“If everyone is moving forward together, then success takes care of itself.” – this is the core belief of Pavel and his team of highly experienced professionals in Seven Security Group. And this is extremely valid when we talk about developing the highest possible security standards for emerging fintech companies. Pavel wrote for us an insightful article that will help you to understand why PCI compliance is like having a child. Enjoy the read!
PCI DSS 101
The Payment Card Industry Data Security Standard (PCI DSS) governs the security of cardholder data and, as such, adds a layer of security over your operations, processes, technology and people. The standard is maintained by VISA, Mastercard, AMEX, Discover and JCB and applies to Merchants and Service Providers alike, with some variation in the level of compliance (by annual number of transactions) and in the number of requirements to adhere to (depending on what you do with the cardholder data and how you do it).
Do you need to be PCI DSS compliant?
The short answer is yes, if your business stores, processes and/or transmits card (debit or credit) data. Chances are PCI DSS compliance is required of you by the acquirers, issuers and other payment service providers your business interacts with.
Why do it?
Apart from being mandatory, complying with the standard also has merits that one should consider. As more and more transactions are being facilitated through online, contactless and other non-cash-in-hand means, the importance of card data is constantly increasing. And so is the appetite of hackers for other people’s money. To counteract and protect against it, PCI compliance gives you that layer of security, which is based on probably the most comprehensive, detailed and robust security standard out there. Besides your heightened state of serenity, your reputation will benefit too, with your customers able to trust you with their money instead of, say, the competition.
Beware, you may be penalized
Being more trustworthy is all very nice, but that’s not all. Without PCI DSS compliance, you run the risk of losing data, thus having to answer for its loss, facing penalties and ultimately risking having your card-payment processing privileges revoked altogether.
How is it achieved?
The PCI DSS engagement starts with understanding the scope of technology, processes and people that need to comply with the standard’s requirements. This is where Qualified Security Assessor (QSA) companies come into play: the only officially recognized authority for validating your claim of compliance.
As a second step, your business undergoes a Gap Analysis against the 12 major PCI DSS requirements:
- Install and maintain a firewall configuration to protect cardholder data – this is designed to protect your data processing facilities and software applications from unauthorized access.
- Do not use vendor-supplied defaults for system passwords and other security parameters – this one is almost self-explanatory. If you can read what the default password is in a vendor-supplied manual, so can any hacker.
- Protect stored cardholder data – yes, the more protected the storage, the less chance of it being stolen.
- Encrypt transmission of cardholder data across open, public networks – the Internet is one big, open (and public) network, with hackers standing in as man-in-the-middle, i.e. eavesdropping on your traffic. Encrypt it and make their lives hard.
- Use and regularly update antivirus software – needless to say, attackers come up with new ways to break in all the time. Your antivirus can stop them, but it needs to constantly know what new ways the attackers have cooked up to steal your data.
- Develop and maintain secure systems and applications – all of the above are not always enough. You need to implement security in designing and developing your systems and applications.
- Restrict access to cardholder data by business need-to-know – do not make the circle of people that can access the data bigger than it absolutely needs to be. The more people know, the more chance of one of them telling (or stealing).
- Assign a unique ID to each person with computer access – yes, accountability cannot be transferred, thus you want to know who is doing what with card data at all times. Being able to identify the “who” is the trick here.
- Restrict physical access to cardholder data – unrestricted physical access to data can facilitate all sorts of issues, such as but not limited to physical theft and/or destruction of equipment, service interruption and various outages.
- Track and monitor all access to network resources and cardholder data – just like with requirement 8, recording activities and knowing is half the solution to an incident. It also serves as a deterrent for ill-minded actions.
- Regularly test security systems and processes – even “if it ain’t broke”, fix it. Some processes and systems are seldom-to-never used and some are used as fail-over provision. How do you know they will do the job when/if the time comes? Testing, testing, testing. So that you don’t forget, PCI requires you to periodically perform penetration testing, segmentation testing, Approved Scanning Vendor (ASV) testing and internal vulnerability testing.
- Maintain a policy that addresses information security – the first place where you can ensure your business objectives and strategy are properly addressed by security measures. The policy is the “mother” of everything else you do in information security – your standards, procedures and instructions, guidelines. PCI DSS compliance starts and ends here.
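Requirements 3 and 10 above have a very practical side: cardholder data tends to leak into places nobody intended, such as application logs, and finding it is the first step to protecting it. The following Python scanner is an added example, not code from the article or from Seven Security Group. It looks for PAN-like digit runs in log text, applies the Luhn check to cut false positives (order numbers, timestamps and latency counters are not card numbers), and masks anything that survives to at most the first six and last four digits, which is the masking limit PCI DSS allows when a PAN is displayed. The log lines are constructed for this example and the card numbers in them are public test numbers, not real cardholder data.

```python
import re
from typing import List, Tuple

# Constructed sample log lines. The PANs are well-known public test numbers
# (e.g. 4111111111111111) and exist only to exercise the scanner.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z app INFO checkout ok order=1234567890123456 pan=4111111111111111",
    "2024-03-01T10:00:02Z app DEBUG gateway payload card=3782 822463 10005 exp=12/27",
    "2024-03-01T10:00:03Z app INFO refund pan=4111-1111-1111-1111 amount=10.00",
    "2024-03-01T10:00:04Z app INFO healthcheck latency_ms=1234567890123",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every payment card PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators so '4111-1111-1111-1111' and '4111111111111111' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the normalized PANs in text: 13 to 19 digits and Luhn-valid."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the rest (PCI DSS display-masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in a line with its masked form; return (new line, count)."""
    count = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)       # not a PAN: leave the text untouched

    return PAN_CANDIDATE.sub(_sub, line), count


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line number, PAN count, redacted line) for every line that contained a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        redacted, count = redact_line(line)
        if count:
            hits.append((n, count, redacted))
    return hits


if __name__ == "__main__":
    for n, count, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) found -> {redacted}")
```

Run it as-is to see which of the four constructed lines get flagged: lines 1 to 3 carry a real (test) PAN, while the sixteen-digit order number and the thirteen-digit latency value fail the Luhn check and are left alone. In practice the same two functions, `find_pans` for detection and `redact_line` for masking, would sit in a log pipeline or a periodic scan of the cardholder data environment; a hit in a system you thought was out of scope is exactly the kind of finding a QSA will want explained.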
With the gaps addressed and all requirements met, the Formal Assessment stage begins. All documents and evidence are gathered, organized and filed. Your people are interviewed and everything is explained in a Report on Compliance (ROC) and summarized in an Attestation of Compliance (AOC), which are the only valid documents proving your compliance.
When does it all end?
It never really does. One may say that achieving PCI compliance is similar to bringing a child into this world – giving birth is the hard part. After that, there are only the birthdays to keep busy with. Yes, compliance validation is an annual thing, with most of the stages remaining the same: testing, ROC, AOC, the whole nine yards.
The good news is that QSA companies are here to help. Talk to one, not only to get assessed but also to get oriented. Make sure you understand what lies ahead and what your involvement is expected to be.
About the author:
Pavel Kaminsky, Partner and Head of Operations of Seven Security Group.
PCI QSA, CISSP, CISA, CEH, Information Security expert, auditor, penetration tester, regular lecturer at various conferences in the country and abroad, founder, partner and operational director of Seven Security Group – an Information Security company that is also the first QSA company in Bulgaria certified by the PCI Security Standards Council.