How important is data protection to your customers? Reports estimate that ninety percent of people feel that data privacy is one of the most important factors when they partner with a company or a brand.

One of the areas where customers are most protective of their data privacy relates to their finances. If your organization has a data breach related to credit card data, you will lose more than time and resources solving the breach—you could lose your customers’ trust for good.

PCI-DSS offers a set of requirements your organization must comply with to effectively protect customer credit card data. 

This post provides you with the ultimate PCI compliance checklist you can use to ensure you’re maintaining compliance with the requirements of PCI-DSS.

What is PCI-DSS Compliance? 

PCI-DSS stands for the Payment Card Industry Data Security Standard. Released in September of 2006, this standard outlines processes and requirements to ensure that any company accepting, storing, or transmitting credit card data takes the proper precautions to keep that consumer data secure. 

Related Read: What is PCI Compliance?

Any organization that processes credit card payments or stores card data in any capacity must follow the standards outlined in PCI-DSS. The PCI Standards Security Council enforces these standards. This council was formed by representatives from major payment card companies, including MasterCard, American Express, Visa, Discover, and JCB. 

If your organization fails to comply with PCI-DSS, you may be subject to fines and penalties. You may be required to pay monthly penalties of up to one hundred thousand dollars. Your fees are determined by the number of months your organization was non-compliant.

In a breach, you may be required to pay fines of up to five hundred thousand dollars per incident. Additionally, when your organization has a breach caused or exacerbated by PCI-DSS non-compliance, you may face lost business due to the loss of public trust in your organization, resulting in losses that ultimately far outstrip the already sizable penalties.  


PCI Compliance Checklist

  1. Network Security Controls
  2. Secure Configurations
  3. Data Protection
  4. Encryption
  5. Anti-Malware Software
  6. Secure Systems & Software
  7. Restrict Access
  8. Unique User IDs
  9. Physical Access
  10. Log and Monitor Access
  11. Regular Testing
  12. Maintain a Policy 

Requirement 1. Network Security Controls 

What does this requirement mean? 

You must maintain a secure network by implementing and correctly configuring an appropriate firewall. This will restrict traffic flowing into and out of your network to help secure and protect the card data in your system.

How can you ensure you’ve met it?

The best way to ensure you’re meeting this requirement is to clearly establish network security control practices and standards for your organization. Distribute this information in writing and ensure your configurations are regularly reviewed and updated.

Requirement 2. Secure Configurations

What does this requirement mean?

You must apply secure configurations to all system components. You should never use vendor-supplied defaults for passwords, as these are easy to guess, and some are available online.

How can you ensure you’ve met it?

Always change passwords and usernames away from the default. Also, maintain good password hygiene and ensure all passwords are complex and difficult to guess. 

Related Read: 5 Cybersecurity Tips to Improve Employee Habits

Requirement 3. Data Protection 

What does this requirement mean?

All cardholder data must be appropriately stored and protected. You must encrypt your data with accepted algorithms or take steps to truncate, tokenize, or hash the data. You must also follow an encryption key management process per this requirement.

How can you ensure you’ve met it?

Set up an encryption key management process in your organization and ensure all workers in your business follow it. Additionally, note all locations where card data may be stored and ensure that the data is appropriately secured and displayed, revealing only the first six and last four digits of each card number. 
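The display masking and keyed hashing described above, as an added example that is not part of the original post: mask_pan shows only the first six and last four digits, luhn_ok rejects malformed input before it is stored, and pan_reference produces a keyed HMAC-SHA256 reference for lookups so the stored value cannot be reversed without the key. Function names, the sample PAN and the key source are assumptions.

```python
import hashlib
import hmac
import os
import re


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and enforce the 13-19 digit PAN length."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects typos before a value is stored or hashed."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash for matching/lookup. The key lives in the key-management
    process (assumed here to come from an environment variable), never
    beside the hashes; an unkeyed SHA-256 of a PAN is not sufficient."""
    if len(key) < 32:
        raise ValueError("HMAC key must be at least 32 bytes")
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"       # constructed test PAN, not a real card
    key = os.environ.get("PAN_HMAC_KEY", "k" * 32).encode()  # assumed key source
    print(mask_pan(sample), luhn_ok(sample), pan_reference(sample, key)[:16])
```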

Requirement 4. Encryption 

What does this requirement mean?

Requirement 3 mandates that you secure card data in your network. This requirement mandates that card data is also encrypted when being transmitted during transactions.

How can you ensure you’ve met it?

Utilize transmission protocols like TLS or SSH to ensure you transmit only a secure version of the card data. These steps will make it less likely that a cybercriminal can access the full card number during transactions. 

Requirement 5. Anti-Malware Software 

What does this requirement mean?

Per this requirement, you must maintain anti-malware software on all laptops, mobile devices, or workstations that store cardholder data or may be used to access a system that contains cardholder data.

How can you ensure you’ve met it?

Ensure you have anti-malware software installed on all machines owned by your organization. If you have a BYOD policy that allows employees to use personal devices, ensure you have strong processes in place for installing and maintaining anti-malware software on these devices as well. 

Requirement 6. Secure Systems & Software 

What does this requirement mean?

Your organization is responsible for maintaining all software used to store and transmit cardholder data. You should also identify and mitigate security risks and vulnerabilities on all operating systems, software, terminals, and more.

How can you ensure you’ve met it?

Create and implement a strong process to ensure all security patches and updates are completed as quickly as they are available on all systems and software. 

Requirement 7. Restrict Access 

What does this requirement mean?

Not every worker in your organization needs access to the cardholder data in your network. Cardholder data access should be restricted to only employees who need that data to perform their job duties.

How can you ensure you’ve met it?

Maintain a list of all employees, roles, and permissions needed to perform their roles appropriately. Conduct regular audits on user access to ensure that permissions are awarded or stripped based on changing access needs. 

Requirement 8. Unique User IDs 

What does this requirement mean?

You should not use group usernames and passwords for any system containing cardholder data. For example, if your entire accounts payable team logs into a database with the username “AP_Team,” you violate this requirement. The reason for this requirement is that individual login credentials make it easier to identify the source of a breach.

Related Read: Human Factors in Regards to Cybersecurity

How can you ensure you’ve met it?

Create unique user IDs and passwords for every user who requires access to cardholder data. You should also implement two-factor authentication wherever possible.  

Requirement 9. Physical Access 

What does this requirement mean?

You must restrict all access to cardholder data, but this is especially true of physical access to systems containing cardholder data. Carefully monitor who has physical access to your installation in a manner that would allow them to steal, destroy, or otherwise corrupt cardholder data.

How can you ensure you’ve met it?

Monitor data center entrances and exits with cameras, electronic locks with individual PINs, or other security measures. Also, ensure that all portable sources of cardholder data are destroyed as soon as there is no longer a business need for them to exist. 

Requirement 10. Log and Monitor Access 

What does this requirement mean?

You must have systems in place to log and monitor all access to networks and databases containing cardholder data. In addition to detection and monitoring alerts, organizations must address failure of critical security control systems. Ensure you implement an audit policy and set up a solution that sends access logs to a central server. You must hold these audit logs for at least one year.

How can you ensure you’ve met it?

Implement a Security Information and Event Management (SIEM) tool to log all network activity. You can engage in File Integrity Monitoring processes or use a System Integrity Assurance tool like CimTrak to help prevent or flag unauthorized changes.

Requirement 11. Regular Testing

What does this requirement mean?

Test your security processes and systems regularly. Cyberattackers are constantly finding new vulnerabilities to exploit. As a result, you must regularly test your systems against all known vulnerabilities and attack vectors to ensure your data is secure. This requirement explicitly states that organizations must implement file integrity monitoring (FIM) software.

How can you ensure you’ve met it?

Engage in the following testing procedures:

  • Quarterly analyses to discover unauthorized wireless access points
  • Quarterly scans using a PCI Approved Scanning Vendor for all external IPs
  • Quarterly internal vulnerability scans
  • Annual application and network penetration testing for all external IPs
  • Use of FIM software to ensure data cannot be changed without generating alerts
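The file integrity monitoring called for in Requirements 10 and 11, as an added example that is not the post's or CimTrak's code: a baseline of SHA-256 hashes is taken over the files that matter, a later snapshot is compared against it, and every added, removed or modified file becomes an alert line. The sample file contents are constructed; snapshot_directory is the same logic run over a real directory tree.

```python
import hashlib
import os
from typing import Dict, List

Snapshot = Dict[str, str]   # relative path -> hex SHA-256 of the file content


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_directory(root: str) -> Snapshot:
    """Baseline or current snapshot of every file under root (real filesystem)."""
    snap: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return snap


def snapshot_from_contents(contents: Dict[str, bytes]) -> Snapshot:
    """Same snapshot shape built from in-memory contents (used for the sample)."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in contents.items()}


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify drift against the baseline; an empty result means no change."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def alerts(changes: Dict[str, List[str]]) -> List[str]:
    """One alert line per change, ready to forward to the central log/SIEM."""
    return [f"FIM ALERT {kind}: {path}" for kind in ("added", "removed", "modified")
            for path in changes[kind]]


# Constructed sample: baseline of a payment app's config, then a later snapshot
# in which a config file was edited and an unexpected script appeared.
BASELINE = snapshot_from_contents({"app/payment.conf": b"tls=required\n",
                                   "app/keys.conf": b"kms=enabled\n"})
CURRENT = snapshot_from_contents({"app/payment.conf": b"tls=optional\n",
                                  "app/keys.conf": b"kms=enabled\n",
                                  "app/unknown.sh": b"#!/bin/sh\n"})
if __name__ == "__main__":
    print("\n".join(alerts(compare_snapshots(BASELINE, CURRENT))))
```

Store the baseline where a compromise of the monitored host cannot silently rewrite it, otherwise the comparison proves nothing.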

Requirement 12. Maintain a Policy 

What does this requirement mean?

You must create and maintain an information security policy in your organization. Review this policy annually and ensure that all employees, vendors, and contractors receive and acknowledge receipt of this policy each year.

How can you ensure you’ve met it?

Beyond creating and disseminating your policy, ensure you conduct the following:

  • Security awareness training
  • Employee background checks
  • Formal risk assessments each year
  • Incident management practices

Beyond the PCI Compliance Checklist 

This PCI Compliance checklist is an excellent starting point for preparing your organization to comply with PCI-DSS requirements and keep your customer’s data secure.

The key to maintaining PCI compliance is strong file integrity monitoring. PCI requirement 11.5 requires your organization to have file integrity monitoring processes in place to ensure you are protecting your customers’ data.

To learn more about implementing strong File Integrity Monitoring in your organization, check out our free resource, the File Integrity Monitoring Guide, today! 


Post by Lauren Yacono
April 6, 2023
Lauren is an IU graduate and Chicagoland-based Marketing Specialist.
