The Security Dozen: 12 Requirements for PCI Compliance

Understanding how to be PCI compliant is relatively straightforward; getting there is a little more complex, especially if you don’t have the right tools.

The PCI Security Standards Council outlines 12 specific requirements every business that processes credit cards must meet in order to maintain compliance. These dozen requirements are grouped into six categories.

Let’s look more closely at the requirements for PCI compliance and what each of them means for your business.

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data.

    When configured properly, a firewall lets through all the traffic you want to travel freely on your network and prohibits all other traffic. If a firewall were the TSA, it would be responsible for reviewing all entrants, along with the “carry-ons” attached to them, to make sure they have the proper credentials and aren’t trying to sneak anything suspicious to your devices.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

    A firewall isn’t worth much if you don’t take the time to bolster the security picture of your brand. Many systems ship with default credentials so you can set up your network according to your needs, but these defaults are meant to be replaced with strong, unique passwords that mix letters, numbers, and symbols. Do not skip this important step or all your other security efforts will be wasted.

Protect Cardholder Data

  • Protect stored cardholder data.

    The best way to protect cardholder data is to never store it someplace accessible to you or your team in the first place. Modern industry best practices suggest that end-to-end encryption, where not even you can see the details of your digital transactions, is the way to go. This ensures that, even in the event of a breach, you’ll be protected.
  • Encrypt transmission of cardholder data across open, public networks.

    Ideally, you wouldn’t ever use an open public network to transmit data. You instead want a private network, and you want the transmission itself to be encrypted, giving you double the assurance that cardholder data remains safe.

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs.

    Antivirus software isn’t a set-it-and-forget-it proposition. It’s important to keep your software up to date with the latest security patches: bad actors are constantly exploiting newly discovered vulnerabilities, and product developers fix them just as quickly via updates, so an unpatched system remains exposed.
  • Develop and maintain secure systems and applications.

    Rely on software that’s been proven to protect brand security, with firewalls and mechanisms in place to reduce the risk of a breach. You should have team members or third parties you trust to manage these applications and react instantly if a risk is identified.

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know.

    As we mentioned above, there’s really no good reason to ever have access to the details of your customers’ credit card information. You want only as much cardholder data as is necessary to conduct your operations, no more, no less. This protects you in the event of a breach.
  • Assign a unique ID to each person with computer access.

    If you do have a business case for storing cardholder data, then every individual within your company who would need access to that information should be given a unique user ID. No sharing of passwords is permissible. You want a digital footprint available so you can easily identify any conspicuous behavior and trace potential breaches back to the source.
  • Restrict physical access to cardholder data.

    So much time is spent on the digital aspect of data protection that it’s easy to forget that every computer terminal and storage space is a potential conduit to this data. It’s therefore important to have strict procedures for logging in and out of systems, ensuring that you have physical protections in addition to all the aforementioned digital protections.

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data.

    When you follow the previously mentioned steps, you’ll be in a good position to take note of any irregular traffic patterns. Monitoring the network in this manner is yet another crucial step in protecting your brand, as it enables you to respond at once if a threat is detected.

  • Regularly test security systems and processes.

    Best practices are constantly shifting, so it’s important not to rest on your laurels. Look at your systems as if you were a hacker, constantly putting your network through its paces. Test things from all angles, considering fresh approaches to data breaches that you may not have thought of previously. You can even conduct emergency drills for team members responsible for these processes, thereby ensuring they’ll be prepared when a real threat arises.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors.

    Finally, as a redundancy, you need to make sure all of the above steps are documented in writing. That documentation can and should be kept both physically at your various locations and made available digitally to those who need to access it. Everyone should understand the role they play in maintaining brand security and how important it is to protect cardholder information.

That’s that: the 12 requirements for PCI compliance.

Now that you know, you can see where you might have holes in your defenses and what could be improved. Thankfully, Logic Shield is here to help. Our software is designed from the ground up to meet these requirements and protect your brand (and your customers) from harm.

Let’s talk about how we can work together to ensure the safety and security of your operations.
