These days, if you are building an app that accepts payments, the payment providers you might use (e.g. PayPal or Stripe) offer services that take card data off your hands, so you do not need to know much about PCI DSS; they do an incredible job of abstracting it away. Even then, outsourcing reduces your scope rather than removing it: a merchant that uses a fully hosted payment page still completes the shortest self-assessment questionnaire (SAQ A) every year. So what is PCI DSS and what does it mean? The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that merchants (start-ups or enterprises) and service providers that store, process or transmit credit card data must comply with. Compliance exists to protect cardholder data. This article explores what PCI DSS compliance is and the requirements a merchant needs to meet in order to be PCI DSS certified.
Introduction
As the world moved online to purchase goods and services, there was a substantial increase in online credit card transactions. The large volume of card transactions put cardholder data at risk and increased the probability of credit card fraud. Hence, in 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed with the goal of putting in place processes to ensure the safety of cardholder data. PCI SSC is an administrative body founded by American Express, Discover, JCB, MasterCard and Visa; it developed the PCI DSS standard and is responsible for its governance and continued development. PCI DSS applies to cardholder data from all the major card brands and is composed of 12 mandatory requirements that a merchant accepting credit card transactions must comply with to be PCI DSS certified. To further ensure the safety of cardholder data, a merchant's compliance must be validated annually, either by a self-assessment questionnaire or by an on-site assessment by a Qualified Security Assessor depending on the merchant level (which is set by transaction volume), and quarterly external vulnerability scans are required on top of that.
PCI DSS compliance requirements
For a business to be PCI DSS compliant, it needs to ensure its systems meet the following 12 requirements.
No | Requirement | Description |
---|---|---|
1 | Install and maintain a firewall configuration to protect cardholder data | Maintain a secure network perimeter: correctly configured firewalls with explicit rules for inbound and outbound traffic, a standard change-control process for opening or closing access, and a review of firewall and router rule sets at least every six months. |
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | No organisation hardware (servers, web servers, wireless access points, network devices) may be reachable with the vendor's default username and password. Maintain an inventory of all in-scope system components and document the hardening procedure that removes default accounts and settings. |
3 | Protect stored cardholder data | Know what cardholder data is stored, where it physically resides and for how long it is retained, and purge it when the retention period ends. Mask the primary account number (PAN) wherever it is displayed (at most the first six and last four digits are shown). Render stored PANs unreadable with industry-accepted encryption or a keyed one-way hash, and operate a well-defined key management process covering generation, distribution, storage, rotation and retirement of keys. |
4 | Encrypt transmission of cardholder data across open, public networks | Cardholder data in transit must be protected with strong cryptography over a secure protocol such as TLS or SSH. SSL and early TLS versions are not considered strong cryptography under the standard, and PANs must never be sent unprotected over end-user messaging such as email or chat. |
5 | Use and regularly update anti-virus software or programs | Any device, whether used on site or remotely, is susceptible to malware. Deploy anti-virus software on all systems commonly affected by malware, keep engines and definitions updated, run periodic scans, and keep audit logs of what the solution detects. |
6 | Develop and maintain secure systems and applications | Patch every system in the cardholder data environment (CDE): operating systems, firewalls, routers, switches, application software, databases and POS terminals where present. Install critical security patches within one month of release, and follow secure development practices (code review, protection against common web vulnerabilities) for in-house applications. |
7 | Restrict access to cardholder data by business need to know | Implement role-based access control (RBAC) to grant access to card data and the systems that hold it, with a default-deny posture. Maintain a list of users who need access to cardholder data, recording each user's role, current privilege level and the privilege level the role actually requires. |
8 | Assign a unique ID to each person with computer access | Every user has a unique ID (no shared accounts), authenticates with a strong password or equivalent, and is subject to lockout and idle-session timeout rules. Multi-factor authentication is required for all non-console administrative access and for all remote access into the CDE. |
9 | Restrict physical access to cardholder data | Physical security of the data centre and of any location where cardholder data is stored or processed: unauthorised persons cannot gain entry, visitors are logged and escorted, and media holding cardholder data is inventoried and securely destroyed when no longer needed. |
10 | Track and monitor all access to network resources and cardholder data | Sufficient logging must be in place to record system events centrally, link every access to cardholder data to an individual user, and give reviewers the ability to spot anomalies. Each audit record must meet a defined minimum content (user, event type, date and time, success or failure, origin, and the resource affected). The records must be protected from tampering, reviewed daily, and retained for at least one year, with at least the most recent three months immediately available for analysis. |
11 | Regularly test security systems and processes | Quarterly wireless analyser scans for authorised and unauthorised access points; quarterly external vulnerability scans of the CDE's exposed IPs and domains by a PCI Approved Scanning Vendor (ASV); quarterly internal vulnerability scans; and application and network penetration tests of the CDE at least annually and after any significant change. |
12 | Maintain a policy that addresses information security for all personnel | Implement, maintain, review and disseminate an information security policy for all employees and other relevant parties. Also perform an annual formal risk assessment, user awareness training and employee background checks, and maintain an incident response plan that is tested at least annually. |
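As an added, runnable illustration of the Requirement 3 and Requirement 10 controls in the table (example code written for this article, not part of PCI DSS, the Mesh, or any payment provider's SDK): it finds Luhn-valid PANs in free text such as log lines, masks them down to the first six and last four digits that may be displayed, and derives a keyed one-way hash that can stand in for the PAN as a lookup token. The sample log lines and the HMAC keys are constructed for the demonstration; 4111 1111 1111 1111 is the public Visa test number, not a real account.

```python
"""PAN discovery, masking and keyed hashing (PCI DSS Requirements 3 and 10)."""
import hashlib
import hmac
import re

# A candidate PAN is a run of 13-19 digits, optionally grouped with spaces or
# dashes, that is not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that card PANs use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (separators stripped) found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits stay visible."""
    digits = SEPARATORS.sub("", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _mask(m: re.Match) -> str:
        digits = SEPARATORS.sub("", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, line)


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable as a lookup token.

    The key is cardholder-data-protecting key material and must be handled
    under the key-management process Requirement 3 calls for.
    """
    digits = SEPARATORS.sub("", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# Constructed sample log lines (not from any real system). The order id and the
# timestamp in the second line are 16- and 14-digit runs that fail the Luhn
# check and must not be flagged.
SAMPLE_LOG = [
    "2024-01-01T12:30:45 checkout user=42 pan=4111 1111 1111 1111 amount=10.00",
    "2024-01-01T12:30:46 order=1234567890123456 ts=20240101123045 status=ok",
]


def scrub_log(lines: list[str]) -> list[str]:
    """Scrub a whole log; run this before records are written, not after."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("found:   ", find_pans(line))
        print("scrubbed:", scrub_line(line))
    print("token:   ", pan_reference("4111 1111 1111 1111", b"demo-key-not-for-production"))
```

The Luhn check is what keeps order numbers and timestamps from being flagged: both digit runs in the second sample line have a plausible length but fail it. The scrubber belongs in the logging pipeline itself so that a PAN never reaches disk, because under Requirement 3 a readable PAN in a log file is as much a finding as one in a database. The lookup token is keyed deliberately: an unkeyed SHA-256 of a PAN is trivially reversible by brute force, since the card number space (known BIN prefix, Luhn check digit, 16 digits) is far too small to resist enumeration.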
Summary
In its current state the Mesh can satisfy most of these requirements from an infrastructure standpoint, but it was built as an internal marketplace for APIs rather than for handling credit card transactions, so it has never been assessed against PCI DSS.
If you find any of my posts useful and want to support me, you can buy me a coffee 🙂
https://www.buymeacoffee.com/bhumansoni