PCI DSS White Papers
Beginner’s Guide to PCI Compliance
Major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, acted against the increased number of data security breaches by coming together to create the PCI Security Standards Council. This Council developed a security standard for merchants that process credit card data, known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS encourages and enhances cardholder data security by providing globally-recognized data security measures.
Merchants, service providers, and subservice providers that store, transmit, or process cardholder data, including credit, debit, or other payment cards, are required to adhere to the PCI DSS. The PCI DSS audit is designed to test whether your organization is compliant with the 12 technical and operational requirements established to protect cardholder data.
Guide to PCI Policy Requirements
The purpose of the PCI DSS is to ensure that all of the data that lives within the cardholder data environment (CDE) is protected and secured from theft or unauthorized use. If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS, but doing so may seem daunting.
Why? Because the PCI DSS has almost 400 controls, 6 control objectives, and 12 major subject areas, and many organizations struggle with the documentation aspect of a PCI assessment. However, established best practice states, “If it’s not written down, it’s not happening.” Organizations need documented policies, procedures, and standards not only to control risks to business assets, but also to have a common understanding and language that creates consistency across your organization.
The 12 PCI DSS Requirements
PCI REQUIREMENT 1: Install and Maintain a Firewall Configuration
Welcome to PCI Requirement 1. Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? If so, this is a great place to be introduced to the PCI DSS. In these videos, you will learn why the PCI DSS was developed, who participates in the PCI environment, what the 12 PCI DSS requirements are, and what the foundational elements of a PCI DSS engagement are.
PCI REQUIREMENT 2: Do Not Use Vendor-Supplied Defaults
Welcome to PCI Requirement 2. Did you know that vendor-supplied default information, such as account names and passwords, poses a serious threat to your organization’s security? Yes, vendor-supplied defaults might make installation or even support easier, but they also make it pretty simple for hackers to find the information needed to attack and exploit your system. How can we prevent this?
PCI REQUIREMENT 3: Protect Stored Cardholder Data
Does your organization store cardholder data? If so, you’re in the right place to start learning how to appropriately protect and store cardholder data. PCI Requirement 3 gives organizations an opportunity to consider which retained data is required and which is becoming a liability for your organization. So how do you protect the stored cardholder data that is vital to your business?
PCI REQUIREMENT 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
The culture we live in revolves around satellite technology, cell phones/GSM, Bluetooth, laptops, wireless Internet, and more. We may consider these things private, but the PCI DSS deems them to be public. PCI Requirement 4 helps prevent organizations from being a target of malicious individuals who exploit vulnerabilities in misconfigured or weakened wireless networks. To comply with PCI Requirement 4, sensitive data that your organization transmits over open, public networks must be encrypted.
PCI REQUIREMENT 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs
There are more people than you think looking to harm your environment. PCI Requirement 5 specifically calls out that your organization should protect against malware and use anti-virus software. Malware constantly shows up in today’s headlines. Malware could be viruses, worms, ransomware, Trojans, etc. Your organization should take every precaution possible to prevent a potential attack.
In these videos, you will learn about anti-virus solutions, malware protection, commonly affected systems, and the evolving threat landscape. Meeting PCI Requirement 5 will help protect your organization from being infected by malware attacks.
PCI REQUIREMENT 6: Develop and Maintain Secure Systems and Applications
Complying with PCI Requirement 6 will help your organization build a vulnerability management program that develops and maintains secure systems and applications. Attackers often use common security vulnerabilities to gain entry to systems in the targeted environment. Many common security vulnerabilities could be fixed with vendor-supplied security patches, but the issue arises when those patches are installed too late or not at all. The PCI DSS calls for all systems and applications to have all appropriate security patches implemented within an appropriate period of time in order to protect the cardholder data environment. This requirement is directed towards all applications in your environment, not just applications you’ve bought commercially or ones that you’ve developed.
Our PCI Requirement 6 videos will cover how to identify security vulnerabilities, patch installation, how to develop secure applications, secure coding strategies, change control processes, common coding vulnerabilities, and more.
PCI REQUIREMENT 7: Restrict Access to Cardholder Data by Business Need to Know
Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. If someone’s job requires that they have access to cardholder data, grant it. But if they can function without it? Deny access. The more people who have access to cardholder data, the more risk there is. Limiting access to those with a legitimate business need can help your organization prevent mismanagement of cardholder data.
Our PCI Requirement 7 videos will discuss the systems and processes that must be in place to limit access to cardholder data based on business need to know.
PCI REQUIREMENT 8: Identify and authenticate access to system components
Welcome to PCI Requirement 8, which focuses on two actions: identify and authenticate. How do you trace the actions of each user in your system? Are your user IDs and passwords secure? How do you know if your users are who they say they are? Does your staff know what to do if they suspect their account is at risk?
Our PCI Requirement 8 videos will show you how to establish a process of identifying and authenticating access into your organization’s systems.
PCI REQUIREMENT 9: Restrict physical access to cardholder data
Complying with PCI Requirement 9 is critical to the physical security of your organization’s sensitive cardholder data. What would the consequences be if your organization had no physical access controls? No locks on the doors, no badge or identification system, no security guards, no receptionist? Without physical access controls, you give unauthorized persons a plethora of ways to potentially gain access to your facility and to steal, disable, disrupt, or destroy your critical systems and cardholder data.
Our PCI Requirement 9 videos will discuss the systems and processes that must be in place to physically protect cardholder data.
PCI REQUIREMENT 10: Track and monitor all access to network resources and cardholder data
If data was compromised at your organization, how would you determine the cause? PCI Requirement 10 focuses on a critical aspect of data protection: logging and tracking. Implementing logging mechanisms at your organization gives you the ability to track user activities, which is crucial in preventing, detecting, and minimizing the consequences of a data breach. Without logging and tracking, it’s almost impossible to find the source of the data breach or compromise.
This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 10.
PCI REQUIREMENT 11: Regularly test security systems and processes
How do you ensure that the security of your system is actually working? PCI Requirement 11 focuses on a critical aspect of PCI compliance: testing. This testing should cover wireless access points, incident response procedures, vulnerability scans, penetration testing, intrusion detection, change detection, and policies and procedures. Regular testing ensures that new vulnerabilities are caught by the right people and that measures are taken to protect against new threats.
This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 11.
PCI REQUIREMENT 12: Maintain a policy that addresses information security for all personnel
Welcome to PCI Requirement 12, the final requirement listed in the PCI DSS. This requirement is centered around the management of your information security program, which stems from a strong information security policy that sets the tone and expectations for your employees.
This set of videos will help you understand what’s required of your organization to comply with PCI Requirement 12.
PCI DSS Blog Posts
6 Steps of a PCI Audit
To protect the security of cardholder data, the PCI Security Standards Council requires organizations that work with payment cards to maintain compliance with the PCI DSS. If you’re an entity that stores, processes, or transmits cardholder data, you may be asking QSA firms, “How do you conduct a PCI audit?” At KirkpatrickPrice, we take a six-step approach in the PCI audit process to help your organization gain PCI compliance.
4 Reasons to Start a PCI Audit Right Now
Let’s face it: our society is becoming more reliant on cashless payment systems, from payment cards to contactless pay. With this digital focus, the security of cardholder data is top of mind for consumers. In fact, according to Pew Research Center, “41% of Americans have encountered fraudulent charges on their credit cards.” If your business cannot prove that your services are secure, why would consumers choose to do business with you when there are hundreds of others who will protect their cardholder data? Has your business been hesitant to start a PCI audit? Let’s discuss a few reasons why you should stop waiting and start a PCI audit right now.
How Do I Find a QSA For My PCI Audit?
Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? Going through a PCI audit for the first time? Your organization will need an individual who can help you maintain PCI compliance and provide you with a high-quality PCI audit. Who can do that? A Qualified Security Assessor (QSA). In fact, a QSA is the only individual who can deliver a PCI RoC for your organization. Without hiring a company that has a certified QSA, you won’t be able to meet your PCI compliance requirements and are at risk for additional data threats. You know you need a QSA, but where should you start? Let’s begin by defining what you’re looking for when choosing a QSA.
How Do I Become Compliant with PCI?
Becoming PCI Compliant for the first time can be an overwhelming undertaking if you are unsure of where to start. With approximately 394 controls, this comprehensive data security standard can be a large undertaking that is best tackled with expert assistance.
Most Common PCI Gaps
In the payment card industry, our auditors come across the same vulnerabilities and gaps time and time again across different organizations. Even for a retailer as big as Macy’s, security gaps showed up in full force when their payment card systems were breached in 2018. Did Macy’s security team take the time to mitigate the most common PCI gaps? Could they have saved millions of dollars by implementing best practices? To give your organization an advantage as you start your PCI audit process, we have gathered common PCI gaps that can be associated with each PCI DSS requirement. Let’s get a head start on your PCI compliance journey.
What You Need to Know About PCI Requirement 11.3.4.1
Nine new PCI DSS v3.2 requirements turned from best practices to requirements on February 1, 2018. One requirement in particular, PCI Requirement 11.3.4.1, outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”
Let’s discuss why this PCI penetration testing requirement might apply to you, what segmentation is, what the six-month rule means, and what you need in order to comply with this requirement.
PCI DSS Update: Version 3.2.1 Released
On February 1, 2018, nine new PCI DSS requirements went into effect. Four months later, the PCI Security Standards Council (SSC) published a minor revision to the PCI DSS. PCI DSS v3.2.1 replaces v3.2 and addresses effective dates and Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) migration deadlines that have passed. Though PCI DSS v3.2.1 does not introduce any new requirements, let’s discuss the minor revisions made, when they go into effect, and what you need to do to ensure compliance with this new version of the PCI DSS.
What is PCI Compliance?
This is a question KirkpatrickPrice, as a PCI QSA, is frequently asked. Let’s start with what it stands for.
PCI stands for the Payment Card Industry. When we talk about compliance, we’re talking about the PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS originated from efforts by major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
PCI DSS Webinars
PCI Readiness Series: PCI Requirements 1 and 2
Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? If so, this is a great place to be introduced to the PCI DSS. This webinar will cover PCI DSS requirements 1 & 2 in-depth, so don’t miss out!
PCI Readiness Series: PCI Requirements 3 and 4
This session in our PCI Readiness Series focuses on PCI DSS Requirements 3 and 4, which focus on encryption and protecting cardholder data. PCI Requirement 3 states, “Protect stored cardholder data.” PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.”
PCI Readiness Series: PCI Requirements 5 and 6
This session in our PCI Readiness Series highlights PCI Requirements 5 and 6, which work together to help organizations build and maintain a vulnerability management program. PCI Requirement 5 states, “Protect all systems against malware and regularly update anti-virus software or programs.” PCI Requirement 6 states, “Develop and maintain secure systems and applications.”
PCI Readiness Series: PCI Requirement 7
In this webinar, our PCI expert spotlights PCI Requirement 7, which states, “Restrict access to cardholder data by business need-to-know.” This requirement focuses on authorization and on establishing a program of least privilege. PCI Requirement 7 supports the implementation of many of the controls in PCI Requirement 8.
PCI Readiness Series: PCI Requirement 8
This session in our PCI Readiness Series dives into PCI Requirement 8, specifically about identifying and authenticating access to system components. In this webinar, we will cover strong, secure passwords in transmission and storage, disabling accounts for terminated employees and unused accounts, changing default passwords, and disabling generic accounts with shared usernames and passwords.
PCI Readiness Series: PCI Requirement 9
PCI Requirement 9 evaluates all aspects of physical security controls to cardholder data – updated devices, visitor badges, security cameras, etc. The PCI DSS states, “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.”
PCI Readiness Series: PCI Requirement 10
This session in our PCI Readiness series spotlights PCI Requirement 10, which examines the tracking and monitoring of all access to network resources and cardholder data. Our panelist for this session, Jeff Wilder, explains each part of PCI Requirement 10 in detail, along with some of the common struggles that come along with this requirement.
PCI Readiness Series: PCI Requirement 11
This session in our PCI Readiness series focuses on Requirement 11. It requires regular monitoring and testing of security systems and processes, which validates an organization’s risk/threat management program and determines whether it is functioning correctly. To successfully validate your system, scans should validate your risk identification and risk ranking program. Internal scan results should be used to address risk through your risk management program.
PCI Readiness Series: PCI Requirement 12
When creating an information security policy, an organization must create a policy that addresses information security for all personnel. Let’s emphasize “all” – this policy is not just for the IT department but is for anyone that would/could be involved in some capacity with storing, processing, and transmitting cardholder data. PCI Requirement 12 helps oversee and govern an organization’s PCI DSS compliance program.
PCI Readiness Series: Scoping the Assessment
Knowing how to scope a PCI assessment is crucial to your organization’s compliance. Defining a correct scope is the first and most important step. Scoping is so vital that assessors should not even begin the assessment until they have fully determined the scope. So, how does your organization determine if an asset is in scope? Any person, process, or technology that stores, processes, or transmits cardholder data is considered to be within your cardholder data environment and in scope for your PCI assessment.
If your people, processes, or technology have the ability to impact the security of account data and sensitive authentication data, then your organization needs to have the appropriate controls applied in the appropriate places.
PCI Readiness Series: Penetration Testing
We often see clients struggling with the new requirements for penetration testing with regard to PCI compliance. The intent behind the new penetration testing methodology is to define the means and the methods by which a penetration test will be executed in your organization’s environment. Your organization’s penetration testing methodology should define the things that a penetration tester needs to do in order for your organization to have a comprehensive PCI assessment.