PCI DSS compliance checklist
To achieve PCI DSS compliance, businesses have to meet several strict requirements. Generally speaking, each requirement helps protect data while it’s at rest and in transit, restricting bad actors from accessing sensitive information.
With that in mind, let’s examine some of the basic steps businesses need to take to achieve and maintain PCI compliance, as outlined in the PCI DSS Quick Reference Guide.
1. Install and maintain network security controls
Most payment card transactions rely on point-of-sale (POS) systems, which connect to computers across networks. Cyber criminals often target merchant networks to steal cardholder and authentication data.
As such, PCI DSS requires businesses to implement strong network security controls to protect customer transactions — like installing and maintaining a firewall and implementing strong access controls. Businesses must also avoid using vendor-supplied defaults for system passwords and other security parameters.
Brick-and-mortar store owners should consult security and IT personnel to ensure their networks contain strong authentication services. Cyber criminals often avoid networks that are difficult to penetrate, seeking easier targets instead.
Similarly, e-commerce providers need to ensure networks are secure for system administrators and remote employees. They should invest in appropriate security controls and ensure the applications they rely on daily are PCI-compliant.
2. Apply secure configurations to all system components
Threat actors often exploit vulnerabilities to gain network access. As a result, businesses should address vulnerabilities as they're announced to keep threat actors out and sensitive data safe.
PCI DSS recommends developing configuration standards for system components that address known security vulnerabilities. Such standards should be consistent with industry-accepted definitions.
3. Protect stored cardholder data — or don’t store it in the first place
According to the PCI DSS guidelines, it’s best to avoid storing cardholder data. Further, businesses should never store sensitive data from a chip or magnetic stripe after authentication.
If storing data is unavoidable, the data must be rendered unreadable wherever it is stored in a company's systems, which is possible through cryptography. Businesses that fail to dispose of data properly or to store it securely risk non-compliance should a security breach occur.
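The following is an added example, not part of the PCI DSS guide or this checklist, showing how an authorization record might be prepared for storage: sensitive authentication data from the chip or stripe is dropped, the PAN is truncated for display, and a keyed one-way hash (HMAC-SHA256) replaces the full PAN. The field names, the truncation format and the in-memory key are assumptions for illustration; in a real system the HMAC key would be held in a separate key-management system.

```python
import hashlib
import hmac
import re

# Assumed field names for sensitive authentication data (SAD). PCI DSS forbids
# retaining these after authorization, even in encrypted form.
SENSITIVE_AUTH_FIELDS = ("cvv", "track1", "track2", "pin_block")


def digits_only(pan: str) -> str:
    """Strip spaces and dashes so formatting does not change the result."""
    return re.sub(r"\D", "", pan)


def mask_pan(pan: str) -> str:
    """Truncate the PAN for display, keeping the first six and last four digits
    (a common truncation format; confirm against the PCI DSS version in force)."""
    d = digits_only(pan)
    if len(d) < 13:
        raise ValueError("PAN too short")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN. The stored token cannot be reversed
    to the PAN without the key, which must live outside the data store."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return a copy of an authorization record that is safe to persist:
    no SAD, no full PAN, only a masked PAN and a keyed token."""
    safe = {k: v for k, v in record.items()
            if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    safe["pan_masked"] = mask_pan(record["pan"])
    safe["pan_token"] = tokenize_pan(record["pan"], key)
    return safe


if __name__ == "__main__":
    # Constructed sample record and key (not real card data).
    sample = {"pan": "4111 1111 1111 1111", "cvv": "123", "track2": "...",
              "amount": "19.99", "merchant_id": "M-0001"}
    demo_key = b"demo-key-from-kms"
    print(sanitize_for_storage(sample, demo_key))
```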
4. Encrypt all sensitive credit card data
Cyber criminals often attempt to intercept data sent over public networks with weak security controls. In fact, data interception is one of the main ways threat actors steal private cardholder data.
Because of this, PCI DSS requires businesses to encrypt cardholder data so that it is unreadable without the decryption key. For the best results, businesses must ensure data is encrypted both at rest and in transit. That way, even if a bad actor infiltrates a network, they won’t be able to make sense of the data.
5. Protect all systems and networks from malicious software
Malicious software — or malware — is a common and highly effective attack vector for threat actors. To protect against malware, companies should invest in an endpoint protection solution. Companies also need to produce and retain audit logs and document security policies and operational procedures.
Unfortunately, security isn’t always at the forefront of workers’ minds. For this reason, companies should consider security awareness training that teaches employees to avoid the common pitfalls cybercriminals use to trick unsuspecting end users.
6. Develop and maintain secure systems and software
One of the main reasons cybercriminals attempt to exploit systems and applications is to access sensitive customer data, which includes cardholder information and primary account numbers (PANs).
Businesses can eliminate vulnerabilities and reduce risk by prioritizing application security and being vigilant about installing vendor-approved security patches as soon as they’re released. PCI DSS requires that all critical systems have the most recently released software patches to avoid exploitation. Additionally, the standard requires businesses to patch less critical systems in accordance with risk-based vulnerability management programs.
7. Restrict access to cardholder data
Strong access controls are another critical requirement for PCI compliance. Companies must ensure that only authorized personnel can access critical data.
Best practices suggest that organizations should embrace the principle of least privilege, only allowing users to access the data they need to do their jobs. For further protection, businesses can also use a trusted access control system that can automatically grant or block access based on a user’s credentials. They can also implement additional controls, like multi-factor authentication.
8. Authenticate access to system components
Companies often struggle with access control, losing track of authorized users. When that happens, organizations can face identity sprawl problems.
To avoid this scenario, assign a unique identification number to all individuals with access to critical data and systems. Under the PCI DSS, this requirement applies to all accounts with administrative capabilities, including POS accounts and those with access to cardholder data.
9. Restrict physical access to cardholder data
In addition to protecting digital systems, businesses must also restrict physical access to data and systems that house cardholder data.
The PCI DSS recommends using appropriate facility entry controls to restrict physical access to systems in a data center environment. It’s also a good idea to create procedures to distinguish between different types of employees and limit physical access to sensitive areas to ensure only authorized employees can enter.
10. Monitor access to cardholder data
To manage vulnerabilities effectively and support forensic investigations, companies need logging mechanisms that track user behavior.
For this reason, PCI DSS advises companies to use logs in all environments for tracking and analysis purposes. This can help teams rapidly discover the root causes of issues, making it easier to close vulnerabilities quickly.
11. Test system security regularly
Cybersecurity is a never-ending responsibility. To combat evolving cybercrime tactics, businesses must routinely test process and system security, ensuring everything stays updated with the latest patches. As the PCI DSS points out, testing security controls is particularly important when environmental changes occur — like adjusting system configurations and deploying new software.
As a best practice, companies should conduct internal and external vulnerability scans every quarter and after any major network changes. PCI DSS also requires developing and implementing a framework for penetration testing and using intrusion prevention techniques to limit unauthorized entry.