Overcoming the complexities of PCI DSS compliance

PCI DSS has been in place for years, but we still see many businesses struggling to achieve compliance with the standard.

Even those that do achieve compliance often struggle to maintain it due to the complexity of the standard itself, since each of the twelve requirements have their own nuances and obligations.

As a Level 1 provider on the Visa Europe Merchant Agent List, we’re often brought in to help businesses understand exactly what they need to do to properly safeguard cardholder data on an ongoing basis.

With that in mind, we’ve broken each requirement down to help you understand some of the common complexities associated with PCI DSS, and how you can overcome them to become – and remain – compliant.

Requirement 1: Install and maintain a firewall to protect cardholder data.

Many businesses understand the importance of installing and maintaining a firewall, but fewer realise that this is just the first step to PCI DSS compliance.

We have a lot of experience in reconfiguring firewalls to help businesses cover their entire IT infrastructure, examine all network traffic regardless of how insignificant it may seem, and block any transmissions that don’t meet specified security criteria. This helps them maintain compliance over time.

Under PCI DSS, businesses must also keep a log of all changes made to the firewall in readiness for mandatory checks every six months.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Forgetting to change vendor default passwords can give businesses a false sense of confidence around the security of their systems. Attackers can, and often do, use these and other system defaults to access shared files and unencrypted cardholder data.

One of the first pieces of advice we often give businesses is to immediately change defaults upon receipt from vendors, and regularly audit their attack surface to confirm whether certain pieces of software are really needed.

Requirement 3: Protect stored cardholder data.

PCI DSS mandates that businesses have audited, end-to-end processes in place to store, transfer and process cardholder data securely. Importantly, this data should only be held if it’s business critical, and if so, the processing system should mask the Primary Account Number (PAN) when it is displayed.
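The PAN masking that Requirement 3 calls for, shown as an added example that is not part of the original article or The Bunker’s own tooling. It masks a PAN for display, never revealing more than the first six and last four digits (the most the standard permits to be shown; a caller may ask for fewer), and it scans free text such as log lines or support tickets for Luhn-valid card numbers that have leaked unmasked, leaving other long digit runs (order numbers, timestamps) alone. The six/four split, the `*` mask character and the candidate regex are assumptions made here; the card numbers in the sample are public test values, not real accounts.

```python
import re

# Display mask limits: PCI DSS permits at most the first six and last four
# digits of a PAN to be shown. Assumption for this example: '*' is the mask.
MAX_FIRST = 6
MAX_LAST = 4


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = MAX_FIRST, keep_last: int = MAX_LAST) -> str:
    """Return the PAN with only the leading/trailing digits visible.

    Raises ValueError for input that is not a plausible PAN, so a caller never
    silently displays a half-masked string that was not a card number.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    keep_first = min(keep_first, MAX_FIRST)   # never exceed what the standard allows
    keep_last = min(keep_last, MAX_LAST)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


# 13-19 digits, optionally separated by spaces or hyphens, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_text(text: str):
    """Mask every Luhn-valid PAN found in free text (log lines, receipts, tickets).

    Returns (redacted_text, number_of_pans_masked).
    """
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)   # long digit run that is not a card number, e.g. an order id

    return PAN_CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    # Constructed sample log line using a public test card number, not a real account.
    sample = "2019-03-01 checkout user=jdoe pan=4111 1111 1111 1111 order=1234567890123456"
    print(redact_text(sample))
```

The Luhn check matters in the scanner: without it, every sixteen-digit order or ticket number would be rewritten, and operators would quickly learn to ignore the tool. The `min()` guards in `mask_pan` mean a misconfigured caller can ask to show fewer digits than the standard allows but never more.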

 

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

We’ve worked with several organisations that believed the minimum was enough when it came to encryption, but approved standards such as TLS 1.1 only apply to one point in time, and relying on these can still leave data exposed.

We’ve helped multiple businesses to put encryption at the heart of their security strategies by mapping data entry and exit points both internally and throughout their supply chain. This helps to ensure that sensitive information is encrypted whether at rest or in transit, supporting ongoing compliance with PCI DSS.

Requirement 5: Use and regularly update antivirus software or programs.

Although many businesses already have antivirus software in place, some still fall foul of malware and other threats by failing to ensure that it is regularly updated and tested. This ongoing maintenance is essential for PCI DSS compliance – especially with new threats emerging on a daily basis.

For many businesses, this is a job that they don’t have time to treat as a priority, which is why clients often pass the responsibility to us.

Requirement 6: Develop and maintain secure systems and applications.

Many organisations we’ve worked with see developing and maintaining secure systems and applications as a complex process, partly because organisations define ‘secure’ differently, and partly because of a lack of interest from board members.

Implementing robust processes here is important. This is where we often come in to help businesses categorise vulnerabilities, carry out security reviews of code and ensure that an auditable trail is left to track changes.

Requirement 7: Restrict access to cardholder data by business need-to-know.

Left unchecked, businesses can quickly lose track of who has access to private information. While helping one retailer investigate multiple credit card fraud incidents, we found that some employees were trusted to access the Cardholder Data Environment (CDE) just because they had worked there for a long time.

Under PCI DSS, it’s vital that businesses have a tighter grip on access to cardholder data. This can be achieved by implementing Role Based Access Control (RBAC), which restricts unnecessary exposure by assigning access according to an individual’s role.

Requirement 8: Assign a unique ID to each person with computer access.

Some businesses we encounter believe that they will be sacrificing productivity for security by reducing employee access to databases through unique IDs, but this doesn’t have to be the case.

By implementing clear policies and procedures, we’ve helped many organisations track exactly who has access to data, issue unique access codes to suppliers, and implement two-factor authentication to further secure their perimeter.
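Requirements 7 and 8 together amount to deny-by-default access that is tied to an individual’s unique ID and leaves an audit trail of every decision. The following is an added illustration of that pattern, not code from the article or from The Bunker: roles map to explicit (action, resource) permissions, users map to roles by unique ID, anything not granted is refused, and each decision is recorded so that a periodic review of who can reach the CDE is a query rather than a guess. The roles, user IDs and resource names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> set of (action, resource) permissions. Anything not listed is denied.
# Constructed for this example; real roles come from the business's own access model.
ROLE_PERMISSIONS = {
    "payments-analyst": {("read", "cde/transactions")},
    "cde-admin": {("read", "cde/transactions"), ("write", "cde/config")},
    "marketing": {("read", "crm/campaigns")},
}

# Unique user ID -> roles. One ID per person, no shared or generic accounts (Requirement 8).
USER_ROLES = {
    "jdoe-00123": {"payments-analyst"},
    "asmith-00456": {"cde-admin"},
    "bking-00789": {"marketing"},
}


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    action: str
    resource: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def authorize(self, user_id: str, action: str, resource: str) -> bool:
        """Return True only if one of the user's roles explicitly grants (action, resource).

        Every decision, allowed or denied, is appended to the audit log against
        the individual's unique ID.
        """
        roles = USER_ROLES.get(user_id)
        if roles is None:
            allowed, reason = False, "unknown user id"
        else:
            granting = [r for r in roles
                        if (action, resource) in ROLE_PERMISSIONS.get(r, set())]
            allowed = bool(granting)
            reason = (f"granted by role {granting[0]}" if allowed
                      else "no role grants this permission")
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, action, resource, allowed, reason))
        return allowed


def cde_access_review(prefix: str = "cde/") -> dict:
    """List, per user ID, the roles that give any access to CDE resources.

    This is the periodic 'who can reach cardholder data' review that keeps
    long-serving staff from accumulating access nobody remembers granting.
    """
    review = {}
    for user_id, roles in USER_ROLES.items():
        cde_roles = {r for r in roles
                     if any(res.startswith(prefix) for _, res in ROLE_PERMISSIONS.get(r, set()))}
        if cde_roles:
            review[user_id] = cde_roles
    return review


if __name__ == "__main__":
    ac = AccessController()
    ac.authorize("jdoe-00123", "read", "cde/transactions")
    ac.authorize("bking-00789", "read", "cde/transactions")
    for event in ac.audit_log:
        print(event)
    print(cde_access_review())
```

The important property is that the permission table is the only place access is granted; there is no "allow if the user has been here a long time" path, and the review function reads the same table the enforcement code does, so the list it produces is what is actually enforced.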

 

Requirement 9: Restrict physical access to cardholder data.

Restricting physical access to cardholder data is often overlooked when it comes to PCI DSS, but failing to address this requirement can undo all the hard work that organisations put in to secure their IT estates.

If, unlike us, you don’t have access to an underground bomb-proof nuclear bunker to house your data in, it’s worth starting with a full audit of where cardholder data is physically held, along with how it’s transferred and destroyed – including on USBs.

Requirement 10: Track and monitor all access to network resources and cardholder data.

Many organisations simply track access to network resources, but it’s essential to analyse and log the traffic, too.

This enables businesses to respond to an issue on the network via an automated Security Information and Event Management (SIEM) system, or following dedicated analysis. Such systems should be upgraded or modified regularly to suit businesses’ changing needs over time.

Requirement 11: Regularly test security systems and processes.

Businesses can struggle to build the knowledge and skills necessary to test their systems against new threats, and the increasing complexity of legacy systems combined with new assets only serves to compound the issue.

We spend a lot of time educating organisations on the need to test security systems at least quarterly through both internal and external vulnerability scans, and to conduct penetration tests annually, as a minimum. Once a vulnerability or issue is identified, we also help businesses put procedures in place to escalate it and respond appropriately.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

We’ve found that the final requirement of PCI DSS can also be one of the most complex for businesses to understand and implement. Maintaining a robust policy that addresses information security for employees and contractors – and ensuring that everyone adheres to it – is often seen as an insurmountable task.

A lot of our work is focussed on businesses becoming aligned with other standards such as ISO27005 and ISO27001 to build a clear framework and simplify the journey to PCI DSS compliance.

Still unsure of how to be PCI DSS compliant?

PCI DSS is complex, but businesses that treat it as a tick-box exercise will only endure more problems down the line. To ensure ongoing compliance, it’s vital to understand both the fundamentals and the finer points of each requirement, and how these should be maintained over time.

We are currently offering a free one-hour risk assessment, conducted over the phone by one of our PCI DSS specialists, to help you establish a clearer picture of your current situation and risks, and the opportunities that compliance can bring to your business. Our compliance experts are always on hand to help you rationalise your scope of PCI compliance, implement QSA processes and assist in your compliance journey with our range of services, which have been designed around the standard.

Download our whitepaper here to find out what the impact of non-compliance with PCI DSS can look like, and see some war stories from those who have fallen foul.

The price of PCI non-compliance in a post-GDPR world

Despite monetary penalties being long-established for non-compliance with PCI DSS, it is only in the eight months following the introduction of the General Data Protection Regulation (GDPR) that businesses have truly started to pay attention to the potential cost of inadequate data security.

Although GDPR was brought in to properly safeguard the collection and processing of sensitive personal information as a whole, and PCI DSS was specifically designed to protect payment card data, there is some cross-over that it is important to recognise.

With payment card data falling under personally identifiable information (PII), any breach involving this type of data will now not only contravene PCI DSS requirements, but could also result in companies being given a potentially devastating fine from the Information Commissioner’s Office (ICO) under GDPR.

The fast-paced evolution of the payment industry, and the technology it is built on, is making it increasingly difficult for organisations that collect, store and process payment card data to achieve compliance. It is therefore more important than ever to understand PCI DSS and its relationship with GDPR in order to avoid having to face the music for security negligence.

The cost of non-compliance

We recently analysed all non-marketing-related ICO fines issued between 2015 and 2018 involving breached financial information, to highlight the importance of compliance with PCI DSS now that GDPR is in force.

Overall, this research revealed that these fines could have risen from £1.74 million to nearly £889 million under GDPR.

In one case, an organisation was fined £400,000 for simply neglecting to update its database software – this could have very easily equated to a cumbersome £71.3 million under current regulations.

Another saw hackers exploiting a vulnerability that went unnoticed, resulting in a £500,000 bill – the highest fine that could be issued by the ICO at the time, which could now equate to £102 million when taking the company’s global turnover into consideration.

These fines resulted in both a financial and reputational hit for the companies involved and, what’s worse, implementing a few simple security measures could’ve prevented many of these breaches in the first place.

The bigger picture

As data security remains centre stage, it’s clear that basic security measures are still being missed. Businesses therefore need to place a renewed focus on creating robust security defences that cover the right areas – and complying with PCI DSS is a vital avenue to follow for those that handle cardholder data.

Maintaining continuous compliance with PCI DSS can be a complex process, but putting the necessary measures in place will not only safeguard your customers and your reputation, it can also result in other dividends for your organisation.

Since the requirements of PCI DSS offer an end-to-end approach to keeping information safe and cover people, processes and technology, its principles can be applied to a wide range of different data sets.

Embedding these technical controls into your business can therefore hugely improve the security of all types of data across your organisation, helping to lay the necessary foundations needed to comply with GDPR and other compliance mandates.

But PCI DSS and implementing robust security measures are problem areas that businesses are still struggling to tackle, often because they try to go it alone.

Our PCI DSS experts at The Bunker know the standard inside out, and can work with your business to help you understand how to satisfy each requirement, while enhancing overall security to meet further regulations.

Download our whitepaper here to find out more about the penalties you could face and what you can do to make your PCI DSS compliance journey as smooth as possible.

PCI DSS compliance explained

Most organisations are aware of the importance of the Payment Card Industry Data Security Standard (PCI DSS), a set of regulations introduced to tackle credit card fraud in the early 2000s. What might not be as clear, however, is exactly what this standard entails and the considerations that organisations need to make in regard to it – an issue exemplified by the drop in PCI DSS compliance over the last twelve months, reported in Verizon research.

What is PCI DSS?

The mistake that some organisations make is seeing PCI DSS as a tick-box exercise, rather than as an ongoing process which requires continual improvement. In reality, it necessitates careful consideration to ensure that your organisation is – and remains – compliant. Failure to do so can result in hefty fines or a damaged reputation.

Being compliant with PCI DSS means that the people, processes and technologies within your organisation must all be driven by security, creating an environment that can handle payment details securely.

Does it apply to me?

As PCI DSS is such a far-reaching standard, it can often be difficult for organisations to know whether it applies to them in the first place.

Put simply, PCI DSS applies to any business that stores, processes or transmits cardholder data. More generally, this means that PCI DSS applies to merchants, payment processors, payment gateways or ecommerce providers. If you handle payment details of any kind, then PCI DSS will apply to you.

It’s also worth noting that PCI DSS is just one of three security standards, each of which has separately defined applications:

1. PCI PTS, which applies to manufacturers and PIN entry devices
2. PCI PA DSS, which applies to software developers and payment applications
3. PCI DSS, which applies to merchants, service providers and secure environments

Even if PCI DSS doesn’t apply to your organisation specifically, being compliant with the standard can still be beneficial, since it can help towards compliance with other regulations, including GDPR, and also highlights that your business prioritises the safety and security of the data it handles.

What do I need to consider?

PCI DSS is complex. There are many facets to the standard that organisations will need to consider to ensure compliance – from the physical security of cardholder details, to the continuous testing necessary to ensure that systems remain secure.

It’s also essential that security is prioritised when storing, transferring or handling data in order to comply with PCI DSS regulations. Just as vital is making sure that everyone in your organisation is on board and well versed in exactly what PCI DSS is, as well as what is required to remain compliant with the standard.

It’s worth noting that since cardholder data can be passed from pillar to post in the process of a transaction, tracking exactly who and what has access to this data at any given time is essential under PCI DSS regulations.

PCI DSS spans your entire IT estate, both physically and digitally, so there isn’t a one-size-fits-all solution to the regulation – it may require large scale changes to guarantee compliance, and many organisations often struggle to succeed with this in-house.

With so many things to consider, organisations often don’t have the capacity to effectively tackle PCI DSS singlehandedly. At The Bunker, our team have a decade of experience in guiding companies to full PCI DSS compliance.

We work closely with organisations to ensure that the process of meeting the standard is simple and straightforward, giving peace of mind and compliance guaranteed.

To find out more about PCI DSS, and the impact of non-compliance, as well as the most common challenges we’ve seen and how we can support your compliance journey – download our whitepaper here.

PSD2 Is A Disruptive Game Changer And Success Depends On Security, Privacy And Trust

A game-changer

There is no shortage of finance industry news, media and special interest group information about the revised Directive on Payment Services, and for good reason. The revised Directive on Payment Services – or PSD2 – is a game-changer for the financial sector, including the Payment Card Industry (PCI).

A brief recap of the PSD story so far…

The aim of the original Directive on Payment Services (PSD), adopted in 2007, was closely aligned with the EU’s wider economic vision: to create a single market for payments within the European Union. PSD:

  • Created the rules and guidelines for modern payment services across the EU
  • Simplified payments and processing across the EU
  • Was intended to promote competition by opening payments up to new entrants
  • Set an agenda for payment efficiency, innovation and reduced cost
  • Provided the legal platform for SEPA or Single Euro Payments Area

Building on PSD, the revised Payment Services Directive (PSD2), proposed by the European Commission in 2013, is more ambitious, aiming to create a level playing field.

The process by which it became law does seem protracted, which says something about the UK’s current debate on its existing relationship with the EU and its continuing membership. PSD2 was:

  • Thrashed out by 28 different governments within the EU over some two years
  • Formally adopted by vote in the European Parliament on 08 October 2015
  • Published in the Official Journal of the EU on 23 December 2015
  • Entered into force on 12 January 2016

Where are we now?

The deadline for member states to transpose PSD2 into national legal and regulatory frameworks is 13 January 2018. This enshrines the objectives of the new legislation within the laws of individual countries. In the UK this provides the Financial Conduct Authority (FCA) with an enforceable set of compliance standards to achieve PSD2’s objectives:

  • Standardising, integrating and improving payment efficiency across EU states
  • Harmonising pricing and improving the security of payment processing across the EU
  • Providing better consumer protection
  • Encouraging innovation and reducing costs
  • Creating a level playing field and enabling new entrant payment service providers
  • Incorporating emerging payment methods such as mobile payments
  • Bringing new and emerging payment services under regulatory control

What changes does PSD2 bring?

There are three key changes that result from the implementation of PSD2:

  • Third party Access to Accounts (XS2A)
    • E-commerce providers take online or mobile payment directly from a consumer’s bank account without going via PCI intermediaries; this is known as Trusted Third Party Account Access, defined by the acronyms: TPP (Third Party Payment) and XS2A (Access to Accounts)
  • The use of APIs to take payment
    • The use of an Application Programming Interface (API) to enable payment by directly connecting the merchant and the bank
  • The ability to consolidate account information in a single portal
    • An API enables a new type of financial services company – an Account Information Service Provider or AISP – which aggregates account information to let consumers with multiple banks view all bank details in one portal

What PSD2 means for… The PCI and developers

PSD2 is an alternative, direct payment business model which is disruptive to the PCI. It carries a significant threat of disintermediation to third-party payment intermediaries. This creates a need for change, forcing PCI intermediaries to become more innovative.

PSD2 supports the expansion of the market for two key service provider roles. Intermediaries in the PCI industry may be good candidates for adopting roles as either an:

  • Account Information Services Provider (AISP)
    • To offer online services providing a consolidated view of a user’s payment accounts from across one or more payment service providers
  • Payment Initiation Services Provider (PISP)
    • Initiating payment transactions requested by the user from an account held at another payment service provider

What PSD2 means for… E-commerce and merchants

For e-commerce and other merchants this diversifies payments away from established payment gateways, card schemes and PCI networks. This eliminates costs for card schemes and other intermediaries in the PCI ecosystem.

  • The current ‘pull’ model means merchants ‘call’ for payment via a card scheme
  • An open Application Program Interface (API) communicates directly with the payer’s bank or via a third party payment initiator
  • Effectively, online payments are moving to a ‘push’ model – money is taken from a customer account via APIs and transferred to the merchant’s account

What PSD2 means for… Banks

Banks sit in a position of significant power in the new PSD2 payment model. However, industry analysts note that the new suite of externally published APIs, required to open up the market to new entrants (TPPs – AISPs and PISPs), is likely to cause a significant departure from the ‘hub and spoke’ model which has traditionally governed the relationship between centralised data and the internal distribution channels within banking organisations.

Banks will have to ensure they implement PSD2 in line with compliance requirements and the layers defined by the Open Banking Technical Standards being developed by the Open Banking Working Group (OBWG).

What PSD2 means for… Consumers

For consumers, the implementation of PSD2 by-passes card schemes and the supporting network of intermediaries in the PCI ecosystem. This:

  • Eliminates card payment processing costs to merchants, presenting them with the opportunity to pass the savings to consumers…
  • Means dissatisfaction with the card payments is likely to become a thing of the past!
  • Requires consumers to consent to merchants taking payments from bank accounts directly via APIs
  • Creates a need for explicit consent by consumers to let TPPs use data for marketing purposes

PSD2 may be a new model but it’s still about an old value: Trust

There is little doubt that the effect of PSD2 will be tectonic. For the first time ever, banks are able to do away with intermediaries, allowing the ecommerce provider to take monies directly from a consumer’s account via an API. This is a fundamental shift in how the payments system works and it will have a huge impact on standards across the board.

For all stakeholders, the single most important aspect of PSD2 is trust. Consumer confidence in privacy and security must be protected at all costs. The same applies for preventing unscrupulous or prejudicial practices by the members of the PSD2 community.

Consumers will need to give their explicit consent to allow certain levels of bank account information to be made available through the APIs to the TPP businesses, AISPs and PISPs.

However, with consumer consent, TPPs have the opportunity to bring together key bank data, including income, purchasing history and debt repayments, to obtain a 360-degree view of the consumer. This includes the credit risk of each individual, as well as their likes and dislikes from the product and service marketing perspective.

Such a dataset presents huge commercial opportunities, such as cross-selling. However, consumers are unlikely to jump at the chance of giving their permission simply so that they can be sold to more efficiently and effectively.

The industry will need to identify a strong value proposition to ensure consumer buy-in. Above all, consumers must trust the system is secured against fraud and that data cannot be misused.

Whatever the specific trials and tribulations for the PCI, developers, banks and merchants, the overarching challenge for everyone in the industry is in securing consumer trust by adopting an exemplary approach to privacy and data security.