
Here follows a short summary of the 12 fundamental requirements of PCI DSS (Payment Card Industry Data Security Standard).
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC) to enhance cardholder data security and reduce credit card fraud.
1. Keep a firewall
   - Block access to the CDE (Cardholder Data Environment)
   - Understand the network topology and the CHD (Cardholder Data) flows
2. No defaults
   - No vendor-supplied passwords
   - Disable features, ports, etc. that are not needed
3. Protect stored data
   - Truncate, tokenize, encrypt. The goal is that even if an attacker obtains the data, they cannot read it
4. Protect transmitted data
   - Maintain encryption
   - Strong authentication
   - Never transmit PANs as plaintext
5. Prevent malware
   - Run anti-malware software
   - Have policies so users cannot disable it
6. Develop securely
   - Secure software development lifecycle + patching vulnerabilities
7. Need-to-know access
   - Principle of least privilege: each role sees the least card data, for the least amount of time, needed to do its job
   - Role-based access control
8. Identify access
   - If something happens, the "associated human" must be identifiable
   - Unique IDs, no group/shared accounts, remove old accounts
   - Strong password practices, account lockout after X failed attempts
9. Restrict physical access
   - Entry control, CCTV, locked rooms, etc.
10. Log everything
    - All actions accessing or modifying card data
    - Time must be synchronized using one mechanism
    - File integrity monitoring
11. Test regularly
    - Both internal and external: audits, penetration testing, vulnerability scanning
12. Information security policy
    - Sum of all policies: usage, incident response, risk assessment, employee roles/screening
    - Technology usage policy
    - Employee screening
    - Formal incident management procedures, tested yearly
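Requirements 3, 4 and 10 above all come down to never letting a full PAN sit in plaintext where it is not needed. The following is an added example (not code from the original post) of the three techniques the list names: masking for display (first six and last four digits, the maximum PCI DSS permits to be shown), truncation for storage, and tokenization through a vault that maps a random token back to the PAN. It also redacts PANs from log lines, since logs are a common place for card data to leak. The `TokenVault` class, the sample PAN and the sample log line are constructed for this example; a production vault would persist tokens in a separately protected, encrypted store.

```python
import re
import secrets

# Constructed sample PAN (a well-known Luhn-valid test number, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _check_pan(pan: str) -> None:
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")


def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) + last four, everything else masked."""
    _check_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only the last four digits are needed, e.g. on receipts."""
    _check_pan(pan)
    return pan[-4:]


class TokenVault:
    """Minimal tokenization vault (constructed for this example).

    The token is random and has no mathematical relationship to the PAN,
    so a stolen token is useless without access to the vault itself.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        _check_pan(pan)
        token = secrets.token_hex(16)          # 32 hex characters
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str | None:
        return self._store.get(token)


# Candidate PANs in free text: 13-19 consecutive digits. Luhn filters out
# most order numbers and timestamps that happen to be long digit runs.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> str:
    """Replace any Luhn-valid digit run with its masked form before logging."""
    def _sub(m: re.Match) -> str:
        digits = m.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits
    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("display :", mask_pan(SAMPLE_PAN))
    print("storage :", truncate_pan(SAMPLE_PAN))
    print("token   :", tok, "->", vault.detokenize(tok))
    # Constructed log line that would otherwise leak a full PAN.
    print("log     :", redact_pans("order 12345 paid with 4111111111111111 by alice"))
```

The redaction step is deliberately conservative: a digit run that fails Luhn is left untouched so legitimate identifiers survive, while anything that looks like a card number is masked before it reaches the log sink.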
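Requirement 10 asks for file integrity monitoring on systems in the cardholder data environment. This added example (not from the original post) shows the core of such a tool: take a SHA-256 baseline of every file under a directory, rescan later, and report what was added, removed or modified, with a UTC timestamp so the report lines up with synchronized clocks elsewhere. `run_demo` builds a throwaway directory with constructed files and simulates all three kinds of change; the file names and contents are invented for the example. In a real deployment the baseline itself must be stored somewhere the monitored host cannot modify.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map each file (path relative to root, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Diff two scans into added / removed / modified lists plus a UTC timestamp."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def run_demo() -> dict:
    """Constructed scenario: baseline, then one edit, one delete, one new file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/config.ini", "mode=prod\n")
        _write(root, "app/payment.py", "print('ok')\n")
        _write(root, "notes.txt", "hello\n")
        baseline = build_baseline(root)

        # Simulated changes on the monitored host (constructed for the example).
        _write(root, "app/config.ini", "mode=debug\n")      # modified
        os.remove(os.path.join(root, "notes.txt"))           # removed
        _write(root, "app/new_module.py", "# new file\n")    # added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = run_demo()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{report['checked_at']} {kind.upper():8} {path}")
```

Each reported line is something an alert should be raised on; an unexplained change to a configuration or payment-handling file in the CDE is exactly the event this control exists to catch.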