PCI compliance can seem overwhelming if your organization tries to tackle everything all at once. This handout simplifies and divides tasks into monthly checklists.
OVERVIEW:
This handout aims to assist those who are new to PCI compliance. This suggested guideline is based on the PCI Council’s Prioritized Approach to help direct and organize your PCI tasks into a year-round task list. This is not a comprehensive handout and PCI compliance should be addressed based on how your organization handles cardholder data. A complete list of control requirements can be found here.
PCI Compliance In A Year:
PROTECT AND SECURELY DELETE CARDHOLDER DATA
PERFORM A RISK ASSESSMENT
MAINTAIN ACCURATE NETWORK DIAGRAMS
EVALUATE YOUR FIREWALL AND NETWORK
UTILIZE STRONG ENCRYPTION AND ANTIVIRUS
INVENTORY YOUR DEVICES
SECURE YOUR PAYMENT CARD SYSTEMS
MONITOR ACCESS TO YOUR SYSTEMS
STRENGTHEN PHYSICAL SECURITY
ASSESS YOUR TECHNOLOGY
TRAIN YOUR EMPLOYEES
UPDATE AND MAINTAIN YOUR COMPLIANCE
MONTH 1
PROTECT AND SECURELY DELETE CARDHOLDER DATA
How you store and delete data is vitally important to protecting customer cardholder information. Use the first month to store and dispose of data more securely.
Ensure you meet cardholder data requirements by never storing the following data after authorization:
The magnetic stripe (track data) on the back of a card
Data contained on a card chip
A card’s PIN/PIN block
CVC/CVV
Evaluate whether or not you need to store other card information, such as:
Cardholder name
Primary account number (PAN)
Expiration date
Service Code
If cardholder data is stored for business or legal reasons, the PAN must be hashed, truncated, or encrypted
Identify and document every location cardholder data is stored
Create a data retention and disposal policy that:
Limits data storage amount
Specifies how long data should be stored, based on your business needs and legal requirements
Contains specific requirements for retaining cardholder data
Addresses your process for securely deleting data
Identifies data that doesn’t meet retention requirements
Add your data retention and disposal policy to your company policy and procedures
Securely delete unnecessary cardholder information by:
Shredding, incinerating, or pulping hard-copies of cardholder data
Securing data storage containers that are to be destroyed
Rendering cardholder data unrecoverable on electronic media
MONTH 2
PERFORM A RISK ASSESSMENT
The PCI Data Security Standard (DSS) requires that all entities annually perform a formal risk assessment that identifies vulnerabilities, threats, and risks to their organization, especially their cardholder data environment (CDE). This requirement helps organizations identify, prioritize, and manage information security risks.
Implement a risk-assessment process that identifies:
Critical assets
Vulnerabilities
Threats
Risks
Assess vulnerabilities and threats
Perform your risk assessment annually and when you experience:
An acquisition
A merger
Relocation
Or any other significant change
Organize your risks into a prioritized list of security issues
Create a risk management plan based on your prioritized list
Implement your risk management plan
MONTH 3
MAINTAIN ACCURATE NETWORK DIAGRAMS
Accurate network diagrams are vital because they demonstrate and document how your systems interact with card data. Systems in your network that store, process, or transmit card data need to be properly secured and separated from other systems on your network.
Create a network diagram that shows how cardholder data:
Enters your network
Flows through your network
Leaves your network
Decide what your card flow diagram needs by asking yourself:
How is my network constructed?
Is there one firewall at the edge of my card-processing environment?
Is my network segmented internally?
Does my environment have a multi-interface firewall?
Do I have multiple firewalls?
What device(s) am I using for transactions?
A virtual terminal?
POS system?
What happens to the card data after a transaction?
Is cardholder data encrypted?
When is data encrypted?
Do I store card data before it’s sent to the processor for approval?
How does settlement occur?
How is data authorized and returned by the processor?
Is card data backed up on my system?
Are my backups encrypted?
Is my backup server at a different data location?
Where might card data be transferred or moved in processes not part of authorization and settlement?
Maintain your diagram throughout the year
After changes to your CDE, identify if you need to add any additional flows (e.g., new payment process, website, or locations)
MONTH 4
EVALUATE YOUR FIREWALL AND NETWORK
Protecting your systems and networks can help you be prepared in the event of a security breach. Analyze your firewall and implement a DMZ to protect against unauthorized access to your internal network.
Make sure your firewall meets PCI requirements
Review your firewall and router
Build firewall and router configurations that restrict connections between untrusted external networks and any system in your CDE
Restrict inbound and outbound traffic to only what is necessary
Secure and synchronize your router configuration files
Install perimeter firewalls between all wireless networks and your CDE
Configure these firewalls to deny unauthorized traffic
Prohibit direct public access between the internet and your CDE
Implement a DMZ that limits inbound traffic to only authorized services, protocols, and ports
Limit inbound Internet traffic to IP addresses within your network perimeter
Ensure you can block forged or spoofed IP addresses from entering your network
Double-check that any systems that store cardholder data are placed in an internal network zone and separate from your DMZ
Install personal firewall software on:
Company-owned computers and employee-owned computers that can access the CDE from outside your network
Double-check that personal firewalls are actively running and can’t be turned off by users
Remove all unnecessary:
Scripts
Drivers
Features
Subsystems
File systems
Web servers
Document your security procedure for managing firewalls
Add a section on firewall management to your company policy and procedures
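Added example, not code from the handout: a rule-set review that checks a simplified firewall policy against the Month 4 items (an explicit deny-all at the end, no direct Internet-to-CDE access, a DMZ that only exposes authorized ports, wireless networks kept away from the CDE, and outbound CDE traffic flagged for confirmation). The zone names and the Rule structure are constructed for this example and are not any vendor's configuration format; a real review would pull the same fields out of your firewall's configuration export.

```python
"""Added example: reviewing a firewall rule set against the Month 4 checklist.

The rule model below (zone-to-zone allow/deny entries) is constructed for this
example; it is not any vendor's configuration format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # zone: "internet", "wireless", "dmz", "cde", "internal" or "any"
    dst: str
    proto: str    # "tcp", "udp" or "any"
    port: str     # e.g. "443"; "any" means all ports


def is_deny_all(rule: Rule) -> bool:
    return rule.action == "deny" and (rule.src, rule.dst, rule.proto, rule.port) == ("any",) * 4


def review_rules(rules: list[Rule]) -> list[str]:
    """Return human-readable findings; an empty list means no check fired."""
    findings = []

    # The policy must end in an explicit deny-all so that anything not
    # specifically authorized is dropped.
    if not rules or not is_deny_all(rules[-1]):
        findings.append("rule set does not end with an explicit deny-all rule")

    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src == "any" and rule.dst == "any":
            findings.append(f"allow-any rule defeats the policy: {rule}")
        if rule.src == "internet" and rule.dst == "cde":
            findings.append(f"direct public access from the Internet to the CDE: {rule}")
        if rule.src == "cde" and rule.dst == "internet":
            findings.append(f"outbound CDE-to-Internet traffic; confirm it is authorized: {rule}")
        if rule.src == "internet" and rule.dst == "dmz" and rule.port == "any":
            findings.append(f"DMZ reachable on all ports, not just authorized services: {rule}")
        if rule.src == "wireless" and rule.dst == "cde":
            findings.append(f"wireless network can reach the CDE directly: {rule}")
    return findings


# Constructed rule sets: the first has the weaknesses the checklist warns about,
# the second is the corrected version of the same policy.
WEAK_RULES = [
    Rule("allow", "internet", "dmz", "any", "any"),
    Rule("allow", "internet", "cde", "tcp", "3389"),
    Rule("allow", "wireless", "cde", "any", "any"),
    Rule("allow", "dmz", "cde", "tcp", "5432"),
]

CORRECTED_RULES = [
    Rule("allow", "internet", "dmz", "tcp", "443"),   # web front end only
    Rule("allow", "dmz", "cde", "tcp", "5432"),       # app tier to the payment database
    Rule("allow", "cde", "internal", "udp", "514"),   # logs out to the internal collector
    Rule("deny", "any", "any", "any", "any"),         # default deny
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        findings = review_rules(rules)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately coarse: they look at zones and ports only, so a rule set that passes still needs the documented justification for every remaining allow entry, which is what the six-monthly rule review in Month 12 is for.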
MONTH 5
UTILIZE STRONG ENCRYPTION AND ANTIVIRUS
Card data and encryption keys must be protected to comply with PCI requirements. Leaving encryption keys unprotected is like leaving your house key in the front door lock, so it’s critical to use a solid encryption key management process.
Use strong, industry-accepted cryptography
Ensure wireless networks that transmit cardholder data use encryption best practices
Update your antivirus software
Deploy antivirus software on personal computers and servers
Ensure your antivirus software:
Detects, removes, and protects against all known types of malicious software
Performs periodic scans
Generates audit logs
Cannot be disabled by users
Evaluate how PANs are protected
Display no more than the first six and last four digits of a PAN
Ensure the PAN is unreadable anywhere it is stored, including:
Portable digital media
Backup media
Logs
Protect stored PANs by using:
Encryption
Hashing
Truncation
Tokenization
Restrict access to your cryptographic keys to the fewest personnel necessary
Store your cryptographic keys securely
Retire or replace encryption keys as needed
Add a section on encryption to your company policy and procedures
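Added example, not code from the handout, serving both the Month 1 item that a stored PAN must be hashed, truncated, or encrypted and the Month 5 items on masking a displayed PAN to the first six and last four digits and keeping PANs unreadable in logs. The sample log line and the HMAC key are constructed for the example; 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
"""Added example: keeping the PAN unreadable at rest, on screen and in logs.

Helpers for the Month 1 and Month 5 items: mask a PAN for display, truncate
it, replace it with a keyed hash, and scrub full PANs out of log lines.
"""
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, single spaces or dashes allowed between digits,
# not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Stored form when only the last four digits are needed (e.g. receipts)."""
    return re.sub(r"\D", "", pan)[-4:]


def pan_surrogate(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN.

    A plain unkeyed hash is not enough: once the issuer prefix is known the
    remaining PAN space is small enough to brute-force, so the key must be
    handled as a cryptographic key under the Month 5 key management items.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)           # order numbers, timestamps etc. survive
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, line), count


if __name__ == "__main__":
    # Constructed sample log line; the 18-digit reference is not a PAN and stays.
    sample = "order 42 paid with 4111 1111 1111 1111 ref 123456789012345678"
    print(redact_line(sample))
    print(mask_pan("4111111111111111"), truncate_pan("4111111111111111"))
    print(pan_surrogate("4111111111111111", b"constructed-demo-key"))
```

The log scrubber is a last line of defence, not the control: the primary fix is that payment components never write a full PAN to a log in the first place, and the scrubber exists to catch the cases that slip through (debug output, stack traces, request dumps). The HMAC key used for the surrogate falls under the same "fewest personnel necessary" and secure-storage items as any other encryption key.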
MONTH 6
INVENTORY YOUR DEVICES
Identifying and protecting devices that can access your CDE is imperative for maintaining your PCI DSS compliance.
Maintain an up-to-date list of devices that includes the following information:
Make and model of the device
Serial number
Unique ID
Periodically inspect devices for:
Tampering
Substitution
Train personnel to detect and avoid attempted tampering
Maintain an Incident Response Plan
Review and test your plan
Modify and evolve your plan as needed
Designate personnel who can be available on a 24/7 basis to respond to security alerts
Provide appropriate training to staff in charge of security
Include alerts from:
Firewalls
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
File integrity monitoring (FIM) systems
MONTH 7
SECURE YOUR PAYMENT CARD SYSTEMS
If systems in your cardholder data environment are not secure, hackers can easily compromise your system to obtain cardholder data. Evaluating your applications is essential to protecting your CDE.
Develop configuration standards for all your system components
Use industry-standard hardening such as:
Center for Internet Security (CIS)
International Organization for Standardization (ISO)
SysAdmin Audit Network Security (SANS) Institute
National Institute of Standards and Technology (NIST)
Identify security vulnerabilities
Assign a risk ranking (e.g., low, medium, high)
Implement a process to detect system vulnerabilities
Review your custom code to identify any potential coding vulnerabilities
Have someone other than the original coder review custom code
Ensure you follow secure coding practices
Review public-facing web applications
Address new threats and vulnerabilities
Install an automated solution that detects and prevents web attacks, such as a web application firewall (WAF)
Ensure security logs are:
Configured
Being generated
Enable audit trails
Create a payment card application policy section that includes:
Installing any security patches within one month of release
Using secure authentication
Removing any development/test user IDs before releasing an application
Add your payment card application policy section to your company policy and procedures
MONTH 8
MONITOR ACCESS TO YOUR SYSTEMS
Monitoring access privileges allows you to identify and mitigate unauthorized access to your CDE.
Define job roles by identifying who needs access to what level of cardholder data
Include the level of privilege required, such as user or administrator
Restrict access to the minimum level necessary
Work with management to require documented approval for privileges
Train employees about the following password best practices:
Use strong passwords
Protect their passwords
Not reuse passwords
Change passwords when a password could have been compromised
Not use group, shared, or generic IDs and passwords
Test at least quarterly for unauthorized wireless access points
Identify authorized and unauthorized wireless access points
Maintain an inventory of authorized wireless access points
Use file integrity monitoring tools to be alerted of unauthorized modifications
Add a section on passwords and privileges to your company policy and procedures
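Added example, not the handout's own tooling, for the item "use file integrity monitoring tools to be alerted of unauthorized modifications" (and the FIM alerts listed under Month 6): a minimal file integrity monitor that records a baseline of file hashes, later re-hashes the same tree, and reports added, removed and changed files. The monitored paths and file contents in the demo are constructed.

```python
"""Added example: a minimal file integrity monitor (FIM).

Take a baseline of SHA-256 digests for a directory tree, then compare the
current state against it. Any non-empty list in the result is an alert.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> digest for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report what differs from the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_baseline(snap: dict[str, str], out: Path) -> None:
    # Keep the baseline outside the monitored tree, ideally on a separate,
    # write-protected host: whoever can alter the files must not be able to
    # rewrite the baseline to match.
    out.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, alter it, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db=pos-db\n")
        (root / "etc" / "allowlist.txt").write_text("10.0.0.0/8\n")
        (root / "index.html").write_text("<h1>shop</h1>\n")
        baseline = snapshot(root)

        # Simulated unauthorized changes: one file edited, one deleted, one new.
        (root / "index.html").write_text("<h1>shop</h1><!-- unexpected change -->\n")
        (root / "etc" / "allowlist.txt").unlink()
        (root / "unexpected.bin").write_bytes(b"\x00\x01")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Content hashes catch edits, deletions and new files but not ownership or permission changes; a production FIM also records those attributes, runs on a schedule or on file-system events, and feeds its alerts to the personnel designated under Month 6.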
MONTH 9
STRENGTHEN PHYSICAL SECURITY
Strict physical security policies can protect your CDE and employees from being targeted by threat actors.
Use video cameras or access controls to monitor individual physical access to any sensitive areas
Review collected data often
Retain the collected data for at least three months, unless local law requires otherwise
Implement physical security controls to restrict public access to:
Wireless access points
Gateways
Handheld devices
Networking hardware
Telecommunication lines
Assign your staff badges to restrict access based on least privilege
Use best practices for visitors such as:
Give visitors an identification badge
Collect visitor badges before visitors exit your facility
Utilize a visitor log
Include visitor name
Company/firm
The staff member who authorized the visitor badge
Retain visitor log for a minimum of three months
Maintain strict control over your internal and external media distribution
Classify media by sensitivity
Send media by secured courier or other secure delivery methods
Ensure media can be tracked
Securely store sensitive media
Conduct a media inventory
Destroy media when it is no longer needed
Add your physical security policy to your company policy and procedures
MONTH 10
ASSESS YOUR TECHNOLOGY
If your employees are well-informed on what is an acceptable use of your technology and you have a solid inventory of technologies, you can better predict security gaps in your environment.
Define your critical technology, such as:
Remote access to wireless technology
Laptops
Tablets
Removable electronic media
E-mail usage
Internet usage
Ensure your critical technology policy section requires:
Explicit approval by authorized parties
Authentication for using technology
List of all personnel devices and access levels
A method to quickly and accurately determine:
Technology owners
Contact information
Inventory (e.g., labels, coding, purpose)
Acceptable use of technology
Acceptable network locations
List of company-approved products and applications
Automatic disconnect after a period of inactivity
Add your critical technology policy to your company policy and procedures
MONTH 11
TRAIN YOUR EMPLOYEES
Now that you have added specific data and physical security sections to your company policies and procedures, it is time to ensure your staff is adequately trained.
Distribute your company policies and procedures
Assign an individual or a team to:
Update your company policies and procedures
Monitor and analyze security alerts
Create and distribute your incident response plan
Manage user accounts
Train personnel regularly on your company policies and procedures, including:
New hires
Annual company-wide training
Require personnel to acknowledge they have read and understood your policy
Highlight new additions to your policy
MONTH 12
UPDATE AND MAINTAIN YOUR COMPLIANCE
PCI DSS compliance must be a continual, year-round effort. Thoroughly reviewing your policies and plans throughout the year is the best way to protect your CDE.
Maintain your firewall and router configuration standards, including:
Approve and test all network connection changes to your firewalls and routers
Review firewall and router rule sets every six months
Review your security policy annually
Update when you experience environment changes
Document your quarterly review process to include:
Results of your review
Signatures of those responsible for your PCI DSS compliance program
Identify authorized and unauthorized wireless access points on a quarterly basis
Restrict access to cardholder data to the minimum necessary
Require accountability for maintaining PCI DSS compliance
Validate your annual PCI compliance
Submit your Self-Assessment Questionnaire (SAQ)
Conduct an annual assessment