How to make your organisation PCI compliant

PCI Compliant

If your organisation is PCI compliant, it meets the requirements of the Payment Card Industry Data Security Standard – commonly referred to as PCI-DSS. This is a set of standards developed by the PCI Security Standards Council with the aim of making payments and payment account information safer.

Why is PCI-DSS a cybersecurity issue?

Payment information is a key target for cybercriminals. It can provide access to people’s money or credit. However, it can also allow access to data that can be used for identity theft, like birthdates, driver’s licence numbers, and passport numbers. Many Australian organisations hold or handle payment data for individuals or other businesses, making PCI compliance a critical component of cybersecurity.

What are the PCI-DSS requirements?

PCI-DSS 4.0 has 12 base requirements, listed under 6 broad organisational goals.

Build and maintain a secure network and systems

  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.

Protect account data

  1. Protect stored account data.
  2. Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program

  1. Protect all systems and networks from malicious software.
  2. Develop and maintain secure systems and software.

Implement strong access control measures

  1. Restrict access to system components and cardholder data by business need to know.
  2. Identify users and authenticate access to system components.
  3. Restrict physical access to cardholder data.

Regularly monitor and test networks

  1. Log and monitor all access to system components and cardholder data.
  2. Test security of systems and networks regularly.

Maintain an information security policy

  1. Support information security with organisational policies and programs.

How do I build PCI compliance?

The PCI Security Standards Council recommends a prioritised approach with 6 distinct milestones. We’ve summarised the key action points for these milestones.

Milestone 1: Do not store sensitive authentication data and limit cardholder data retention

The less sensitive data that you store, the less is at risk if your system is compromised by hackers. If you don’t need it, don’t store it.

Milestone 2: Protect systems and networks and be prepared to respond to a system breach

Control points of access to your data:

  • Create an incident response plan and assign a team responsible for carrying it out.
  • Restrict network access to the cardholder data environment and control traffic between trusted and untrusted networks.
  • Use intrusion detection software to monitor network traffic at key points and alert the incident response team.
  • Protect endpoints like user laptops and mobiles.
  • Use malware and phishing protection software, and regularly scan for vulnerabilities.
  • Introduce account management and authentication procedures, including multi-factor authentication for any accounts that have access to sensitive data.
  • Restrict access to physical data points like servers, network jacks, USB sticks, and the like.

Milestone 3: Secure payment applications

Make sure that applications, application processes, and application servers are secured against intrusions:

  • Develop any custom applications following industry standards and best practices for secure development.
  • Identify and address security vulnerabilities.
  • Protect public-facing applications with an automated tool that detects, prevents, and creates alerts about attacks.
  • Separate production and pre-production environments.

If intruders can access these areas, they can compromise your systems and obtain access to cardholder data.

Milestone 4: Monitor and control access to your systems

Detect who, what, when, and how access is being granted to your network and data:

  • Assign appropriate access to staff, and use an access control system to enforce it.
  • Create an authentication policy and communicate it to users.
  • Strictly manage application and system accounts.
  • Keep and regularly review audit logs.
  • Identify and monitor wireless access points.
  • Use a change detection tool to check critical files and alert you if they’ve been modified.

Milestone 5: Protect stored cardholder data

Implement key protection mechanisms for stored primary account numbers:

  • Restrict when the account number is displayed and the ability to copy it.
  • Keep the primary account number strongly encrypted when stored.
  • Manage access to media that contains cardholder data.

This is applicable to organisations that have analysed business processes and determined that they must store primary account numbers.

Milestone 6: Complete remaining compliance efforts, and ensure all controls are in place

Finish all remaining related policies, procedures, and processes needed to protect your data:

  • Implement security awareness training for all personnel.
  • Document security policies and operational procedures, make them available to staff, and keep them up to date.
  • Document a change control process.
  • Conduct regular security reviews and audits.
  • Appoint a person responsible for information security.

How can I get everyone on board with data protection?

Becoming completely PCI compliant requires an organisation-wide, not just system-wide, approach to security and data protection. People need to understand why you’re implementing changes, so they’ll work with you rather than against you. Quality cybersecurity awareness training can help you communicate the need for better data protection measures and minimise human error-related security incidents in your organisation.

About PhishNet

PhishNet delivers highly effective, engaging, and affordable cybersecurity awareness training to help businesses mitigate the risks of human error data breaches.

Talk to PhishNet today to learn more, or click here to download our eBook How to Prevent Cybersecurity Breaches cause by Human Error.

Photo by Towfiqu barbhuiya on Unsplash