
Continued from Part 1, which detailed PCI DSS compliance controls 1-4:
Requirement #5: Use and Regularly Update Antivirus Software or Programs
Antivirus (or anti-malware) security software is one of the most common protections against malicious software and intrusion attempts. Every business environment should have a basic anti-malware program that can scan email attachments, links, and websites for malicious software that could be used to compromise the business’ network.
To remain effective against newer malware, the antivirus program a business uses should be continuously updated with the latest security patches and threat signatures. Attackers often rely on older, well-known vulnerabilities, and an unpatched antivirus application leaves those weaknesses open to attack.
Specifically, the PCI compliance requirement states that businesses handling payment card data need to:
- Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
- Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs. (1)
The audit log requirement is particularly important, as it goes towards filling out the traceability requirements of many security compliance standards beyond PCI.
Here, businesses have a variety of antivirus products to choose from. Whichever one a business uses should be suited to the architecture its infrastructure runs on. For example, a heavily virtualized infrastructure may be better served by an agentless antivirus solution than by a traditional setup that installs and runs a full agent on every machine in use.
A managed cloud service that automates patching and updating of the AV program can reduce the complexity of this task and save internal resources.
Requirement #6: Develop and Maintain Secure Systems and Applications
This is another requirement with very broad wording. The overall goal of this major control for PCI data security standard compliance is to eliminate key system vulnerabilities that attackers could exploit to access primary account numbers (PANs) or other sensitive cardholder data.
Key requirements of this control include:
- Staying up to date with the latest vendor-supplied security patches for all systems and components. Critical patches should be applied within one month of release.
- Establishing a process to identify and rank new security vulnerabilities as they’re discovered. The PCI DSS compliance checklist recommends basing these rankings on “industry best practices and guidelines.”
- Developing all software applications (internal or external) in accordance with PCI DSS requirements and industry best practices. Security should be built in throughout the development cycle.
- Following change control processes and procedures for all changes to any system component.
- Developing applications based on secure coding guidelines. All custom coding should be reviewed for coding vulnerabilities according to best practices in the industry.
- Keeping all public-facing web applications (such as APIs) protected against known attack methods by using vulnerability reviews, by installing web application firewalls, or both. Doing both is better than relying on one alone.
While the title of the requirement itself could be interpreted very broadly, the specifics of this rule mostly demand diligence from companies when it comes to spotting and remediating potential system vulnerabilities.
Managed cloud service providers can often take over the task of running security patches, but internally-developed applications are going to require exhaustive penetration testing and security reviews.
Requirement #7: Restrict Access to Cardholder Data by Business Need to Know
Generally speaking, the more people in an organization that are able to access a specific data set, the less secure it is. This control requirement is designed to limit the exposure of cardholder data by making sure that only those who need cardholder data to fulfill their job requirements have access to it.
Under this rule, companies are required to do two specific things:
- Limit access to system components and cardholder data to only those individuals whose job duties require this access.
- Create an access control system for components with multiple users that restricts access based on user need to know, and is set to deny all access unless specifically allowed.
Here, having a system that enables role-based access rules for users can be very helpful in meeting compliance requirements.
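The "deny all unless specifically allowed" rule above, as an added example (not code from the article or from the PCI standard): a role-based check that grants access only when a role explicitly lists the (resource, action) pair, denies everything else, and records every decision for audit. The roles, resource names, user assignments and log format are constructed assumptions.

```python
"""Added example: deny-by-default, role-based access check for cardholder data.
Roles, resources and the audit record shape are assumptions, not PCI DSS text."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Explicit allow-list per role. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "cashier":    frozenset({("pos_transaction", "create"), ("pan_masked", "read")}),
    "chargeback": frozenset({("pan_masked", "read"), ("pan_full", "read")}),
    "db_admin":   frozenset({("cde_db", "backup"), ("cde_db", "restore")}),
}


@dataclass
class AccessDecision:
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    user_roles: Dict[str, FrozenSet[str]]
    audit_log: List[AccessDecision] = field(default_factory=list)

    def check(self, user: str, resource: str, action: str) -> bool:
        """Return True only if one of the user's roles explicitly grants (resource, action)."""
        for role in self.user_roles.get(user, frozenset()):
            if (resource, action) in ROLE_PERMISSIONS.get(role, frozenset()):
                self._record(user, resource, action, True, f"granted by role '{role}'")
                return True
        # Default deny: unknown users, unknown roles and unlisted permissions all end here.
        self._record(user, resource, action, False, "no role grants this permission")
        return False

    def _record(self, user: str, resource: str, action: str, allowed: bool, reason: str) -> None:
        self.audit_log.append(AccessDecision(user, resource, action, allowed, reason))


# Constructed sample user-to-role assignments.
acl = AccessControl(user_roles={
    "alice": frozenset({"cashier"}),
    "bob":   frozenset({"chargeback"}),
})
```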
Requirement #8: Assign a Unique ID to Each Person with Computer Access
Most companies have a system for assigning user access that includes a unique user ID. At face value, this requirement sounds easy to meet, but there are a few specific rules that could be deceptively tough to meet.
As noted in the PCI Data Security Standard reference guide, companies have to do the following to meet the rules of this requirement:
- Assign all users a unique user name before allowing them to access system components or cardholder data.
- Employ at least one of three types of authentication:
  - Something that is privileged knowledge, such as a password
  - A physical authentication device, such as a token device or smart card
  - A biometric verification of identity, such as fingerprint scanning
- Enact two-factor or stronger authentication for remote access to the network by employees and third parties. These factors cannot be a repeat of the same authentication types (e.g. cannot use two passwords, even if they’re different).
- Ensure that all stored user account passwords are rendered unreadable during storage and transmission on all system components by protecting them with strong cryptography.
- Enact proper user identification and authentication management for non-consumer users and administrators on all system components.
Although the broad, top-level requirement sounds simple, there are a lot of things that companies need to do to meet the rules for controlling access and verifying user identity.
Additionally, these requirements apply to ALL user accounts, including point of sale accounts as well as any accounts with access to stored cardholder data.
This requirement gives companies several options for meeting each of its rules. However, to create the most secure user accounts, companies should go above and beyond the minimum requirements outlined in the guide.
For instance, rather than enacting two-factor authentication for just remote access to the network, apply two-factor or better authentication rules for all access points.
Furthermore, any passwords used should meet minimum strength requirements such as being 8 or more characters long with capital and lowercase letters, numbers, and symbols included in each password.
By meeting or exceeding these requirements, businesses can enable easier tracking of all actions in the cardholder data environment to specific authorized users. This is a must for spotting illicit access activities and tracing the problem to its source.
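To make the Requirement 8 rules above concrete, here is an added example (not code from the article or from the PCI standard) with three checks: that a multi-factor setup really combines two distinct factor categories rather than two passwords, that a password meets the strength rule stated above, and that a stored credential is kept unreadable with a salted PBKDF2 hash instead of the plaintext. The factor-category table, policy constants and sample credentials are assumptions.

```python
"""Added example: factor-type distinctness, password policy and unreadable
credential storage for Requirement 8. Category table and constants are assumptions."""
import hashlib
import hmac
import os
import string
from typing import Iterable, List, Optional, Tuple

# The three authentication categories named in the text; mechanism names are assumed.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge",
    "smart_card": "possession", "hardware_token": "possession",
    "fingerprint": "inherence",
}


def is_true_multifactor(factors: Iterable[str]) -> bool:
    """Two passwords are not two factors: require at least two distinct categories."""
    return len({FACTOR_TYPE[f] for f in factors}) >= 2


def password_meets_policy(pw: str, min_len: int = 8) -> Tuple[bool, List[str]]:
    """Apply the strength rule from the text: length, upper, lower, digit, symbol."""
    failures: List[str] = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len}")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    return (not failures, failures)


def hash_password(pw: str, salt: Optional[bytes] = None, rounds: int = 600_000) -> Tuple[bytes, bytes]:
    """Store a per-user salt and a PBKDF2-HMAC-SHA256 digest, never the password itself,
    so a copied credential table is unreadable (assumed to satisfy the storage rule)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes, rounds: int = 600_000) -> bool:
    """Recompute the digest for the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)
```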
This series will conclude with Part 3, which covers rules 9-12.