Best Practice for Implementing PCI DSS in Your Organization

Since the introduction of the PCI Data Security Standard, more and more organizations that store, process or transmit cardholder data have been working towards compliance with the standard.

With the passage of time the PCI DSS Standard has matured and become recognized as a framework with a solid base in information security best practice.

There are still many organizations that are not yet fully compliant with the standard. Research conducted by Verizon in 2011 showed that the organizations that suffered a breach of security were more likely to be those that were not yet compliant with the standard, with a smaller number that were found to be compliant in their previous assessment. It is important to note here that compliance is not a one-time process. It is an ongoing process, and organizations need to keep themselves compliant throughout the year rather than just validate compliance at one particular point in time. Only in this way can they effectively protect their customer data from possible breach and ensure its integrity and security.

An annual PCI DSS assessment is only an indication of how well an organization is complying at the time the assessment is made. It is not an indicator of compliance during the period between two annual assessments. In order to consistently comply with the PCI DSS requirements, an organization needs to have a formal security setup that operates at all times and remains implemented throughout the year.

The following are some of the best practices an organization needs to adopt, to effectively implement and maintain PCI DSS compliance:

Determine the Scope of PCI DSS Compliance

Before implementing PCI DSS in your organization, it is important to determine the scope of implementation. As a minimum you will need to identify the infrastructure that is related to the storing, processing and transmitting of cardholder data, and identify all payment channels, locations and data flows.

Most organisations will restrict implementation of PCI controls to just the identified infrastructure. However, consideration should be given to the fact that the parties attempting to exfiltrate cardholder data will often use the organisation's weakest link to penetrate the network, using it as a foothold for lateral spread. It is much easier to attack vulnerabilities of internal systems if you are already within the organisation's infrastructure.

Conduct a Gap Analysis

For every entity that comes under the scope of PCI DSS compliance, measure its current level of compliance against the standard requirements. This can be done with the help of the PCI Self-Assessment Questionnaire (SAQ), which will enable you to determine which of your tools and systems are in place and which are lagging behind.

Develop Policies and Procedures

A set of formal policies and procedures must be developed to comply with the standard requirements and should be regulated and enforced within the organization.

Train the Personnel

It is important that every individual involved in handling cardholder data is well aware of the PCI DSS requirements. For this purpose, regular training should be provided to new as well as existing employees.

Encrypt Sensitive Data

Payment card data should never be left unencrypted whether it is being stored or transmitted via any medium. Sensitive data must always be encrypted with the help of an authorized encryption program.

Ensure Physical Security of Data

Physical security of data is as important as its security on an electronic system. Only authorized personnel should be allowed to physically access the data.

Scramble Track Data

The data encoded on the magnetic stripe on the back of a credit card is known as track data. This data can be read by point-of-sale (POS) systems and should not be stored, yet some POS systems collect this information without informing the merchants. Hackers can easily access and exploit this information. Hence, it is important for POS vendors to scramble the track data in order to make it unreadable for third parties.

Use Secured Wireless Connections

Wireless connections should always be secured with a security key to minimize any potential intervention of an outside user.

Review Logs Regularly

System audit and security logs should be regularly reviewed to identify any possible non-compliance issues. Year after year the Verizon breach report has stated that indications of a breach were consistently found in the accounting and audit logs of organisations that lost cardholder data. Typically almost nine out of every ten breaches had indications of compromise within the audit logs; if somebody had been looking, the breaches could have been detected and disrupted.

Minimize the Scope

To make the process of implementing PCI DSS easier, it is important to minimize the initial scope of compliance. This will help to reduce both the cost and the effort required to achieve compliance. Scope can be reduced by minimizing the cardholder data environment (CDE). Anything that is related to storing, processing or transmitting cardholder data forms a part of the CDE. You can achieve this either through network segmentation or through tokenization.

Phase two could then look at extending the PCI controls to other organisational infrastructure.

Regularly Update the Software

It is important to regularly update all your company software to maintain your defense against external threats. Vulnerabilities in existing software implementations are a natural target for those attempting to access your cardholder data. Patching should be a regular activity on operating systems, databases, iMIS, and other PCI approved payment applications.

Implement a Layered Security System

A layered security system helps achieve a higher level of protection because if one defense mechanism fails, the attack can still be stopped by the next layer, and so on. Using different vendors for different layers is encouraged; for example, the use of different firewall vendors at each layer will inhibit lateral spread if one of the vendor solutions is compromised.

Follow the Mobile Payment Acceptance Guidelines

These guidelines provided by PCI SSC are actually for companies that have already implemented a PCI DSS compliant system within their framework. They allow merchants and application developers to follow a set of best practices to accept and process payment through a mobile device. By following these guidelines, account data cannot be accessed when it is entered into a device, or when it is being stored or processed.

Adopt Best Practices for Skimming Prevention

In the simplest of terms, skimming is a process through which thieves steal your credit or debit card information and use it for their own criminal purposes. Skimming mostly occurs at retail outlets or ATMs, where criminals steal your information using organized tools and technology. The PCI Security Standards Council has issued a set of best practices for the prevention of skimming. It comprehensively defines different situations and techniques of skimming and how these can be prevented.

To make things easier to understand and implement, the PCI Security Standards Council has released a number of Best Practices and Guidelines documents that can help in the implementation of PCI DSS in your organization. These include, but are not limited to, the following:

  • Skimming Prevention Best Practices
  • Risk Assessment Guidelines
  • Cloud Computing Guidelines
  • PCI Compliance Maintenance Best Practices
  • Tokenization Guidelines