These days, if you are building an app that accepts payments, the payment providers you can use to manage those payments (e.g. PayPal or Stripe) offer services such that you don’t need to know about PCI DSS. They do an incredible job of abstracting all of that away from you. So what is PCI DSS and what does it mean? Payment Card Industry Data Security Standard (PCI DSS) compliance is required of merchants (start-ups or enterprises) that handle credit card data, and compliance by merchants ensures the security of cardholder data. This article explores what PCI DSS compliance is and the requirements that vendors need to meet in order to be PCI DSS certified.
As the world moved online to purchase services, there was a substantial increase in online credit card transactions. The large volume of credit card transactions put cardholder data at risk and increased the probability of credit card fraud. Hence, around 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed with the goal of putting in place processes to ensure the safety of cardholder data. PCI SSC is an administrative entity composed of MasterCard, American Express and Visa, amongst others; it developed the PCI DSS standard and is responsible for its governance and continued development. The PCI DSS standard covers credit cards from all major card providers and is composed of 12 mandatory requirements that a merchant accepting online credit card transactions must comply with to be PCI DSS certified. To further ensure the safety of cardholder data, the governing body has mandated that a merchant’s PCI DSS compliance status must be validated quarterly or annually, depending on the volume of the merchant’s transactions.
PCI DSS compliance requirements
For a business to be PCI DSS compliant, it needs to ensure its systems meet the following 12 criteria.
1. Install and maintain a firewall configuration to protect cardholder data. To ensure a secure network is maintained:
   - correctly configured firewalls with appropriate rules for incoming and outgoing traffic
   - a standardised process to toggle access
   - rules to be renewed bi-annually
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Focusing on all organisation hardware, such as network devices, ensure it cannot be accessed using the default username and password. In addition, maintain:
   - an inventory of all hardware
   - documentation on removing default settings
3. Protect stored cardholder data. To ensure the safety of cardholder data:
   - follow the rules on how primary account numbers (PANs) are displayed
   - know the data being stored, its physical location and its retention period
   - ensure the data is encrypted using industry-accepted algorithms
   - have a well-defined encryption key management process
4. Encrypt transmission of cardholder data across open, public networks. Ensure the safety of cardholder data such that:
   - data being transmitted over the network is encrypted
   - data is transmitted over a secure protocol, e.g. TLS or SSH
5. Use and regularly update anti-virus software or programs. Any device, whether used onsite or remotely, is susceptible to malware. Hence, ensure:
   - all employee devices have anti-virus software installed
   - the anti-virus solution is updated regularly
6. Develop and maintain secure systems and applications. Patch all systems within the cardholder data environment (CDE), including:
   - databases
   - POS terminals, if any (applies to branches)
7. Restrict access to cardholder data by business need to know. Implement role-based access control (RBAC) to toggle access to card data and systems. Maintain a list of users who need to access cardholder data; for each user the list should have:
   - a clear definition of the role
   - its existing privilege level
   - its expected privilege level
8. Assign a unique ID to each person with computer access. This requirement is about ensuring that every user:
   - has a unique ID
   - has a complex password
   - has two-factor authentication for remote admin access
9. Restrict physical access to cardholder data. This requirement focuses on the physical security of the data centre, such that unauthorised persons cannot gain entry.
10. Track and monitor all access to network resources and cardholder data. Ensure the system has sufficient logging mechanisms in place to:
   - log system events to a server
   - give the capability to review them to look for anomalies
   - construct an audit trail of records that meet a pre-defined standard for the information contained
   PCI DSS requires this data to be stored securely, and it must not be stored for more than a year.
11. Regularly test security systems and processes. This mandates the following activities:
   - a wireless analyser scan for all authorised and unauthorised access points each quarter
   - external IPs and domains exposed in the CDE to be scanned by a PCI Approved Scanning Vendor
   - internal vulnerability scans to be done quarterly
   - external IPs to go through application and network penetration tests annually, or whenever there is a significant change
12. Maintain a policy that addresses information security for all personnel. Implement, maintain and review an information security policy for all employees and other relevant parties. Also perform:
   - an annual formal risk assessment
   - user awareness training
   - employee background checks
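Requirements 3, 7, 8 and 10 are the ones that show up most directly in application code, so here is an added example (written for this article, not code from the original post or from the PCI SSC) of a miniature cardholder-data store that ties them together. It goes a little beyond the list above: for requirement 3 it shows three of the accepted ways of rendering a PAN unreadable (truncation for storage, masking for display, and a keyed one-way token for lookups) and a Luhn check on intake; every lookup is gated by role (requirement 7) under a per-person user ID (requirement 8) and written to an audit trail, which a small daily review scans for anomalies (requirement 10). The class and function names (`CardVault`, `review_audit`, `ALLOWED_ROLES`), the in-process token key, the audit record shape and the well-known test PAN `4111111111111111` are all this example's own assumptions; in a real CDE the key would come from an HSM or secrets manager under the key-management process requirement 3 calls for.

```python
"""Added example, not code from the original post or the PCI SSC: a miniature
cardholder-data store that renders the PAN unreadable at rest (requirement 3),
echoes only a masked form back to the caller, restricts lookups by role
(requirement 7) under a per-person user ID (requirement 8), and keeps an audit
trail that a reviewer scans for anomalies (requirement 10). The names, the key
handling and the log shape are this example's own assumptions."""
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: in a real CDE this key lives in an HSM or secrets manager and is
# rotated under a documented key-management process; it is generated here so
# the example runs offline.
TOKEN_KEY = secrets.token_bytes(32)
ALLOWED_ROLES = {"billing", "fraud-ops"}   # business need to know (req. 7)


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it ever reaches storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed afterwards: last four."""
    return pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token used as the record key. An unkeyed hash of a PAN is
    brute-forceable because the PAN space is small; the secret key is what
    makes the token useless to someone who only obtains the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass
class AuditEvent:
    ts: str
    user_id: str   # one ID per person, never shared (req. 8)
    role: str
    action: str
    outcome: str   # "ok" or "denied"
    token: str     # record reference; the PAN itself is never logged


class CardVault:
    def __init__(self) -> None:
        self._records: Dict[str, str] = {}   # token -> truncated PAN
        self.audit: List[AuditEvent] = []

    def store(self, pan: str) -> Tuple[str, str]:
        """Return (token, masked form); the full PAN is not retained."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = pan_token(pan)
        self._records[token] = truncate_pan(pan)
        return token, mask_pan(pan)

    def lookup(self, user_id: str, role: str, token: str) -> Optional[str]:
        """Role-gated read; every attempt, allowed or not, is audited."""
        permitted = role in ALLOWED_ROLES and token in self._records
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, role,
            "lookup", "ok" if permitted else "denied", token))
        return self._records[token] if permitted else None


def review_audit(events: List[AuditEvent], threshold: int = 3) -> List[str]:
    """Log review (req. 10): flag repeated denials per user and any successful
    read by a role outside the need-to-know list (which should never occur)."""
    findings = []
    denied = Counter(e.user_id for e in events if e.outcome == "denied")
    for user_id, n in denied.items():
        if n >= threshold:
            findings.append(f"{user_id}: {n} denied cardholder-data lookups")
    for e in events:
        if e.outcome == "ok" and e.role not in ALLOWED_ROLES:
            findings.append(f"{e.user_id}: read with unexpected role {e.role}")
    return findings


if __name__ == "__main__":
    vault = CardVault()
    token, shown = vault.store("4111111111111111")  # constructed test PAN
    print("echo to customer:", shown)                # 411111******1111
    print("billing sees:", vault.lookup("alice", "billing", token))
    for _ in range(3):
        vault.lookup("mallory", "marketing", token)
    print("review findings:", review_audit(vault.audit))
```

The design point worth noticing is that the full PAN exists only transiently inside `store`: what persists is a keyed token and the last four digits, the audit trail references the token rather than the card number, and the reviewer works purely from outcomes and roles, so neither the log store nor the log reader ever becomes part of the cardholder-data scope.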
In its current state, while the Mesh can satisfy most of these requirements from an infrastructure standpoint, the Mesh was built as an internal marketplace for APIs rather than for handling credit card transactions.