Our previous article provided an overview of the PCI DSS and the levels it uses to categorize businesses. Now we will outline the specific security requirements businesses must meet, according to the PCI DSS.
Security Requirements of the PCI DSS
For those businesses that are subject to the PCI DSS, there are twelve security requirements that they must implement and enforce. This is an addition to being compliant for their respective compliance level. These security requirements are as follows:
- The use of network security devices:
This includes the deployment of firewalls, routers, and network intrusion devices located near wherever a customer’s credit card is being processed.2. Making use of robust passwords:
The passwords that are created must be long and complex enough so that they are difficult to crack on the first attempt. The use of a password manager is strongly encouraged to create and enforce these kinds of passwords.
3. Protecting credit card numbers:
The use of encryption must be used in order to scramble the credit card numbers, so that they remain in a useless state if they were to be intercepted by a Cyberattacker.
4. The lines of communication must be made secure:
Whenever credit card numbers and relevant data are transmitted to the credit card company, the network lines of communication through which this occurs must also be encrypted.
5. The use of anti-virus software:
The Point of Sale (PoS) terminals as well as other devices that interact with the actual credit card must have anti-virus software installed, and they must be kept updated with the latest software on a timely basis.
6. All devices must be protected:
In addition to the anti-virus requirement stated in #5, all other devices that are used to safeguard the credit card information and transactions—either directly or indirectly—must have anti-virus software installed and it must be kept up-to-date.
7. Access to credit card data must be appropriate:
Anybody who needs to have access to credit card information/data must have privileges and permissions that are appropriate to do their job, not more and not less. Anyone who does not need to have access (especially external, third parties) should not be given any rights or permissions under any circumstance.
8. Unique IDs must be established:
Parties who need to have access to credit card information/data must have their own ID that is specifically created for this reason. The use of the same ID for multiple entities is strictly prohibited.
9. All storage mediums should be securely stored:
Any kind or type of device that is used to store credit card numbers and other relevant information (whether in a physical or digital form) must remain locked in a secure area at the place of business. Access to these storage devices should be heavily restricted as well.
10. Accurate records must be kept:
Any credit card transactions that take place must be thoroughly documented and archived for a certain number of reviews, for both compliance and audit-related purposes.
11. Testing for vulnerabilities:
Any environment that processes or stores credit information/data must be tested on a regular basis for any unknown vulnerabilities that could exist. This can be primarily done through penetration testing and/or threat hunting.
12. Create a security policy:
A specific and dedicated security policy must be crafted and strictly enforced for any businesses that fall into the four types of level categories, as reviewed earlier in this article.
These security requirements can be summarized in this illustration:
Interestingly enough, the PCI DSS standards are not enforced at the federal level. But they are under close scrutiny by the major credit card providers, and the penalties for noncompliance can be quite stiff. A future article will examine those penalties, as well as the other provisions that have been set forth. If you have further questions, see a detailed FAQ guide by PCIComplianceGuide.org.
Ravi is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas.Tech, Inc. He is also studying for his CompTIA Security+ Certification.