PCI Data Security Standards
After almost 29 years in the security industry, more than 4 of those years helping companies achieve and maintain PCI DSS compliance (as a Qualified Security Assessor (PCI QSA)) and helping to develop ISACA’s Practical Guide to PCI DSS, I thought I would put together a brief overview of the PCI Data Security Standards (PCI DSS).
If you are a business that has a Merchant ID (MID) associated with payments made with branded (Visa, Mastercard, American Express, JCB, Discover) payment cards, or you are a third party organisation that provides support services to such a business, you have an obligation to ensure that the card data life-cycle is adequately protected.
The data life-cycle begins at the point that you are entrusted with this payment card data, right through to the point that the data is transferred or is no longer required, for justifiable business reasons.
In 2005, the PCI Data Security Standard (PCI DSS) was introduced to provide businesses with a minimum baseline of defense in depth security controls that help to create effective countermeasures and reduce the risks of a costly data breach.
This suite of defensive controls is ever-evolving in response to emerging technologies and threats. It focuses on three key areas, for each of which processes are recommended, that together constitute an effective multi-layered cyber-defense strategy:
These baseline controls are compiled from 6 layered goals:
1. Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Think of this as being similar to what you would expect to see being employed by your bank in terms of physical security measures. Members of the general public are restricted from walking off the street and straight into the vault.
2. Protect Cardholder Data
As with the money held in your bank, it is maintained under lock and key within the vault. If, at any time, it is required to be transferred out of the vault, it still remains under lock & key during the transfer process (cash in transit).
3. Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Having established secure operations, it is essential that the dynamic environment is well-maintained and regularly updated.
4. Implement Strong Access Control Measures
- Restrict access to cardholder data on a need-to-know basis – update access restrictions regularly
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Access to the vault must be subject to restricted access, based on justified business needs. Once again, using the bank analogy, we don’t want to allow all and sundry access to the vault.
5. Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
These strong baselines can be undermined by the ‘human factor’ and by ever-present and changing vulnerabilities and threats. Therefore, effective monitoring and testing are essential to maintain the ongoing value of these controls.
6. Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
The ‘human factor’ is the most significant risk to the maintenance of any PCI DSS program, whether that be the end-user, the maintenance staff, the management of risk transferred to a third party service provider, or the response to incidents. Consequently, policy and process documentation should be created and maintained. These documents need to be understood and adhered to by all the relevant personnel, so ongoing communication and training are required.
Any effective PCI Data Security Standards program requires teamwork, where specialist team members (often termed ‘Security Champions’) take responsibility for specific security duties and regularly report on security status and related incidents or issues.
Identify & Isolate
Critical to the success or failure of any PCI Data Security Standards program is the need to identify any technologies or people involved in the ‘Data Life-cycle’ and to isolate these from other areas of the business, before being able to identify the appropriate PCI DSS controls. In essence, creating a secure silo where the full weight of the PCI DSS defensive controls can be effectively applied. Strategies may be employed to reduce the scope of the environment to which PCI DSS applies, thus reducing the breadth of the attack surface where the Bad Guys are likely to focus their efforts.
Having identified and isolated the environment, along with the applicable controls, there will almost certainly be improvements needed to meet the minimum requirements of PCI Data Security Standards. Treatment of any gaps is an ongoing process, which must become part of an organisation’s strategy and business processes.
PCI DSS has been developed from strong industry recommendations to help businesses fortify their card payment operations and should be regarded as a positive enhancement. As a customer making a purchase, you are entrusting your payment card details to that organisation and, therefore, we should recognize this trust through the application of PCI DSS, to help safeguard this sensitive Personally Identifiable Information (PII).
Document and Disclose
As already mentioned, integral to any PCI DSS program is the involvement of people. Its success or failure relies heavily on effective documentation (policies and procedures) that is communicated to, and fully understood by, all the support personnel.
If your business revenues have any reliance on purchases made by credit card, whether in house, outsourced or a combination of the two, you have an obligation to ensure that the processes that underpin the card data life-cycle within your organization are aligned with the applicable controls from PCI Data Security Standards. The number of controls that apply is heavily dependent on your business environment (not just your IT environment). For example, if the payment channel has a network reliance, the number of controls increases; if the payment channel is fully outsourced to a PCI DSS compliant third party service provider, then the controls are significantly reduced.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity that you’re currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information or data on European citizens that fall under the requirements of the General Data Protection Regulation (GDPR) which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of you suffering a damaging and expensive data breach.