PCI DSS Requirements and Common Control Failures
Editor’s note: This blog post is an excerpt from Hyperproof’s new ebook PCI DSS Compliance: Why It Matters and How to Obtain It.
Data breaches compromising sensitive cardholder data are incredibly common. In 2018 alone, $24.26 billion was lost to payment card fraud worldwide, and the United States was the most card-fraud-prone country, accounting for 38.6% of reported card fraud losses. Meanwhile, identity theft was the third largest cause of fraud in the U.S. in 2018.
When businesses don’t take precautions to secure their systems and network, they’re likely to be targeted. Sensitive cardholder data can be stolen from many places, including compromised card readers, paper stored in a filing cabinet, data in a payment system database, hidden cameras recording entry of authentication data, or a secret tap into your store’s wireless or wired network.
In 2006, the major payment brands American Express, Discover, JCB International, MasterCard, and Visa Inc. came together to address the vital need for a secure payment ecosystem. The body they formed, the PCI Security Standards Council, created the PCI Data Security Standard (PCI DSS) — a set of technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions. By following these standards, organizations can keep their defenses up and minimize the chances of suffering costly attacks aimed at stealing cardholder data.
What Are the Requirements Specified in the PCI Data Security Standard?
If you accept or process payment cards, the following standards apply to you.
| Goals | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management System | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data to a need-to-know basis |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
These are the fundamental goals and guidelines that must be met by companies that either accept or process card payments. To better understand the full scale of responsibility these companies take on, and the questions they have to consider in order to meet it, take a look at the following PCI compliance checklist.
PCI Compliance Checklist
Build and Maintain a Secure Network
This component outlines the requirements for building a secure network and keeping it running effectively over time. Specifically, it covers the installation and maintenance of properly configured routers and firewalls.
- Do you have a firewall or other security measures in place to protect systems that transmit, process, or store cardholder data?
- Is the firewall regularly updated?
- Have default passwords been replaced with stronger ones?
- Is access to those passwords protected?
- Are sufficient security controls in place?
Protect Cardholder Data
This data security category is concerned with protecting cardholder data in all its forms: in storage, in processing, in transit, and even in physical form (receipts, records, and invoices). Encryption and tokenization are the usual measures for disguising and protecting that data.
- Is cardholder data secure during transit?
- Are you using an approved encryption method?
- Is data protected across open networks?
- Is access to cardholder data restricted?
Maintain a Vulnerability Management System
This checklist category is primarily concerned with application security, and it goes into great detail about how businesses should protect their systems against various threats. Viruses, malware, exploitation of coding flaws, and other elements all have the potential to defeat an application's security measures.
- Do you have antivirus or virus-prevention programs?
- Is your software up to date?
- Is your software regularly reviewed and updated?
- Is your software the most recent version?
- Do you have applications and security systems, and are they being maintained?
Implement Strong Access Control Measures
There are three primary elements to this category of security requirements. The first two address access control and user identity: how a system authenticates a user, and the access level or set of permissions a user needs to reach specific resources within the system, such as cardholder data. The third element covers controls on physical access to information, including cameras and locks.
- Does each member of your organization have a unique ID for data access with specific permissions and limitations?
- Do you monitor access to programs and facilities where data could be accessed?
- Is all data stored securely?
Regularly Monitor and Test Networks
This requirement is primarily concerned with a company's ability to maintain its existing security measures and ensure they are strong enough to protect people's confidential data. Companies need to monitor their networks closely to detect security breaches. They also need to test their security systems and code, and ensure both are updated regularly.
- Are there network review processes to prevent breaches or data exploitation?
- Is the process logged?
- Are those logs secured?
- Are systems tested for vulnerability and then improved?
- Are tests done every time software is changed or implemented?
Maintain an Information Security Policy
This policy is meant to set the standards for an organization’s information security strategy, and it should address your company’s overall attitude toward data security and PCI compliance. This section should also involve training and continuing education programs for employees.
- Does your company have internal information security policies?
- Do these policies comply with PCI DSS requirements?
- Are policies reviewed annually?
- Does your organization have an incident response plan ready in case of a breach?
What Are the Common PCI DSS Control Failures?
The founding members of the PCI Security Standards Council continually monitor occurrences of account data compromise. Forensic analysis of compromises has shown that common security weaknesses, which are addressed by PCI DSS controls, are often exploited because PCI DSS controls either were not in place or were poorly implemented when the compromises occurred.
Examples of common PCI DSS control failures include:
- Improper scoping: The scope is the cardholder data environment (CDE), which includes all of the systems, people, processes, and technologies that handle cardholder data. Systems that support and secure the CDE must also be included in the scope of PCI DSS. Examples of such in-scope systems include antivirus, patch management, and vulnerability scanning.
Organizations often try to reduce the scope of their PCI DSS compliance effort by using network segmentation or sectioning off one network into smaller segments, in such a way that limits or prevents communication between them. However, when network segmentation is done improperly, hackers may be able to enter from a less secure area (such as an office zone) into a merchant’s cardholder data environment.
- Storage of sensitive authentication data (SAD), such as track data, after authorization. Many compromised entities were unaware that their systems were storing this data. Under PCI DSS, SAD may be used only to process the payment and must not be stored once the authorization process is complete.
- Inadequate access controls due to improperly installed point-of-sale (POS) systems, allowing bad actors in via paths intended for POS vendors
- Default system settings and passwords were not changed when the system was installed
- Poorly coded web applications that allow SQL injection and other vulnerabilities, giving an attacker direct access from the website to the database storing cardholder data
- Missing and outdated security patches
- Lack of logging. Audit trails for each of the following must be established, with sufficient storage to house the transaction logs:
  - Individual user access to cardholder data
  - All actions performed by users with administrative privileges
  - All invalid access attempts
  - Tracking of audit log clearings
  - Secured audit trail logs, with access restricted to those with a job-related need
- Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and change-detection mechanisms)
- Encryption key management. The biggest challenge is the effective use of encryption and tokenization tools. There are five fundamentals of key management that should be adhered to in order to prevent weaknesses in the process. The standard includes 1) key storage, 2) key policy management, 3) key authentication, 4) key authorization, and 5) key authorization.
- Not addressing PCI DSS compliance in your quarterly or semiannual security assessments. A process should be in place to flag exceptions that occur in the course of daily operations and investigate them.
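The SAD bullet above notes that many compromised entities did not know their systems were retaining track data. The scanner below is an added illustration, not code from the post or from Hyperproof: it looks through stored records for Track 1 and Track 2 magnetic-stripe layouts and for card verification values sitting under a CVV-style label, uses a Luhn check to cut false positives, and reports any PAN it finds already masked to first six and last four digits. The sample records (a debug log line that captured a swipe, a settlement record that kept the CVV, a clean record) are constructed, using the well-known 4111... test PAN, and the regular expressions are my own approximation of the track formats.

```python
"""Scan stored records for sensitive authentication data (SAD) that must not
be retained after authorization: full track data, card verification codes.
Added illustration; sample data below is constructed, not real cardholder data."""
import re

# Track 2: ";" + PAN (12-19 digits) + "=" + YYMM expiry + 3-digit service code
# + discretionary data + "?".  Track 1: "%B" + PAN + "^" + name + "^" + YYMM...
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})\d{3}\d*\?")
TRACK1_RE = re.compile(r"%B(\d{12,19})\^[^^]{2,26}\^(\d{4})\d*\?")
# A 3-4 digit value stored under a CVV/CVC/CID-style label (assumed labels).
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\s*[=:]\s*(\d{3,4})\b", re.I)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: a random digit run rarely passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report a PAN masked to first six and last four digits, never in full."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(record: str) -> list:
    """Return a list of findings (type, masked PAN/expiry or label) for one record."""
    findings = []
    for name, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
        for m in rx.finditer(record):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"type": name, "pan": mask_pan(pan), "expiry": m.group(2)})
    for m in CVV_FIELD_RE.finditer(record):
        findings.append({"type": "cvv", "label": m.group(1).lower()})
    return findings


def scan_records(records) -> list:
    """Return (record_index, findings) for every record that holds SAD."""
    hits = []
    for i, rec in enumerate(records):
        f = find_sad(rec)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample: a debug log line that captured raw Track 2 data, a
# settlement record that retained the CVV, and a properly masked record.
SAMPLE_RECORDS = [
    "2024-03-01 10:02:11 DEBUG swipe=;4111111111111111=2512101123456789?",
    "txn=88213 amount=42.10 pan=411111******1111 cvv2=123 status=APPROVED",
    "txn=88214 amount=9.99 pan=411111******1111 status=APPROVED",
]

if __name__ == "__main__":
    for idx, findings in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {findings}")
```

Run it against exported database dumps, application logs and backup media, since those are where track data tends to survive unnoticed; a hit means the retaining component needs to be fixed and the stored data securely deleted.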
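For the SQL injection bullet, here is the classic defect beside its fix, as an added example that is not from the post: a lookup that concatenates untrusted input into a query, and the same lookup with a bound parameter. It runs against an in-memory SQLite table of constructed, already-masked card records; the customer names and the injected string are my own choices.

```python
"""String-built query beside its parameterized fix, run against an
in-memory SQLite table of constructed (masked) card records.
Added illustration; sqlite3 is in the Python standard library."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed table; PANs are stored masked, never in full."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan_masked TEXT, expiry TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [("alice", "411111******1111", "2512"),   # constructed sample rows
         ("bob", "555555******4444", "2611"),
         ("carol", "378282******0005", "2703")],
    )
    return conn


def lookup_vulnerable(conn, customer: str) -> list:
    """Concatenates untrusted input into SQL, so the input can rewrite the query."""
    sql = f"SELECT customer, pan_masked FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer: str) -> list:
    """Bound parameter: the driver passes the value separately; it is never parsed as SQL."""
    sql = "SELECT customer, pan_masked FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Textbook injection string: turns the WHERE clause into an always-true condition.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTED))   # every row comes back
    print("safe:      ", lookup_safe(db, INJECTED))         # no such customer
```

The vulnerable form returns the whole table for the injected input; the parameterized form returns nothing, because the driver treats the string as a literal customer name. Code review and SAST rules that flag string formatting in SQL calls catch this class of defect before it reaches the CDE.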
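The logging bullet lists four event classes that need an audit trail and adds that the trail itself must be secured. The following added example (my own code, not the post's or any product's) records those event classes in a hash-chained trail, where each record carries a SHA-256 over its fields plus the previous record's hash: editing or deleting a record breaks the chain, which is one way to make log clearing detectable. The event names, record layout and sample events are assumptions I constructed for the illustration.

```python
"""Tamper-evident audit trail for the event classes the post lists:
access to cardholder data, administrator actions, invalid access attempts,
and clearing of the audit log.  Added illustration with constructed events."""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed event class names, one per category in the post's list.
REQUIRED_EVENT_CLASSES = {"chd_access", "admin_action", "access_denied", "audit_log_cleared"}
GENESIS = "0" * 64


@dataclass
class AuditTrail:
    records: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict, prev_hash: str) -> str:
        """Hash of the canonical record body chained to the previous hash."""
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, ts: str, user: str, event: str, detail: str) -> dict:
        if event not in REQUIRED_EVENT_CLASSES:
            raise ValueError(f"unknown event class: {event}")
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = {"ts": ts, "user": user, "event": event, "detail": detail}
        rec = dict(body, prev=prev_hash, hash=self._digest(body, prev_hash))
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute every link; False if any record was altered or removed."""
        prev_hash = GENESIS
        for rec in self.records:
            body = {k: rec[k] for k in ("ts", "user", "event", "detail")}
            if rec["prev"] != prev_hash or rec["hash"] != self._digest(body, prev_hash):
                return False
            prev_hash = rec["hash"]
        return True

    def missing_event_classes(self) -> set:
        """Event classes never recorded: a coverage gap against the required list."""
        return REQUIRED_EVENT_CLASSES - {r["event"] for r in self.records}


def build_sample_trail() -> AuditTrail:
    """Constructed events; timestamps, users and details are invented."""
    t = AuditTrail()
    t.append("2024-03-01T10:00:00Z", "pos-app", "chd_access", "read pan_masked for txn 88213")
    t.append("2024-03-01T10:05:00Z", "admin", "admin_action", "changed firewall rule set")
    t.append("2024-03-01T10:06:30Z", "unknown", "access_denied", "bad password for svc-backup")
    t.append("2024-03-01T11:00:00Z", "admin", "audit_log_cleared", "rotated app audit log")
    return t


def tamper_demo() -> tuple:
    """Verify the intact chain, silently drop the admin action, verify again."""
    t = build_sample_trail()
    before = t.verify()
    del t.records[1]
    return before, t.verify()


if __name__ == "__main__":
    print("intact, after deletion:", tamper_demo())   # (True, False)
```

The chain only proves integrity from the point it is checked, so the latest hash should be copied regularly to a system the log writers cannot modify (a central log collector or write-once store); that is what gives the "restricted to those with a job-related need" control its teeth.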
To learn more about how to meet the requirements of PCI DSS and secure your cardholder data environment, see the full guide PCI DSS Compliance: Why It Matters and How to Obtain It.