PCI DSS Compliance 12 Requirements

Bansi Shah, published in PayKun, Feb 24, 2020

The Payment Card Industry Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standard (PCI DSS) and maintains it.

The standard was established by the major card issuers: Visa, MasterCard, Discover, American Express and JCB. Any business, financial institution, website, etc. that processes, stores or transmits sensitive and confidential card information for digital payments has to comply with the PCI DSS security standard.

Cardholder data and sensitive information include the Primary Account Number (PAN), cardholder name, expiry date, service code, magnetic-stripe data and any equivalent chip data, CAV2, CVV, PINs, etc.

Consequences of not being PCI DSS compliant

  • A large penalty is levied if fraud is committed and the customer loses money
  • Loss of consumer confidence and a damaged reputation
  • Loss of sales
  • Possible lawsuits, with the resulting legal costs, wasted time, etc.
  • Eventually going out of business, or taking a long time to rebuild the lost image

12 Requirements of PCI DSS Compliance

The 12 Requirements are the set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS).

1. Install and maintain a firewall configuration to protect cardholder data

Install a firewall on all hardware and software and on every computer through which cardholder data passes. Auditors will inspect this, so documented evidence must be present and updated periodically.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Before you install a new system or software that handles cardholder data, change the password to a unique and strong one and remove all vendor-supplied defaults; develop configuration standards and rules for system components and share them with all affected individuals; etc.

3. Protect stored cardholder data

Establish strong policies with employees and colleagues and enforce proper security practices.

Never store payment card data on personal hard drives, USB sticks, or other external or mobile media (smartphones included); taking orders over the phone, or faxing or emailing card data, is not recommended; never transmit cardholder data without encryption; etc.
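The practical side of "protect stored cardholder data" is to keep the full PAN out of every system that does not strictly need it: show it masked, store only a keyed hash plus the last four digits, and redact anything that looks like a card number from notes, logs and e-mail bodies before they are saved. The following is an added example, not code from the original post or from PayKun; the HMAC key, the card numbers and the text samples are constructed placeholders, and the Luhn check is included only to cut false positives when redacting free text.

```python
# Added example (not part of the original post): keeping the PAN out of
# storage and out of free text. Key, card numbers and samples are constructed.
import hashlib
import hmac
import re

# Constructed placeholder key; in a real deployment it lives in a
# key-management system and is never stored beside the hashed values.
HMAC_KEY = b"constructed-placeholder-key"


def luhn_ok(digits: str) -> bool:
    """Luhn check, used only to reduce false positives when redacting text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; accept only 13-19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_storage_record(pan: str) -> dict:
    """What a system without a need for the full PAN may keep: the last four
    digits (for customer service) and a keyed hash, so the same card can be
    recognised again. The PAN itself is deliberately not in the record."""
    digits = normalize_pan(pan)
    token = hmac.new(HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "pan_hmac": token}


# 13-19 digits with optional single spaces or dashes between them
_PAN_IN_TEXT = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_pans(text: str) -> str:
    """Redact anything that looks like a valid PAN from notes, logs or e-mail
    bodies before they are stored or sent on."""
    def _redact(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[\s-]", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return _PAN_IN_TEXT.sub(_redact, text)


if __name__ == "__main__":
    # Constructed sample: the classic Visa test number, not a real card.
    print(mask_pan("4111 1111 1111 1111"))
    print(pan_storage_record("4111111111111111"))
    print(scrub_pans("card 4111-1111-1111-1111 declined, order 1234567890123456"))
```

`scrub_pans` is the piece worth wiring into the e-mail and logging paths the post warns about: the masked form it emits is safe to keep, while a record produced by `pan_storage_record` never contains the PAN at all and so falls outside the storage rules.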

4. Encrypt transmission of cardholder data across open, public networks

Secure Sockets Layer (SSL) is the security standard followed; it establishes an encrypted link between the web server of the PayKun website and the browser.

The SSL protocol determines the encryption parameters for both the link and the data being transmitted. The browser and the server need an SSL certificate to establish a secure connection.
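What makes the encrypted link actually protect card data is the client-side configuration: the server certificate must be verified against a trusted CA, the hostname must be checked, and SSL itself and early TLS must be refused (PCI DSS required migration off SSL and early TLS, with a deadline of June 2018, so "SSL" in current deployments means TLS 1.2 or later). The following is an added example and not PayKun's code: it builds the weak and the hardened `ssl.SSLContext` side by side, plus a check a practitioner can run over any context before it is used; no network connection is opened.

```python
# Added example (not part of the original post): a weak client TLS
# configuration beside the hardened one, using only the standard library.
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """What not to do: certificate and hostname checks disabled and any
    protocol version accepted, so an on-path attacker could present their
    own certificate and read the card data. Kept only for comparison."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context for a client that transmits cardholder data: trusted CAs only,
    hostname verification on, TLS 1.2 as the floor. `cafile` is an optional
    path to a private CA bundle (assumed); None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, 1.1
    return ctx


def context_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of problems with a context; an empty list means it is
    acceptable for transmitting cardholder data under the rules above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL or early TLS would be accepted")
    return findings


if __name__ == "__main__":
    print("weak:    ", context_findings(weak_client_context()))
    print("hardened:", context_findings(hardened_client_context()))
```

The hardened context is what you pass to `ssl.SSLContext.wrap_socket` or to an HTTP client's `ssl_context` option; the `context_findings` check is cheap enough to run in a unit test so that a later "quick fix" that turns verification off is caught before it ships.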

5. Use and regularly update anti-virus software or programs

Install antivirus software on all systems, maintain it, and make sure it is actively running and cannot be disabled or altered by users.

6. Develop and maintain secure systems and applications

Keep your software and security applications updated to protect your website and environments, reducing the risk of automated attacks.

If you have an insecure CMS, extension, plugin, or theme on your website, it will likely be identified by a malicious bot at some point.

7. Restrict access to cardholder data by business need-to-know

Grant each individual only the access their job requires, implement a written policy for this control, and state its importance. Make sure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected individuals.

8. Assign a unique ID to each person with computer access

Implement and monitor access controls for each individual, assigning unique and secure IDs; two-factor authentication for employees prevents unauthorized access; etc.

9. Restrict physical access to cardholder data

Physical access covers devices, data and systems that handle payment card data, hard copies of payment card data, and similar assets.

Put security controls in place to make sure only authorized persons have access to cardholder data.

Destroy media containing cardholder data when it is no longer needed for business or legal reasons, using a non-recoverable method for electronic media; dispose of hard copies by shredding; etc.

10. Track and monitor all access to network resources and cardholder data

Implement monitoring solutions to make sure your files and web pages have not been tampered with by any individual, and that your data processing resources and website environments have not been interfered with either; implement audit trails and review logs to monitor your web environment and detect any breach; have cameras set up and keep all terminals within clear view; etc.
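An audit trail is only useful if someone, or something, reviews it. The following is an added example, not code from the original post or from PayKun: it parses a small constructed audit log of access to cardholder-data resources and raises the three findings a reviewer would look for first, namely repeated login failures, access to cardholder data by an account without a need-to-know, and access outside business hours. The log format, the user names, the `chd/` resource prefix and the thresholds are all assumptions.

```python
# Added example (not part of the original post): reviewing an audit trail.
# Log format, users, resource names and thresholds are assumptions.
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit records: timestamp|user|action|resource|result
SAMPLE_LOG = """\
2020-02-24T09:12:03|alice|READ|chd/pan_vault|success
2020-02-24T09:15:41|bob|LOGIN|portal|failure
2020-02-24T09:15:52|bob|LOGIN|portal|failure
2020-02-24T09:16:04|bob|LOGIN|portal|failure
2020-02-24T09:16:15|bob|LOGIN|portal|failure
2020-02-24T09:16:27|bob|LOGIN|portal|failure
2020-02-24T11:02:10|bob|READ|chd/pan_vault|success
2020-02-24T14:20:00|carol|READ|public/pricing|success
2020-02-24T23:48:55|alice|EXPORT|chd/pan_vault|success
"""

CHD_AUTHORIZED = {"alice"}         # accounts with a business need-to-know (assumed)
CHD_PREFIX = "chd/"                # resources holding cardholder data (assumed)
BUSINESS_HOURS = range(8, 19)      # 08:00-18:59, assumed
FAILED_LOGIN_THRESHOLD = 5

Finding = Tuple[str, str, datetime]   # (kind, user, timestamp)


def parse_log(text: str) -> List[Dict]:
    """Turn the pipe-delimited records into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "result": result})
    return records


def review(records: List[Dict]) -> List[Finding]:
    """Apply the three review rules and return every finding."""
    findings: List[Finding] = []
    failures: Counter = Counter()
    for r in records:
        if r["action"] == "LOGIN" and r["result"] == "failure":
            failures[r["user"]] += 1
            if failures[r["user"]] == FAILED_LOGIN_THRESHOLD:   # report once
                findings.append(("repeated_login_failures", r["user"], r["ts"]))
        if r["resource"].startswith(CHD_PREFIX) and r["result"] == "success":
            if r["user"] not in CHD_AUTHORIZED:
                findings.append(("chd_access_without_need_to_know", r["user"], r["ts"]))
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append(("chd_access_outside_hours", r["user"], r["ts"]))
    return findings


def review_log(text: str) -> List[Finding]:
    return review(parse_log(text))


if __name__ == "__main__":
    for kind, user, ts in review_log(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:32} {user}")
```

The rules deliberately key off the resource name rather than the action, so a READ and an EXPORT of the vault are judged the same way; in a real deployment the `CHD_AUTHORIZED` set would be read from the same access-control source that requirement 7 asks you to document, so the review and the policy cannot drift apart.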

11. Regularly test security systems and processes

Scan for weak points every few months and/or after any major change so that attackers cannot exploit them; monitor any changes to system, configuration, or content files; etc.

12. Maintain a policy that addresses information security for employees and contractors

It must be reviewed approximately annually and include a risk assessment process, an incident response plan (meaning the business must be prepared to respond immediately to a system breach), and usage policies.

Clearly state the expectations and responsibilities of employees. Also make them aware of the importance of protecting customers' data.

According to the PCI website, the PCI Qualified Security Assessor (QSA) will:

  • Verify all technical information given by merchant or service provider
  • Use independent judgment to confirm the standard has been met
  • Provide support and guidance during the compliance process
  • Be onsite for the duration of the assessment as required
  • Adhere to the PCI Data Security Standard Assessment Procedures
  • Validate the scope of the assessment
  • Evaluate compensating controls
  • Produce the final Report on Compliance
