The Silver Lining In Your Cloud TM

Meeting the 12 Major Controls for PCI DSS Compliance: Part 1

The Payment Card Industry data security standard (PCI DSS) is the global standard used by all the major payment card brands for every entity that processes, stores, or transmits cardholder data.

The overall goal of the PCI standard is to protect the privacy of cardholder information so that it cannot be misused by thieves.

In keeping with this goal, the PCI data security standard has a list of 12 major requirements, or controls, that companies processing cardholder data must adhere to.Failure to adhere to these 12 major controls for PCI compliance can have severe consequences for businesses.

One Forbes article highlights how “Target’s profits dropped $440 million in the fiscal fourth quarter following their hack fiasco” where millions of cardholder accounts were compromised.

Considering the damage that a failure to meet the data security requirements of PCI can cause, it’s vital for companies to build a thorough strategy for meeting them all.

Here are the first four requirements as stated in the Quick Reference Guide, and some tips for how to meet them:

Requirement #1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

The first requirement of PCI DSS compliance seems self-explanatory, but it’s important to remember that the firewall needs to meet specific compliance requirements. It’s not enough just to have a firewall—that firewall needs to:

  1. Have a configuration with established standards to formalize testing when said configuration changes and can identify all connections in the network to cardholder data.
  2. Ensure that the configuration of the routers and firewalls restrict all external, “untrusted,” networks and hosts except for those protocols which are absolutely necessary for the data environment.
  3. Prevent direct public access between the Internet and any system component in the cardholder data environment.
  4. Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet and may be used to access the organization’s network.

To meet these requirements takes more than just a strong perimeter firewall (which doesn’t hurt), it takes strong internal firewalls for individual devices that are part of the network and a router access structure that restricts the possible points of entry that a hacker might use to break into the system from the outside.

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

The necessity of strong passwords should be drilled into each and every employee in every organization that handles payment card information. Meeting this particular requirement is often less a matter of the technology used by the company, and more an issue of internal security policies.

When deploying any new technology or adding authorized user accounts to a network, organizations should force a mandatory password change ASAP. Default passwords assigned by vendors are often very easy to guess, creating a severe weakness in the network’s security.

New users should be prompted to create a new password for their accounts on first log-in, with automatic enforcement of strong password rules such as:

  • Required minimum character counts (8 or more)
  • Mandatory use of uppercase & lowercase letters, numbers, and symbols (at least one each)

Before deploying any new system, its default password should also be replaced using the above rules.

Requirement 3: Protect Stored Cardholder Data

This is one of the broadest rules for PCI compliance, and the PCI data security council recommends that “in general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business” in their reference guide. In particular, they state that “sensitive data on the magnetic stripe or chip must never be stored.”

Storing cardholder data such as primary account numbers (PANs), expiration dates, service codes, and cardholder names adds severe risks to the cardholder’s privacy. Organizations storing such data must take strong measures to keep this data secure.

One of the main provisions for storing data such as a PAN is that the number must be rendered unreadable wherever it is stored. This can be done in several ways, such as:

  • Truncating the PAN to just the first six or last four digits
  • Using index tokens with “securely stored pads”
  • Encrypting the card number entirely

Encryption of all PAN data-at-rest and in flight is perhaps the best solution, as it keeps thieves from being able to read the data unless they can crack the encryption key, which will at least create a delay that businesses can use to alert customers to take identity protection measures such as canceling their compromised cards.

When using encryption, encryption keys should be kept secure from outsider access. All processes and procedures for protecting these keys should be fully documented.

At no point should any authentication information such as CVVs or PIN codes ever be stored in any form, encrypted or not.

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

When transmitting data over any kind of public network that connects to the internet, there is a risk that hackers may be able to intercept the transmission and the data contained therein. This is a massive concern when transmitting PAN data, which is why the data security standard for PCI requires all cardholder data to be encrypted during transmission.

A powerful data-in-flight encryption tool is a must for sending and receiving cardholder data in any business. Specifically, the PCI data security council recommends using “strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission.”

Using industry-leading encryption solutions that go above and beyond the standards set for by the PCI data security standard can help to further protect cardholder data, and your organization’s reputation.

Again, if you’d like to learn more about the specific requirements as set forth, please check out the Quick Reference Guide.

This series will continue with requirements 5-8.