14 best practices for your business


I have worked in the payments industry for over 15 years as a system administrator and have spent the majority of my career working in Payment Card Industry Compliance, which covers the security requirements of companies handling credit card data.


PCI compliance is a very complex area with guidelines that organizations in the industry must adhere to in order to authorize payment processing.

What is PCI Compliance?

PCI compliance is a framework based on requirements established by the Payment Card Industry Security Standards Council to ensure that any company that processes, stores or transmits credit card information maintains a secure operating environment to protect its business, customers and confidential data.

Known as the Payment Card Industry Data Security Standard, the guidelines were published on September 7, 2006 and directly affect all major credit card companies.

PCI SSC was created by Visa, MasterCard, American Express, Discover and the Japan Credit Bureau to administer and manage PCI DSS. Companies that adhere to PCI DSS have demonstrated PCI compliance and can therefore be trusted as business partners.

All merchants that process more than 1 million or 6 million payment card transactions per year and service providers that store, transmit or process more than 300,000 card transactions per year must be audited for PCI DSS compliance. The scope of this article is for companies covered by this annual audit.

It’s worth noting that PCI compliance doesn’t guarantee that data breaches won’t happen, any more than a fire-code-compliant home is completely fire-safe. It simply means that the company’s operations are certified against strict security standards, so that these organizations provide the best possible protection against threats, earn the highest level of trust from their customers, and satisfy regulatory requirements.

Failure to comply with PCI requirements can result in severe financial penalties ranging from $5,000 to $100,000 per month. Businesses that are compliant at the time of a data breach can expect significantly reduced fines.

14 PCI Best Practices for Your Business

1. Know your cardholder data environment and document everything you know

There should be no surprises when it comes to implementing PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server running somewhere or a bunch of mysterious accounts.


2. Take a proactive approach and enforce security policies everywhere

It is a huge mistake to think of PCI compliance security as something that can be “glued on” afterwards or applied only where requested. The concepts must be baked into the entire environment from the ground up. Items such as requiring multi-factor authentication in production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and mandating regular password changes should be implemented up front. The more security-conscious an organization is, the less work needs to be done when audit time arrives.

3. Conduct employee background checks on employees handling cardholder information

All potential employees should be thoroughly vetted, including background checks on those who work with cardholder data, either directly or in an administrative or support role. Any applicant who has been charged with a serious crime should be rejected, especially if it involves financial crimes or identity theft.

4. Creation of a centralized cyber security authority

Good PCI compliance requires a central body that serves as the decision-making authority for all enforcement, governance, and recovery efforts. This is typically the IT and/or cyber security department, which is where staff trained in this area and familiar with PCI requirements should reside.

5. Implementation of strong security environmental controls

Strong security controls must be in place across all elements that manage cardholder data systems. Use firewalls, NAT, segmented subnets, anti-malware software, complex passwords (do not use default system passwords), encryption and tokenization to protect cardholder data.

As an additional tip, keep the scope of the cardholder data environment as small as possible, with dedicated networks and resources, so that the pool of resources you must secure is as small as possible.

For example, don’t allow development accounts to access production (or vice versa), because the development environment would then be considered in scope and subject to the same enhanced security requirements.

6. Implement the least privileged access required

Use dedicated user accounts when performing administrative work on cardholder systems, not root or domain administrator accounts. Make sure users are given only the minimum access they need, even those with administrative roles. If possible, rely on “user-level accounts” for day-to-day work and separate “privileged accounts” that are used only to perform elevated tasks.


7. Perform logging, monitoring and alerting

All systems must rely on centralized logging of operational and access data. This logging should be comprehensive but not overwhelming, and a monitoring and alerting process should be in place to notify appropriate personnel of audited or potentially suspicious activities.

Examples of alerts include too many failed logins, a locked account, someone logging in directly to a host as root or administrator, a root or administrator password change, an unusually high amount of network traffic, and anything else that could be considered a potential or incipient security breach.
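The alert conditions listed above, applied to a few constructed auth-log lines as an added example (not code from the original article): the script flags a burst of failed logins from one source, an account lockout, a direct root login, and a root password change. The log lines, the hostname and the threshold of 5 failures are all assumptions made for the illustration; the network-traffic alert is out of scope here because it needs flow data rather than auth logs.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (syslog style; not from any real system).
SAMPLE_LOG = """\
Jan 10 10:00:01 pay-app01 sshd[4101]: Failed password for invalid user admin from 10.0.5.7 port 5501 ssh2
Jan 10 10:00:03 pay-app01 sshd[4102]: Failed password for invalid user admin from 10.0.5.7 port 5502 ssh2
Jan 10 10:00:05 pay-app01 sshd[4103]: Failed password for alice from 10.0.5.7 port 5503 ssh2
Jan 10 10:00:07 pay-app01 sshd[4104]: Failed password for alice from 10.0.5.7 port 5504 ssh2
Jan 10 10:00:09 pay-app01 sshd[4105]: Failed password for alice from 10.0.5.7 port 5505 ssh2
Jan 10 10:00:12 pay-app01 sshd[4106]: pam_faillock(sshd:auth): Consecutive login failures for user alice account temporarily locked
Jan 10 10:02:30 pay-app01 sshd[4110]: Accepted publickey for root from 10.0.9.2 port 6001 ssh2
Jan 10 10:03:15 pay-app01 passwd[4120]: pam_unix(passwd:chauthtok): password changed for root
Jan 10 10:05:00 pay-app01 sshd[4130]: Accepted publickey for bob from 10.0.9.3 port 6002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
PWCHANGE_RE = re.compile(r"password changed for (\S+)")
LOCKED_RE = re.compile(r"for user (\S+) account temporarily locked")

PRIVILEGED = {"root", "administrator"}   # direct use of these accounts is alert-worthy
FAILED_LOGIN_THRESHOLD = 5               # assumed threshold per source address

def detect_alerts(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Scan log lines in order and return (alert_type, detail) tuples."""
    alerts = []
    failures_by_source = Counter()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures_by_source[m.group(2)] += 1
            if failures_by_source[m.group(2)] == threshold:   # alert once, when the threshold is hit
                alerts.append(("too_many_failed_logins", m.group(2)))
        elif m := LOCKED_RE.search(line):
            alerts.append(("account_locked", m.group(1)))
        elif m := ACCEPTED_RE.search(line):
            if m.group(1).lower() in PRIVILEGED:               # direct root/administrator login
                alerts.append(("direct_privileged_login", f"{m.group(1)} from {m.group(2)}"))
        elif m := PWCHANGE_RE.search(line):
            if m.group(1).lower() in PRIVILEGED:               # root/administrator password change
                alerts.append(("privileged_password_change", m.group(1)))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

In a real deployment the same logic would run against the centralized log store and hand each tuple to the alerting system that notifies the on-call staff.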

8. Implement software update and repair mechanisms

Thanks to step 1, you know which operating systems, applications and devices are running in your cardholder data environment. Make sure they are updated regularly, especially when critical vulnerabilities appear. IT and cyber security staff should subscribe to vendor alerts so that they receive notification of these vulnerabilities along with details of the patches that address them.

9. Perform standard system and application configurations

All systems built in a cardholder environment, as well as the applications running on them, must be produced from a standard build, for example a live template. There should be as little variation and divergence between systems as possible, especially between redundant or clustered systems. This live template must itself be regularly patched and maintained to ensure that new systems generated from it are fully secure and ready to deploy.

10. Complete a departing employee checklist

Too many organizations do not properly track employee departures, especially when there are different departments and environments. HR should be tasked with notifying all application and environment owners of employee departures so that their access can be effectively terminated.

The IT and/or cyber security department should compile and maintain a comprehensive checklist of every system and environment to which employees handling credit card information have access, and follow every step on it to ensure 100% removal of access.

Do not delete accounts; instead, disable them, as PCI auditors often require verification of disabled accounts.



11. Use of secure data destruction methods

When disposing of cardholder data, a secure data destruction method must be used in accordance with the requirements. This can involve software-based or hardware-based processes, such as secure file deletion or disk/tape destruction. Destruction of physical media often requires evidence showing that it was properly carried out and witnessed.

12. Perform a penetration test

Arrange for in-house or external penetration tests to check your environment and make sure everything is sufficiently secure. You’d much rather find any errors you can fix yourself before a PCI auditor does.

13. Educate your user base

Comprehensive user training is essential to maintaining secure operations. Educate users on how to securely access and/or manage cardholder data, recognize security threats such as phishing or social engineering, secure workstations and mobile devices, use multi-factor authentication, detect anomalies, and, most importantly, whom to contact to report any suspected or confirmed security breach.

14. Prepare to cooperate with auditors

Now we come to audit time, where you meet with a person or team whose goal is to assess your organization’s PCI compliance. Don’t be nervous or fearful; these people are here to help you, not spy on you. Give them everything they ask for and only what they ask for – be honest but minimal. You are not hiding anything; you are simply providing only the information and answers that adequately meet their needs.

Also, keep evidence such as screenshots of settings, system vulnerability reports, and user lists, as they may be useful in future audit work. Act on all of their suggestions for remediation and changes as quickly as possible, and be prepared to provide evidence that this work has been completed.

Carefully review proposed changes to ensure they do not negatively impact your operating environment. For example, I have seen scenarios where TLS 1.0 was requested to be removed in favor of newer TLS versions, but applying this recommendation would have broken the connection with older systems and caused an outage. These systems first had to be upgraded to meet the requirements.

Source: https://www.techrepublic.com/article/pci-compliance-security-guide/