February 23, 2024

All you need to know about PCI DSS

Opening Statement:

Accepting credit card payments is a necessity for businesses and a core requirement for business operations. However, credit card fraud and identity theft are increasing at an alarming rate.

The payment ecosystem includes shopping applications and websites, point-of-sale devices, payment service providers (Stripe, Checkout, Authorize.net, etc.), software, issuing and acquiring banks, and card networks (VISA, MasterCard, American Express, etc.). Security vulnerabilities can show up anywhere in the payment processing ecosystem.

To ensure consumer data security and trust in the payment ecosystem, a minimum data security standard was established. VISA, MasterCard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) to set up and maintain a minimum security standard for companies that handle credit card data. The standard they introduced is the Payment Card Industry Data Security Standard (PCI DSS), which sets a security benchmark for consumer data protection across all components of the payment ecosystem.

For a comprehensive overview of PCI DSS and its impact on businesses, Forbes provides an insightful analysis that explores the practical implications and benefits of compliance.


PCI DSS Version and Requirements:

The Payment Card Industry Data Security Standard (PCI DSS) has a set of 300+ security controls covering data storage, data transmission, access control, and monitoring of operations. Many documents are published by the Payment Card Industry Security Standards Council (PCI SSC) to help you understand which security controls apply to your business model and how they can be effectively implemented and verified during security audits.

This article will help you understand how the PCI DSS standard uplifts the security posture of your business and minimizes the risk of consumer data and identity theft.

The current PCI DSS version is 3.2.1, which expires on March 31st. The new version is 4.0, and it is discussed in detail in this article.

Overview of PCI DSS compliance:

PCI DSS is a global security framework that applies to any organization that accepts and processes credit card information. The PCI DSS standard is not a law or regulation. Instead, it is an industry mandate for receiving and processing digital payments.

The Payment Card Industry Data Security Standard (PCI DSS) is not just a list of technical controls. It also includes operational and organizational controls with which a company must comply to achieve a baseline of customer payment data and identity security.

There are four ongoing components to consider for your business to comply with PCI DSS 4.0.

Primary Account Number (PAN) and Card Data Environment (CDE):

Sensitive account information, usually called the Primary Account Number (PAN), should not be stored unless explicitly required for business operations. Where PANs or other sensitive account data are stored, they are stored in the Card Data Environment (CDE).

Companies that do not need to store sensitive data should not store it. If card data or PANs are not stored, the company may only need to confirm 35 of the 300+ security controls for PCI DSS compliance.

Companies that need to handle card data must inventory all business processes and IT assets associated with handling it, analyze them for flaws, and undergo a formal PCI DSS assessment.

Segmentation of Card Data Environment (CDE):

PCI DSS defines the CDE as the people, processes, and technologies that store, process, or transmit credit card data, or any system connected to them. To limit the scope of PCI validation, segmenting the CDE from the rest of the business is essential.

If an organization is not able to limit the CDE with proper segmentation, the 300+ security controls of the PCI standard apply to all laptops, systems, and personnel of the organization.

Monitoring and Logging:

Companies should be able to monitor and log operational activity to maintain the security posture of the organization as per the security controls of the PCI DSS standard.

The organization must implement tools and processes to log and monitor any changes applied to CDE. As per the general security requirements of the PCI DSS standard to be discussed later, the organization should have tools and mechanisms to report any breach or vulnerability and remediate it with an effective response plan.

Validate and Maintain:

The organization must ensure that the tools, technologies, systems, and processes put in place to comply with the security controls of the PCI DSS standard are always active and operational.

Most vulnerabilities are introduced when system updates and changes are implemented, because they can affect the implementation of security controls and expose the CDE and sensitive card data to risk. The organization must perform periodic checks and scans to help guarantee ongoing protection.

Regardless of the scope of the CDE and the process put forth to maintain the organization's security posture, the PCI standard also requires completing a PCI validation form annually. Later in this article, we will discuss the forms and annual validation required based on different business models and the total count of yearly transactions the organization processes.

PCI DSS security and operational requirements explained:

To understand more about the PCI DSS security standard for credit card payments, let's review the comprehensive set of requirements and security measures that PCI DSS v4.0 provides to organizations handling consumer account data and identity. (They differ slightly from the security controls of v3.2.1.)

PCI DSS requirements involve the following main components:

Build and maintain Network Security Controls:
As discussed, segmentation is crucial in limiting the scope of PCI DSS controls. Segmentation is achieved by defining network segments (or subnets); a firewall manages and administers traffic that flows in and out of the network segment.

The firewall runs a set of predefined policies and rules. The firewall controls network traffic between two or more logical or physical network segments and can be referred to as the network policy enforcement points.

Historically, this has been done using physical firewalls. However, cloud access controls, virtualization, container orchestration, and other software-defined networking technologies can also serve as these security controls.

Protect stored Consumer Card data:
Per PCI DSS, organizations are not authorized to store the Primary Account Number (PAN) unless necessary for business. The organization must provide a documented business justification for storing card data.

Companies should not store sensitive account or authorization data before and after the transaction unless necessary.

If sensitive account data or authorization tokens are saved, the organization must ensure that the stored data is rendered unreadable as required by the security controls of the PCI DSS standard.

PAN secure transmission over the network:
Cardholder data in transit is exposed to higher risk. Sensitive data can be exposed to threats through an insecure network, use of legacy encryption, or malicious network configurations. The organization must ensure that multiple security measures are in place before consumer card data is moved.

To secure PAN transmission, companies can encrypt the session over which the data is transmitted, encrypt the card data before it is sent, or both.

Protection Against Malicious Software:
All networks and system components should be protected against malicious software. Attackers aim to inject malicious code without the consent of the organization, putting sensitive account data at risk.

Antivirus software must be installed for prevention on all endpoints and system components interacting with the CDE. The organization should ensure that the antivirus tools and software are continuously monitored and updated to provide coverage and defense against malicious software.

Maintain System Security and Development Standards:
Attackers aim to exploit security vulnerabilities in the applications and systems that store and transmit sensitive card data. Security patches are released by the vendors responsible for maintaining these systems, so the organization must maintain a mechanism for continuous upgrades and ensure the latest security patches are installed on critical system components.

Organizations must also patch systems that are not critical in an appropriate period. Recognized and industry-approved coding practices must be followed for any new software development. A mechanism for code reviews and vulnerability scans must be in place to eliminate and mitigate any risk. A proper mechanism for release management and a rollback plan must be in place.

Robust Access Control Mechanism:
The organization should implement systems and processes to ensure that only authorized individuals can access sensitive information. The individuals who access the information should also have a legitimate reason for accessing the information.

Threat actors can penetrate and access critical data when the required controls for verifying user identity and for restricting access from unrecognized machines or networks are missing or inactive. The organization should also schedule training so that team members understand identity theft and how threat actors hijack digital identities.

The organization must ensure that only the information that helps individuals do their job is provided. The provision of information should only be based on the job requirements, not on the level of security clearance or approvals.

Identify users and authenticate access:
The organization must have the relevant processes, tools, and mechanisms in place to allocate a unique identifier to each person who has access to sensitive data. This also enables the company to trace actions back to that user. This mechanism should be applied to all users with administrative, operational, or read-only rights.

Restrict physical access to Cardholder data:
Physical access to the servers, routers, and all system components storing cardholder data should be restricted.

Log and monitor system access:
System logging is fundamental to PCI DSS security controls. Logging tracks all user activity, detects system anomalies, and enables the organization to carry out effective forensic analysis. Without system logs, it is impossible to identify the cause of a compromise. Logging should be enabled on all system and network components of the CDE.

System logs and alerts should be in place to detect if any critical system is turned off or goes offline. An alert mechanism should be implemented to notify the security officials of any potential breach.
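The two requirements above (rendering stored PAN unreadable, and logging that does not itself leak card data) as an added Python example that is not part of the original article: it keeps only a truncated reference and a keyed one-way hash of the PAN, masks PANs for display to the first six and last four digits, and scans constructed sample log lines for any full PAN written in clear. The hash key, the regular expression, the function names and the sample log lines are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key for the keyed hash. In a real deployment the key
# lives in a key-management system, never in source code (assumption).
HASH_KEY = b"constructed-demo-key-do-not-use-in-production"

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def protect_pan_for_storage(pan: str) -> dict:
    """Storage form: truncated reference plus keyed hash, never the full PAN."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid PAN")
    tag = hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return {"last4": digits[-4:], "pan_hmac": tag}

def find_pan_leaks(log_lines):
    """Flag log lines carrying a Luhn-valid PAN in clear; masked PANs do not match."""
    leaks = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                leaks.append((n, mask_pan(digits)))
    return leaks

# Constructed sample log lines; the PAN is a well-known test number, not a real card.
SAMPLE_LOGS = [
    "2024-02-23T10:01:07Z checkout order=1881 pan=4111111111111111 amount=49.90",
    "2024-02-23T10:01:09Z checkout order=1882 pan=411111******1111 amount=12.00",
    "2024-02-23T10:02:30Z auth user=ops-admin src=10.20.30.40 result=ok",
]
```

Running find_pan_leaks over SAMPLE_LOGS reports only the first line, which is the kind of finding an alert on the logging pipeline should raise before the log reaches long-term storage.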

Security Audit:
Security is an ongoing process; cybercriminals constantly evolve new and inventive ways to breach sensitive cardholder data. The organization must ensure that all security tools, methods, and controls are effective and functional.

Periodic checks must be implemented to ensure all system components are updated for security patches and security controls are functional.

Organizational policies and programs:
The best defense against attacks and data breaches is awareness; the organization must ensure that the employees understand the sensitivity of the cardholder data and what they must do to protect it. Periodic training and awareness programs must be in place to enhance employee awareness and capacity.

Annual renewal of PCI DSS validation also ensures that the organization continues to meet the security criteria for handling electronic payments.

How to get your PCI DSS compliance:

Step 1: Select the PCI compliance Level:

Your business falls into one of four PCI DSS compliance levels depending on the volume of card transactions your organization handles every year.

The first step for your PCI DSS compliance would be to select the compliance level and fulfill the corresponding requirements.

Compliance Level / Applies to / Requirements to be fulfilled

Level 1

Applies to:
  1. Organizations that process over 6 million transactions per year.
  2. Organizations that have experienced a data breach.
  3. Organizations deemed Level 1 by any card association.

Requirements to be fulfilled:
  1. An annual on-site assessment (Report on Compliance, ROC) performed by a Qualified Security Assessor (QSA).
  2. Penetration testing report.
  3. Quarterly network scan by an Approved Scanning Vendor (ASV).
  4. Attestation of Compliance (AOC) form, which states that your organization has complied with the requirements of the PCI DSS standard.

Level 2

Applies to:
  Organizations that process 1 million to 6 million transactions per year.

Requirements to be fulfilled:
  1. Fill out a Self-Assessment Questionnaire (SAQ).
  2. An annual on-site assessment (Report on Compliance, ROC) performed by a Qualified Security Assessor (QSA), if required by the issuing bank.
  3. Quarterly network scan by an Approved Scanning Vendor (ASV).
  4. Attestation of Compliance (AOC) form, which states that your organization has complied with the requirements of the PCI DSS standard.
  5. Annual penetration test report.

Level 3

Applies to:
  Organizations that process 20,000 to 1 million transactions per year.

Requirements to be fulfilled:
  Same as above.

Level 4

Applies to:
  Organizations that process less than 20,000 transactions per year.

Requirements to be fulfilled:
  Same as above.

Step 2: Trace Card Holder Data:

You must completely map out where cardholder data is located and how it got there. This starts with the input of card data from your interface (shopping cart, subscription page, etc.); you also have to identify every touch point between that input and the data's resting place, and all of the systems and processes connected to these components.

This includes your load balancers, application clusters, queueing systems, monitoring and logging systems, and databases. Internal system networks should be isolated from the external world. A layered architectural topology needs to be followed at the top level, and system segmentation needs to be adopted at a granular level.

The best way would be to pinpoint how card data is handled throughout the system and who has access to it from an operation and technical perspective. 

Tools are available to map the card data flow and provide trace packets to analyze the complete journey of cardholder data.

Step 3: Enforce Security controls and Protocols:

Once you have control over your cardholder data at rest and in transit, you can map the complete journey of the cardholder data in and out of the system.

The next step is to enforce and implement the PCI DSS security controls that protect this sensitive data.

This means implementing access control policies, monitoring, logging, network security, data encryption, vulnerability response plans, antivirus management, and security patch management, and validating these controls regularly.

This might seem like a lot, but if the system's foundation is laid right and the organization's goal is to uplift the security of its consumers' data, the PCI DSS standard provides a systematic approach to fulfilling these requirements. Most of the security controls overlap with HIPAA, GDPR, and other privacy mandates, so a few of them may already be in place in your organization.

Step 4: Monitor and Maintain:

As the data flow and the touch points evolve, new tools and tech stacks are introduced in the system. PCI DSS is not a one-time event; organizations must ensure that they evaluate and comply with the security controls of the PCI DSS standard throughout the year and year on year.

PCI DSS security controls are operational and technical, requiring cross-departmental collaboration and support. It may be worthwhile to create a dedicated team internally to ensure compliance.

The organization must make sure that the security controls put in place are effective and operational, and that the necessary tools, logs, and monitoring are in place to oversee security operations.

Conclusion:

PCI DSS compliance is crucial for safeguarding payment data in today's digital world. Setting up large teams and incurring extensive expenses is not required for PCI DSS compliance. The optimum approach is to make the right technical choices and consult with individuals who can help you navigate this path.

One of the major problems organizations face is working out which controls apply to their business: there are around 1800 pages of official documentation published by the PCI council for the PCI DSS standard and 300 pages to understand which form to use when validating compliance. For a detailed guide on setting up SPF, DMARC, and DKIM to further secure your email communication as part of your PCI DSS compliance, refer to this comprehensive article. Additionally, transitioning from Pay-As-You-Go to a CSP model with Microsoft can provide more streamlined and secure payment solutions, as outlined here. With years of experience and a dedicated team to manage compliance requirements, we can assist in providing the most optimum path for your compliance journey.

We also assist the organization in optimizing its technical architecture and operational management and recommend and help them configure the right tools and technology stacks that limit the scope of the PCI DSS. This is achieved by minimizing the overall risk exposure of the organization. The recommendations we propose are from years of experience that positively impact the timelines of getting PCI DSS compliance and improve the organization's security posture.

We also offer training programs for teams and executives to equip them to make the right decisions and to keep them well informed about the overall journey to PCI DSS compliance.


Last Updated 1 month ago

About the Author

Helping Organizations move towards a Modern Digital Workplace and be strategic with their Microsoft cloud technology investments.

Sardar Suleiman
