The Payment Card Industry Data Security Standard (PCI DSS) lays out the official requirements for security controls and processes that keep payment card data safe from exploitation.
We discussed the basics of PCI DSS in my previous post. Today we’ll sort through the first six requirements. They can be divided into three categories for better understanding (Table 1).
|Build and Maintain a Secure Network||
|Protect Cardholder Data||
|Maintain a Vulnerability Management Program||
Build and Maintain a Secure Network
PCI DSS provides two requirements for network security which help merchants to save their internal networks and communications through external networks.
1. Install and maintain a firewall configuration to protect cardholder data
The firewall is the main security tool that controls the network traffic allowed between an entity’s network (internal) and untrusted networks (external). A firewall analyses data and blocks all connections that do not conform security requirements. PCI DSS requires the use of a firewall to prohibit any unauthorized access to system components. Moreover, personal firewall must be installed on each mobile and employee-owned computer connecting to cardholder data or to the public Internet.
Furthermore a DMZ (“demilitarized zone” – a subnetwork) must be created for prohibiting direct public access between the Internet and any system component in the cardholder data environment.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS requires changing all default passwords for all software and network components. Each primary function must be implemented for one server only. All unnecessary functionality should be removed.
Protect Cardholder Data
This category focuses on data storage and transmission. Protection methods such as encryption, truncation, masking, and hashing are significant components of cardholder data protection. A credit card number is stored as encrypted data, so if someone obtained unauthorized access to the database the information could not be deciphered.
3. Protect stored cardholder data
The main principles of the data’s security are:
- PAN must be stored in encrypted format;
- any sensitive authentication data (PIN, CAV2, CVC2, CVV2, CID etc.) must not be stored at all.
Also the whole PAN must be masked during all financial operations. It is prohibited to display more than the first six or last four digits of the PAN. For encryption purposes PCI DSS requires using RSA (1024 bits), DSA (1024 bits) or ECDSA (160 bits) algorithms. Data retention and disposal policies must also be implemented. The policies should include limiting data storage amount and retention time and processes for periodical secure deletion of data if it is no longer needed.
4. Encrypt transmission of cardholder data across open, public networks
PCI DSS requires the usage of strong cryptography and security protocols such as SSL/TLS or IPSec to protect sensitive cardholder data during transmission over networks. PCI DSS suggests using industry standard best practices to implement strong encryption for authentication and transmission. It should be mentioned that the usage of WEP (Wired Equivalent Privacy) is prohibited.
Maintain a Vulnerability Management Program
Vulnerability management is a regulated, continuous use of specialized security tools which actively help to eliminate exploitable risks.
5. Use and regularly update anti-virus software or programs
The merchant must use anti-virus software on all systems that work with any cardholder data environment. Antivirus databases must be up to date.
6. Develop and maintain secure systems and applications
Merchants must use or own an application that was created using the best practices of secure coding (such as OWASP) and approved by the PCI Security Standards Council. А security review of source code by knowledgeable internal personnel or a third party is necessary for a custom app before each release.
PCI DSS requires installing the most recently released patch for critical card payment systems and applications within one month after release. And forget about “I’ll do it later” excuses.