PCI Compliance Checklist – Everything You Need To Know
If you run a commercial website and sell products online, you have probably encountered the terrors of setting up online payments at some point. It is not as easy as it looks to the uninitiated. To process customer payments you need to manage the risks that come with them: if cardholder data is leaked or stolen by an attacker, the repercussions for the business can be severe, from fines levied by the card brands to, in the worst case, losing the ability to accept cards at all.
To nip this problem in the bud, the major card brands agreed on a common set of rules for anyone who handles their cards. PCI DSS, the Payment Card Industry Data Security Standard, is a set of 12 high-level requirements that every business which stores, processes or transmits cardholder data must meet. Think of them as the Twelve Commandments of payment security if you will. Let us first understand what PCI DSS is all about.
The standard is maintained by the PCI Security Standards Council (PCI SSC), a global body formed in 2006 by Visa, Mastercard, American Express, Discover and JCB. The PCI DSS compliance checklist exists to protect customers' data by making sure that businesses follow baseline security practices and so minimise the risks associated with card payments. Even if you use a third-party payment gateway such as Razorpay, PayPal or Stripe, you are still in scope: outsourcing the payment page shrinks the number of requirements you have to validate yourself (a fully hosted, redirected payment page typically lets a merchant attest with the short SAQ A questionnaire), but it does not remove your responsibility for the parts you still control, such as the web server that performs the redirect. In short, if you own an e-commerce website, you need to understand these requirements. Let's look in detail at each of the 12 and what they mean.
Requirement 1: Safeguard cardholder data by implementing and maintaining a firewall.
Firewalls are the first line of defence against a network attack. They sit between the cardholder data environment (CDE) and everything else, including the internet, and allow only the traffic the business has explicitly justified: inbound and outbound rules should deny by default and permit only what is documented and needed. Direct public access to any system that stores cardholder data is not allowed; database servers belong in an internal network segment, not in the DMZ. PCI DSS v4.0 calls these "network security controls", which covers cloud security groups and host-based firewalls as well as traditional appliances.
Requirement 2: Create custom passwords and other unique security measures rather than using the default setting from your vendor-supplied systems.
This should be pretty straightforward. If you keep the default passwords your vendor shipped, it is an open invitation to attackers: default credential lists for routers, databases, management consoles and SNMP community strings are public. It may be the easiest vulnerability to exploit, but it is also the quickest to fix. The requirement goes beyond passwords: every system in scope should be built to a documented hardening standard, with unnecessary default accounts, services, scripts and protocols removed or disabled, one primary function per server where practical, and all non-console administrative access encrypted (SSH or HTTPS, not Telnet or plain HTTP). Wireless equipment gets the same treatment: default SSIDs, admin passwords and SNMP strings must be changed before the device goes anywhere near the CDE. Keeping systems patched is a separate topic, covered under Requirement 6.
Requirement 3: Safeguard stored cardholder data.
This is one of the most important requirements in the checklist. A business must know exactly what cardholder data it stores, where it is stored, in what form and for how long, and must have a written retention policy with a purge process that actually runs. The best advice is not to store cardholder data at all; if you must, store the minimum, render the primary account number (PAN) unreadable wherever it is stored (strong encryption with properly managed keys, truncation, tokenisation or a one-way hash, which PCI DSS v4.0 requires to be keyed), and delete it securely as soon as the retention period expires. Sensitive authentication data, meaning the full magnetic stripe or chip track data, the CVV/CVC code and the PIN or PIN block, must never be stored after authorisation, not even encrypted. The requirement also limits how much of a card number may be shown: when a PAN is displayed, mask it so that at most the first six and last four digits are visible, unless the person viewing it has a documented business need to see the full number.
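The following is an added example, not code from the original article or from the PCI SSC, showing what the Requirement 3 controls above look like in practice: a small handler that refuses to persist sensitive authentication data, masks the PAN for display, replaces the stored PAN with a keyed one-way hash, and stamps each record with a purge date. The field names, the demo key, the retention period and the sample transaction are all assumptions made for the illustration.

```python
"""Added example (not from the original article): a minimal cardholder data
handler that puts three Requirement 3 controls into code.
  * Sensitive authentication data (CVV/CVC, full track data, PIN block) is
    refused outright, so it can never reach storage after authorisation.
  * The PAN is masked to the first six and last four digits for display.
  * The stored copy of the PAN is rendered unreadable with a keyed one-way
    hash (HMAC-SHA256 under a server-side key) and carries a purge date so a
    retention job can delete it on time.
Field names, the demo key, the retention period and the sample transaction
are all made up for this illustration.
"""
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Optional

# Field names this demo treats as sensitive authentication data (SAD).
SAD_FIELDS = frozenset({"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"})

# Demo-only key. In a real system this lives in an HSM or key manager,
# never in source code.
DEMO_HMAC_KEY = b"demo-only-key-do-not-use-in-production"


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' match."""
    return re.sub(r"\D", "", pan)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; used only to reject garbled input before storing it."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    p = _digits(pan)
    if not 13 <= len(p) <= 19:
        raise ValueError("PAN length out of range")
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def pan_lookup_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash of the full PAN, so records can still be matched
    (refunds, fraud checks) without keeping a readable PAN. An unkeyed hash
    would be brute-forceable: the issuer prefix is known and the Luhn digit
    is derived, leaving only about a billion candidates per BIN."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict, retention_days: int = 365,
                        today_iso: Optional[str] = None) -> dict:
    """Return a copy of the transaction that is safe to persist: SAD refused,
    PAN replaced by masked + tokenised forms, purge date attached."""
    present_sad = SAD_FIELDS & set(txn)
    if present_sad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present_sad)}")
    pan = _digits(txn["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    record = {k: v for k, v in txn.items() if k != "pan"}
    record["pan_masked"] = mask_pan(pan)
    record["pan_token"] = pan_lookup_token(pan)
    record["purge_after"] = (today + timedelta(days=retention_days)).isoformat()
    return record


def is_due_for_purge(record: dict, today_iso: str) -> bool:
    """True once the record's retention period has passed (purge job check)."""
    return date.fromisoformat(record["purge_after"]) < date.fromisoformat(today_iso)


# Constructed sample; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_TXN = {"pan": "4111 1111 1111 1111", "amount": "19.99", "currency": "USD",
              "merchant_ref": "ORDER-1001"}

if __name__ == "__main__":
    stored = prepare_for_storage(SAMPLE_TXN, today_iso="2024-01-01")
    print(stored)
    try:
        prepare_for_storage({**SAMPLE_TXN, "cvv": "123"})
    except ValueError as err:
        print("rejected:", err)
```

Running it stores `411111******1111` plus an HMAC token and a `purge_after` date, and the second call is rejected because a CVV is present. The HMAC rather than a plain SHA-256 is the design choice worth noting: with the BIN known, a plain hash of a PAN falls to a dictionary attack in minutes, which is why the key must be protected like an encryption key.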
Requirement 4: Encrypt cardholder data that is transmitted across open, public networks.
Where Requirement 3 covers data at rest, this one covers data in transit. Cardholder data sent across open, public networks (the internet, wireless networks, cellular and satellite links) must be protected with strong cryptography: in practice TLS 1.2 or later with a current cipher suite and a certificate you have verified, never SSL or early TLS, which the standard has retired. The same applies to internal wireless networks that carry card data and to PANs sent by end-user messaging such as e-mail or chat, which must be encrypted or, better, not sent that way at all.
Requirement 5: Anti-virus software needs to be implemented and actively updated.
Anti-virus has become part and parcel of protecting everyday systems, so it is natural that the payment industry requires it too. The standard calls for anti-malware on all systems commonly affected by malicious software (workstations, servers, point-of-sale devices), kept current with signature and engine updates, performing periodic scans, generating audit logs, and configured so that ordinary users cannot disable or alter it. Systems you consider not commonly affected, such as some mainframes or appliances, need a documented periodic evaluation that justifies leaving them out.
Requirement 6: Create and sustain secure systems and applications.
Requirement 6 is about developing and maintaining secure systems and software. Organisations must track newly discovered vulnerabilities in the software and components they run, rank them by risk, and install vendor security patches promptly: critical patches within one month of release. Custom code, including web applications, must be written under a secure development process with developers trained in the common flaws (injection, broken authentication, cross-site scripting and the rest of the usual list), reviewed before release, and kept in separate development, test and production environments with no live PANs used for testing. Public-facing web applications need either regular vulnerability assessment or an automated technical solution such as a web application firewall in front of them. Change control with a rollback plan rounds this out.
Requirement 7: Restrict access to cardholder data by business need-to-know.
It is in the interest of both the company and its customers that unauthorised personnel, inside or outside the company, cannot reach cardholder data. Access should be granted on a need-to-know basis and limited to the least privilege a role requires: define roles, document which data and systems each role needs, set the access control system to deny everything by default, and grant only what has been approved. "Need to know" is tied to job function, not seniority; a finance manager does not need to see full PANs any more than a developer does.
Requirement 8: Users with digital access to cardholder data need unique identifiers.
Following on from Requirement 7, you must be able to tell who accessed cardholder data at any given time. Every person with access to the CDE therefore gets a unique user ID; shared, generic or group accounts are not acceptable because they make actions impossible to attribute. Authentication itself must be strong: passwords with minimum length and complexity, lockout after repeated failures, session timeouts for idle connections, and multi-factor authentication for all non-console administrative access and all remote access into the CDE (PCI DSS v4.0 extends this to all access into the CDE). Accounts must be disabled promptly when someone leaves, and vendor accounts enabled only while in use. With unique identities in place, the logs from Requirement 10 can show exactly who did what, which is what makes an insider incident or an abused credential traceable to a person.
Requirement 9: Physical access to cardholder data needs to be restricted.
PCI compliance is not only about digital security. When handling sensitive information, the place where it is stored must be secure too, and that includes server rooms, workstations and paper records. The requirement calls for controls at the entry points to sensitive areas (badge readers, locks, staffed reception) and video cameras or access control mechanisms to monitor who enters; visitors must be authorised, given a visibly distinct badge and escorted while in the CDE; and network jacks, wireless access points and handheld devices must be physically protected. Media that holds cardholder data (backup tapes, disks, paper) must be classified, stored securely, tracked when it moves and destroyed when no longer needed. Access logs and camera recordings must be retained for at least three months, unless otherwise restricted by law.
Requirement 10: Track and monitor all access to network resources and cardholder data.
With an audit trail it becomes easy to establish who accessed what data and when, for any point in the past. Logging must cover every individual access to cardholder data, all actions by administrative accounts, access to the audit logs themselves, failed and successful logins, and changes to identification or authentication mechanisms, with each record showing the user, the type of event, the date and time, success or failure, where the event originated and which data or resource was affected. Clocks must be synchronised (NTP) so events from different systems can be correlated, and logs must be protected from alteration and copied promptly to a central log server. Logs from security functions and CDE components must be reviewed at least daily, by a person or an automated tool, so that suspicious activity is acted on quickly, and retained for at least one year with the most recent three months immediately available for analysis.
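As an added example, not code from the original article or from any PCI SSC tooling, here is a small daily log-review job of the kind Requirement 10 asks for. It parses constructed key=value audit lines, checks each record for the fields an audit trail must carry, and raises findings for the patterns a reviewer looks for: card-data access by an identity outside the approved list, card-data access outside business hours, unusually large reads of card data, and bursts of failed logins. The log format, usernames, hosts and thresholds are all assumptions for the demo.

```python
"""Added example (not from the original article): a small daily log-review
job for a cardholder data environment. It parses constructed key=value audit
lines, checks that each record carries the fields PCI DSS expects in an audit
trail (user, event type, timestamp, success/failure, origin, affected
resource), and raises findings for patterns a reviewer looks for: card-data
access by an identity outside the approved list, card-data access outside
business hours, unusually large reads of card data, and bursts of failed
logins. Usernames, hosts, thresholds and the log format are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields every audit record must carry (who, what, when, outcome, where from, on what).
REQUIRED_FIELDS = ("ts", "user", "event", "result", "src", "resource")
APPROVED_CDE_USERS = frozenset({"jsmith", "batch_settle"})  # assumed access list
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC, assumed
BULK_READ_ROWS = 1000           # assumed threshold for a "bulk" read
FAILED_LOGIN_BURST = 5          # assumed threshold for a burst
CARD_RESOURCE = "cards"

# Constructed sample log: one normal read, one large batch read by the
# settlement job, one off-hours bulk read by an unapproved account, six
# failed VPN logins from one address, and one record missing a field.
SAMPLE_LOG = """\
ts=2024-03-04T09:02:11Z user=jsmith event=db_read result=success src=10.0.5.7 resource=cards rows=12
ts=2024-03-04T09:05:40Z user=batch_settle event=db_read result=success src=10.0.5.9 resource=cards rows=850
ts=2024-03-04T02:13:07Z user=tmp_admin event=db_read result=success src=10.0.5.7 resource=cards rows=5000
ts=2024-03-04T11:40:01Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T11:40:03Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T11:40:05Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T11:40:08Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T11:40:10Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T11:40:12Z user=jsmith event=login result=failure src=203.0.113.5 resource=vpn
ts=2024-03-04T12:00:00Z user=jsmith event=db_read src=10.0.5.7 resource=cards rows=3
"""

_TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept, nothing is inferred."""
    return dict(_TOKEN.findall(line))


def review(log_text: str) -> list:
    """Return (line_no, finding_kind, detail) tuples for the whole log."""
    findings = []
    failed_logins = defaultdict(int)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            # A record that cannot answer who/what/when/where is itself a finding.
            findings.append((line_no, "incomplete_audit_record", "missing " + ",".join(missing)))
            continue
        if rec["resource"] == CARD_RESOURCE:
            hour = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            rows = int(rec.get("rows", "0"))
            if rec["user"] not in APPROVED_CDE_USERS:
                findings.append((line_no, "unapproved_cde_access", rec["user"]))
            if hour not in BUSINESS_HOURS:
                findings.append((line_no, "off_hours_card_access", f"{rec['user']} at {rec['ts']}"))
            if rows >= BULK_READ_ROWS:
                findings.append((line_no, "bulk_card_read", f"{rec['user']} read {rows} rows"))
        if rec["event"] == "login" and rec["result"] == "failure":
            key = (rec["user"], rec["src"])
            failed_logins[key] += 1
            if failed_logins[key] == FAILED_LOGIN_BURST:  # alert once per burst
                findings.append((line_no, "failed_login_burst", f"{key[0]} from {key[1]}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in review(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

On the sample log the job flags line 3 three times (unapproved account, off-hours, bulk read), line 8 once when the failed-login count reaches the threshold, and line 10 because it lacks a result field. In a real deployment the same checks would run over the central log server's copy of the logs, never over the originals on the source hosts, and the approved-user list would be generated from the access records kept for Requirement 7 rather than hard-coded.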
Requirement 11: Regularly test security systems and processes.
Attackers are constantly probing for weak links and trying new methods, so you must continuously test your own defences. The standard spells this out: quarterly internal and external vulnerability scans (the external ones by a PCI Approved Scanning Vendor, an ASV) with rescans until the findings are fixed; internal and external penetration tests at least annually and after any significant change, including a test that the network segmentation isolating the CDE actually holds; quarterly checks for rogue wireless access points; intrusion detection or prevention at the CDE perimeter and at critical points inside it; and change detection (file integrity monitoring) on critical system, configuration and content files, with comparisons run at least weekly. Doing this gives you a realistic picture of how your system behaves and where it is weak, so you can close gaps before someone else finds them.
Requirement 12: Address information security throughout your business by creating a policy.
In this final requirement, it is necessary to create, implement, publish and maintain a company-wide information security policy. It should cover employees, management and the third parties (service providers, including your payment gateway and hosting provider) that handle cardholder data on your behalf, with written agreements in which each provider acknowledges responsibility for the data it holds. It should include an annual risk assessment, acceptable-use rules for technology, clearly assigned security responsibilities, a security awareness programme for staff, background checks for personnel who will have access to cardholder data, and an incident response plan that is tested at least annually. The policy should be reviewed at least once a year and updated when the environment changes, so that security lapses do not go unnoticed. Done well, this creates an environment where cardholder data is respected and customer privacy is maintained.
We hope this has given you a solid understanding of PCI DSS compliance and of the standards the industry has set.