PCI DSS imposes 12 requirements on every organization that processes, stores or transmits cardholder data. None of them is exotic: they are standard security controls that reward attention to detail and sound risk management.
1. Install and maintain a firewall configuration to protect cardholder data.
Have a documented firewall configuration policy that protects cardholder data (deny all traffic by default and permit only what is explicitly needed, in both directions), and a plan for testing that the deployed rules actually enforce it.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
The simplest way to meet this is not to store the full primary account number (PAN) at all, on paper or on disk. Where a PAN must be retained it has to be rendered unreadable wherever it is stored, by truncation, index tokens, strong one-way hashing or strong encryption with properly managed keys. Sensitive authentication data (full magnetic-stripe or chip data, the CVV2/CVC2 code, PINs) may never be stored after authorization, even encrypted. When a PAN is displayed, show no more than the first six and last four digits unless a specific business need requires more.
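An added example, not code from the original page: the two ways of rendering a stored PAN unreadable that the text mentions (truncation to first six/last four, and a keyed one-way hash), plus a scanner that finds Luhn-valid card numbers left in the clear in logs or exports, which is how you discover PANs being stored where they should not be. The sample text and the demo key are constructed for illustration; a real key would live in an HSM or key-management service.

```python
import hashlib
import hmac
import re

# Constructed sample text for the scan below: one application log line and one
# support-ticket note, using well-known test card numbers, not real cards.
SAMPLE_TEXT = """\
2024-03-01T10:15:02Z order=88213 card=4111-1111-1111-1111 status=approved
ticket 5512: customer phone 415-555-0100, quoted ref 1234567890123456
"""


def luhn_valid(pan: str) -> bool:
    """True if pan (digits only, 13-19 long) passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2  # and digit-summed (e.g. 7 -> 14 -> 5)
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render a PAN unreadable by truncation: keep at most the first six and
    last four digits, which is the most PCI DSS permits to be retained."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, secret_key: bytes) -> str:
    """Render a PAN unreadable with a keyed one-way hash (HMAC-SHA256).

    An unkeyed hash is not enough: once the six-digit BIN is known, the
    remaining digits and the Luhn constraint leave on the order of 10**9
    candidates for a 16-digit PAN, which is brute-forceable. Keep the key
    out of the database that holds the hashed values."""
    return hmac.new(secret_key, pan.encode(), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_cleartext_pans(text: str) -> list[str]:
    """Scan free text (logs, exports, ticket notes) for Luhn-valid card numbers.
    The Luhn filter discards most false positives such as order or reference numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    key = b"demo-key-do-not-use-in-production"   # assumed: a real key comes from an HSM/KMS
    for pan in find_cleartext_pans(SAMPLE_TEXT):
        print(f"cleartext PAN found; store as {truncate_pan(pan)} "
              f"or as keyed hash {hash_pan(pan, key)[:16]}...")
```

Run the scanner over log directories, database dumps and shared drives, not just the application database: the text's point is that PANs also turn up outside the systems you think of as cardholder data storage.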
4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
Cardholder data must be protected with strong cryptography (for example TLS with current protocol versions and cipher suites) whenever it crosses a network you do not control: the Internet, wireless networks, cellular and satellite links. Never send a PAN unprotected through end-user messaging such as e-mail, instant messaging or SMS. Several widely reported breaches of large retailers captured card data in the clear on point-of-sale systems; point-to-point encrypting (P2PE) devices, which encrypt at the card reader, remove that exposure.
5. Use and regularly update anti-virus software or programs.
Malicious software ("malware") includes viruses, worms and Trojans. It enters a network during many business-approved activities, including employee e-mail, web browsing, and the use of laptops and removable storage devices. Anti-virus software must be deployed on all systems commonly affected by malware, must be kept updated and running with its logs retained, and must not be disabled by users, so that new forms of malicious software are caught.
6. Develop and maintain secure systems and applications.
Keep up to date with new security vulnerabilities that may affect your environment; sources include vendor websites, industry news groups and mailing lists. Once you identify a vulnerability that could affect your environment, evaluate and rank the risk it poses, so that you address the highest-risk items first and reduce the likelihood that the most serious vulnerabilities are exploited. Apply vendor security patches promptly: PCI DSS requires critical patches within one month of release. Custom software is covered too; develop it against the common coding vulnerabilities (injection, broken authentication, insecure cryptographic storage and the like) and review code for them before release.
7. Restrict access to cardholder data by business need-to-know.
Have systems and processes in place that limit access based on need to know and job responsibility, with access denied by default unless explicitly granted. "Need to know" means granting only the least amount of data and the least privilege needed to perform a job.
8. Assign a unique ID to each person with computer access.
Assigning a unique ID to each person ensures that each individual is uniquely accountable for their actions. This allows you to trace actions taken on critical data and systems to known and authorized users and processes. This requirement applies to all accounts, including point-of-sale accounts, all accounts used to view or access cardholder data or to access systems with cardholder data, and accounts used by vendors and other third parties (for example, for support or maintenance).
9. Restrict physical access to cardholder data.
Physical access to data or systems that store cardholder data provides the opportunity for individuals to remove systems, electronic media or hard copies containing cardholder data, and should be appropriately restricted. This applies to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the premises. It also applies to a vendor, guest, service workers, or anyone who needs to enter the facility for a short duration.
10. Track and monitor all access to network resources and cardholder data.
Logging and the ability to reconstruct user activity are critical for detecting a compromise and limiting its impact (logging does not itself prevent a breach; it is what lets you detect and investigate one). Logs in every part of the environment allow tracking, alerting and analysis when something goes wrong; without system activity logs, determining the cause of a compromise is very difficult, if not impossible. Each audit entry should record who acted, what they did, when, whether it succeeded, where the request came from and which data or system was affected, and clocks must be synchronized so events can be correlated across systems. Access to the logs must be restricted and their integrity protected with file-integrity monitoring or change detection, so that an attacker who gets in cannot alter or delete them, and the logs must be reviewed regularly: at least daily for security events and for systems that store, process or transmit cardholder data.
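An added example, not code from the original page, illustrating the two halves of this requirement: change detection on a log (a keyed hash chain, so that editing, reordering or deleting an entry is detectable, and a copy of the final MAC kept off-host catches truncation), and a small daily-review pass over the same entries. The log lines, the review rules and the set of accounts authorized to view PANs are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample audit log: timestamp then key=value fields covering who,
# what, outcome, origin and affected resource. Not from a real system.
SAMPLE_LOG = [
    "2024-03-01T09:00:11Z user=jsmith action=login result=success src=10.1.4.20",
    "2024-03-01T09:02:45Z user=jsmith action=view_pan result=success src=10.1.4.20 res=orders/88213",
    "2024-03-01T09:30:02Z user=svc_backup action=view_pan result=success src=10.1.9.3 res=orders/*",
    "2024-03-01T09:31:10Z user=root action=login result=success src=203.0.113.7",
    "2024-03-01T09:40:55Z user=asmith action=delete_log result=failure src=10.1.4.21",
]

# Assumed: accounts with a business need to view cardholder data (Requirement 7).
AUTHORIZED_PAN_VIEWERS = {"jsmith", "cs_lead"}

GENESIS = b"\x00" * 32


def chain_log(lines, key):
    """Return [(line, mac_hex)], each MAC covering the previous MAC and the line,
    so altering, reordering or removing any entry breaks every later MAC."""
    prev = GENESIS
    records = []
    for line in lines:
        mac = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, mac.hex()))
        prev = mac
    return records


def verify_chain(records, key, expected_final_mac=None):
    """Return the index of the first bad record, len(records) if the log was
    truncated (final MAC differs from the copy held off-host), or -1 if intact."""
    prev = GENESIS
    for i, (line, mac_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return i
        prev = expected
    if expected_final_mac is not None and not hmac.compare_digest(prev.hex(), expected_final_mac):
        return len(records)
    return -1


def review(records):
    """Daily-review rules: cardholder-data access by accounts without need to know,
    logins from outside the internal 10.0.0.0/8 range, and log-tampering attempts."""
    findings = []
    for line, _ in records:
        f = dict(kv.split("=", 1) for kv in line.split()[1:])
        if f.get("action") == "view_pan" and f["user"] not in AUTHORIZED_PAN_VIEWERS:
            findings.append(f"unauthorized PAN access by {f['user']}")
        if f.get("action") == "login" and not f["src"].startswith("10."):
            findings.append(f"login for {f['user']} from external address {f['src']}")
        if f.get("action") == "delete_log":
            findings.append(f"log deletion attempted by {f['user']} ({f['result']})")
    return findings


if __name__ == "__main__":
    key = b"demo-log-key"                  # assumed: held by the log collector, not the logging host
    records = chain_log(SAMPLE_LOG, key)
    final_mac = records[-1][1]             # this value is what you ship off-host each day
    print("chain intact:", verify_chain(records, key, final_mac) == -1)
    for finding in review(records):
        print("REVIEW:", finding)
```

The key must not be readable by the host that writes the log, or an attacker with that host can simply re-chain after editing; in practice the MACs are computed by the central log collector the entries are forwarded to, and only the final MAC needs to be stored somewhere the collector cannot rewrite.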
11. Regularly test security systems and processes.
Attackers continually discover new vulnerabilities, and new software and configuration changes keep introducing them. System components, processes and custom software should be tested frequently so that security controls keep pace with a changing environment: PCI DSS calls for internal and external vulnerability scans at least quarterly and after any significant change, and penetration testing at least annually. You should also have policies and procedures to detect and identify both authorized and unauthorized wireless access points, at least quarterly. Unauthorized wireless devices may be hidden within or attached to a computer or other system component, or plugged directly into a network port or device such as a switch or router, and any of them can provide an unauthorized access point into the environment.
12. Maintain a policy that addresses information security for employees and contractors.
A strong security policy sets the security tone for the whole company and tells personnel what is expected of them. PCI training is a must: have a formal program that teaches personnel how to handle credit card data in a manner that supports the PCI requirements, delivered on hire and at least annually. The program should apply to full-time and part-time employees, temporary employees, contractors and consultants who are "resident" at the company's site or who otherwise have access to the cardholder data environment.