This is our suggested 12-step plan to help you become compliant with the new PCI DSS 4.0 standard, if you process or store cardholder data in your network.
Of course, this is a high-level, simplified view, but it will help you organise your thinking. Breaking complicated issues into manageable chunks is a good way to stop them from overwhelming you.
If you have nothing more than a couple of terminals that were provided by your bank or other payment partner, that are encrypted end-to-end, and no cardholder data travels or is stored in your regular network, the good news is a lot of what’s presented below won’t apply.
But still, take note of the sections that mention procedures, policies, logging, and documentation. You’ll still have to satisfy those requirements for any applicable sections.
1. Install and Maintain a Firewall
- Configure your firewall and routers to protect your payment cardholder data environment.
- Establish firewall and router rules and policies.
- Document these rules and policies.
2. Eliminate Vendor Default Settings
- Always change the default settings on hardware such as servers, network devices such as Wi-Fi routers and firewalls, and on software systems.
- Document your configuration security hardening procedures.
3. Protect Stored Cardholder Data
- Understand and document where your cardholder data is stored, for how long, and whether it is transmitted elsewhere.
- All cardholder data must be encrypted using industry-accepted algorithms and security keys.
- Card numbers should only be displayed in a compliant fashion, for example by masking all but the first six or last four digits.
- Implement appropriate technical measures to safeguard the cardholder data, such as Managed Detection and Response systems, Managed Extended Detection and Response systems, intrusion and threat detection systems, DMARC anti-phishing measures, and so on.
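As an added illustration of the masking rule above, and of confirming that full card numbers have not leaked into the logs that later sections require you to keep, the following Python is example code written for this article (not from the PCI standard or from Pro-Networks). The log lines are constructed, the card numbers in them are well-known public test numbers, and a Luhn check is used to separate real PAN candidates from other long digit strings.

```python
import re

# Constructed sample log lines (not from the original article). The 16-digit
# values are public test card numbers, not real cards; line 3 is a session id
# that happens to be 16 digits and should NOT be treated as a PAN.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO checkout ok order=1001 pan=4111111111111111 amount=19.99
2024-03-01T10:00:02Z INFO checkout ok order=1002 pan=411111******1111 amount=5.00
2024-03-01T10:00:03Z DEBUG trace id=1234567890123456 session=abc
2024-03-01T10:00:04Z INFO refund order=1003 pan=5500000000000004 amount=2.50
"""

# Candidate PANs: 13 to 19 consecutive digits not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep first six and last four, star out the middle."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(line: str) -> list:
    return [m.group(0) for m in PAN_RE.finditer(line) if luhn_valid(m.group(0))]


def scan_log(text: str) -> tuple:
    """Return (redacted_text, [(line_no, [pans...]), ...]) for a log body."""
    findings, redacted = [], []
    for n, line in enumerate(text.splitlines(), 1):
        hits = find_unmasked_pans(line)
        for pan in hits:
            line = line.replace(pan, mask_pan(pan))
        redacted.append(line)
        if hits:
            findings.append((n, hits))
    return "\n".join(redacted), findings


if __name__ == "__main__":
    text, found = scan_log(SAMPLE_LOG)
    print(found)
    print(text)
```

Any non-empty `findings` list means a full PAN reached a log file and the log source, not just the log, needs fixing.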
4. Encrypt Payment Data Transmissions
- Card payment data must be encrypted when it is transmitted over a network, whether it's an open, closed, private, or public network.
- Understand what types of transmissions take place. Do you use a payment gateway or an external payment processor, for example?
5. Endpoint Protection Security
- Endpoint Security software must be deployed to protect against viruses and other malware.
- Make sure you protect servers, workstations, and laptops, and don’t forget mobile devices such as tablets and phones.
- The endpoint security software must always be running, centrally managed, and updated regularly with the latest signatures.
- Staff must not be able to defer updates.
- The endpoint protection software must create logs that are auditable.
6. Deploy Secure Systems and Applications
- Create processes that let you identify and classify risks associated with technology changes and roll-outs.
- Use those processes to conduct a thorough risk assessment regarding the systems and processes that safeguard your card data processing and storage activities. Don’t forget to consider physical access to the cardholder data environment.
- Address any identified risks. Often, this can be as simple as patching and updating outdated software and firmware, or replacing deprecated and unsupported technologies.
- Remember to include point-of-sale terminals in your risk assessment.
7. Enforce Role-Based Access Rights
- The access rights to cardholder data must be controlled by permissions and allocated according to roles and responsibilities. The principle of least privilege must be applied.
- A documented business requirement must exist for each type of access.
- Develop, document, and apply access control policies and procedures. Don’t forget to address controlling physical access to the cardholder data environment.
- Record all users who have access, what their level of access is, and why, and make sure it is kept up to date.
8. Use Unique User IDs
- Each user must have their own unique username.
- All access must be secured with credentials and multi-factor authentication.
9. Control Physical Access to the Data
- Control physical access to cardholder data, including operational areas, server rooms, and, if you have any, physical files.
- Use video cameras and general electronic monitoring to record who accesses a restricted area. Recordings and logs must be kept for at least 90 days.
- Your governing processes must distinguish between employees and visitors.
- Portable media containing cardholder data must be physically secured, and destroyed when there is no compelling business need to retain it.
10. Monitor Network Access
- Network activity logs must be kept and sent to a centralised server for daily review.
- A Security Information and Event Management (SIEM) tool will help with logging system activity, and will monitor for suspicious activity.
- Log files must be maintained for at least one year, and must form a time-ordered audit trail.
11. Penetration and Vulnerability Testing
- External IPs and domains need to be scanned by a PCI Approved Scanning Vendor (ASV).
- You must scan for unofficial Wi-Fi access points quarterly.
- Internal vulnerability scans must be conducted quarterly, and remedial action taken on identified vulnerabilities.
- At a minimum, a thorough penetration test must be performed, and remedial action taken on identified risks and vulnerabilities.
12. Create, Maintain, and Follow an Information Security Policy
- Your infosec policy must be company-wide, and cover employees, management, and relevant third parties such as contractors.
- The policy must be reviewed regularly, and at least annually.
- Annual security awareness training is mandatory, as are background checks on new employees.
Act Now, Don’t Delay
You can refer to the new standard here.
As soon as you can, discuss PCI DSS 4.0 with your PCI service provider. You need to establish what responsibility sits with them, and what sits with you.
Be mindful that even if you have the simplest possible set-up, with end-to-end encrypted payment terminals that avoid any cardholder data passing through your regular network, you’ll still need to address some of the requirements for policies, documentation, and logging.
Of course, Pro-Networks are ready to assist. If you’ve got any questions or concerns, just let us know. We’re always pleased to help.