Does Your Business Handle Cardholder Data? Here’s an Essential Overview of the PCI DSS
In the past few months, a number of companies, including Target, Michaels, and Neiman Marcus, have disclosed data breaches. Breaches are becoming an increasingly common occurrence, but many of the weaknesses they exploit are addressed by the controls in the Payment Card Industry Data Security Standard (PCI DSS).
An Introduction to the PCI Data Security Standard
The PCI Data Security Standard consists of twelve technical and operational requirements designed to protect cardholder data, grouped into six control objectives. Here is an overview of the control objectives and the PCI DSS requirements under each:
Control Objective: Build and Maintain a Secure Network
- Install and maintain a firewall configuration that protects cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Control Objective: Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt cardholder data during transmission across open, public networks.
Control Objective: Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software on all systems commonly affected by malware.
- Develop and maintain secure systems and applications.
Control Objective: Implement Strong Access Control Measures
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Control Objective: Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Test security systems and processes on a regular basis.
Control Objective: Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
What Entities Must Comply with PCI DSS?
All entities involved in payment card processing, including financial institutions, merchants, processors, and service providers, must comply with PCI DSS. If you store, process, or transmit cardholder data and/or sensitive authentication data, you must comply. The PCI DSS applies to the cardholder data environment (CDE): the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, together with the system components connected to it.
Systems in the Cardholder Data Environment
The following system components are in scope when they are located in, or connected to, the cardholder data environment:
- Systems that provide security services, such as authentication servers.
- Systems that facilitate segmentation, such as internal firewalls.
- Systems that may affect the security of the CDE, such as name-resolution or web-redirection servers.
- Network components, including switches, routers, firewalls, wireless access points, network appliances, and various security appliances.
- Virtualization components, including virtual machines, virtual appliances, virtual applications/desktops, hypervisors, and virtual switches and routers.
- Applications, including purchased or custom applications and internal or external applications.
- Server types, including web, database, application, proxy, mail, authentication, Network Time Protocol (NTP), and Domain Name System (DNS) servers.
- All devices or components within or connected to the cardholder data environment.
This list is illustrative rather than exhaustive; the boundary of the cardholder data environment is set by where cardholder data actually flows, so entities must identify every system and person that stores, processes, transmits, or can affect cardholder data. Network segmentation can reduce that scope, but it is not itself a PCI DSS requirement, and any segmentation relied on must be verified to be effective. Compliance is also a continuous, business-as-usual activity rather than a once-a-year assessment: entities should apply the PCI DSS day to day instead of waiting for security problems to arise. Ultimately, security should be a top priority for all entities involved in payment card processing.
The PCI DSS also requires that third-party service providers be taken into account: each provider must either validate its own compliance through a PCI DSS assessment of its own and provide evidence of it to its customers, or have the services it delivers reviewed as part of each customer's PCI DSS assessment.
To learn more about PCI DSS compliance, please view the PCI DSS Requirements and Security Assessment Procedures Version 3.0 at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.
For information on how to protect your customers’ data, give us a call at (415) 963-9900 or send us an email at firstname.lastname@example.org. Tech Officers can help you secure your systems and ensure PCI DSS compliance.