The 12 Requirements Of PCI DSS Compliance

Secure PCI DSS certified payments are a feature of DigiDesk’s comprehensive cloud contact centre solution, but there’s a lot more to compliance than you might think…

Achieving PCI DSS compliance ensures your organisation plays its part in reducing card fraud. When processing card transactions or handling a customer’s financial details, you must be fully compliant, as the repercussions of being anything less can be significant!

There are four levels, and twelve requirements, for achieving PCI DSS compliance. Level 1 – the highest – is for organisations processing the largest number of card transactions per annum, or those with a history of data breaches, and is subject to yearly on-site audits and network scans. Level 4 – the lowest – is for entities processing up to 20,000 card transactions per annum, and compliance is assessed by a self-assessment questionnaire. However, every organisation seeking compliance is directed to the same framework of twelve requirements, whichever level it operates under.

1. Protect your system with firewalls

An expertly configured and professionally maintained firewall provides effective protection for your systems and, in turn, your customers’ data. Both hardware and software firewalls are required: hardware firewalls deliver robust network security, whereas software firewalls defend against threats such as those arriving via employee mobile devices or email.

2. Configure passwords and settings

Inventory and reconfigure all passwords and settings, especially on routers and third-party software, which often ship with factory-default settings and access codes, so that every credential is unique and nothing is left at its default. This applies to every system and device used throughout your organisation.

3. Protect stored cardholder data

Ensure all card data you store is encrypted. You will be asked to present a flow diagram showing how card data is handled by your organisation. Software such as PANscan or PIIscan can help you locate stored card data so that it can be encrypted, or deleted where it is not needed.

4. Encrypt transmission of cardholder data across open, public networks

Card data must be encrypted as it is transmitted across public networks. Tools like PCI DSS Encryption Key Management can help you achieve the required level of security.

5. Use and regularly update anti-virus software

You must install, maintain and regularly update anti-virus software on all systems and devices susceptible to malware. Demonstrating an ongoing commitment to security is part of achieving compliance, so adopt a proactive approach and stay vigilant about new malware threats.

6. Regularly update and patch systems

You must stay alert to any vulnerabilities in your systems so they can be fixed as soon as possible. Regular anti-virus updates help keep you protected, and your security software vendors should keep you apprised of patches and upgrades as they become available.

7. Restrict access to cardholder data to business need-to-know

Implement role-based access control (RBAC) so that access to card data, and to the systems holding it, is granted on a need-to-know basis. Administrator and user accounts must be configured to prevent exposure of sensitive data to those who do not require it.

8. Assign a unique ID to each person with computer access

User IDs and passwords must be unique and sufficiently complex. However, system security should not rely solely on the complexity of a single password. No password should be deemed uncrackable, which is why all remote access to in-scope systems has required multi-factor authentication since 01/02/2018.

9. Restrict physical access to workplace and cardholder data

You cannot store sensitive information, such as payment card data, out in the open. You must physically restrict access to areas holding cardholder data, and document the following:

  • Who has access to secure environments and why they need this access
  • What, when, where, and why devices are used
  • A list of authorized device users
  • Locations where the device is and is not allowed
  • What applications can be accessed on the device

10. Implement logging and log management

Failure to comply with this requirement has contributed to a significant number of data breaches. You must monitor flagged incidents and deal with them quickly! Logs should be reviewed at least once daily, and you must demonstrate an effective, robust process for handling any anomalies.

11. Conduct vulnerability scans and penetration tests

Vulnerability scans and penetration tests are imperative, and can confirm whether patches and upgrades have been applied successfully. How often you are required to perform them depends on the level your organisation falls under.

12. Documentation and risk assessments

You must keep documentation, policies, procedures and evidence relating to your company’s security practices. You must also undertake a formal annual risk assessment to identify critical assets, threats and vulnerabilities, and use it to improve your ongoing security practices.

For more information about PCI DSS compliance, or to discuss our PCI DSS certified payments solution, get in touch with the team at DigiDesk. We look forward to hearing from you.