PCI DSS Requirements
PCI DSS applies to every organization that stores, processes or transmits payment card data. The PCI Security Standards Council (PCI SSC) groups the standard into 12 requirements, under six control objectives, for protecting cardholder data and maintaining a secure infrastructure. To be assessed as PCI compliant, an organization must satisfy more than 400 testing procedures that map onto those 12 requirements.
Below are general descriptions of the PCI DSS requirements:
PCI DSS Objective 1: Build and maintain a secure network and systems
PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
The first requirement is to place firewalls between the cardholder data environment (CDE) and untrusted networks, including the Internet and any internal network outside the CDE. A correctly configured firewall permits only the inbound and outbound traffic the business has documented as necessary and denies everything else by default. The rule set, the business justification for each rule, and network diagrams showing where cardholder data flows must be kept current and reviewed at least every six months.
PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Devices such as routers, firewalls, wireless access points and POS systems ship with factory defaults: vendor accounts and passwords, SNMP community strings and encryption keys. Defaults make setup and support easy, but every unit of a given model ships with the same credentials, which are easy to guess and widely published on the Internet. Change or disable them before a system is connected to the network, and harden each system by removing unnecessary services, accounts and protocols.
PCI DSS Objective 2: Protect Cardholder Data
PCI DSS Requirement 3: Protect stored cardholder data.
Stored cardholder data, above all the primary account number (PAN), must be rendered unreadable wherever it is stored, using strong, industry-accepted cryptography (or truncation, keyed one-way hashing or tokenization). Store as little as possible and keep it no longer than the business requires; sensitive authentication data (full track contents, the card verification code and the PIN) must never be stored after authorization, even in encrypted form. Encrypting the data is not enough on its own. The encryption keys must be protected as carefully as the data, with documented key management covering generation, distribution, storage, rotation and retirement, and with keys stored separately from the data they protect.
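The point about keys is easy to underestimate. A PAN has very little entropy once the truncated form (first six and last four digits) is also on record, so an unkeyed hash of the PAN offers almost no protection, which is why PCI DSS v4.0 requires hashes of PAN to be keyed. The following added example (written for this page, not code from any PCI SSC document or vendor) shows the truncated display form, an unkeyed SHA-256 that can be reversed by trying at most 100 000 Luhn-valid candidates, and an HMAC under a secret key that stops the same attack. The sample PAN is the well-known Visa test number, the key is a placeholder, and the Luhn-solving brute-force routine is this example's own construction.

```python
import hashlib
import hmac

# Constructed sample PAN: the standard Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn check sum."""
    if not doubled:
        return digit
    d = digit * 2
    return d - 9 if d > 9 else d


def is_doubled(index: int, length: int) -> bool:
    """Luhn doubles every second digit counting from the right, starting with the second-to-last."""
    return (length - 1 - index) % 2 == 1


def luhn_valid(pan: str) -> bool:
    n = len(pan)
    total = sum(luhn_contribution(int(c), is_doubled(i, n)) for i, c in enumerate(pan))
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form permitted for display: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: not an acceptable way to render PAN unreadable."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key, which must be managed like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, first6: str, last4: str, hash_fn, length: int = 16):
    """Brute-force the hidden middle digits given the truncated PAN and a hash of the full PAN.

    Only the middle (length - 10) digits are unknown, and the Luhn check fixes one of them,
    so at most 10 ** (length - 11) candidates are hashed: 100 000 for a 16-digit PAN.
    Returns the full PAN on success, None if hash_fn (e.g. a keyed hash) cannot be matched.
    """
    free = length - 10
    solve_at = 6 + free - 1                       # index of the digit Luhn determines
    last4_sum = sum(luhn_contribution(int(c), is_doubled(i, length))
                    for i, c in enumerate(last4, start=solve_at + 1))
    doubled = is_doubled(solve_at, length)
    for mid in range(10 ** (free - 1)):
        known = first6 + f"{mid:0{free - 1}d}"
        partial = last4_sum + sum(luhn_contribution(int(c), is_doubled(i, length))
                                  for i, c in enumerate(known))
        # exactly one digit d makes the Luhn total a multiple of 10
        d = next(d for d in range(10) if (partial + luhn_contribution(d, doubled)) % 10 == 0)
        candidate = f"{known}{d}{last4}"
        if hash_fn(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    first6, last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]
    print("display form:", mask_pan(SAMPLE_PAN))
    print("unkeyed hash recovered:", recover_pan(unkeyed_hash(SAMPLE_PAN), first6, last4, unkeyed_hash))
    key = b"placeholder-key-managed-in-an-hsm"       # assumption: real keys live in a key manager
    attacker_guess = lambda p: keyed_hash(p, b"attacker-does-not-know-the-key")
    print("keyed hash recovered:", recover_pan(keyed_hash(SAMPLE_PAN, key), first6, last4, attacker_guess))
```

The brute force succeeds against the unkeyed hash in well under a second on a laptop; against the HMAC it exhausts every Luhn-valid candidate and returns None, because the attacker cannot compute the right digests without the key. That is the same reason Requirement 3 spends as many words on key management as on the cipher itself: if the key is stored next to the data, the keyed hash degrades back to the unkeyed case.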
PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Cardholder data sent over open, public networks (the Internet, wireless, cellular and satellite links) must be protected with strong cryptography: a current TLS version with strong cipher suites and only trusted certificates; SSL and early TLS are not acceptable. Wireless networks that carry cardholder data must use current industry standards for authentication and encryption (WEP is prohibited), because a weakly configured wireless network is an easy entry point into the Cardholder Data Environment (CDE). PAN must never be sent unprotected over end-user messaging such as e-mail, instant messaging or SMS.
PCI DSS Objective 3: Maintain a vulnerability management program
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software.
Anti-virus or anti-malware software must run on all systems commonly affected by malware, in particular workstations and servers on commodity operating systems. It must be kept current with signature updates, perform periodic scans, generate audit logs, and be configured so that users cannot disable or alter it without management authorization.
PCI DSS Requirement 6: Develop and maintain secure systems and applications.
Applying vendor security patches promptly is central to keeping applications and systems secure; PCI DSS expects critical patches to be installed within one month of release. No application is flawless, and once a vulnerability becomes public, exploit details spread quickly through attacker communities and are used until the flaw is fixed. The requirement also covers how software is built: develop in-house and custom applications against secure coding guidelines (for example the OWASP guidance on injection, broken authentication and cross-site scripting), follow a documented change-control process, and protect public-facing web applications with regular application-layer reviews or an automated technical solution such as a web application firewall.
PCI DSS Objective 4: Implement strong access control measures
PCI DSS Requirement 7: Restrict access to cardholder data by business need to know.
Access to cardholder data, and to the systems that hold it, must be limited to the individuals whose job requires it, under a documented access control policy that defaults to deny. Define roles, grant each role only the privileges it needs (least privilege and need to know), and assign users to roles rather than granting rights individually, so that only authorized people and systems can reach cardholder data.
PCI DSS Requirement 8: Identify and authenticate access to system components.
Every user with access to system components must have a unique ID, so that each action on cardholder data can be traced to a known individual. Group, shared or generic accounts and passwords are not permitted. Passwords must meet minimum length and complexity rules and be changed regularly, and no password should be regarded as unbreakable: multi-factor authentication (MFA) is required for all non-console administrative access to the CDE and for all remote network access originating from outside the organization's network. Accounts of departed users must be removed promptly, and idle sessions must time out.
PCI DSS Requirement 9: Restrict physical access to cardholder data.
Physical access to systems in the cardholder data environment, such as the data center, must be restricted and recorded: use badge or other facility entry controls, distinguish visitors from staff, and keep access logs. Media containing cardholder data must be classified, inventoried, stored securely and destroyed when no longer needed. Point-of-interaction devices that capture card data must be inventoried and inspected periodically for tampering or substitution. Most importantly, train staff regularly on physical security policies and procedures and on recognizing tampering and social engineering attempts.
PCI DSS Objective 5: Regularly monitor and test networks
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data.
System event logs are the records generated by firewalls, servers, network devices and applications. Every system in PCI scope must produce audit logs that link access to an individual user and capture at least: all access to cardholder data, all actions by anyone with root or administrative privileges, access to the audit logs themselves, invalid access attempts, changes to identification and authentication mechanisms, and starting, stopping or pausing of logging. Clocks must be synchronized (for example with NTP) so that events can be correlated across systems, and logs must be protected from alteration and retained for at least one year, with at least three months immediately available for analysis.
Logs are only useful when someone reads them. Security events and the logs of CDE systems and critical components must be reviewed at least daily to spot errors, anomalies and suspicious activity that deviate from the norm, and anything flagged must be followed up.
A security information and event management (SIEM) platform helps meet this requirement by collecting logs centrally, correlating events across devices, alerting on suspicious activity and preserving an audit trail of user actions.
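What "daily review" looks like in practice is easier to see on concrete log lines. The following added example (written for this page, not code from any PCI SSC document or SIEM vendor) runs a small review over constructed OpenSSH auth-log lines from two imaginary CDE hosts. It flags a failed-login burst from one source, a successful login that follows that burst, an interactive login to a shared account (the thing Requirement 8 forbids), and an interactive login outside an assumed 06:00-22:00 change window. The host names, addresses, account list and business-hours window are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth-log style; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 03 02:14:01 cde-db01 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Mar 03 02:14:03 cde-db01 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 03 02:14:05 cde-db01 sshd[2233]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 03 02:14:07 cde-db01 sshd[2235]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 03 02:14:09 cde-db01 sshd[2237]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar 03 02:14:12 cde-db01 sshd[2239]: Accepted password for root from 203.0.113.7 port 51012 ssh2
Mar 03 09:01:44 cde-db01 sshd[3104]: Accepted publickey for jdoe from 10.20.0.15 port 40311 ssh2
Mar 03 09:15:10 cde-app02 sshd[1180]: Failed password for jdoe from 10.20.0.15 port 40320 ssh2
Mar 03 09:15:18 cde-app02 sshd[1180]: Accepted password for jdoe from 10.20.0.15 port 40320 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} (?P<hour>\d{2}):\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumed list of generic accounts that must not be used for interactive access (Requirement 8).
SHARED_ACCOUNTS = {"root", "admin", "administrator"}
# Assumed change window: interactive CDE logins outside 06:00-22:00 get reviewed.
BUSINESS_HOURS = range(6, 22)


def parse_events(text: str) -> list:
    """Turn raw lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events: list, fail_threshold: int = 5) -> list:
    """Return (finding, host, source, user) tuples a reviewer should follow up."""
    findings = []
    failures = defaultdict(int)          # (source, host) -> failed logins since last success
    for e in events:
        key = (e["src"], e["host"])
        if e["result"] == "Failed":
            failures[key] += 1
            if failures[key] == fail_threshold:
                findings.append(("brute_force", e["host"], e["src"], e["user"]))
            continue
        # Accepted login: check what preceded it and who it was.
        if failures[key] >= fail_threshold:
            findings.append(("success_after_brute_force", e["host"], e["src"], e["user"]))
        if e["user"] in SHARED_ACCOUNTS:
            findings.append(("shared_account_login", e["host"], e["src"], e["user"]))
        if int(e["hour"]) not in BUSINESS_HOURS:
            findings.append(("off_hours_login", e["host"], e["src"], e["user"]))
        failures[key] = 0                # a single mistyped password should not accumulate forever
    return findings


def review_log(text: str) -> list:
    return review(parse_events(text))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the review produces four findings, all attributable to 203.0.113.7 on cde-db01, while jdoe's single mistyped password on cde-app02 stays below the threshold and is not reported. A real SIEM rule does the same thing at scale and with a time window instead of a simple counter, but the review questions are the ones above: who logged in, from where, after what, and should that account have been used interactively at all.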
PCI DSS Requirement 11: Regularly test security systems and processes.
Vulnerabilities in web servers, browsers, e-mail clients, POS applications, operating systems and application interfaces can expose cardholder data, and new ones are discovered constantly, so testing must be recurring rather than a one-off exercise. PCI DSS requires internal and external vulnerability scans of in-scope systems at least quarterly and after significant changes, with the external scans performed by an Approved Scanning Vendor (ASV); penetration testing of the CDE at least annually and after significant changes, including tests that verify segmentation controls actually isolate the CDE; quarterly detection of rogue wireless access points; and file-integrity monitoring or change-detection on critical system files. Vulnerabilities that are found must be fixed and rescanned until a passing result is obtained.
PCI DSS Objective 6: Maintain an information security policy
PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel.
Your organization must maintain documented information security policies and procedures, review them at least annually, and make sure every employee and contractor knows and acknowledges them. The requirement also covers a formal risk assessment, performed at least annually and after significant changes, that identifies critical assets, threats and vulnerabilities; a security awareness program; screening of personnel before hire; management of the service providers with whom cardholder data is shared; and an incident response plan that is tested at least annually.