The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information — regardless of the number of transactions or the size of those transactions. Because of that, there are thousands of organizations spanning practically every industry that must comply with these standards.

Maintaining compliance is a top priority. To learn more about what companies need to know and do to ensure compliance with PCI-DSS, we reached out to a panel of infosec pros and asked them to answer this question:

"What are the best practices for meeting PCI-DSS compliance?"

Meet Our Panel of Security Professionals and PCI-DSS experts:

Mike Baker

@Mosaic451

Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.

"PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches..."

It merely means minimum standards have been achieved. As cybercriminals become more sophisticated, staying ahead of threats is a daily challenge. The card number is only a small part of what a hacker wants. The more data a hacker gets, the more complete a profile of an individual they obtain, making the data they steal that much more valuable.

Merchants need to take several measures to be compliant and prevent their POS systems from being compromised.

1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks

There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe. While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers has yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.

2. Ensure that Both POS and OS Software Is Up-to-Date

Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.

3. Always Change Default Manufacturers’ Passwords

Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password. Changing default passwords is required as part of an organization’s compliance with PCI-DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.

4. Isolate the POS System from Other Networks

Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system. The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.

5. Always Purchase POS Systems from Reputable Dealers

Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.

Cedric Savarese

@cedsav

Cedric Savarese is the Founder and Chief Executive Officer at FormAssembly, a leading provider of enterprise form solutions. Cedric has been at the helm of FormAssembly, responsible for the company’s strategic direction and growth, since its inception in 2006.

"Best practices for meeting PCI-DSS compliance include..."

Identify and maintain goals and perspective

Goal - The ongoing security of cardholder data should be the primary objective behind all PCI compliance activities – not simply attaining compliance reports.

Perspective - Organizations get wrapped up in the compliance process and fail to establish long-term processes and governance for maintaining the security of cardholder information. Cardholder data is one of the easiest types of data to convert to cash. It represents almost 75 percent of all security attacks. An entity collecting cardholder data needs to consider why, where, when and what for collecting such data.

Risk and security precede compliance

It’s not about compliance. Any company can attain PCI compliance by achieving the minimum security requirements set by PCI Security Standards Council. Identifying risk associated with any data collection activity is the primary step towards security. Security in turn mitigates risks and helps organization achieve and maintain compliance. Compliance should not be the goal – it’s a guideline – risk mitigation and security should be.

Frequency of audits and scans.

It is an ongoing process, which never stops. Scan, monitor, and mitigate – there is no shortcut to this process.

Ownership

Define ownership - PCI compliance and coordinating security activities should be the primary role for the owner. The compliance manager should have adequate responsibility, budget, and authority.

Balance business priorities versus security cost and procedures

One of the biggest pain points for small businesses is balance. Businesses emphasize growth, constricting information security budget. Information security and compliance should not be seen as an added cost center. Instead, they should be considered as long-term investment.

Ian McClarty

@phoenixnap

Ian McClarty has over 20 years executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services.

"When dealing with PCI compliance..."

Your number one priority is protecting your cardholder data (CHD). PCI has a very comprehensive set of rules to accomplish protection, but your company can keep the following best practices in mind when striving for PCI compliance.

• Segment your data – It is imperative to keep your CHD segmented from your standard company data. This entails creating a cardholder environment (CHE) that only deals with CHD. This not only protects your data but it also reduces the scope of your PCI audit.
• Encrypt your data – All CHD should be encrypted, or tokenized, from the moment you interact with your customer’s card number. This also includes ensuring this data is encrypted while at rest.
• Control access to your data – Role-based access controls (RBAC) will make your PCI compliance much easier. RBAC will ensure your HR department has no access to CHD and your system administrators have the access they need.
• Monitor your data – Set up alerts for security incidents involving CHD or anything that could compromise your CHE. Attackers usually do not compromise your data by coming through your front door, but rather do it in a methodical, hidden manner as to not alert you. Monitor even the assets that you feel are trivial but support your CHE.

Ben Zilberman

@radware

Ben Zilberman is a product marketing manager, security on Radware’s security team. In this role, Ben specializes in application security and threat intelligence and works closely with Radware’s Emergency Response and research teams to raise awareness of high profile and impending attacks. Ben has diverse experience in network security, including firewalls, threat prevention, web security, and DDoS technologies.

"There are several practices to ensure you meet the Payment Card Industry Data Security Standard (PCI-DSS)..."

To start, you need to make sure to use encryption protocols beyond SSL/TLS, which is no longer sufficient for PCI-DSS. By June 30th, 2018, you need to have disabled SSL and early TLS protocols and upgraded to a more secure alternative. Another requirement for meeting PCI-DSS compliance is to use strong access controls to prevent unauthorized access. This includes pairing multi-factor authentication with strong passwords. These passwords should be very long, comprised of different types of characters, and avoid dictionary words. You also need to implement secure remote communication to prevent eavesdropping, keep data that flows via APIs safe, and encrypt and secure the certifications and keys. It’s also important to follow security alerts and advisories and ensure timely patching to substantially reduce the attack surface and risk level. Periodically audit your security posture as well, especially after making changes. This includes any redesign, replacement or integration of new solutions. A security audit goes hand in hand with performing code reviews to prevent exploitation of common vulnerabilities. You can do this manually or with automated scanning and vulnerability assessment tools. Finally, make sure to implement web application firewalls (WAFs) as a security policy enforcement point. If you follow these important steps and requirements for the PCI-DSS, you’ll be well on your way to ensuring compliance.

Steve Dickson

@Netwrix

Steve Dickson is an accomplished expert in information security and CEO of Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, CA.

"The Payment Card Industry Data Security Standard (PCI-DSS) aims to..."

Enhance cardholder data security and facilitate the adoption of consistent data security measures globally. This standard applies to all entities involved in payment card processing, which includes merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data or sensitive authentication data.

Here are three measures for organizations to ensure compliance with PCI-DSS:

Conduct regular risk assessments. PCI-DSS highlights the importance of conducting risk assessments in order to understand the likelihood and magnitude of harm from various threats and determine whether additional controls are necessary to protect data. You need to regularly evaluate your security posture to quickly find areas that need attention, prioritize them, and mitigate risks to an acceptable level. If a risk assessment process is not already established, define risk assessment methodology, assign roles and responsibilities, and allocate resources.

Analyze user behavior. As outlined in Requirement 10, you need to track access to network resources and cardholder data to identify anomalies or suspicious activities before they lead to security incidents. User behavior analytics can help you gain visibility into what users are doing in the IT environment and spot unusual behavior that might be a sign of insider misuse or hackers trying to gain access to IT infrastructure.

Use data discovery and classification. Requirement 3 of PCI-DSS says that companies should store data “only in specific, known locations with limited access” to protect cardholder data. Data discovery and classification can help you fulfill this requirement and identify your sensitive data, where it resides, who can access it, and who uses it in order to set appropriate levels of controls and ensure that critical information is not overexposed.

Tim Critchley

@Semafone

Tim is an experienced director of technology start-ups in both product- and service-focused sectors. He has been the CEO of Semafone since 2009 and has led the company from a UK startup to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups, including the BGF and Octopus.

"Complying with the complex PCI-DSS can be quite simple through a tactic called descoping..."

The PCI-DSS considers any person, system, or piece of technology that touches cardholder data (CHD) as in scope. To simplify compliance, companies should look for opportunities to remove these entities from PCI-DSS scope (descoping) by ensuring that they are never exposed to CHD.

For example, if your organization operates a contact center that regularly accepts customer payments over the phone, you can descope your IT network infrastructure, agents/customer service representatives, call recording systems, and other telephony from compliance by using dual-tone multi-frequency (DTMF) masking technologies. These technologies allow customers to directly enter their payment card data into their phone's keypad, replacing DTMF tones with flat ones so they are indecipherable. By sending the CHD directly to the payment processor, such solutions keep the data out of the contact center environment completely. As a result, there are far fewer controls required for PCI-DSS compliance, while sensitive data is out of reach from fraudsters and hackers. As I like to say, no one can hack the data you don't hold.

Jennifer Glass

@creditcardsnj

Jennifer Glass is CEO of Credit Cards, NJ (CCNJ) a growing ISO in the payment processing industry. Ms. Glass has been recognized as an expert in the payment processing space by the Small Business Development Center, SCORE, many banks, several top 50 global accounting firms and more than 1,000 organizations for more than 15 years.

"First is the obvious..."

Make sure that all people in the organization are following common sense practices and not leaving credit card data lying around and only certain people that have an absolute need have access to the secure data. Second, and this one is perhaps even more important in certain situations like what we saw in the Saks Fifth Avenue/Lord & Taylor hack – if a payment processing system is connected to the same server(s) as email and other non-payment related activities, get that payment system off the shared resource(s) and put it on its own dedicated resource with separate logins, etc. to prevent malware from attacking the same system and leaving payment details open to hackers. It's similar to the way large (cruise) boats are made these days – there are bulkheads to hold water in the event of a strike/accident so that the whole boat doesn't flood. If a hacker is limited to one area, they won't get a second win just by getting into the network on the email side with social engineered phishing attempts, etc. These are just some of the ways that businesses can be safer beyond simply completing the self-assessment questionnaires or having scans done by a security vendor because those options won't always uncover the problem areas as we have seen time and time again with these major hacks.