In Q3 2022, data breaches surged by 70% compared to Q2 of the same year. How secure is your customers’ credit card data? Learn what PCI DSS is and why it can be a precious ally in protecting your customers’ most sensitive information and keeping your organization out of trouble.
In 2021, attackers stole the sensitive personal and billing-related data of 21 million VPN users. The 10GBs of stolen data were first put for sale on the dark web and then dumped on Telegram in 2022. Could those VPN providers have dodged this incident if they’d followed the Payment Card Industry Data Security Standards (PCI DSS)? Probably.
Want to avoid seeing your organization’s name dragged through the mud all over the news? PCI DSS may help you. If your organization handles customers’ payment information, you should already be familiar with this industry standard. You’ve heard about it, but you don’t know exactly what it is? Now’s the time to learn.
In this first article of a two-part series, discover the answers to two essential PCI DSS questions:
- What is PCI DSS?
- Why should you, as an organization, care about it?
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the Payment Card Industry Security Standards Council (PCI SSC) in collaboration with the major credit card companies. Its main goal is the same as every card owner’s (yours and mine included): keeping payment data safe (more on that in a minute).
Examples of the types of information you want to protect and secure include:
- Cardholders’ names
- Account numbers
- Service codes
- Card expiration dates
- PINs/PIN Blocks
The latest update of the PCI DSS standard, version 4.0, was published in March 2022; however, the previous version (3.2.1) will remain valid until the end of March 2024 to give organizations enough time to implement any changes needed. So, PCI DSS version 3.2.1 is the one we’ll cover in this article. It’ll help you get a feeling of what it’s all about. To ensure you get the whole picture, though, the next article of this series will look at the new version and explore the key differences between PCI DSS versions 3.2.1 and 4.0.
Who PCI DSS Applies To
Does your organization handle (i.e., store, process, and/or transmit) card payment data? If the answer is yes, you must be PCI DSS compliant even if you’re a tiny shop. What are the requirements? PCI DSS is divided into four levels, categorizing businesses and organizations by the number of annual transactions they handle. Depending on the volume of transactions processed annually, your organization may fall in one level or another. The fewer transactions you make, the fewer requirements you’ll have to fulfill.
Find out at which level your organization falls by checking the table below:
| PCI DSS Level | Volume of Transactions |
| --- | --- |
| Level 1 | More than 6 million transactions per year |
| Level 2 | 1 to 6 million transactions per year |
| Level 3 | 20,000 to 1 million transactions per year |
| Level 4 | Less than 20,000 transactions per year |
Got it? Now that the PCI DSS meaning is clear, let’s find out more about the goals and requirements of PCI DSS.
The 6 Goals and 12 Requirements of PCI DSS
The PCI DSS is organized into six security goals. To reach those goals and be PCI DSS compliant like 43.4% of organizations in 2020, you’ll have to satisfy 12 requirements.
Sounds complicated? No fear, we’ll make it as simple as possible. Think of it as two interrelated checklists: to complete the first one (goals), you just have to tick all the points listed in the second one (requirements). Follow the points listed below et voilà, it’s done. The following goals and requirements are covered in depth in the PCI DSS v3.2.1 document we linked to earlier. Our goal here is to provide you with an overview rather than go over the entire document with a magnifying glass.
| PCI DSS Goals | PCI DSS Requirements v3.2.1 |
| --- | --- |
| 1. Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| 2. Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| 3. Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. |
| 4. Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. |
| 5. Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| 6. Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel. |
OK, the goals are pretty straightforward. However, some requirements may look a bit complicated. Let’s try to clarify them with a few examples and find out how even the smallest store can address them.
1. Install and Maintain a Firewall Configuration to Protect Cardholder Data
In other words, ensure that access to your network is granted only to those you trust. The easiest way to do this? By installing a firewall. Yup, just like in medieval times, when castles were protected by high walls to keep the enemies at bay, a firewall will enable you to:
- Restrict and scan incoming and outgoing network traffic.
- Block access to suspicious or unauthorized users/IP addresses.
- Create specific rules to prevent cybercriminals from getting access to payment data.
2. Do Not Use Vendor-Supplied Defaults For System Passwords and Other Security Parameters
Default settings in software and applications are convenient, but they’re a security hazard. The same can be said for cloud-based systems, where Trend Micro reports that 65-70% of security issues stem from misconfigurations. Want to tick this second point?
- Change all default passwords and usernames.
- Personalize the security settings of your applications, software, and devices (including firewalls and POS).
- Use strong passwords and authentication methods (e.g., two-factor authentication is good but only if you stay away from SMS-based verification methods).
3. Protect Stored Cardholder Data
Using firewalls and protecting your data in transit with encryption only helps so much if you don’t bother securing the data when it’s stored. Make cybercriminals’ lives harder by protecting your customers’ accounts and payment data at rest (i.e., when it’s saved somewhere, like on a database). How?
- Encrypt your cardholders’ data at rest using symmetric encryption and a cryptographic key.
- Restrict access to servers and databases by applying strict access control rules (e.g., the principle of least privilege).
- Protect your cryptographic keys (public and private keys) by implementing proper key management processes and practices.
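To show what “protect stored cardholder data” looks like in code, here is an added example (not code from the original article): it validates a PAN with the Luhn check, masks it to first six/last four digits as requirement 3.3 permits for display, and derives a keyed one-way hash (HMAC-SHA256) of the full PAN as the stored lookup value, one of the methods requirement 3.4 accepts for rendering the PAN unreadable. It uses a keyed hash instead of the reversible symmetric encryption mentioned above so it runs with the Python standard library alone; TOKEN_KEY and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample key (hypothetical). In production the key comes from an HSM
# or key-management service (requirements 3.5 and 3.6), never from source code.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def luhn_valid(pan: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn check digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 3.3 allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable as a lookup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan: str, expiry: str, holder: str) -> dict:
    """Build the record that may be persisted: masked PAN plus token, never the clear PAN.
    CVV/CVC and PIN are deliberately absent: PCI DSS 3.2 forbids storing them after
    authorization, so they are never passed to this function at all."""
    pan = re.sub(r"[ -]", "", pan)
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "holder": holder,
        "expiry": expiry,
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
    }
```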
4. Encrypt Transmission of Cardholder Data Across Open, Public Networks
When your data is in transit, it’s at its most vulnerable point because it can be intercepted and modified by cybercriminals. Keep payments data secure during transmission by:
- Using a website security certificate (i.e., an SSL/TLS certificate) issued by a trusted certification authority (CA). It enables you to exchange sensitive information like credit card data securely: asymmetric encryption is used to exchange the session keys, and symmetric encryption then protects the communication channel.
- Sending the data over HTTPS (i.e., TLS on port 443).
5. Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
Do you have antivirus software installed? Good, but that isn’t enough:
- Run antivirus software on all devices (including servers) that touch your network.
- Regularly apply antivirus signature updates from the vendor. From January to the beginning of December 2022, AV-TEST identified more than 93 million new pieces of malware. Yup, bad guys never sleep!
- Keep your antivirus logs ready for audits just in case something goes wrong. Log parsers and analysis tools will help you make sense of the mountains of data and give you clear and actionable insights. And many of those tools are free.
6. Develop and Maintain Secure Systems and Applications
Just like your antivirus software, your other IT systems and software must always be up-to-date and secure. This includes both critical and non-critical infrastructure and resources.
- If you use applications you’ve developed, ensure you sign them with a code signing certificate to assert your digital identity and help prevent tampering and malware infections.
- Don’t allow installation of unsigned software. Use AppLocker or Windows Defender Application Control to define rules that’ll block the download of unsigned software. Don’t use the old Software Restriction Policies feature as it’s been deprecated by Microsoft for certain builds.
- Regularly apply patches to address newly discovered vulnerabilities.
- Don’t forget to update third-party components with the help of a software bill of materials (SBOM).
7. Restrict Access to Cardholder Data by Business Need-to-Know
Would you pay with your credit card if a shop broadcast your credit card details on a big screen? Surely not. Remember the principle of least privilege we talked about before? It applies here, too, when granting employees access to sensitive data.
- Grant authorized employees and third parties access to payment details only on a business-essential basis. This principle applies to senior management as well.
- Create and document access policies based on roles and permissions. If someone doesn’t need access for their role, don’t grant it.
8. Identify and Authenticate Access to System Components
- Ensure each user has a unique username and password. Or, bypass the use of passwords altogether by using passwordless authentication methods like client authentication certificates instead.
- Implement two-factor or multi-factor authentication.
- Log access activities. In the case of a cyber incident or breach, it’ll be easier to identify who did what and what has been accessed so you can better understand what may have been compromised.
9. Restrict Physical Access to Cardholder Data
Physical security is just as important as digital security. Things get stolen or lost all the time. A few years ago, one of my former colleagues set his laptop bag on the floor of a train station for a few moments so he could blow his nose. Within seconds, the laptop was gone and was never recovered.
- Are your customers’ card data saved on a hard drive? If so, lock it in a secure drawer or room.
- Do you save cardholder data on a server in a data center? Install surveillance cameras, access with code only, and other physical security measures.
- Record all access so you know who comes and goes and when. Keep the logs for at least 90 days.
10. Track and Monitor All Access to Network Resources and Cardholder Data
In the Lord of the Rings, the eye of Sauron was able to see its enemies anywhere. Want to protect your customers’ data? You need to have the same approach when it comes to having full visibility of your IT environment.
- Constantly monitor your whole network with the help of a security information and event management (SIEM) tool.
- Log network activities and accesses involving cardholder data and primary account numbers (PANs).
- Implement an audit policy to ensure that logs are continuously inspected for suspicious activities.
11. Regularly Test Security Systems and Processes
Microsoft’s November 2022 Patch Tuesday included mitigations for a whopping 68 vulnerabilities, 11 of which were critical. And this is just a tiny part of the over 189,000 vulnerabilities actually listed on the CVE website. Are your systems secure and vulnerability-free? To reach compliance, you must:
- Test your systems and processes for vulnerabilities at least every quarter using a PCI SSC Approved Scanning Vendor (ASV).
- If your organization falls into level 1 or 2, conduct penetration tests on your networks and applications at least once a year. A professional white hat can do it for you if you don’t have the in-house resources.
- Implement a change-detection mechanism that’ll automatically compare critical file versions. (Hint: some hashing algorithms are great for this kind of task.)
12. Maintain a Policy That Addresses Information Security For All Personnel
This is the final step of the PCI DSS checklist: document and communicate your security policies for all systems, employees, and software dealing with card data.
- Create an information security policy, review it, and update it often.
- Train your staff — yes, all of them — at least once a year.
- Don’t forget any third parties that are somehow involved with card data. They should read, understand, and sign the policies, too.
That’s it! Checklist done! Ensure you tick all the boxes so that your organization will comply with PCI DSS. Why should you do it? The answer is below, keep on reading.
Why Should Your Organization Care About It?
According to the latest Insider Intelligence forecast, online card fraud losses will reach a colossal $10.16 billion by 2024. But that’s just the tip of the iceberg. There are many other reasons why organizations should ensure that they’re PCI DSS compliant.
Want a few more examples?
- Your organization will be more protected from data breaches and identity theft. You surely don’t want to end up like Medibank. The recent data breach exposed 9.7 million existing and former customers’ personal data. Vastaamo, a Finnish service provider, ended up even worse as it went bankrupt three years after a data breach.
- Being compliant with PCI DSS helps you avoid fines and penalties. OK, the PCI SSC has no legal authority to enforce compliance or penalties. However, the credit card companies can and do. Terms and penalties/fines vary depending on the company. In 2020, Currys PC World (a British retailer) was hit with a penalty of £500,000 (~$600,000) due to a breach caused by insecure point-of-sale (POS) software.
- Being compliant can help keep potential legal actions at bay. Got breached because you didn’t adhere to PCI DSS requirements? Your angry customers may decide to go legal. And if it happens — like in the case of CaptureRx, which was hit with 10 lawsuits — it may cost you an arm and a leg.
- Compliance helps boost your reputation & increase customers’ trust in your organization. 21% of consumers stopped doing business with companies that were targets of data breaches. By the way, did you know that PCI SSC offers digital badges that you can add to your website and profile to promote your certifications?
- It’ll help you comply with other privacy and security regulations. Once you’ve fulfilled all PCI DSS requirements, it’ll be even easier to comply with regulations like the EU’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and others. And those aren’t optional, by the way!
- It’ll improve your organization’s security posture. With cyber attacks increasing by 28% globally in Q3 2022, every organization, even the smallest one, is scrambling to set up some kind of cybersecurity protection. Achieving PCI DSS compliance will put you on the right track. You can kill two birds with one stone by achieving compliance and enhanced security.
Aren’t these reasons good enough to get compliant?
Final Thoughts on What PCI DSS Is
In 2021, the Consumer Sentinel Network received an astonishing 1.4 million identity theft reports, making it consumers’ top reported issue of the year. In over 25% of those cases, the stolen data was used for credit card fraud.
The solution? Stop worrying and take action. Start leveraging the power of PCI DSS to protect your customers’ payment data from cybercriminals now. Go over the goals and requirements listed in this article to determine what you’re still missing and identify areas where you can improve your cyber defenses. Spotted a gap in your defenses? Fix it by implementing the list of requirements above. For example, encrypt your customers’ sensitive information at rest and in transit, and invest in digital certificates and firewalls.
By the way, did you know that the new version of the standard (PCI DSS v4.0) is now available? No time to go through the whole document? We’ve got you covered. In the second article of the series, we’ll give you a quick overview of the changes to help you achieve compliance without grief. Check back for that post in the next couple of weeks!