PCI-DSS: The 6 Major Principles

In the credit card processing industry, you’ve likely heard the term PCI-DSS, but do you know what it is, why it’s important, or what the requirements are? PCI-DSS is a complex standard, so we’ve broken it down for you.

What is PCI-DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. The standard is developed by the PCI Security Standards Council, which was formed in 2006.

The PCI-DSS sets forth the minimum security controls that must be in place to limit the chances of a cardholder data compromise. It is a baseline, not a ceiling: merchants that comply with the PCI-DSS are less likely to suffer a breach, but compliance at a point in time does not guarantee security.

All entities that store, process or transmit cardholder data must validate PCI-DSS compliance. Merchants should work directly with their acquiring bank for instructions on how to validate PCI compliance.

The 6 Major Principles of PCI-DSS

The PCI-DSS requirements are organized under six control objectives, or goals. Together the six goals cover the 12 requirements of the PCI-DSS, and each requirement is expanded into detailed sub-requirements and testing procedures.

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Build and maintain a secure network

Install and maintain a firewall configuration to protect cardholder data. Firewalls protect internal networks by inspecting network traffic and comparing it to a set of configured rules. Firewall and router rule sets must be reviewed at least every six months. Rules must limit inbound and outbound traffic to only those ports, protocols and services that are known, documented and required for business purposes, and must deny all other traffic. There must be a documented business justification for every open port and service.

Do not use vendor-supplied defaults for system passwords and other security parameters. Vendor-supplied default passwords and accounts are published in product documentation and are trivial for an attacker to look up. If these defaults are not changed, and unnecessary default accounts are not disabled or removed, they can be used to gain a foothold on internal networks and compromise cardholder data.

Wireless networks must have all defaults changed before they are put into service, including encryption keys, passwords, passphrases and SNMP community strings. All insecure or undocumented services, protocols and daemons should be disabled or removed so they cannot be exploited for access to internal networks.

Protect Cardholder Data

Protect stored cardholder data. Eliminate storage of cardholder data wherever possible, and keep what is stored to the minimum required for legal, regulatory or business needs, with a defined retention period and a secure disposal process. Sensitive Authentication Data (SAD) must never be stored after authorization, even if encrypted. SAD includes the full contents of the magnetic stripe or the equivalent data on the EMV chip, the card verification code (CVV2, CVC2, CID) and the PIN or PIN block.

Cardholder data may be stored when necessary. It includes the PAN (Primary Account Number), the cardholder name, the expiration date and the service code. The PAN must be rendered unreadable anywhere it is stored, using one-way hashes based on strong cryptography, truncation, index tokens with securely stored pads, or strong cryptography with proper key management; the other elements need protection only when they are stored together with the PAN. Masking a PAN for display (showing at most the first six and last four digits) is a separate requirement and does not by itself make stored data unreadable.

Encrypt transmission of cardholder data over open, public networks. Any transmission of cardholder data over public networks (the Internet, wireless, cellular, satellite) must use strong cryptography so that an eavesdropper cannot recover it. The protocol must use only trusted keys and certificates, a secure protocol version and configuration (SSL and early TLS no longer qualify) and appropriate encryption strength. Unprotected PANs must never be sent through end-user messaging technologies (chat, e-mail, IM, SMS and the like).
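A short worked example of the two rules above: rendering a stored PAN unreadable (truncation, display masking and a keyed one-way hash usable as a lookup index) and catching a PAN that slips into end-user messaging. This is an added illustration and is not code from the original article or from Global Payments Integrated. The PAN is a standard industry test number, the message is constructed, and the HMAC key is a placeholder that in a real system would come from a managed key store.

```python
import hashlib
import hmac
import re

# Well-known test PAN: passes the Luhn check but is not issued to any cardholder.
SAMPLE_PAN = "4111111111111111"

# Placeholder key for the example only. In production the key comes from a
# key-management system and is never embedded in source code.
DEMO_HMAC_KEY = b"demo-key-replace-with-managed-key"

# Constructed chat message of the kind that must never carry an unprotected PAN.
# The 13-digit ticket number is there to show that not every long digit run is a PAN.
SAMPLE_MESSAGE = "Hi, please charge 4111 1111 1111 1111 for ticket 1234567890123, thanks"


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: true for a 13-19 digit string that checksums like a PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits and discard the rest.
    Nothing recoverable remains, so the result is no longer a full PAN."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display only: the full PAN may still exist in storage,
    the rendering simply hides the middle digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the full PAN, usable as a lookup index.

    An unkeyed hash is not enough: the PAN space behind a known BIN is small enough
    to brute-force against a leaked hash table. With a managed key, only a party
    holding that key can compute or confirm the token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# that are not part of a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unprotected_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in free text (chat, e-mail, ticket body)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scrub_message(text: str) -> str:
    """Replace any detected PAN with its masked form before the message is sent or stored."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("token    :", pan_token(SAMPLE_PAN, DEMO_HMAC_KEY))
    print("leaked   :", find_unprotected_pans(SAMPLE_MESSAGE))
    print("scrubbed :", scrub_message(SAMPLE_MESSAGE))
```

The Luhn check is what keeps a messaging scanner from flagging every order or phone number as a card number; the ticket number in the sample message is rejected by it while the real test PAN is caught and masked.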

Maintain a vulnerability management program

Protect all systems against malware and regularly update anti-virus software or programs. Anti-virus software must be kept current, set to run periodic scans, and generate audit logs that are retained like other logs. End users must not be able to disable or alter it; only administrators specifically authorized by management may disable it, case by case and for a limited time.

Develop and maintain secure systems and applications. Entities must have a process to identify newly discovered vulnerabilities (for example by subscribing to vendor and industry alert sources) and to rank them by the risk they pose to the cardholder data environment, and must install vendor-supplied security patches, with critical patches applied within one month of release. Common coding vulnerabilities must be addressed through secure development practices and regular training of developers; these include, but are not limited to, injection flaws, cross-site scripting, cross-site request forgery, buffer overflows and insecure cryptographic storage. Public-facing web applications must be protected against known attacks by either (a) reviewing them with manual or automated application vulnerability assessment tools or methods at least annually and after any change, or (b) deploying an automated technical solution that detects and prevents web-based attacks, such as a Web Application Firewall, in front of them and keeping it current. The standard requires one of the two, not both.

Implement strong access control measures

Restrict access to cardholder data by business need to know. The principle of “need to know” means that an individual has access to only the least amount of data and the fewest privileges necessary to perform their job function. Access is assigned by job role rather than to individuals ad hoc. The principle extends to access to system components, which must default to “deny all” for anyone not specifically granted authorization.

Identify and authenticate access to system components. Every user must be assigned a unique ID before being allowed access, so that every action can be traced to an individual; shared or group accounts defeat this. Passwords must be strong: at least seven characters, containing both numeric and alphabetic characters (PCI DSS v4.0 raises the minimum length to 12 characters).

Multi-Factor Authentication (MFA) must be implemented for all non-console administrative access to the cardholder data environment and for all remote network access originating from outside the entity’s network. MFA requires at least two independent factors: something you know (a password), something you have (a code sent to a device, a key fob or a smart card) or something you are (a biometric).

Restrict physical access to cardholder data. Video cameras and/or access control mechanisms must be used to monitor and control physical entry to sensitive areas within the cardholder data environment, and the recordings and access records must be retained for at least three months unless otherwise restricted by law.

Any media containing cardholder data must be destroyed when no longer needed. For example, paper forms containing cardholder data should be cross-cut shredded, incinerated or pulped once they have passed the defined retention period. Also maintain an up-to-date inventory of point-of-interaction (POI) devices and periodically inspect them for tampering or substitution, for instance a skimmer attached to a terminal or a terminal swapped for a look-alike.

Regularly monitor and test networks

Track and monitor all access to network resources and cardholder data. Implement audit logging on all system components so that every action, including every access to cardholder data, can be tied to an individual user. Logs must be retained for at least one year, with a minimum of three months immediately available for analysis. Logs must be promptly backed up to a centralized log server or to media that is difficult to alter, so that an intruder cannot cover their tracks by editing or deleting local logs. Logs must be reviewed at least daily and any anomalies or exceptions investigated and resolved.
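The daily log review described above, as an added example that is not part of the original article: it parses a constructed day of centralized audit records and flags the items a reviewer should look at first: events with no user ID (the action cannot be tied to an individual, so logging on that host is incomplete), use of shared or generic accounts, repeated failed logins, and any access to the audit trail itself. The log format, the shared-account list and the failure threshold are assumptions made for the example.

```python
import re

# Constructed sample of one day of centralized audit log; not real data.
# Each record carries a timestamp, host, user ID, event type, result and source address.
SAMPLE_LOG = """\
2024-03-02T08:01:12Z host=pos-app01 user=alice event=login result=success src=10.0.1.20
2024-03-02T08:02:40Z host=pos-app01 user=alice event=read_pan result=success src=10.0.1.20
2024-03-02T08:10:03Z host=pos-db01 user=root event=login result=success src=10.0.1.99
2024-03-02T08:11:00Z host=pos-db01 user=root event=read_pan result=success src=10.0.1.99
2024-03-02T09:00:01Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T09:00:07Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T09:00:12Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T09:00:19Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T09:00:25Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T09:00:31Z host=pos-app01 user=bob event=login result=failure src=203.0.113.5
2024-03-02T10:30:44Z host=pos-app02 event=read_pan result=success src=10.0.1.31
2024-03-02T11:15:09Z host=pos-db01 user=carol event=audit_log_access result=success src=10.0.1.40
"""

# Generic accounts that cannot be tied to one individual (assumed list for this example).
SHARED_IDS = {"root", "admin", "administrator", "sa", "shared"}

# Review threshold assumed for this example; align it with the entity's own lockout policy.
FAILED_LOGIN_THRESHOLD = 6

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_log(text: str) -> list:
    """Parse key=value audit records into dicts; malformed or empty lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = {"ts": match.group("ts")}
        for pair in match.group("fields").split():
            key, sep, value = pair.partition("=")
            if sep:
                event[key] = value
        events.append(event)
    return events


def daily_review(events: list) -> list:
    """Return review findings; each is a dict with a 'type' and its supporting record(s)."""
    findings = []
    failures = {}
    for ev in events:
        user = ev.get("user")
        if user is None:
            # No user ID: the action cannot be attributed to an individual.
            findings.append({"type": "unattributed_event", "record": ev})
        elif user in SHARED_IDS:
            # A shared account breaks the one-ID-per-person accountability chain.
            findings.append({"type": "shared_account", "record": ev})
        if ev.get("event") == "login" and ev.get("result") == "failure":
            key = (user, ev.get("src"))
            failures[key] = failures.get(key, 0) + 1
        if ev.get("event") == "audit_log_access":
            # Any access to the audit trail itself is always a review item.
            findings.append({"type": "audit_trail_access", "record": ev})
    for (user, src), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append({"type": "repeated_login_failures",
                             "user": user, "src": src, "count": count})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by type, which is what a daily review ticket would report."""
    counts = {}
    for finding in findings:
        counts[finding["type"]] = counts.get(finding["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in daily_review(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the review turns up two actions performed as root on the database host, one read of PAN data on pos-app02 with no user recorded, a burst of six failed logins for bob from an external address, and carol’s access to the audit log. Each of those is an anomaly to be investigated the same day, and the first two also point at a logging or account-management gap that would fail the unique-ID requirement above.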

Regularly test security systems and processes. Internal and external vulnerability scans (the external scans performed by an Approved Scanning Vendor) at least quarterly and after any significant change, together with penetration testing at least annually, help ensure that the network is protected against newly discovered vulnerabilities. Entities must also test for unauthorized wireless access points in the cardholder data environment, by manual or automated means, at least quarterly. Intrusion detection or prevention systems must monitor the perimeter and critical points of the cardholder data environment, and a change-detection mechanism such as file integrity monitoring must alert personnel to unauthorized modification of critical system, configuration or content files.

Maintain an Information Security Policy

Maintain an information security policy. Entities are required to develop, publish and maintain an information security policy documenting the policies and procedures that protect cardholder data, and to review it at least annually. Usage policies for critical technologies (remote access, wireless, removable media, laptops, mobile devices, e-mail and Internet use) must clearly state which employees may use which devices, for what purpose and in which locations.

Incident response plans must be in place and tested at least annually. An incident response plan typically covers roles and contact points, procedures for notifying the payment brands and the acquiring bank, business continuity, and data backup and recovery. Follow the rules in your jurisdiction for public breach notification.

Conclusion

The PCI-DSS outlines the minimum security controls merchants are required to implement in order to reduce the chance of a data breach. The PCI compliance process can be complex, so our PCI Assure program is designed to simplify it for your merchants. For more information, contact Global Payments Integrated today.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.
