We studied the Internal Control standards in our previous post. PCI-DSS stands for the Payment Card Industry Data Security Standard. It requires all merchants that handle payment card data to comply with its requirements, and non-compliance may lead to monthly fines of up to $100,000.
Requirements under the PCI-DSS:
PCI-DSS requires merchants dealing in any of its five payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa) to fulfil the following 12 requirements:
Control Objective: Build and maintain a secure network:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data:
Firewalls need to be maintained by a designated specialist within the organization, and they have to be independently tested for effectiveness.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters:
The steps taken to maintain the firewalls should be recorded as proof of compliance. Wireless LANs should be included as well.
Requirement 3: Protect stored cardholder data:
All sensitive data should be encrypted. The following diagram illustrates the cardholder data that should never be stored. If your business stores such data, it must be able to provide a valid business reason, since this will be checked during an assessment.
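As an added illustration (not part of the original post and not any vendor's product code), the Python below shows the storage rule behind Requirement 3: sensitive authentication data (full track data, the card verification code, and the PIN or PIN block, which the standard forbids storing after authorization) is dropped before a record is persisted, and the primary account number (PAN) is kept only as a display mask (first six and last four digits) plus a keyed hash. The field names, the sample record and the HMAC key are constructed for this example; in a real deployment the key comes from a key-management system.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): PCI-DSS forbids storing these after authorization.
# The field names are assumed for this example; the categories are the standard's own.
SAD_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Placeholder key for the keyed hash of the PAN. In production this comes from a
# key-management system, never from source code.
PAN_HMAC_KEY = b"EXAMPLE-KEY-REPLACE-WITH-KMS-MANAGED-KEY"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form of a PAN: first six and last four digits, the rest replaced by X."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def pan_fingerprint(digits: str) -> str:
    """Keyed hash of the PAN so records can still be matched without storing the PAN itself."""
    return hmac.new(PAN_HMAC_KEY, digits.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return the subset of a post-authorization transaction that may be persisted.

    SAD fields are dropped, the clear-text PAN is replaced by its mask and keyed hash,
    and every other field is passed through unchanged.
    """
    stored = {}
    for name, value in record.items():
        key = name.lower()
        if key in SAD_FIELDS:
            continue                      # never written to disk, logs or databases
        if key == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
                raise ValueError("field 'pan' is not a well-formed card number")
            stored["pan_masked"] = mask_pan(digits)
            stored["pan_hmac"] = pan_fingerprint(digits)
            continue
        stored[name] = value
    return stored


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test card number.
    sample = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/27",
        "cvv2": "123",
        "track2": "4111111111111111=27121010000000000000",
        "amount": "42.50",
        "merchant_ref": "ORDER-1001",
    }
    print(prepare_for_storage(sample))
```

The same function can sit in front of any write path (database, log, export) so that a record containing SAD never reaches storage, which is the property an assessor will look for; the keyed hash lets you still de-duplicate or search by card without the clear PAN on disk.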
Requirement 4: Encrypt transmission of cardholder data across open, public networks:
Your organization's wireless network and remote access controls should be properly configured. You should be able to map the route of your transmissions so that the key points requiring encryption can be identified. Transmissions can also be protected with encrypted tunnels based on SSL/TLS or IPsec, among other options.
Control Objective: Maintain a vulnerability management programme:
Requirement 5: Use and regularly update anti-virus software:
You should ensure that updates to your anti-virus software reach every device. Anti-malware protection needs to cover all operating systems and all forms of malware. Network Access Control (NAC) verifies that anti-virus has been applied to every individual workstation in your business unit.
Requirement 6: Develop and maintain secure systems and applications:
Custom applications can be difficult to patch and secure. Update and security alerts need to be reviewed periodically, vulnerability assessments need to be conducted, and protection of web-based applications is mandatory.
Control Objective: Implementing strong access control measures:
Requirement 7: Restrict access to cardholder data by business need-to-know:
Only employees who work with card-related data should be given access to it. Encryption and access controls should be configured through a proper system so that sensitive data is not compromised, and that system should be periodically reviewed and monitored.
Requirement 8: Assign a unique ID to each person with computer access:
By assigning a unique ID (UID) to each employee, access grants and the usage of sensitive data can be traced back to an individual, which helps prevent internal database breaches. User passwords must be rendered unreadable with strong cryptography during transmission and storage.
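The following Python is an added example, not code from the original post or from VComply, showing the two halves of Requirement 8 in one place: every account is keyed by a personal user ID (generic names such as "admin" are refused, as are duplicates), and the password is stored only as a salted PBKDF2-HMAC-SHA256 hash and checked with a constant-time comparison. The `AccountDirectory` class, its deny-list of generic IDs and the iteration count are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; 600,000 is the current OWASP recommendation for SHA-256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing, salted PBKDF2 hash: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)                 # unique per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


class AccountDirectory:
    """In-memory user store keyed by a unique personal ID (assumed structure for the example)."""

    GENERIC_IDS = {"admin", "root", "operator", "shared", "guest"}   # assumed deny-list

    def __init__(self):
        self._accounts = {}

    def create_user(self, user_id: str, password: str) -> None:
        uid = user_id.strip().lower()
        if uid in self.GENERIC_IDS:
            raise ValueError("generic account names cannot be tied to one person")
        if uid in self._accounts:
            raise ValueError("user ID %r already exists" % uid)
        self._accounts[uid] = hash_password(password)

    def authenticate(self, user_id: str, password: str) -> bool:
        stored = self._accounts.get(user_id.strip().lower())
        if stored is None:
            # Hash anyway so response time does not reveal whether the ID exists.
            hash_password(password)
            return False
        return verify_password(password, stored)


if __name__ == "__main__":
    directory = AccountDirectory()
    directory.create_user("jsmith", "correct horse battery staple")   # constructed sample
    print(directory.authenticate("jsmith", "correct horse battery staple"))   # True
    print(directory.authenticate("jsmith", "wrong"))                          # False
```

Because the stored string carries its own algorithm and iteration count, the work factor can be raised later and old hashes re-verified and upgraded at the user's next login without a migration.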
Requirement 9: Restrict physical access to cardholder data:
Keep all devices storing card information in a secure environment. Install CCTV cameras in server rooms. Restrict physical access to wired and wireless network connections to prevent internal breaches.
Requirement 10: Track and monitor all access to network resources and cardholder data:
Security Event Management (SEM) and Security Information and Event Management (SIEM) systems should be installed to manage all logs and event data. Firewall, DNS and other external system logs must be collected and stored on internal systems. Penetration tests need not be performed by QSAs (Qualified Security Assessors) or ASVs (Approved Scanning Vendors).
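As an added example (not from the original post, and not tied to any SIEM product), the Python below shows the kind of rule a SIEM would run over collected access logs for Requirement 10: it parses a small, constructed audit log in a simple key=value format and raises alerts for access to cardholder data by a user without a business need-to-know (Requirement 7), access by a generic rather than personal account (Requirement 8), and repeated failed logins. The log format, resource names, user names and thresholds are all assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed audit log lines in an assumed key=value format (not any vendor's format).
SAMPLE_LOG = """\
2024-03-01T10:02:11Z user=alice action=login result=success src=10.0.5.12
2024-03-01T10:02:40Z user=alice action=read resource=cardholder_db result=success src=10.0.5.12
2024-03-01T10:03:05Z user=bob action=read resource=cardholder_db result=success src=10.0.7.3
2024-03-01T10:03:30Z user=admin action=read resource=cardholder_db result=success src=10.0.9.9
2024-03-01T10:04:00Z user=eve action=login result=failure src=203.0.113.5
2024-03-01T10:04:02Z user=eve action=login result=failure src=203.0.113.5
2024-03-01T10:04:04Z user=eve action=login result=failure src=203.0.113.5
2024-03-01T10:04:06Z user=eve action=login result=failure src=203.0.113.5
2024-03-01T10:05:00Z user=carol action=read resource=inventory result=success src=10.0.5.20
"""

# Assumed policy inputs: which resources hold cardholder data, who has a business
# need-to-know for them, and which IDs are generic rather than personal.
CARDHOLDER_RESOURCES = {"cardholder_db"}
NEED_TO_KNOW = {"alice"}
GENERIC_IDS = {"admin", "root", "shared"}
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn one log line into a dict: timestamp plus its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def analyse(log_text: str) -> list:
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user", "?")
        src = ev.get("src")
        # Rule 1: repeated failed logins from one source for one account.
        if ev.get("action") == "login" and ev.get("result") == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_login_failure", user, src))
        # Rules 2 and 3: who touched cardholder data, and were they entitled to?
        if ev.get("resource") in CARDHOLDER_RESOURCES:
            if user in GENERIC_IDS:
                alerts.append(("generic_account_on_cardholder_data", user, ev["ts"]))
            elif user not in NEED_TO_KNOW:
                alerts.append(("access_without_need_to_know", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Run against the sample log this produces three alerts: one for bob (cardholder access without need-to-know), one for the generic admin account, and one for eve once the third failed login arrives. The point of Requirement 10 is that such rules can only fire if every system that handles cardholder data actually forwards its logs to the central store.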
Requirement 11: Regularly test security systems and processes:
All merchants should conduct regular internal and external vulnerability scans to find possible weaknesses in the system. Scans should also be run whenever someone makes changes to the system.
Requirement 12: Maintain a policy that addresses information security:
A strong organizational policy guides employees towards achieving these requirements. Moreover, IT security should be part of the organization's policy planning, and service providers should be monitored and managed.
How to ensure compliance with the requirements?
The requirements under PCI-DSS are not easy to comply with. However, with help from VComply's GRC (Governance, Risk and Compliance) services, you can align yourself with all the standards. Our 30-minute deployment time, real-time alerts, CAL repository, compliance library and Assign and Track feature, among many others, will help you concentrate on the key aspects of your business. You may also explore the services through the Lifetime Free version. To know more, simply click here.