PCI is one of the most stringent and detailed security requirements for retailers and merchants. This document outlines the different requirements to meet PCI compliance, maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement access controls and regularly monitor and test networks.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations secure cardholder processing environments. Formed in 2004 by Visa, MasterCard, American Express, Discover, and JCB, in response to the emerging threat to cardholder information, the PCI Standard Security Council (PCI SSC) provides 12 requirements that must be met for compliance with the standard; failure to do so may result in steep fines that can reach hundreds of thousands of dollars. PCI DSS V1.2, the latest update, was released in October 2008; the complete document, as well as what is new with V1.2 can be found at the PCI Security Standards Council website.
The number of records containing sensitive personal information involved in security breaches continues to rise. Cyber-attacks have become more sophisticated, involving not only attacks at both the network layer and the application layer but also other factors such as social manipulation, breakdown in internal security processes and trusted insider abuse. The cost to businesses, in lost revenue and customer loss, can be staggering.
PCI DSS is designed to facilitate global adoption of consistent data security measures to eliminate the loss of cardholder information and clearly defines the steps needed to secure a networked environment. The scope of these requirements is broad but straightforward, giving direction to the service providers and merchants on what technologies, policies and procedures are needed to achieve compliance. PCI DSS incorporates guidelines for perimeter security, data privacy, and application security. This paper outlines these PCI DSS guidelines, and offers recommendations for successfully deploying them.
The PCI DSS requires any merchant, processor, point-of-sale vendors, financial institutions and payment companies to implement processes, procedures and technology to protect credit card information. There are twelve PCI DSS required controls that cover access management, network security, incident response, network monitoring and testing and information security policies.
According to the standard, all members, merchants, and service providers that store, process, or transmit cardholder data must meet specific security requirements, which necessitate building a secure network and maintaining a vulnerability management program (Table 1). To demonstrate compliance, most merchants and service providers must provide security assessments and perform quarterly network scans to locate and fix vulnerabilities and reduce the risk of intrusion.
PCI DSS provides comprehensive direction for the 12 PCI required controls, which can be found in Payment Card Industry (PCI) – Requirements & Security Assessment Procedures, V1.2. With many years of experience in the security industry and having assisted many organizations in the deployment of security practices, policies and technologies,
Rapid7 has developed additional recommendations to facilitate the process and enhance the success of these compliance initiatives. Starting with a review of best practices for achieving PCI compliance, recommendations are then provided for many of the required controls.
Best practices to effectively secure the cardholder environment and achieve compliance with the PCI standard start with a properly documented, executive management endorsed, information security policy that must be broadly communicated, tested and enforced. These best practices also include understanding the organization’s cardholder data environment (where the data is located and stored and how it moves between applications), regular monitoring of network for potential vulnerabilities, on-going reporting of network activity, and regular inside and third-party penetration testing. “Best Practices to Protect the Cardholder Environment and Achieve PCI compliance,” a Rapid7 white paper, provides a review of these best practices.
Deploying PCI and other industry and government standards requires the leadership and/or direction of properly trained information security professionals. The International Information Systems Security Certification Consortium, Inc., or (ISC)², is a non-profit organization based in Florida that provides education and certification for security professionals. The CISSP program and certification provide expertise in ten domains of knowledge that are needed to understand how to implement security procedures. This program covers everything from physical access controls to the law and ethics. It is recommended that at least one person in an organization acquire this accreditation. All Rapid7 consultants are CISSP certified and are trained to assist organizations achieve PCI compliance, from establishing a comprehensive information security policy to testing and validating its effectiveness.