
Five+ tips to ensure PCI DSS compliance

When Michael Kassner helped a friend get through a PCI DSS compliance audit, he found out the hard way that it's no small task. His advice will help you take the right steps to protect cardholder data.

On occasion, I help a friend who owns several businesses. His latest venture is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). My friend is computer savvy, so between the two of us, I assumed the network was up to snuff. Then we went through a compliance audit.

The audit was eye opening. We embarked on a crash course in PCI DSS compliance with the help of a consultant. My friend also wanted the consultant's help preparing for PCI DSS 2.0, which became effective on January 1, 2011.

The PCI Security Standards Council defines PCI DSS this way:

"The goal of the PCI Data Security Standard is to protect cardholder data that is processed, stored, or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN -- the primary account number printed on the front of a payment card."

The consultant's first step was to get familiar with the network. He eventually proclaimed it to be in decent shape, security-wise. Yet the look on his face told us there was more. Sure enough, he went on to explain that more attention must be paid to protecting cardholder data.

Back to school

The consultant pointed out that PCI DSS consists of 12 requirements. These requirements are organized into six guides (the Council's own term is control objectives). Although the requirements exist for PCI DSS compliance, I dare say the guides are a good primer for any business network, regardless of whether PCI DSS is a factor. With that in mind, I've used the guides as the basis for these tips.

1: Build and maintain a secure network

Guide 1 states the obvious, and books have been written on how to secure a network. Thankfully, our consultant gave us some focus by mentioning that PCI DSS places a great deal of emphasis on the following:

  • Well-maintained firewalls are required, specifically to restrict traffic between untrusted networks and any system that holds cardholder data (Requirement 1).
  • Any and all vendor-supplied defaults must be changed before a system goes into production, especially usernames and passwords, but also things like default SNMP community strings and unneeded default accounts and services (Requirement 2).

Our consultant then asked whether my friend had offsite workers who connected to the business's network. I immediately knew where he was going. PCI DSS applies to them as well (Requirement 1.4 calls for personal firewall software on any mobile or employee-owned computer that connects directly to the Internet and is also used to reach the company network), something we had not considered but needed to.

2: Protect cardholder data

Cardholder data, as PCI DSS defines it, is the primary account number (PAN) at a minimum, plus the cardholder name, expiration date, and service code when they are stored together with the PAN. The full contents of the magnetic stripe, the card verification code printed on the card, and PINs are classed separately as sensitive authentication data. PCI DSS requires that storage be limited to what the business, legal, or regulatory need actually calls for, governed by a written retention and disposal policy (Requirement 3.1). The slide in Figure A (courtesy of PCI Security Standards Council) summarizes what may and may not be retained.

Figure A

One thing the consultant stressed: Sensitive authentication data must never be stored after authorization, even in encrypted form. That means the full contents of the magnetic stripe (or its chip equivalent), the card verification code, and any PIN or PIN block are discarded as soon as the transaction has been authorized (Requirement 3.2). Any PAN you do keep must be rendered unreadable, by truncation, a strong one-way hash, an index token, or strong encryption (Requirement 3.4), and masked to at most the first six and last four digits wherever it is displayed (Requirement 3.3).

PCI DSS also stresses that cardholder data sent over open or public networks must be protected with strong cryptography and security protocols; the examples the standard gives are SSL/TLS and IPsec (Requirement 4.1). One caveat worth knowing: later revisions of the standard (3.1 onward) stopped accepting SSL and early TLS as strong cryptography, so read "SSL/TLS" as current TLS with a sound cipher configuration. Something else to remember: WEP has been disallowed on wireless networks that carry cardholder data since June 30, 2010. I mention this because some hardware, like legacy PoS scanners, can use only WEP. If that is your situation, a WEP-only device cannot sit on any segment that carries cardholder data; isolate such devices on a segment that never touches that data, or replace them.
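To make the retention rules in this section concrete, here is an added example (my own illustration, not code from this page, the Council, or any PCI-validated product) that takes a swiped track 2 record, validates the PAN, and keeps only what Requirement 3 allows: a masked PAN, a keyed hash usable as a lookup token, and the expiry date. Everything else on the stripe is dropped. The track 2 string and the HMAC key are constructed for the example, and the function and record names are my own.

```python
"""Keep only what PCI DSS permits from a swiped card (added example, not the page's own code)."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# ISO/IEC 7813 track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# The whole track is sensitive authentication data and must not survive authorization.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass(frozen=True)
class StorableCardRecord:
    """The only fields this example retains after authorization."""
    masked_pan: str    # first six and last four digits, the middle masked (Req. 3.3)
    pan_token: str     # keyed one-way hash of the PAN, usable as a lookup key (Req. 3.4)
    expiry_yymm: str   # expiration date may be stored alongside the PAN


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped or garbled PANs before they are hashed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def minimise_track2(track2: str, hmac_key: bytes) -> StorableCardRecord:
    """Parse a track 2 record and return only the storable subset.

    hmac_key is a secret kept outside the database: an unkeyed hash of a
    16-digit PAN whose first six digits (the BIN) are known is cheap to brute-force.
    """
    m = TRACK2_RE.fullmatch(track2)
    if m is None:
        raise ValueError("not a track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails the Luhn check")
    token = hmac.new(hmac_key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    # The service code and the discretionary data (which carries the stripe's
    # card verification value) are deliberately not returned.
    return StorableCardRecord(mask_pan(pan), token, m.group("exp"))


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN that passes Luhn, expiry 12/25, service code 101.
    sample_track2 = ";4111111111111111=25121010000000000000?"
    print(minimise_track2(sample_track2, b"example-key-not-for-production"))
```

The point is the shape of what leaves this function: no track, no service code, no discretionary data, and nothing from which the full PAN can be rebuilt without the key. Keeping a truncated PAN and a hash of the same PAN side by side is itself risky, because an attacker holding both only has to brute-force the masked middle digits against the hash; that is why the hash is keyed here, and later versions of the standard call out this combination explicitly.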

3: Maintain a vulnerability management program

Despite the general-sounding heading, this guide is concrete: every system commonly affected by malware must run antivirus software that is kept current, actively running, and generating audit logs (Requirement 5), and updates must follow a traceable procedure. The consultant advised checking that the antivirus application's audit logging exists and is actually turned on, not just available.

PCI DSS mandates that all system components and software have critical vendor security patches installed within one month of release (Requirement 6.1). It also requires a process for learning about newly discovered security vulnerabilities, for example through vendor or industry alert services, and for assigning each one a risk ranking (Requirement 6.2), so that the appropriate people are notified when something relevant appears.

4: Implement strong access control measures

PCI DSS breaks access control into three distinct criteria: digital access, physical access, and identification of each user:

  • Digital access: Access to systems containing cardholder data is restricted to employees whose job requires it, on a need-to-know basis, with a default of deny-all (Requirement 7).
  • Physical access: Procedures must control physical access to the systems and media that hold cardholder data, including visitor handling and the secure disposal of media (Requirement 9).
  • Unique ID: Every user gets a unique ID so that actions can be traced to an individual; shared or generic accounts are not acceptable. Strong password practices apply, and two-factor authentication is mandatory for remote network access (Requirement 8).

5: Regularly monitor and test networks

The guide requires logging all access to cardholder data and all administrative actions on systems in the cardholder data environment (Requirement 10). This is where unique ID comes into play. Each log entry should record the following (Requirement 10.3):

  • User ID
  • Type of event, date, and time
  • Success or failure of the event
  • Origin of the event (the host or address it came from)
  • Identity of the affected system, data, or resource
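As an added example (my own, not from this page), here is a small checker that runs over audit-log lines and reports any record that lacks the fields listed above, uses a shared account, carries a timestamp that is not ISO 8601, or appears to contain a full PAN, which must never be written to a log. The JSON field names and the four sample lines are constructed for the example.

```python
"""Check audit-log records against the fields Requirement 10.3 expects (added example)."""
import json
import re
from datetime import datetime

# One JSON object per line; these field names are an assumption made for the example.
REQUIRED_FIELDS = ("timestamp", "user_id", "event_type", "outcome", "origin", "resource")

# Accounts that cannot be tied to one individual (Requirement 8 forbids shared IDs).
SHARED_ACCOUNTS = {"admin", "root", "sa", "shared", "pos"}

# 13 to 19 consecutive digits is the shape of a PAN; a full PAN must never reach a log.
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def check_record(line: str) -> list:
    """Return the problems found in one log line; an empty list means it passes."""
    problems = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]

    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            problems.append("missing " + field)

    ts = rec.get("timestamp")
    if ts:
        try:
            # Accept 'Z' as the UTC designator; fromisoformat() wants '+00:00'.
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")

    outcome = rec.get("outcome")
    if outcome and outcome not in ("success", "failure"):
        problems.append("outcome must be success or failure")

    user = rec.get("user_id")
    if user in SHARED_ACCOUNTS:
        problems.append("shared account %r cannot be traced to an individual" % user)

    # Scan the raw line rather than known fields so a PAN in any value is caught.
    if PAN_LIKE.search(line):
        problems.append("looks like a full PAN is in the log")

    return problems


def audit_log(lines):
    """Map 1-based line number -> list of problems, for lines that have any."""
    report = {}
    for n, line in enumerate(lines, start=1):
        problems = check_record(line)
        if problems:
            report[n] = problems
    return report


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = [
    '{"timestamp":"2010-11-15T14:03:22Z","user_id":"jsmith","event_type":"read",'
    '"outcome":"success","origin":"10.0.5.21","resource":"cardholder_db.transactions"}',
    '{"timestamp":"2010-11-15T14:04:01Z","event_type":"export","origin":"10.0.5.21",'
    '"resource":"cardholder_db.transactions"}',
    '{"timestamp":"2010-11-15T14:05:09Z","user_id":"admin","event_type":"auth",'
    '"outcome":"success","origin":"pos-03","resource":"txn 8841 PAN 4111111111111111"}',
    '{"timestamp":"11/15/2010 2:06 PM","user_id":"mlee","event_type":"delete",'
    '"outcome":"ok","origin":"10.0.5.40","resource":"cardholder_db.transactions"}',
]

if __name__ == "__main__":
    for n, problems in sorted(audit_log(SAMPLE_LOG).items()):
        print("line %d: %s" % (n, "; ".join(problems)))
```

Run against the sample, line 1 passes, line 2 is missing the user and the outcome, line 3 was written by a shared account and leaks a PAN, and line 4 has a free-text timestamp and an outcome value that cannot be filtered on. The PAN check is a plain digit-run match rather than a Luhn test, which is enough to flag a log line for human review.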

The consultant passed along some advice about the second half of this guide, Requirement 11. When it comes to checking the network for vulnerabilities, run internal and external vulnerability scans at least quarterly and after any significant change, perform a penetration test at least annually, and scan at least quarterly for rogue devices such as unauthorized Wi-Fi equipment. It is well worth the money to have an independent source do the work; the quarterly external scans must in any case be performed by a PCI-approved scanning vendor (ASV). Doing so also removes any bias from company personnel.

6: Maintain an information security policy

The auditor stressed that this guide is essential. With a policy in place, all employees know what's expected of them when it comes to protecting cardholder data. The consultant agreed with the auditor and added the following specifics:

  • Create an incident response plan and test it at least annually (Requirement 12.9); working out what to do after a breach has already happened is the wrong time to start.
  • If cardholder data is shared with contractors and other businesses, keep a list of those service providers and require each to acknowledge in writing that it is responsible for the cardholder data it handles (Requirement 12.8).
  • Make sure the policy covers end-of-life equipment, specifically how hard drives and other media are wiped or destroyed before disposal.

Final thoughts

There is a wealth of information on the PCI Security Standards Council's Web site. But if you are new to PCI DSS, or the least bit concerned about upgrading to 2.0, I would recommend working with a consultant.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

26 comments
Michael Jay

As PCI/DSS is a vendor-side issue, what about home credit card readers? Do they provide another level of security, or are they a solution looking for a problem?

Brenton Keegan

I remember reading through the PCI compliance stuff a while ago. Their standards are pretty vague, but I guess it has to be. Network security is always a moving target. I haven't experienced an audit, but I imagine there is much that won't come up on their list. It seems it could be easy to get PCI compliance and not really have a secure network. The fact that it took them all the way to July 2010 to disallow WEP I find incredibly disturbing...

rmaillet

What I see to be the biggest problem with PCI/DSS is as follows: Internet merchants cannot capture any information from the mag stripe. On the other hand, swiped cards do capture mag stripe info, and most grocery stores that use Microsoft cash register software do capture and store mag stripe data unencrypted and accessible to anyone that works in those stores, yet they do not face the same stringent testing that we Internet merchants do. I find this rather prejudicial to Internet merchants because the majority of stolen credit cards come from face-to-face merchant transactions and not from Internet merchants. The Associations should have just mandated the SET protocol for Internet merchants and none of this PCI/DSS compliance would be necessary, but it was going to cost a particular credit card processor too much money to deploy. (They were going to lose too much money processing charge backs; I know, I was there when it all took place.)

oldbaritone

This sure makes it obvious why so many merchants use a third-party service to handle the online payment instead of DIY.

Michael Kassner

They are the responsibility of the financial institution they are attached to. The same applies to SMB with similar credit-card readers.

Michael Kassner

As long as customer data is secure. That is all PCI DSS cares about. WEP actually is not that big a deal. PCI DSS stresses data security and isolation, meaning it is encrypted with minimally SSL/TLS or IPSEC.

Michael Kassner

I appreciate your comment. I was under the impression that PCI DSS applied to all businesses that deal with payment cards.

Michael Kassner

My friend is looking into that. There is an advantage as there are multiple businesses. But, TPVs also know the complexity and are charging accordingly. Ironically, we the consumers will eventually pay for having more security one way or the other.

Justin James

DIY is a hassle. The problem is, as soon as you get into variable, recurring payments, you need to either ask the customer to pay the bill each month (a headache for them) or store their credit card on file for rebilling (bringing you into PCI DSS territory). J.Ja

MyopicOne

This would be a good primer, unless anyone can suggest a better one-to-two page source.

auogoke

"Although the requirements are for PCI DSS compliance, I dare say the guides are a good primer for any business network, regardless of whether PCI DSS is a factor..." I first ran into PCI DSS while researching a paper for a class on wireless networking. I came to the same conclusion as you did (above.) Anyone building a secure network had better be aware of and incorporate PCI DSS requirements. Thanks for a great article and reminder.

Justin James

The application I've been working on does CC billing on a regular basis. I hate this kind of headache. Good article, thanks for this information, it was very timely for me! J.Ja

Brenton Keegan

Calling it secure doesn't make it so. My point is that, guessing from the vagueness of their standards, it will be easy to get PCI compliance, but that doesn't mean it's actually secure.

Michael Kassner

My friend is not involved with that. PCI DSS disallows retaining the information on the mag stripe. So, how do recurring payments work?

Michael Kassner

PCI DSS is a consideration that many developers overlook until afterwards. I know you, so I was not worried about that.

Michael Kassner

What I meant very well. The card data has to be encrypted. Then, if the data travels over a Wi-Fi network, it most likely will be encrypted again. If the data is not encrypted with SSL/TLS or IPSEC, the business is not certified.

Michael Kassner

Its real import is when the card is used in an ATM. The irony of it is that it is backwards. I suspect that online transactions are going to require individual card readers sooner rather than later. That said, according to the .govs I am working with, many of the smaller financial institutions do not verify the encrypted information on the mag stripe. That is how criminals can use the visible information to make a fake card, and it works at some ATMs. What's more, there is an underground list of ATMs that do not verify the mag stripe code. Edit: Spelling

AnsuGisalas

After all... most online payments are done by the customer writing the numbers in a form... so no mag stripe data involved in the first place - only the stuff written on the card (i.e. cardholder data).

Michael Kassner

That is why criminals can steal money from an ATM with just the visible information on a card and the PIN.

Justin James

If you can't store it and it is needed, that would make stuff like Amazon's one click payment or recurring payments impossible. J.Ja

Michael Kassner

Is required to verify certain transactions with the bank, if I understand correctly. I think it might be ATM and customer-present transactions. Edit: Correct my misconception.

Justin James

The details needed for many/most online payments are not all of the details. My CC gateway doesn't need the security code, just the CC number, exp. date, and basic personal details (name, address). So I don't ask for what I can't store. :) J.Ja