
What the twelve requirements of PCI DSS compliance ask of your business


Card fraud damages everyone: customers who have to fight to get stolen money reimbursed, merchants who suffer financial and reputational harm after a data breach, and society at large, when the proceeds go on to fund other crime such as drug smuggling and terrorism.

By achieving PCI DSS compliance, your business plays its part in reducing fraud. If you process card transactions or handle customers' payment card details, you must be compliant, as the repercussions for failing to do so can be significant, ranging from heavy fines levied through your acquiring bank to losing the ability to take card payments at all.

Four Levels of compliance

There are four merchant levels and twelve requirements. The highest tier, Level One, is for organisations processing the greatest number of card transactions in a year (usually over six million, the exact threshold depending on the card brand), and the card brands can also place a merchant at Level One after a data breach. The lowest, Level Four, covers merchants processing fewer than 20,000 e-commerce transactions (and up to one million transactions in total) a year.

Level One validation requires an annual on-site assessment by a Qualified Security Assessor, producing a Report on Compliance, plus quarterly external vulnerability scans by an Approved Scanning Vendor. Lower-tier organisations validate with an annual Self-Assessment Questionnaire (most SAQ types also require the same quarterly external scans). The level only changes how compliance is validated: every organisation, whatever its level, is measured against the same framework of twelve requirements.

The Twelve Requirements: a framework for compliance

The first requirement is to install and maintain network security controls, traditionally firewalls. A properly configured and maintained firewall protects your systems and, with them, your customers' card data. Network firewalls should segment the cardholder data environment from the rest of your network and from the internet, permit only the traffic the business actually needs and deny everything else by default, and their rule sets should be reviewed regularly. Host-based (personal) firewall software is also required on employee laptops and other portable devices that connect to both the internet and the cardholder data environment, since those devices carry threats in from outside the network perimeter.

The second requirement is to stop using vendor-supplied defaults. Routers, point-of-sale terminals, wireless access points, databases and third-party software usually ship with factory default passwords, accounts and settings that are publicly documented. Assign someone to keep an inventory of every system component in scope, change every default password, remove or disable unneeded default accounts and services, and harden each system against a documented configuration standard. This applies to every system and every device in your enterprise, not only the obvious ones.

Requirement Three is to protect stored cardholder data. Store the primary account number (PAN) only where there is a genuine business need, render it unreadable wherever it is stored (strong encryption, truncation, tokenisation or strong one-way hashing), and never store sensitive authentication data such as the full magnetic stripe, the CVV or the PIN after authorisation, even in encrypted form. If you aren't sure whether your systems store this information, you need to find out, as you will be asked to draw up a flow diagram showing how card data moves through your organisation. Card data discovery tools such as PANscan or PIIscan can help you track down stored PANs so that you can encrypt them or, better, delete them.

The fourth requirement follows on from this: cardholder data must be protected with strong cryptography whenever it crosses open, public networks, including the internet and wireless networks. In practice that means TLS 1.2 or later with properly validated certificates between your systems and your payment processor, no fallback to SSL or early TLS, and never sending PANs unprotected over end-user messaging such as email, SMS or chat. Where you manage your own encryption keys, document the key-management procedures (generation, distribution, rotation and retirement) as the standard requires.

The fifth requirement asks you to protect all systems from malware. Anti-malware software must be installed on every system commonly affected by malware, kept current with automatic updates, run periodic scans, generate audit logs, and be protected from being disabled by users. Part of achieving compliance is demonstrating a commitment to security, so stay aware of new malware threats and tune your defences accordingly.

Requirement Six is to develop and maintain secure systems and software. Track security advisories from the vendor of every component in scope, not just your security products, and install critical security patches within a month of release. Where you develop your own payment software, the requirement also covers secure coding practices, code review or testing for common vulnerabilities, and change control for every modification to in-scope systems.

Requirements Seven to Nine involve your people. Seven restricts access to cardholder data to those whose job requires it, on a need-to-know basis. Eight requires that every user has a unique ID and strong authentication, with no shared or generic accounts, and multi-factor authentication for administrative and remote access into the cardholder data environment (and, under version 4 of the standard, for all access into it). Nine restricts physical access to the machines and media where card data is held, so that the information cannot simply be stolen.

Perhaps the most important requirement, number Ten, deals with logging and monitoring. Every access to system components and cardholder data must be logged, the logs must be protected from tampering and retained for at least a year (with the last three months immediately available), and system clocks must be synchronised so that events can be correlated across hosts. Many breaches go undetected for months because nobody reads the logs, so review them at least daily, using log management or SIEM tooling where the volume demands it, and show that you have a robust process for investigating and resolving any anomalies quickly.
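As an added example (not code from the article), this Python script applies three simple review rules to a constructed batch of authentication log lines of the kind Requirement Ten asks you to check daily: a burst of failed logins from one source, a successful login from that same source straight after the burst, and a login to a cardholder-data host by an account that is not on the approved list. The log format, host names, user names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed parameters for the example: which hosts hold cardholder data,
# which accounts may log in to them, and what counts as a burst of failures.
CDE_HOSTS = {"db01", "pay01"}
ALLOWED_CDE_USERS = {"svc_pos", "dba_alice"}
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Assumed log format: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<kv>.+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'timestamp key=value ...' line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_logins(lines: list) -> list:
    """Return one alert dict per rule hit, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # source address -> timestamps of recent failures

    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("event") != "login":
            continue
        ts, src, user, host = ev["ts"], ev["src"], ev["user"], ev["host"]

        # Drop failures that have aged out of the sliding window for this source.
        fails = recent_failures[src]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()

        if ev["result"] == "fail":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:  # alert once, when the burst first crosses the line
                alerts.append({"rule": "failed_login_burst", "ts": ts, "src": src, "host": host})
        elif ev["result"] == "ok":
            if len(fails) >= FAIL_THRESHOLD:  # password guessing that appears to have succeeded
                alerts.append({"rule": "success_after_failures", "ts": ts, "src": src, "user": user})
            if host in CDE_HOSTS and user not in ALLOWED_CDE_USERS:
                alerts.append({"rule": "unapproved_cde_login", "ts": ts, "user": user, "host": host})
    return alerts


# Constructed sample log; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = """\
2024-03-04T02:14:05Z host=db01 user=svc_pos src=10.0.5.12 event=login result=ok
2024-03-04T02:20:01Z host=db01 user=admin src=203.0.113.7 event=login result=fail
2024-03-04T02:20:03Z host=db01 user=admin src=203.0.113.7 event=login result=fail
2024-03-04T02:20:04Z host=db01 user=root src=203.0.113.7 event=login result=fail
2024-03-04T02:20:06Z host=db01 user=dba_alice src=203.0.113.7 event=login result=fail
2024-03-04T02:20:09Z host=db01 user=dba_alice src=203.0.113.7 event=login result=fail
2024-03-04T02:20:15Z host=db01 user=dba_alice src=203.0.113.7 event=login result=ok
2024-03-04T09:00:00Z host=pay01 user=contractor_bob src=10.0.5.40 event=login result=ok
2024-03-04T09:05:00Z host=web01 user=contractor_bob src=10.0.5.40 event=login result=ok
2024-03-04T10:00:00Z host=db01 user=dba_alice src=10.0.5.12 event=query result=ok
"""

if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG.splitlines()):
        print(alert)
```

Real deployments feed a SIEM rather than a script, but the rules have the same shape; the success-after-failures rule is the one to prioritise, and the unapproved-account rule is only as good as the approved list you maintain under Requirement Seven. None of it works across hosts unless their clocks agree, which is why the requirement also mandates time synchronisation.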

Requirement Eleven insists upon regular security testing and follows on from Requirement Six, since the tests show whether patching has actually worked. Internal and external vulnerability scans are required at least quarterly and after any significant change (the external scans must be performed by an Approved Scanning Vendor), penetration testing at least annually and after significant changes, and you must also check for rogue wireless access points and run change-detection or file-integrity monitoring on critical files. These frequencies are set by the standard and do not vary with your merchant level, which only determines how you validate compliance.

The twelfth and final requirement is to maintain a security policy that underpins all the others: keep the policies, procedures and evidence behind your security measures, including employee handbooks and security awareness training records, third-party service provider contracts and their compliance status, and your incident response plan, which must be tested. You are also required to carry out a risk assessment at least annually, and after significant changes, to identify new threats and improve your security practices going forward.

The compliance process may seem daunting, but the security it brings can only benefit your organisation. Third-party payment services that use tokenisation, hosted payment pages and automated telephone card processing keep card data off your own systems entirely, which shrinks the scope of your assessment and makes compliance far easier to achieve and maintain.