Overcoming the complexities of PCI DSS compliance

Posted by Chris Scott

PCI DSS has been in place for years, but we still see many businesses struggling to achieve compliance with the standard.

Even those that do achieve compliance often struggle to maintain it, because each of the twelve requirements has its own nuances and ongoing obligations.

As a Level 1 provider on the Visa Europe Merchant Agent List, we’re often brought in to help businesses understand exactly what they need to do to properly safeguard cardholder data on an ongoing basis.

With that in mind, we’ve broken each requirement down to help you understand some of the common complexities associated with PCI DSS, and how you can overcome them to become – and remain – compliant.


Requirement 1: Install and maintain a firewall to protect cardholder data.

Many businesses understand the importance of installing and maintaining a firewall, but fewer realise that this is just the first step to PCI DSS compliance.

We have a lot of experience in reconfiguring firewalls to help businesses cover their entire IT infrastructure, examine all network traffic regardless of how insignificant it may seem, and block any transmissions that don’t meet specified security criteria. This helps them maintain compliance over time.

PCI DSS also requires a documented change-control process for every firewall change, and a review of firewall and router rule sets at least every six months, so keep a log of all changes in readiness for those reviews.


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Forgetting to change vendor default passwords can give businesses a false sense of confidence around the security of their systems. Attackers can, and often do, use these and other system defaults (default accounts, SNMP community strings, unneeded services) to access shared files and unencrypted cardholder data.

One of the first pieces of advice we often give businesses is to immediately change defaults upon receipt from vendors, and regularly audit their attack surface to confirm whether certain pieces of software are really needed.


Requirement 3: Protect stored cardholder data.

PCI DSS mandates that businesses have audited, end-to-end processes in place to store, transfer and process cardholder data securely. Stored cardholder data should be kept to the minimum the business actually needs, with a defined retention period and a secure disposal process, and sensitive authentication data (full track data, card verification codes and PINs) must never be stored after authorisation. Where the Primary Account Number (PAN) is displayed it must be masked so that at most the first six and last four digits are visible, and wherever it is stored it must be rendered unreadable, for example by strong encryption, truncation or a keyed hash.
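As a worked example of the display-masking rule, and of keeping full PANs out of places they should never be held (such as application logs), the following Python is an added illustration and not code from the original article or from Xpertise. It assumes a simple key=value log format and uses the well-known test card numbers 4111 1111 1111 1111 and 5555 5555 5555 4444 as constructed input; the regex and the Luhn check are a heuristic for spotting PAN-shaped values, not a substitute for a data-discovery tool.

```python
import re

# PCI DSS Requirement 3.3: when a PAN is displayed, show at most the first six
# and last four digits. These are maxima, not targets; show fewer where you can.
MAX_LEADING = 6
MAX_TRAILING = 4

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits."""
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + "*" * hidden + digits[len(digits) - trailing:]


def redact_pans(text: str) -> str:
    """Replace Luhn-valid PAN candidates in free text (e.g. a log line) with the masked form.

    Values that look like a PAN but fail the Luhn check (order numbers, references)
    are left untouched so that redaction does not destroy unrelated data.
    """
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)

    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: a log line a payment service should never have written.
# The 16-digit "ref" value is not Luhn-valid and must survive redaction intact.
SAMPLE_LOG_LINE = (
    "2024-03-01T10:15:02Z order=88231 pan=4111 1111 1111 1111 "
    "ref=1234567890123456 status=approved"
)

if __name__ == "__main__":
    print(mask_pan("5555 5555 5555 4444"))
    print(redact_pans(SAMPLE_LOG_LINE))
```

The masking function refuses to show more than the Requirement 3.3 maximum, so a caller cannot accidentally relax the rule; tightening it (for example `leading=0`) is always allowed.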


Requirement 4: Encrypt transmission of cardholder data across open, public networks.

We’ve worked with several organisations that believed the minimum was enough when it came to encryption. But an approved protocol version is only approved at a point in time: SSL and early TLS were once acceptable and have since been deprecated by the PCI SSC, TLS 1.0 and 1.1 have been formally deprecated by the IETF (RFC 8996), and TLS 1.2 or higher with strong cipher suites is now the expected baseline. Relying on yesterday’s minimum can still leave data exposed.

We’ve helped multiple businesses to put encryption at the heart of their security strategies by mapping every point where cardholder data enters or leaves their systems, including links to suppliers and other third parties. This helps to ensure that sensitive information is encrypted whether at rest or in transit, and supports ongoing compliance with PCI DSS.


Requirement 5: Use and regularly update antivirus software or programs.

Although many businesses already have antivirus software in place, some still fall foul of malware and other threats by failing to ensure that it is regularly updated and tested. This ongoing maintenance is essential for PCI DSS compliance – especially with new threats emerging on a daily basis.

For many businesses, this is a job that they don’t have time to treat as a priority, which is why clients often pass the responsibility to us.


Requirement 6: Develop and maintain secure systems and applications.

Developing and maintaining secure systems and applications has been seen as a complex process by many organisations that we’ve worked with, partly because organisations define ‘secure’ differently, and partly because of a lack of interest from board members.

Implementing robust processes here is important. This is where we often come in to help businesses categorise vulnerabilities, carry out security reviews of code and ensure that an auditable trail is left to track changes.


Requirement 7: Restrict access to cardholder data by business need-to-know.

Left unchecked, businesses can quickly lose track of who has access to private information. While helping one retailer investigate multiple credit card fraud incidents, we found that some employees were trusted to access the Cardholder Data Environment (CDE) just because they had worked there for a long time.

Under PCI DSS, it’s vital that businesses have a tighter grip on access to cardholder data. This can be achieved by implementing Role Based Access Control (RBAC), which assigns access according to an individual’s job function, defaults to deny, and so removes exposure that has no business justification.


Requirement 8: Assign a unique ID to each person with computer access.

Some businesses we encounter believe that replacing shared or generic accounts with a unique ID for every user means sacrificing productivity for security, but this doesn’t have to be the case.

By implementing clear policies and procedures, we’ve helped many organisations track exactly who has access to data, issue unique credentials to suppliers, and implement multi-factor authentication for remote access and for administrative access to the cardholder data environment.


Requirement 9: Restrict physical access to cardholder data.

Restricting physical access to cardholder data is often overlooked when it comes to PCI DSS, but failing to address this requirement can undo all the hard work that organisations put in to secure their IT estates.

If, unlike us, you don’t have access to an underground bomb-proof nuclear bunker to house your data in, it’s worth starting with a full audit of where cardholder data is physically held, along with how it’s transferred and destroyed – including on USB drives, backup tapes and other removable media.


Requirement 10: Track and monitor all access to network resources and cardholder data.

Many organisations simply track who can reach network resources, but Requirement 10 is about audit trails: every access to cardholder data and every administrative action must be logged with the user, the action, the date and time, success or failure, the origin and the data affected, and those logs must be protected from tampering, reviewed daily, and retained for at least a year.

This enables businesses to respond to an issue on the network via an automated Security Information and Event Management (SIEM) system, or following dedicated analysis. Such systems should be tuned and upgraded regularly to suit businesses’ changing needs over time.
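The need-to-know model of Requirement 7, the unique-ID rule of Requirement 8 and the daily log review of Requirement 10 come together in the kind of check a SIEM rule or a review script performs. The Python below is an added example, not code from the original article or from Xpertise, and everything in it is hypothetical: the role model, the user directory, the key=value audit format and the sample log lines are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical role model: which actions each role may perform inside the CDE
# (Requirement 7, need-to-know). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "payments-ops": {"cde-db:read"},
    "dba": {"cde-db:read", "cde-db:admin"},
    "marketing": set(),  # no business need-to-know for cardholder data
}

# Hypothetical directory: every account maps to one named individual (Requirement 8).
USER_ROLES = {"alice": "payments-ops", "bob": "dba", "carol": "marketing", "dave": "marketing"}

# PCI DSS 8.1.6: lock the account after not more than six failed attempts.
MAX_FAILED_LOGINS = 6


@dataclass(frozen=True)
class Finding:
    requirement: str  # the PCI DSS requirement the event bears on
    user: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value audit record into a dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def review_events(lines) -> list:
    """Review CDE audit records and return the findings a daily log review should raise."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        event = parse_event(line)
        user, action, result = event["user"], event["action"], event["result"]
        if action == "login":
            if result == "failure":
                failed_logins[user] += 1
            continue
        if user not in USER_ROLES:
            # Shared or generic account: the action cannot be tied to a person.
            findings.append(Finding("8", user, f"{action} by account not tied to a named individual"))
            continue
        role = USER_ROLES[user]
        if action not in ROLE_PERMISSIONS[role]:
            findings.append(Finding("7", user, f"{action} on {event['object']} outside role {role} ({result})"))
    for user, count in failed_logins.items():
        if count > MAX_FAILED_LOGINS:
            findings.append(Finding("8", user, f"{count} failed logins exceed lockout threshold of {MAX_FAILED_LOGINS}"))
    return findings


# Constructed sample audit log: alice and bob act within their roles, carol reads
# card data she has no need to know, "admin" is a generic account, and dave
# fails to log in seven times.
SAMPLE_AUDIT_LOG = [
    "ts=2024-03-01T09:12:44Z user=alice action=cde-db:read object=cards/9981 result=success src=10.1.4.22",
    "ts=2024-03-01T09:13:10Z user=carol action=cde-db:read object=cards/9982 result=success src=10.1.7.5",
    "ts=2024-03-01T09:14:01Z user=admin action=cde-db:admin object=cards result=success src=10.1.7.9",
    "ts=2024-03-01T09:15:00Z user=bob action=cde-db:admin object=cards result=success src=10.1.4.30",
] + [
    f"ts=2024-03-01T09:2{i}:00Z user=dave action=login object=- result=failure src=10.1.7.40"
    for i in range(7)
]

if __name__ == "__main__":
    for finding in review_events(SAMPLE_AUDIT_LOG):
        print(f"Req {finding.requirement}: {finding.user}: {finding.detail}")
```

Note that carol’s read is flagged even though the database allowed it: the review compares what happened against what the role model says should be possible, which is exactly how over-provisioned access of the kind described under Requirement 7 comes to light.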


Requirement 11: Regularly test security systems and processes.

Businesses can struggle to build the knowledge and skills necessary to test their systems against new threats, and the increasing complexity of legacy systems combined with new assets only serves to compound the issue.

We spend a lot of time educating organisations on the need to test security systems at least quarterly through both internal and external vulnerability scans (the external scans by a PCI SSC Approved Scanning Vendor), and to conduct penetration tests at least annually and after any significant change. Once a vulnerability or issue is identified, we also help businesses put procedures in place to escalate it, remediate it and re-test.


Requirement 12: Maintain a policy that addresses information security for employees and contractors.

We’ve found that the final requirement of PCI DSS can also be one of the most complex for businesses to understand and implement. Maintaining a robust policy that addresses information security for employees and contractors – and ensuring that everyone adheres to it – is often seen as an insurmountable task.

A lot of our work is focused on aligning businesses with other standards such as ISO/IEC 27001 (information security management) and ISO/IEC 27005 (information security risk management) to build a clear framework and simplify the journey to PCI DSS compliance.


Still unsure of how to be PCI DSS compliant?

PCI DSS is complex, but businesses that treat it as a tick-box exercise will only endure more problems down the line. To ensure ongoing compliance, it’s vital to understand both the fundamentals and the finer points of each requirement, and how these should be maintained over time.

We are currently offering a free one-hour risk assessment, conducted over the phone by one of our PCI DSS specialists, to help you establish a clearer picture of your current situation and risks, and the opportunities that compliance can bring to your business. Our compliance experts are always on hand to help you rationalise your PCI DSS scope, prepare for QSA assessments and assist in your compliance journey with our range of services, which have been designed around the standard.

Download our whitepaper here to find out what the impact of non-compliance with PCI DSS can look like, and see some war stories from those who have fallen foul.