As the character Don Draper from the classic TV series “Mad Men” once said, “change is neither good nor bad, it simply is”. Payment card technology brought with it countless new opportunities but also countless new risks. To tackle those risks a new ecosystem of protection tools was created, with its own complexities and problems. To govern this ecosystem, security standards such as the PCI DSS (Payment Card Industry Data Security Standard) were created. Failing to adhere strictly to the PCI DSS requirements can mean fines from the card brands and acquiring banks and, ultimately, the loss of the right to accept credit and debit cards.
What is needed for PCI DSS compliance?
Processing payment card transactions creates and stores sensitive data. The PCI DSS stipulates requirements that ensure such data is stored and handled securely.
Types of data created during payment card transactions
There are two types of data generated during payment card transactions, each with its own PCI DSS rules:
- Sensitive authentication data (SAD), which must not be stored after authorization and must be rendered unrecoverable as soon as the transaction has been authorized, even if it is encrypted. This includes the card verification code printed on the card (CVV2/CVC2/CID), the full track data from the magnetic stripe or chip, and the PIN or PIN block.
- Cardholder data, which may be stored and processed on condition that the organization protects it according to the standard. This includes the Primary Account Number (PAN), the cardholder’s name, the card expiration date and the service code. The PAN is the element that defines the scope: wherever it is stored it must be rendered unreadable (by strong encryption, truncation, keyed hashing or index tokens), while the name, expiration date and service code need protection only when they are stored together with the PAN.
The 12 requirements laid out by the PCI DSS
The PCI DSS specifies 12 obligatory requirements that every merchant and service provider which stores, processes or transmits cardholder data must fully meet. These 12 requirements are usually grouped under 6 goals:
1. Build and Maintain a Secure Network
- Install and maintain a firewall configuration that restricts traffic between untrusted networks and any system in the cardholder data environment, denying all inbound and outbound traffic that is not explicitly required.
- Vendor-supplied defaults (default passwords, default accounts, SNMP community strings) must be changed or removed before a system is placed on the network, on new and existing systems alike, and unnecessary services and protocols disabled.
2. Protect Cardholder Data
- PCI DSS requires that stored PAN be rendered unreadable using methods such as strong encryption, keyed cryptographic hashing of the entire PAN, truncation or index tokens, that PAN be masked when displayed, and that cardholder data be securely deleted once it is no longer needed for business or legal reasons.
- Cardholder data should be encrypted when stored and when transferred. Whenever it is transmitted across open, public networks it must be protected with strong cryptography and secure protocols (TLS 1.2 or later, IPsec, SSH); SSL and early TLS are no longer acceptable.
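The masking, truncation and keyed-hashing controls described above, together with the rule that a full PAN must never be retained in application logs, are shown in the following Python example. It is an added illustration, not code from the original article or from any vendor named here: it Luhn-validates digit runs so that order numbers and timestamps are left alone, masks a PAN to the first six and last four digits for display, truncates it for storage, derives an HMAC-SHA256 token instead of a bare hash, and scrubs PANs out of constructed log lines. The sample PANs are the card brands’ published test numbers, the log lines are constructed for the example, and the HMAC key is a placeholder that in production would be held in an HSM or key-management service.

```python
import hashlib
import hmac
import re

# Constructed inputs. The PANs are the card brands' published test numbers,
# not real accounts; the log lines are made up for this example.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z checkout user=alice pan=4111111111111111 amount=19.99",
    '2024-03-01T10:00:02Z checkout user=bob card="5555 5555 5555 4444" amount=5.00',
    "2024-03-01T10:00:03Z shipment tracking=1234567890123456 status=dispatched",
]

# Placeholder key (assumption for the example): in a real deployment it comes
# from an HSM or KMS and is never stored next to the hashed values.
HASH_KEY = b"replace-me-with-a-kms-managed-key"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: separates plausible PANs from arbitrary 13-19 digit runs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: the first six and last four digits are the most that
    PCI DSS Requirement 3.3 allows to be shown; the rest is replaced."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only the last four digits. The removed segment
    must not be kept in any form (storing a hash of it defeats the truncation)."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[-4:]


def pan_token(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the entire PAN (HMAC-SHA256). A plain SHA-256 of a PAN is
    brute-forceable because the PAN space is small; the secret key removes that."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line: str) -> str:
    """Replace anything that looks like a PAN and passes Luhn with its masked
    form, so that application logs never retain full card numbers."""
    def repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(repl, line)


def scrub_sample_log() -> list[str]:
    """Run the scrubber over the constructed log lines and return the result."""
    return [scrub_log_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(luhn_valid(pan), mask_pan(pan), truncate_pan(pan), pan_token(pan)[:16])
    for line in scrub_sample_log():
        print(line)
```

The Luhn check is what keeps the scrubber from mangling the 16-digit tracking number in the third log line while still catching the space-separated card number in the second; a bare digit regex would do one or the other. Note that the scrubber is a safety net for logs, not a substitute for never writing the PAN in the first place.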
3. Maintain a Vulnerability Management Program
- Install anti-virus/anti-malware software on all systems commonly affected by malware (local and remote), keep its signatures and engine current, run periodic scans and retain its audit logs, so that it protects against both long-known and newly emerging malware.
- Keep all system components and software protected from known vulnerabilities by installing vendor-supplied security patches; critical patches must be installed within one month of release, and other patches on a defined schedule.
4. Implement Strong Access Control Measures
- PCI DSS requires restricting access to cardholder data to authorized personnel on a need-to-know basis, with a default “deny all” setting. A record of each person, their role and their access privileges must be kept and approved.
- A unique identification (ID) must be assigned to each person with access to system components, so that every action on cardholder data can be traced to a known, authenticated individual; shared or generic accounts are not acceptable.
- Physical access to cardholder data or systems containing this data must be restricted.
5. Regularly Monitor and Test Networks
- All access to cardholder data and network resources must be logged: each entry should record the user, event type, date and time, outcome, origin and the affected data or resource. Logs must be reviewed at least daily and retained for at least one year, with the most recent three months immediately available for analysis.
- Every security system, process and piece of software must be tested regularly to find weaknesses before an attacker does: quarterly internal and external vulnerability scans (the external ones by a PCI-approved scanning vendor), a penetration test at least annually and after any significant change, and file-integrity monitoring on critical system files.
6. Maintain an Information Security Policy
- Maintain an information security policy that applies to all personnel (employees, vendors, contractors, etc.). The policy should include, for example, regular security awareness training, making sure all personnel understand their responsibility to protect sensitive data, and background checks before hiring.
Top 12 PCI Compliance Solutions
We will now discuss the top 12 solutions for ensuring PCI DSS compliance.
SIEM (Security Information and Event Management) Solutions
EventLog Analyzer
Pricing: Free Edition; Premium Edition - $595; Distributed Edition - $2,495
EventLog Analyzer encrypts and retains all of the log data created by network systems, applications and devices in a centralized repository. It is suited to businesses of all sizes. However, log correlation is complex to configure, and integration with other security tooling is limited.
CrowdStrike Falcon X
Pricing: Starts at $25.00 per endpoint per year
CrowdStrike Falcon X is a cloud-delivered endpoint protection service with detection, response and threat-hunting capabilities. The solution is designed for businesses of all sizes but may be cost-prohibitive for small businesses. Moreover, the agent’s cloud telemetry demands significant bandwidth.
Event Manager
Pricing: Free version; annual license starts at $9,000
Event Manager streamlines data from different sources into one central location, then merges and normalizes it to distinguish harmful activity from benign activity. It is suited to small and mid-size businesses, but lacks the ability to drill down into individual events.