18 PCI-DSS experts and security professionals discuss best practices for meeting PCI-DSS compliance.
The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information — regardless of the number of transactions or the size of those transactions. Because of that, there are thousands of organizations spanning practically every industry that must comply with these standards.
Maintaining compliance is a top priority. To learn more about what companies need to know and do to ensure compliance with PCI-DSS, we reached out to a panel of infosec pros and asked them to answer this question:
"What are the best practices for meeting PCI-DSS compliance?"
Meet Our Panel of Security Professionals and PCI-DSS experts:
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
"PCI compliance is not a guarantee that a retailer’s infrastructure is immune to breaches..."
It merely means minimum standards have been achieved. As cybercriminals become more sophisticated, staying ahead of threats is a daily challenge. The card number is only a small part of what a hacker wants. The more data a hacker gets, the more complete a profile of an individual they obtain, making the data they steal that much more valuable.
Merchants need to take several measures to be compliant and prevent their POS systems from being compromised.
1. Have Store Personnel Monitor Self-Checkout Terminals/Kiosks
There are two methods by which POS data is stolen: by compromising the POS system itself using stolen credentials or by physically installing “card skimmers,” usually on self-checkout terminals that are not monitored. These devices, which take only seconds to install, steal payment card data and PIN information directly off the card’s magnetic stripe. While the introduction of new chip cards will eliminate the threat of card skimmers, 42% of retailers has yet to update their payment terminals to accept chip cards – and even some retailers who have EMV-enabled terminals cannot accept chip cards because the POS software cannot yet handle them. It is imperative that such terminals not be left completely unattended. Every store should have on-site personnel who are trained to spot card skimmers and assigned to monitor self-checkout terminals for their presence.
2. Ensure that Both POS and OS Software Is Up-to-Date
Because cybersecurity is a constant “Spy vs. Spy” battle where experts find ways to patch vulnerabilities while hackers find new ways to access systems, POS software systems release frequent updates to address the most recent security threats. For maximum protection, these updates must be downloaded and installed as soon as they are released, not on a monthly or quarterly schedule. The same concept applies to operating system software; retailers and restaurants that are running Microsoft Windows should ensure that patches are installed as soon as they are available.
3. Always Change Default Manufacturers’ Passwords
Retailers and restaurants should always change the default password provided by the manufacturer as soon as a new piece of hardware is hooked up to their POS system. Default passwords are publicly available, and thus widely known to hackers; in fact, the first thing an attacker will attempt to do is access the device using the default password. Changing default passwords is required as part of an organization’s compliance with PCI-DSS standards. Likewise, software system passwords should also be changed upon installation, and then on a regular basis afterwards.
4. Isolate the POS System from Other Networks
Many retailers, restaurants, and hotels offer free Wi-Fi to their customers. The POS system should never be hooked up to this network, as a hacker can use it to access the system. Likewise, if an organization’s POS system is not separated from its corporate network, a hacker who compromises the organization’s main network will be able to access its POS system. There are two ways to achieve this: by actually segmenting the two networks or by using multifactor authentication for communication between the organization’s main network and its POS system. The correct solution for a particular organization depends on its size and resources, so it’s best for organizations to consult a managed security services provider (MSSP) to determine which solution would best fit their needs.
5. Always Purchase POS Systems from Reputable Dealers
Retailers and restaurants have extremely thin profit margins, and the individually franchised restaurants that are popular in the fast-food industry tend to operate on particularly tight budgets. As the industry automates for the first time, it may be tempting for these small operators to seek out the best “deal” on self-checkout systems – but a POS system purchased from a manufacturer who turns out to be fraudulent is no “deal” at all, and it could result in financial ruin for that location. POS systems should be purchased only from known, reputable dealers, and if a “deal” on a system seems too good to be true, it probably is.
Cedric Savarese is the Founder and Chief Executive Officer at FormAssembly, a leading provider of enterprise form solutions. Cedric has been at the helm of FormAssembly, responsible for the company’s strategic direction and growth, since its inception in 2006.
"Best practices for meeting PCI-DSS compliance include..."
Identify and maintain goals and perspective
Goal - The ongoing security of cardholder data should be the primary objective behind all PCI compliance activities – not simply attaining compliance reports.
Perspective - Organizations get wrapped up in the compliance process and fail to establish long-term processes and governance for maintaining the security of cardholder information. Cardholder data is one of the easiest types of data to convert to cash. It represents almost 75 percent of all security attacks. An entity collecting cardholder data needs to consider why, where, when and what for collecting such data.
Risk and security precede compliance
It’s not about compliance. Any company can attain PCI compliance by achieving the minimum security requirements set by PCI Security Standards Council. Identifying risk associated with any data collection activity is the primary step towards security. Security in turn mitigates risks and helps organization achieve and maintain compliance. Compliance should not be the goal – it’s a guideline – risk mitigation and security should be.
Frequency of audits and scans.
It is an ongoing process, which never stops. Scan, monitor, and mitigate – there is no shortcut to this process.
Define ownership - PCI compliance and coordinating security activities should be the primary role for the owner. The compliance manager should have adequate responsibility, budget, and authority.
Balance business priorities versus security cost and procedures
One of the biggest pain points for small businesses is balance. Businesses emphasize growth, constricting information security budget. Information security and compliance should not be seen as an added cost center. Instead, they should be considered as long-term investment.
Ian McClarty has over 20 years executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services.
"When dealing with PCI compliance..."
Your number one priority is protecting your cardholder data (CHD). PCI has a very comprehensive set of rules to accomplish protection, but your company can keep the following best practices in mind when striving for PCI compliance.
- Segment your data – It is imperative to keep your CHD segmented from your standard company data. This entails creating a cardholder environment (CHE) that only deals with CHD. This not only protects your data but it also reduces the scope of your PCI audit.
- Encrypt your data – All CHD should be encrypted, or tokenized, from the moment you interact with your customer’s card number. This also includes ensuring this data is encrypted while at rest.
- Control access to your data – Role-based access controls (RBAC) will make your PCI compliance much easier. RBAC will ensure your HR department has no access to CHD and your system administrators have the access they need.
- Monitor your data – Set up alerts for security incidents involving CHD or anything that could compromise your CHE. Attackers usually do not compromise your data by coming through your front door, but rather do it in a methodical, hidden manner as to not alert you. Monitor even the assets that you feel are trivial but support your CHE.
Ben Zilberman is a product marketing manager, security on Radware’s security team. In this role, Ben specializes in application security and threat intelligence and works closely with Radware’s Emergency Response and research teams to raise awareness of high profile and impending attacks. Ben has diverse experience in network security, including firewalls, threat prevention, web security, and DDoS technologies.
"There are several practices to ensure you meet the Payment Card Industry Data Security Standard (PCI-DSS)..."
To start, you need to make sure to use encryption protocols beyond SSL/TLS, which is no longer sufficient for PCI-DSS. By June 30th, 2018, you need to have disabled SSL and early TLS protocols and upgraded to a more secure alternative. Another requirement for meeting PCI-DSS compliance is to use strong access controls to prevent unauthorized access. This includes pairing multi-factor authentication with strong passwords. These passwords should be very long, comprised of different types of characters, and avoid dictionary words. You also need to implement secure remote communication to prevent eavesdropping, keep data that flows via APIs safe, and encrypt and secure the certifications and keys. It’s also important to follow security alerts and advisories and ensure timely patching to substantially reduce the attack surface and risk level. Periodically audit your security posture as well, especially after making changes. This includes any redesign, replacement or integration of new solutions. A security audit goes hand in hand with performing code reviews to prevent exploitation of common vulnerabilities. You can do this manually or with automated scanning and vulnerability assessment tools. Finally, make sure to implement web application firewalls (WAFs) as a security policy enforcement point. If you follow these important steps and requirements for the PCI-DSS, you’ll be well on your way to ensuring compliance.
Steve Dickson is an accomplished expert in information security and CEO of Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, CA.
"The Payment Card Industry Data Security Standard (PCI-DSS) aims to..."
Enhance cardholder data security and facilitate the adoption of consistent data security measures globally. This standard applies to all entities involved in payment card processing, which includes merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data or sensitive authentication data.
Here are three measures for organizations to ensure compliance with PCI-DSS:
Conduct regular risk assessments. PCI-DSS highlights the importance of conducting risk assessments in order to understand the likelihood and magnitude of harm from various threats and determine whether additional controls are necessary to protect data. You need to regularly evaluate your security posture to quickly find areas that need attention, prioritize them, and mitigate risks to an acceptable level. If a risk assessment process is not already established, define risk assessment methodology, assign roles and responsibilities, and allocate resources.
Analyze user behavior. As outlined in Requirement 10, you need to track access to network resources and cardholder data to identify anomalies or suspicious activities before they lead to security incidents. User behavior analytics can help you gain visibility into what users are doing in the IT environment and spot unusual behavior that might be a sign of insider misuse or hackers trying to gain access to IT infrastructure.
Use data discovery and classification. Requirement 3 of PCI-DSS says that companies should store data “only in specific, known locations with limited access” to protect cardholder data. Data discovery and classification can help you fulfill this requirement and identify your sensitive data, where it resides, who can access it, and who uses it in order to set appropriate levels of controls and ensure that critical information is not overexposed.
Tim is an experienced director of technology start-ups in both product- and service-focused sectors. He has been the CEO of Semafone since 2009 and has led the company from a UK startup to an international business that spans five continents. He has helped secure Series A and Series B rounds of funding from various investor groups, including the BGF and Octopus.
"Complying with the complex PCI-DSS can be quite simple through a tactic called descoping..."
The PCI-DSS considers any person, system, or piece of technology that touches cardholder data (CHD) as in scope. To simplify compliance, companies should look for opportunities to remove these entities from PCI-DSS scope (descoping) by ensuring that they are never exposed to CHD.
For example, if your organization operates a contact center that regularly accepts customer payments over the phone, you can descope your IT network infrastructure, agents/customer service representatives, call recording systems, and other telephony from compliance by using dual-tone multi-frequency (DTMF) masking technologies. These technologies allow customers to directly enter their payment card data into their phone's keypad, replacing DTMF tones with flat ones so they are indecipherable. By sending the CHD directly to the payment processor, such solutions keep the data out of the contact center environment completely. As a result, there are far fewer controls required for PCI-DSS compliance, while sensitive data is out of reach from fraudsters and hackers. As I like to say, no one can hack the data you don't hold.
Jennifer Glass is CEO of Credit Cards, NJ (CCNJ) a growing ISO in the payment processing industry. Ms. Glass has been recognized as an expert in the payment processing space by the Small Business Development Center, SCORE, many banks, several top 50 global accounting firms and more than 1,000 organizations for more than 15 years.
"First is the obvious..."
Make sure that all people in the organization are following common sense practices and not leaving credit card data lying around and only certain people that have an absolute need have access to the secure data. Second, and this one is perhaps even more important in certain situations like what we saw in the Saks Fifth Avenue/Lord & Taylor hack – if a payment processing system is connected to the same server(s) as email and other non-payment related activities, get that payment system off the shared resource(s) and put it on its own dedicated resource with separate logins, etc. to prevent malware from attacking the same system and leaving payment details open to hackers. It's similar to the way large (cruise) boats are made these days – there are bulkheads to hold water in the event of a strike/accident so that the whole boat doesn't flood. If a hacker is limited to one area, they won't get a second win just by getting into the network on the email side with social engineered phishing attempts, etc. These are just some of the ways that businesses can be safer beyond simply completing the self-assessment questionnaires or having scans done by a security vendor because those options won't always uncover the problem areas as we have seen time and time again with these major hacks.
The Definitive Guide to Data Loss Prevention
Ellen Cunningham is the Marketing Manager for CardFellow, a marketplace for comparing credit card processors. She enjoys the challenge of explaining complex topics – making her a perfect fit for credit card processing – and strongly believes in CardFellow's mission of empowering business owners through education.
"PCI compliance is roughly split into 6 'categories' with steps in each category..."
It’s a good idea to work with your credit card processor or a security company to ensure compliance, but here’s a high-level overview.
The six main areas of compliance are having a secure processing network, protecting cardholder data, protecting systems against malware, using strong access control measures, monitoring and testing networks, and creating an information security policy.
Having a secure processing network includes installing firewalls, changing default passwords to more secure options, and updating other default security settings.
Protecting cardholder data includes encrypting data during transmission, as well as following proper procedures for card storage. Most processors offer a secure vault for digital card storage to help you keep data off your servers and maintain compliance.
Protecting systems against malware includes installing and regularly updating antivirus software and patching any vulnerabilities.
Using strong access control measures means limiting employee access to cardholder information and tracking who has access to the data by a unique ID. It also includes limiting physical access to cardholder data.
Monitoring and testing networks includes tracking personnel that have access to cardholder data on your network and what they’re doing with that data, as well as testing your systems for security flaws or vulnerabilities.
Creating an information security policy involves clearly stating how your organization will deal with PCI-DSS and which employees or vendors are responsible for which components.
Jake Posey is the CEO of Prepaid Program Management LLC. His company teaches FinTechs and Entrepreneurs how to launch prepaid card programs. Jake is also the lead instructor for the Prepaid Academy that offers prepaid specific compliance, IT, and PCI training.
"There are three areas I recommend companies focus on…”
The first is mini-audits. I’ve seen too many prepaid program managers wait until their auditors are about to conduct their annual review before they scan their systems for compliance. Granted, these companies are in pretty good shape, but things can fall out of compliance when you have several releases happening throughout the year. The result, however, is needing to dedicate an entire release cycle to PCI compliance instead of launching new products that will increase revenues. Companies should conduct a mini audit after each release. Each of these areas can focus on different PCI compliance areas. This, in itself, will prevent an entire release from being monopolized by PCI items.
Secondly, companies should focus more on restricted access for its employees. Many Fintechs today are filled with rockstars that can do many jobs. However, each rockstar has a specific scope of duties. His or her access should be limited to the job they are assigned, not the jobs they could be doing. In one instance, I’ve seen a programmer expose a company to $900 million in potential losses because he was testing in production and not UAT. Additionally, companies need to develop solid audit procedures to remove access for employees and contractors after they leave the company.
Lastly is investing in industry specific training. PCI covers the payments industry, but that industry is multifaceted and complex. There are different scenarios that need to be addressed by a bank who is PCI compliant versus a FinTech company who needs to be PCI compliant. Yet, most training treats everyone the same. Companies need to make the investment in training that is specific to their niche and shows examples that are relevant. Otherwise, you risk an employee rushing through the training instead of thinking through the training.
Evaldas Alexander is the CTO at RankPay, a top-rated SEO service that helps thousands of small businesses earn higher rankings.
"PCI-DSS compliance has several different Self Assessment Questionnaires (SAQs) that must be followed to be compliant..."
Since the different SAQs vary in length, it's beneficial to minimize company exposure to payment method details, in order to be eligible for compliance under the shortest possible SAQ. For example, one SAQ has only 13 requirements, while another SAQ has over 200! When it comes to dealing with such requirements, you should have appropriate policies and procedures documented within your internal wiki. Perform regular audits to ensure that employees are functioning within the parameters specified by your chosen SAQ. For instance, no customer service rep can update the credit card on file on behalf of a customer if you are compliant under the specification of SAQ A.
Dmytro Lanovskyi is currently is a Chief Information Security Officer (CISSP) on one of Intellias' client projects.
"The best practices for meeting PCI-DSS compliance include..."
1. First of all, you need assigned ownership over the compliance process. Generally, it should be a security expert with relevant experience in coordinating security activities.
2. You need to start building your architecture with PCI-DSS requirements in mind.
3. Conduct an in-depth risk assessment to define security needs.
4. Provide custom and automated control over monitoring systems.
5. Detect and respond quickly to security control issues.
6. Develop performance metrics to measure success and failure.
7. Be ready to prepare a bunch of documentation for PCI-DSS certification from scratch and guarantee continuous compliance.
8. The list of documentation about your company and services you’ll need to prepare includes:
- Antivirus Policy
- Cardholder Data Policy
- Firewall and Router Policy
- Information Security Policy
- Password Policy
- Physical Security Policy
- System Configuration Policy
- System Monitoring and Logging Policy
- Testing Systems and Processes Procedure
- Information Security Incident Management Policy
- Inventory and Ownership of Assets Policy
- Application and System Development Software Policy
- Managing Service Providers Policy
- Access Control Policy
- Information Security Awareness Program
- Information Security Responsibilities Policy Statement
- Individual User Agreement Template
- Data Classification Policy
- Data Protection Policy
- Data Management Policy
9. You need to comply with PCI-DSS standards on a daily basis, even after the successful audit.
10. Consider the regular position of CISSP to control all security activities.
Geoffrey Scott is a payments consultant at PayMotile.com, where he collaborates daily with businesses to connect them with the payment processor most suited to handling their particular needs.
"PCI-DSS compliance is standard practice for payment processors..."
Businesses new to the world of card transactions may struggle to comply if they haven't prepared themselves. Here are a couple of best practices for businesses aiming to meet PCI-DSS standards:
1. Minimize (or eliminate) the data you're collecting from customers.
The more data you collect, the more scrutinized you'll be. For instance, e-commerce businesses who collect and store user data have to fill out a robust, 326-question form version of the PCI SAQ (self-assessment questionnaire). For companies that leave such data collection to a third party, compliance is more straightforward (and the SAQ is a lot more concise).
Not to mention, with the GDPR in effect, data collection is becoming more complicated than ever. It's a good idea to limit and closely monitor such practices, so you can reduce your company's liability in the event of a breach (or lawsuit).
2. Communicate with your payment processor.
Although how you comply to the PCI-DSS is governed by a standard set of rules, your payment processor may have additional compliance measures that you'll need to follow. When in doubt, contact them. Get explicit confirmation whenever you're uncertain about anything related to compliance. Discrepancies between you and your provider will only lead to headaches for both parties.
McCall Robison is a Content Specialist for BestCompany.com. She also manages the Merchant Accounts Blog.
"What some people don't realize about PCI-DSS compliance is that..."
It isn't a one and done deal; it is an ongoing process. In order to ensure your business is complying with the PCI-DSS standards, you must do three steps periodically: assess, remediate, and report.
You must continually assess and analyze the PCI-DSS standards to make sure you are complying. If you are not fully complying, you must remediate any shortcomings and eliminate those vulnerabilities. Following this, you must make a report of this remediation and provide a new compliance statement to your acquiring bank as well as your payment card brand.
Gregory is the VP of Operations at Single Point of Contact. He is an IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
"The best practices for meeting PCI-DSS compliance are to..."
Build and maintain a secure network with systems that protect cardholder data; have a vulnerability management program and implement an access control system; monitor and test networks as well as have an information security policy in place. Have all these things available to show an auditor or for your own internal review.
Carmine Mastropierro is the owner of a digital agency, three affiliate marketing businesses, and is a self published author. He has written for GQ Magazine, Postmates, Marketo, and others.
"To meet PCI-DSS compliance..."
Business owners should first ensure that their website uses an SSL certificate. This provides an extra layer of security for customers and is required by major payment gateways. It also provides insurance for end users if any money is lost during payment. Secondly, having security policies and procedures in place will further keep customer data safe. Thirdly, a requirement for PCI compliance is updated systems. Databases, browsers, firewalls, and other crucial components will need to be modern and kept current.
Chad Reid is Director of Communications at JotForm, a PCI-DSS Service Provider Level One compliant form software.
"I think one of the most important aspects of meeting PCI-DSS compliance as a service provider is..."
Getting the very best 3rd-party security assessment available. When you explain to your customers that you're fully compliant, you need to show them tangible proof. Having a top-notch security assessment goes a long way. Getting a professional security assessment is valuable to your company anyway, but having a good one can show your customers you truly take security seriously.
Mike Mood is the Founder of Lamood Big Hats and WalletGear. Lamood Big Hats makes hats for big heads going beyond the one-size-fits-all hats. WalletGear has men's wallets, wallet inserts, credit card holders, money clips, and more.
"One of the best practices in meeting PCI-DSS compliance is to..."
Never store credit card info on your servers. Use a third-party payment processor that is already PCI compliant like Paypal, Authorize.net, etc. Not only does PCI compliance make sure credit cards are safe, they also check other possible vulnerabilities on your server. You will need to make sure your firewall is protecting your ports and that you are using the correct ports for such items like outgoing order confirmation emails.
You will also need to do a self assessment on your internal business policies such application security. You will need to make sure your e-commerce software is up-to-date with the latest patches. If you have a physical retail store, you will need to make sure your POS system is isolated from your WiFi and maintain a list of wireless access points. If you do store customer data, you will need to have physical security setup as well.
Ilmie Sham Ku
Ilmie Sham Ku is the Content Marketing Coordinator at Blue Link ERP.
"More and more retail businesses are beginning to..."
Accept credit card payments from their customers both online and offline. Businesses are responsible for adhering to PCI-DSS standards in order to keep their customer's card information safe. This includes implementing processes and software for properly managing cardholder data, keeping firewall and virus protection programs up-to-date, and properly training employees on compliance standards. Compliance is more than just adhering to industry regulations; it also helps you earn the trust of your customers and provide different payment options to remain competitive. If your company works with cardholder information, it is important to ensure you have a system in place to protect this data. However, it can be hard to overcome some of the challenges associated with this:
- Employee habit: staff members may put credit card information in unencrypted fields just out of habit, or because they don't have easy access to an encrypted database to save the information in
- Data migration: transferring all of the credit card information your company has been storing in unencrypted fields into a secure database can be a time-consuming and tedious data migration process
In order to avoid this type of situation, managers must implement proper processes for accepting credit card information, employees must be trained on meeting PCI Compliance and any accounting software or programs used for storing card data must provide encrypted databases. Some companies may practice compliance by maintaining a secure, paper-based locked file system of account numbers. However, employees often disregard these policies during their daily routine, as it can be a time-consuming process. A better solution is to implement proper accounting software that includes completely separate, encrypted databases for storing this type of sensitive cardholder information. Implementing a proper system will require the transfer of all credit card information that your company previously stored in unencrypted fields, into a secure database. Finding a system with consultants who are knowledgeable in this area will help make the set-up and data migration process go smoothly.
Protecting sensitive cardholder data is just one important aspect of achieving full compliance with PCI-DSS standards, and should be addressed and reviewed along with all other requirements on a regular basis. Being proactive in making sure your business meets the correct PCI-DSS standards each year will save your company time and money dealing with any compliance issues, keep your customers happy knowing their data is safe, and help your business remain competitive.