“The people who establish the laws, acts, and regulations already did the tedious work; the rest of the process is just putting the Credit Acts into Action” (The Credit Repair Book). Unfortunately, for an SME, putting PCI DSS compliance into action is not at all trivial.
A business that handles card data must comply with the 12 PCI DSS requirements; potentially reading and digesting the standard  (a mere 139 pages) but also the supporting documents. Here we take a brief look at what compliance means to an SME and dig further into the detail of the 12 PCI DSS requirements.
What does compliance mean?
PCI DSS defines a level of protection for cardholders so as to reduce data breaches and therefore fraudulent transactions. Any business that accepts or processes card payments must comply with the requirements:
- Ensuring credit card protection for customers, by collecting and transmitting their details securely
- Storing data in a secure manner
- Verifying that the business is compliant, by carrying out annual validation and submitting self-assessment questionnaires (SAQs)
How do the requirements apply to an SME?
A business that handles cardholder data must define the people, processes and technology that handle this data, collectively known as the cardholder data environment (CDE). Understanding and documenting the CDE will involve a data mapping analysis, to define the systems, networks and job roles that interact with cardholder data.
The business must carry out the level of checks and documentation appropriate to its volume of transactions and payment methods. For example a level 3 business, processing between 20,000 and 1 million online transactions annually, must complete an annual SAQ, an attestation of compliance (AOC) and a quarterly network scan by an approved vendor.
A variety of SAQ types may be required, depending on how the business collects card payments, for example, type A for card-not-present, type A-EP for E-commerce merchants that outsource their payment processing to a third party.
The key aspects of compliance, however, are the 12 requirements. By adopting best practices that comply with these main requirements, the business will safeguard its customers’ data and maintain their trust. These are:
1. Install and maintain a firewall configuration to protect cardholder data. Any networking device, such as a router, that connects to the CDE is also in scope. The business must implement configuration standards so that firewalls are identified and tested. Firewalls must restrict network traffic to and from “untrusted” networks.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Default passwords must be updated and default accounts must be removed before a system is installed on the network. Strong cryptography must be used to encrypt any non-console admin access.
3. Protect stored cardholder data. Wherever possible, cardholder data should never be stored and the sensitive chip data and CVC2/CVV2 must never be stored. If the business model dictates that limited cardholder data needs to be stored, this must have a clear retention time. The primary account number (PAN) must be masked from all but authorised staff.
4. Encrypt transmission of cardholder data across open, public networks. Security protocols and strong cryptography must be used to protect data over internet, wireless and mobile networks. PANs must never be sent using email or messaging.
5. Protect all systems against malware and regularly update anti-virus software or programs. Virus protection must be implemented on all systems, such as servers and desktop/laptops, ensuring that it cannot be disabled by an end-user.
6. Develop and maintain secure systems and applications. This applies to commercial, bespoke and internally developed software. The business must implement a process for identifying security vulnerabilities and applying security patches, critical patches must be installed within one month.
7. Restrict access to cardholder data by business need-to-know. Default access control should be “deny all”, with access only given to those staff members whose roles require it. Security policies and procedures must be documented and form part of staff training.
8. Identify and authenticate access to system components. All end users must have a unique user name used to gain access to systems. They must be authenticated by at least one of: a password, a device or a biometric.
9. Restrict physical access to cardholder data. Access to data or systems must be controlled based upon staff members’ job roles. Visitors must be authorised before entering secure areas. Media must be highly controlled, especially backups. Any distribution using media must be authorised and strictly monitored.
10. Track and monitor all access to network resources and cardholder data. Logging must be used to generate audit trails that can be analysed to determine what happened in the event of compromised data.
11. Regularly test security systems and processes. Networks must be tested using a vulnerability scan every quarter and following any significant configuration change. Penetration testing must be used at least once a year.
12. Maintain a policy that addresses information security for all personnel. The business must establish a security policy and publicise it to all staff. The policy must be reviewed annually and updated whenever there is a change to the CDE.
By understanding the 12 requirements and how they apply, an SME can implement best practice not only to comply with them, but also to protect its customers’ data and therefore safeguard the future of the business.