cooperation between businesses and their IT teams.

Learn How to Meet All 12 PCI DSS Compliance Requirements:

What Is PCI DSS?

The PCI DSS has been headed up by the PCI Security Standards Council since 2006. The framework was designed to help merchants and financial institutions understand and implement standards for security policies and processes to protect their payment systems and cardholder data. PCI DSS also provides standards to vendors who are looking to implement or create secure payment solutions. As such, PCI DSS applies to all entities that store, process, and/or transmit cardholder data. This widespread application is vital to protecting cardholder data such as the PAN (primary account number printed on a payment card), magnetic strip, chip, and pin.

How to Meet PCI DSS Compliance Standards

Like most compliance undertakings, the best approach is a phased one. During the first half, prioritize organizational controls, planning, leadership commitment, and basic infrastructure tools such as firewalls, anti-virus, password management, data storage and encryption, identity management, etc. Once these controls and solutions have been implemented, you will need to work closely with your IT team to monitor them. This may include vulnerability scanning, monitoring for configuration changes, intrusion detection, etc. Learn more about each of these steps:

1. Implement a Firewall

   • Install and maintain a firewall configuration to protect cardholder data. Setup firewall and zoning, and monitor the configuration for unauthorized changes.

2. Avoid Vendor Defaults

   • Don't use vendor defaults for system passwords and other security parameters. Change default passwords and monitor the configuration for critical infrastructure.

3. Properly Store Your Data

   • Use a secure data storage repository, with around-the-clock monitoring for attacks and leaks.

4. Leverage Encryption

   • Encrypt transmission of cardholder data across open, public networks. Encrypt and monitor systems that contain PAN.

5. Implement Anti-Virus

   • Use and regularly update anti-virus software or programs through automated patch deployment.

6. Secure Your Applications

   • Develop and maintain secure systems and applications, and use a 24x7 logging tool to track external and internal vulnerabilities. 

7. Restrict Access

   • Operate on a "need to know" basis. This means limiting who has access to critical data and leveraging identity management solutions, such as Azure Active Directory, to manage users.

8. Use Employee Identifiers

   • Assign a unique ID to each person with computer access that can track behavior anomalies and risks. 

9. Lock It Up

   • If applicable, restrict physical access to cardholder data.

10. Use a SIEM

    • Track and monitor all access to network resources and cardholder data through log management software. You will need a solution that incorporates auditing and forensics, external vulnerability scans, and intrusion detection.

11. Test Your Systems

    • Regularly test security systems and processes. Collect logs from intrusion detection and prevention systems to validate compliance.

12. Put It in Writing

    • Maintain a policy that addresses information security for all personnel. Create an IR team and host routine managed security training for users.
      
      

For more information about complying with PCI DSS or other industry compliance frameworks, reach out to iCorps for a free IT consultation.