Home » Security Bloggers Network » 50 Valuable PCI Compliance Tips

50 Valuable PCI Compliance Tips

by Tim Buntel on August 23, 2019

The Payment Card Industry Data Security Standards (PCI DSS) provides a rigorous security framework and best practices for businesses that store, transmit, or process credit card information.

The PCI DSS is a set of technical and operational requirements that govern modern payment processing. Businesses and organizations in the payments industry must achieve and maintain compliance, or they may become liable to consequences that include increased risk of data breaches, damage to brand reputation, heavy fines, and other sanctions.

With more companies using cloud computing than ever before, PCI compliance in the cloud — such as AWS PCI Compliance — is a growing need. Companies can reduce their risk and streamline compliance by leveraging the right tools. Platforms such as Threat Stack’s Cloud Security Platform^®, which offers continuous cloud compliance, can strengthen your organization’s security posture and build compliance into your technology stack to help you meet PCI DSS requirements as well as compliance requirements for other regulatory frameworks.

To help as you embark on the journey to PCI compliance, we have compiled a list of 50 PCI compliance tips from payment security experts and thought leaders. To make the list manageable, we have divided the tips and quotes into the following five categories:

Sponsorships Available

Disclaimer: The views and opinions expressed in this post are those of the respective authors and do not necessarily reflect the policies or positions of Threat Stack, Inc. The contents of this post are not ranked in terms of perceived value or quality of content. Our intent is simply to provide information that could help you add to your knowledge of PCI standards and best practices.

1. Basic PCI Compliance Tips

1. Learn about new PCI standards for new ways of building software.

“PCI DSS received its last major update in 2013, and it will expire in 2022. Its replacement, the new PCI Software Security Framework, has been published. This gradual transition period between the two is a great time to learn how to align PCI with your modern software development practices. Threat identification, vulnerability detection and mitigation, security testing, and change management are all covered as part of a secure software lifecycle.”

— Tim Buntel, New PCI Standards for New Ways of Building Software, Threat Stack Blog; @threatstack

2. Perform scans as early as possible.

“It is required that all companies submitting quarterly network scans use a company that has achieved ASV status. Note that your organization will be required to submit ‘clean’ scans, meaning there are no failing vulnerabilities found and the scans have been attested-to by both you and your ASV. Oftentimes, organizations choose to perform their first few scans a little earlier than when the quarter ends so that any failing vulnerabilities or issues found can be remediated and a rescan performed in time.”

— Tim Thomas, The PCI Basics & Quick Guide, PCI Compliance Guide; Twitter: @PCISSC

3. Encrypt stored cardholder data.

“Requirement 3 of the PCI DSS sets out technical guidelines for protecting stored cardholder data and the requirements for encryption. At a minimum, the Standard requires the PAN to be rendered unreadable anywhere it is stored, including portable digital media, backup media, and logs. This is essentially a process of masking what could otherwise be an identifiable and useful information asset.”

— Conor Donnelly, How the PCI DSS can help you meet the requirements of the GDPR, IT Governance; Twitter: @ITGovernance

4. Use network segmentation.

“Network segmentation is done by physically or virtually separating systems that store, process, or transmit card data from those that don’t. While network segmentation isn’t required by PCI DSS 3.2, it’s a good idea if you’re looking for ways to reduce cost, time, and effort on achieving compliance. Segmenting can be done through firewalls or physical gaps.”

— Jen Stone, 7 Steps to Achieve and Maintain PCI Compliance, SecurityMetrics (via CardFellow Blog); Twitter: @SecurityMetrics

5. Maintain the security of cardholder data while in transit.

“There are two times that security standards require organizations to provide cardholder sensitive data protection. First, you must undertake best efforts to safeguard cardholder data while stored on your network. Second, you must encrypt cardholder sensitive data when transmitting it across open, public networks. Encryption makes the data unreadable and unusable by cyber intruders who do not have the appropriate encryption keys. In addition, organizations must not save sensitive card validation codes or pin numbers after validation even if encrypted.”

— The 12 Mandated PCI Compliance Policies: Is Your Organization Doing All It Can?, Tidal Commerce; Twitter: @tidalcommerce

6. Prepare adequately for QSA (Qualified Security Assessors) assessments.

“The first step in securing anything valuable is to know exactly where you keep it. With payment card data, that means understanding every segment, facet, and nook & cranny that touches the payment process — or is adjacent or networked to that process. A comprehensive network diagramming exercise is beneficial to understand not only where your payment data resides, but also to identify where it probably isn’t necessary for it to reside or shouldn’t reside at all. Portions of the business like the call or contact center are repositories for vast amounts of sensitive customer information, and should be examined with extra attention. Removing unnecessary networks from the payment process is what is commonly understood when someone speaks about network segmentation and/or de-scoping a payment environment. Understanding where data needs to remain ‘in play’ — while reducing the systems and protocols that touch the payment processes to only those you need in order to properly process payments — minimizes your overall payment security risk to just those areas and reduces the total scope the QSA will assess later.”

— What to Expect During a PCI Assessment (and How to Prepare for One), Semafone; Twitter: @Semafone

7. Reduce the PCI scope of your environment.

“Removing PANs means you dramatically reduce the scope of your cardholder data environment (CDE) and reduce the amount of work you need to do to comply with the Payment Card Industry Data Security Standard (PCI DSS). Sometimes, less really is more.”

— Conor Donnelly, Having trouble complying with the PCI DSS? Here are some tips, IT Governance; Twitter: @ITGovernance

8. Pick payment providers that maintain the highest PCI compliance standards.

“To stay assured that PCI compliance is handled properly and that both yours and your customers’ data is safeguarded against potential breaches, pick a payment provider that meets all the PCI Level 1 compliance standards — the highest PCI level with the strictest requirements.”

— Do I need to be PCI compliant?, Securion Pay; Twitter: @SecurionPay

9. Understand the scope of your environment.

“Determining scope for your organization means identifying the people, processes, and technologies that interact with or could affect the security of cardholder data. These elements are subject to PCI DSS requirements. System components that may be in scope for your environment include: Networking devices, servers, applications, and workstations.

“Understanding where credit card data is entering your system and where it goes from there is critical to securing that data. Create a data flow diagram for all in-scope networks.”

— Jen Stone, 7 Steps to Achieve and Maintain PCI Compliance, SecurityMetrics (via CardFellow Blog); Twitter: @SecurityMetrics

10. Carry out comprehensive penetration tests.

“PCI Requirement 11.3.4.1 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.”

— Jenna Kersten, What You Need to Know About PCI Requirement 11.3.4.1, KirkpatrickPrice; Twitter: @KPAudit

11. Take care of your system and network vulnerabilities.

“An organization cannot safeguard cardholder sensitive data if its own network is at risk. At a minimum, maintain and update anti-virus software on the network. Systems and applications residing on the network must also contain security measures intended to minimize intrusions and identify threats. IT staff must make applying security patches and/or software and operating system updates a priority.”

— The 12 Mandated PCI Compliance Policies: Is Your Organization Doing All It Can?, Tidal Commerce; Twitter: @tidalcommerce

12. Restrict access to credit card details.

“Companies should exercise more control over the movement and usage of credit card data. Some companies will allow the Marketing department or a third-party organization to access credit card details. That just expands the scope of the PCI DSS compliance program to the whole company and out to the third parties, so their project becomes huge.

“If they assessed it more closely and asked, for instance, how much use Marketing gets out of the credit card data, they could reduce the scope of their project and reduce cost as well. One of the best ways to tackle PCI DSS is to restrict the number of areas where card data is allowed to go. To make that happen, organizations may need to redesign their business processes so that card data is controlled more tightly. The benefit then is to reduce the scope, cost, and complexity of the compliance program while still remaining compliant.”

— Jan Fry, PCI compliance tips and common mistakes, Computer Weekly; Twitter: @ComputerWeekly

13. Consult with QSAs and security professionals.

“Security experts and Qualified Security Assessors (QSAs) are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS (e.g., PCI DSS 3.2). QSAs go through intense training to understand PCI DSS and data security. They have the technical expertise to help you through the PCI process.”

— Jen Stone, 7 Steps to Achieve and Maintain PCI Compliance, SecurityMetrics (via CardFellow Blog); Twitter: @SecurityMetrics

14. Test the effectiveness of your security controls with penetration testing.

“Penetration tests are much more rigorous than vulnerability scans. They are designed to not only identify weaknesses in an organization’s system architecture but also exploit them. This demonstrates to an organization exactly how a cyber criminal would infiltrate its systems and what information they could access. Armed with this knowledge, organizations can pinpoint how effective their security controls are and which areas to improve.

“The testing process can be invasive because, for all intents and purposes, your organization is under attack. You’ll therefore need to conduct the test outside of working hours or let the relevant people know about the test in advance. You’ll also need to hire a qualified professional to oversee the process, as penetration testing involves a very nuanced set of skills and must be performed by someone who is bound to ethical standards.”

— Laura Downes, PCI DSS: The importance of penetration testing, IT Governance; Twitter: @ITGovernance

15. Monitor, track, and test your network.

“Any business that accepts payment cards or processes card data must validate their PCI compliance with a yearly assessment. Rather than conducting a behemoth risk assessment annually, merchants should continuously check their compliance processes throughout the year — in other words, assess compliance as an ongoing element of business operations instead of as an annual event.

“Proactively and automatically managing administrative privileges over credit card information is a critical step in addressing ongoing PCI DSS compliance challenges. This can be done efficiently by implementing a privileged identity management platform.”

— Chris Carroll, Leveraging Privileged Identity Management to Support PCI Compliance, CIO; Twitter: @CIOonline

16. Limit the amount of card data you store.

“Did you know that 61 percent of users have unencrypted card data on their systems? You should never store unencrypted credit card data on your environment. A good way to simplify your PCI compliance is limiting how much card data you store. The less data you store, the less time and resources you have to devote to securing that data.”

— Zach Walker, 7 PCI Compliance Tips For Small Businesses, Security Metrics; Twitter: @SecurityMetrics

17. Use strong passwords.

“Make sure that you insist on the use of strong passwords across your environment — use passwords that are longer than 7 characters, combining uppercase and lowercase letters, symbols such as # or @ and numbers.”

— Top Tips, The UK Cards Association; Twitter: @UKCards

18. Implement QSA Rotation.

“PCI SSC continually seeks to increase the baseline standard of quality within the assessor community; one key indicator (among many) is the quality of resulting PCI Data Security Standard (PCI DSS) assessments. Recently, the notion of lead Qualified Security Assessor (QSA) rotation has been raised as a best practice to help drive quality improvement of assessments. To help ensure that the quality of assessments is of the highest order, PCI SSC encourages organizations to review, implement, and explore this practice.”

— Elizabeth Terry, Lead QSA Rotation as Best Practice, PCI Security Standards; Twitter: @PCISSC

19. Ensure that your clients are also compliant.

“Compliance with PCI DSS also acts as a solid baseline for a corporate security strategy and will help you identify ways to improve the overall efficiency of your clients’ IT infrastructures.

“If your clients are not compliant, it could lead to disastrous consequences, for them and for you. If a client’s business experiences a data breach, it has the potential to hurt their business by incurring fines, loss of revenue, or loss of customer trust due to local press. This could cause your client to lose faith in you as their service provider. Other negative consequences can also include lawsuits, insurance claims, cancelled accounts, and payment card issuer fines.”

— Mark Cline, CI DSS Back to Basics: Quick Tools and Tips for MSPs, Continuum; Twitter: @FollowContinuum

20. Create a workflow map of credit card transactions.

“You need to determine what merchant level and type you are — based on the number of transactions you process, and the environment that you process it in — are you using just point-of-sale terminals, or are you using some secure website for processing transactions.

“Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea of what you need to assess. Then identify the applications and systems associated with the processing, storage, and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.”

— Tom Walsh, Expert Explains How PCI Can Also Help With HIPAA Compliance, InfoRisk Today; Twitter: @InfoRiskToday

21. Understand the difference between vulnerability scanning and penetration testing.

“Organizations that handle payment card information are legally required to regularly scan and test their systems, but too few understand that these are separate things. Any organization that processes, transmits, or stores cardholder data must comply with the PCI DSS (Payment Card Industry Data Security Standard). This is a complex set of requirements, which includes the need to conduct regular vulnerability scans and penetration tests to identify weaknesses that could be exploited by cyber criminals.

“Unfortunately, many organizations are under the impression that scanning and testing are simply two phrases for the same thing. That’s not true: They are distinct activities with their own requirements and purposes.”

— Luke Irwin, A guide to the PCI DSS’s vulnerability scanning and penetration testing requirements, IT Governance; Twitter: @ITGovernance

22. Segment your environment.

“Network segmentation is the process of separating a network into smaller sub-sections, limiting the ways in which they can communicate with each other. To be considered out of scope for the PCI DSS, a system must be isolated in such a way that the CDE will be unaffected by a breach.

“Segmentation can be achieved via:

Firewalls to segment internal zones
Switches, which are often used behind a firewall to segment network zones
Air gapping, in which organizations use separate network connections for different segments
Analogue phone lines to completely remove the threat of network breaches

— Conor Donnelly, Having trouble complying with the PCI DSS? Here are some tips, IT Governance; Twitter: @ITGovernance

2. Tips for Maintaining PCI Compliance

23. Institute an effective compliance program.

“PCI DSS compliance is a continuous process, not a snapshot in time. Passing an assessment does not ensure that you will remain compliant. Developing an understanding of the industry, the terminology used, the flow of payment card data on your systems and networks, and the processes required for compliance are all essential bits of knowledge that will enable you to manage a compliance program effectively.”

— Julia Dutton, Eight tips for SMEs to improve PCI DSS compliance, IT Governance; Twitter: @ITGovernance

24. Understand the continuity of the PCI compliance process.

“Following their first assessment, businesses are failing to incorporate all the necessary PCI practices into a sustainable approach. That is, PCI compliance is never integrated fully into the organization’s ‘business-as-usual’ dynamic.

“The first-year, QSA-led assessment is based on a point in time when the organization being assessed must prove compliance as of the date of the AoC. From that point forward, however, things change. With the year-two assessment and all subsequent years, all ongoing operating controls that are mandated by the PCI DSS must have been maintained (and the organization must maintain and provide records of performance for support of the QSA assessment).”

— Tim Cunningham, How to Maintain PCI Compliance Following Your First QSA Assessment, PCI Compliance Guide; Twitter: @PCISSC

25. Create a dedicated team to ensure ongoing PCI compliance.

“It’s important to note that PCI compliance is not a one-time event. It’s an ongoing process to ensure that your business remains compliant even as data flows and customer touch points evolve. Some credit card brands may require you to submit quarterly or annual reports, or complete an annual on-site assessment to validate ongoing compliance, particularly if you process over 6 million transactions each year.

“Managing PCI compliance throughout the year (and year over year) often requires cross-departmental support and collaboration. If this doesn’t already exist, it may be worthwhile to create a dedicated team internally to properly maintain compliance.”

— Mike Dahn, A guide to PCI compliance, Stripe; Twitter: @stripe

3. Tips for Implementing PCI Compliance Security Controls

26. Always document security controls.

“Many small businesses often view change control and documented hardening standards as busywork. As a result, many small businesses rarely document their security controls, if they’re following them at all.

“One way to simplify documentation for compliance is to set up a PCI email user or active directory account for PCI and add reminders in the calendar to make sure required security processes aren’t forgotten. Evidence collected from completing PCI compliance tasks can then be stored in this account. This is a low/no-cost solution to help your employees keep PCI compliance on their minds throughout the year and provide you with all the evidence you need for assessments.”

— Zach Walker, 7 PCI Compliance Tips For Small Businesses, Security Metrics; Twitter: @SecurityMetrics

27. Track and secure the cardholder at all touch points.

“Staff needs to understand the lifecycle of a credit card transaction, from the point-of-sale device or virtual terminal, to the payment gateway, to banks and back. It is crucial to understand that all actors within the payments ecosystem have to be in compliance, and that credit cardholder data is safe at all stages of the transaction.”

— Mathieu Gorge, Employee information awareness training: PCI policy templates, Computer Weekly; Twitter: @ComputerWeekly

28. Watch out for vulnerable code.

“Successful attackers find routes to sensitive data through poorly developed code. Common coding problems can create vulnerabilities, which could then allow attackers to successfully use tactics like cross-site scripting.”

— Zach Walker, 5 Tips to Make E-commerce Businesses PCI Compliant, Authorize.net; Twitter: @AuthorizeNet

29. Document security policies.

“Documenting your policies and procedures is important since it helps employees understand what has been done and what needs to be done. Documenting the results of a formal risk assessment helps employees and decision makers know where problems still exist in your environment. Good documentation keeps your security efforts organized and legitimate.

“Documentation also simplifies the PCI process and provides a baseline for security training materials. By writing down your policies, you solidify your intentions for implementing security and training employees.”

— Jen Stone, 7 Steps to Achieve and Maintain PCI Compliance, SecurityMetrics (via CardFellow Blog); Twitter: @SecurityMetrics

30. Establish long-term processes for securing cardholder information.

“Too often organizations get wrapped up in the compliance process and fail to establish effective long-term processes for maintaining the security of cardholder information. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities — not simply attaining a favorable Report on Compliance (ROC). Compliance is a consequence of security, not the other way around.”

— Howard Solomon, 9 tips for maintaining PCI compliance, ITWorld Canada; Twitter: @howarditwc

31. Use up-to-date SSL/TLS certificates.

“An SSL certificate is a large factor in becoming secure and PI compliant. Merchant Service Providers sometimes offer SSL certificates as part of their online payment processing services. Alternatively, businesses can create a Certificate Signing Request on their server to get an SSL certificate themselves.

“SSL certificates are a large part of ensuring that a business is secure online, but it is not the only requirement for PCI compliance. Merchants have different PCI requirements depending on their level, determined by the number of credit card, debit card, and prepaid card transactions they process per year. The larger the business and the more cards it has access to, the higher the security risk, and therefore a higher level of security and PCI Compliance is required.”

— SSL and PCI Compliance Explained, Charge.com; Twitter: @Chargedotcom

32. Begin with documentation.

“Documentation is an integral part of the PCI DSS compliance programme. It must provide practical operational guidelines for anyone working with payment card data and support all applicable PCI requirements. This is the documentation you must put in place:

Report on Compliance (ROC): This form has to be completed by all Level 1 merchants that are undergoing a PCI DSS audit. A Level 1 merchant is one that processes over 6 million transactions per year. The ROC must be used to verify that the merchant being audited is compliant with PCI DSS standards.
Self Assessment Questionnaire (SAQ): The PCI DSS self-assessment questionnaire (SAQ) is a validation tool that’s intended to assist merchants and service providers that are permitted to self-evaluate their compliance. Merchants must complete the questionnaire every year and submit it to their transaction bank.
The 12 PCI DSS requirements: The PCI DSS requirements that merchants must meet range from installing and maintaining a firewall and protecting stored cardholder data, to developing and maintaining secure systems and restricting access to cardholder data. Every one of the 12 requirements calls for documented evidence to show how the requirements have been met.
An Audit Trail: Merchants should document as much as they can about their processes and procedures, their network, their configuration, and their approach in order to create and maintain an audit trail to refer to should a data breach take place.
Incident Response Plan: It is advisable that all merchants put an incident response plan in place to document the processes that will be implemented if a breach takes place.”

— What are the Documentation Requirements of PCI DSS?, PCIPal; Twitter: @PCIPAL

33. Encrypt cardholder data wherever they reside.

“Make sure you know exactly where and how you are sending cardholder data. Use encryption to secure data in transit and in storage (even temporarily).

“PCI DSS Requirement 4.1 requires that cardholder data must be encrypted when sent across open, public networks. Be sure you are using the latest TLS standards. And if you do need to store cardholder data for business or legal reasons, PCI DSS Requirement 3 says that you must encrypt it or store it through tokenization.”

— Zach Walker, 5 Tips to Make E-commerce Businesses PCI Compliant, Authorize.net; Twitter: @AuthorizeNet

34. Focus on achieving security, not just compliance.

“One of the major misconceptions about PCI DSS compliance is that PCI DSS-certified companies are secure or hacker-proof as vendors in the industry may carelessly advertise. In fact, according to Verizon’s PCI DSS Compliance report, only 29 percent of companies are compliant a year after validation. This means that many businesses are checking the boxes for PCI DSS compliance off their list, or even just implementing compensating controls, and then forgetting about it until the next audit is due. In 2013, Target was certified PCI DSS compliant weeks before hackers installed malware on the retailer’s network. Others such as Heartland Payment Systems suffered a major breach even though assessors deemed their company compliant for six consecutive years.

“Either the PCI DSS is an ineffective security standard for protecting cardholder data, or the organization’s implementation of PCI DSS is conceptually flawed in their approach. If PCI DSS does not guarantee security, what is the actual benefit of being compliant? Besides possibly providing some legal safe harbor, PCI DSS compliance does not eliminate probability of payment data breaches.

“PCI DSS includes security controls to deal with the most common risk scenarios and known attack vectors identified by the PCI SSC. Even though PCI SSC continues to update the PCI DSS over the years, it’s virtually impossible for PCI DSS to anticipate every possible attack scenario. While PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, ultimately, it’s each organization’s responsibility to provide credit card data security.”

— Christian Moldes, Compliant but not Secure: Why PCI-Certified Companies Are Being Breached, CSIAC; Twitter: @DoD_CSIAC

4. Employee Training Tips for PCI Compliance

35. Train employees to be security conscious.

“Most discussions related to PCI compliance tend to focus on the technology aspects of protecting customer’s personal and financial data. However, there is another aspect of compliance that is just as — if not even more — important: Employee training.

“Inevitably, if you accept payments from customers, your employees are going to have access to data, and as such, they have a responsibility to protect it. Not only that, but your employees are often the first line of defense against fraud, so it’s vital that you thoroughly train them in how to appropriately handle cardholder data and avoid leaving your business open to fraud, data breaches, and significant loss.

“Unfortunately, studies show that as many as 34 percent of businesses have not adequately trained their employees in these important tasks. Even more alarming is that these same companies are also targeted by an average of several dozen social engineering attacks each year, meaning that their chances of falling prey to a criminal and revealing sensitive data are exponentially higher than companies that have provided the required training. The bottom line? Employee training is crucial to keeping your business safe from data thieves.”

— Tiffany Rowe, Why Employee Training Is Vital To PCI Compliance — And How To Do It Right, The Self Employed; Twitter: @TheSelfEmployed

36. Create training programs that focus on internal security policies and best practices.

“Security awareness training is a must for your employees, especially those who interact with payment card data. We recommend that your program is formal, ongoing, and comprehensive so that all staff understand your company’s security policies as well as data security essentials and best practices.”

— Jeff Wilder, The 2019 PCI Compliance Annual Plan, PCI Compliance Guide; Twitter: @PCISSC

37. Ensure that employees understand your security policies.

“As with technology, security policies address vulnerabilities in what is considered an organization’s weakest link: Its staff. If employees don’t know or understand what’s expected of them, they are likely to put cardholder data at risk, regardless of any other security measures in place.”

— Conor Donnelly, Policies and procedures, you need for PCI DSS compliance, IT Governance; Twitter: @ITGovernance

38. Organize security awareness training for employees at all levels.

“Thus, in theory, any person working on computer systems that contain credit cardholder data must be trained, even if he or she never accesses payment application software. Any person working at a cashier or in a call center environment where CHD may be provided by customers is in scope for such training. By extension of this, all technical staff managing call-recording systems, which may contain CHD (even if encrypted according to rules of PCI DSS), are also in scope for such training.”

— Mathieu Gorge, Employee information awareness training: PCI policy templates, Computer Weekly; Twitter: @ComputerWeekly

39. Ensure that employees go through regular cybersecurity training sessions.

“Access to cardholder data should only be given to those who absolutely need it to perform their job. But, even if an employee does not have access to cardholder data, their workstation or device may store usernames, passwords, and other info that may be valuable to a hacker. All it takes is one unwitting employee to accidentally introduce malware into your system. Train employees quarterly, if not monthly, on your company’s security measures and protocols regarding email, attachments, downloads, passwords, etc.”

— Zach Walker, 5 Tips to Make E-commerce Businesses PCI Compliant, Authorize.net; Twitter: @AuthorizeNet

5. Tips for Creating PCI Compliance Policies & Procedures

40. Create PCI-specific policies.

“In most cases the CDE (cardholder data environment) under PCI is a very small portion of the network and should be clearly zoned off from the rest of the corporate network activities. As a separate part of the network, a unique policy (or policy set) should apply for that zone. So PCI-specific policies should exist. However, parts of existing policy — for example strong password controls and reset — can be re-used in the PCI-specific policies where applicable.”

— Ed Moyle and Diana Kelley, Solutions to Tough PCI Problems, TechTarget; Twitter: @TechTarget

41. Implement inbound and outbound network rules.

“In requirement 1.2, we are ensuring that the firewall configuration is designed to be least allowed — allowing the least number of ports necessary for business to occur. This does not require you to drop everything; you must justify each port required and implement only those required to do business. An untrusted network is one which your firm does not control, such as the internet or a partner network.

“Requirement 1.2.1 states that you must restrict inbound and outbound traffic. Your firewall rules should only define the ports and services required for your business purposes and drop everything else. You need to restrict both incoming and outgoing traffic to what is least necessary.”

— Jeremy Reis, PCI Security Standard: Requirement 1, Learnthat

42. Use a secure network.

“Your network must include a robust firewall intended to protect cardholder data while stored in your care. This includes placing a firewall between wireless networks and the environment that holds cardholder-sensitive data. Remember, a firewall and a secure network are only as strong as the password protections and security policies that you create and maintain. Never use default passwords or default security parameters. Multi-level authentication and a mandatory protocol that requires changing passwords on a prescribed schedule provide the best protection against network intrusion.”

— The 12 Mandated PCI Compliance Policies: Is Your Organization Doing All It Can?, Tidal Commerce; Twitter: @tidalcommerce

43. Map data flows.

“Before you can protect sensitive credit card data, you need to know where it lives and how it gets there. You’ll want to create a comprehensive map of the systems, network connections, and applications that interact with credit card data across your organization.”

— Mike Dahn, A guide to PCI compliance, Stripe; Twitter: @stripe

44. Ensure that you have robust risk mitigation processes in place.

“It is imperative that organizations have processes for quickly responding to security control failures. These processes should include restoration to normal operations as quickly as possible, then identifying causes of control failures. Failures in security controls can provide attackers with opportunities to launch other attacks within the environment. Once control has been restored, it may be necessary to increase monitoring frequency.”

— Howard Solomon, 9 tips for maintaining PCI compliance, ITWorld Canada; Twitter: @howarditwc

45. Create remediation workflows.

“If an ASV scan fails, it should trigger a workflow at your organization to remediate and rescan. Because a passing scan is required at least every 90 days, you really can’t afford to wait until the last minute. If you have questions on the fail, or you believe it’s a false positive, call your ASV company.

“Your ASV company will have a process in place to assess false positives, ask for evidence, and then amend the report. Unfortunately, your QSA can’t complete this step for you. The QSA simply views a pass as a pass and a fail as a fail.”

— Marc Punzirudu, Your Quick Guide to PCI Scanning Success, PCI Compliance Guide; Twitter: @PCISSC

46. Implement strong access control features.

“At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are rethinking their access policies and finding that they are way more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI DSS requirement 7.2: Deny all unless specially allowed. They’re also taking it further to make sure that those who are allowed are closely monitored. This ‘zero trust’ access model allows organizations to adhere to PCI mandates, even when dealing with users (such as vendors, outsourced personnel, and other third parties) who access systems from unmanaged endpoints.”

— Dave Olander, How to Implement Secure, PCI-Compliant Access Controls, eWeek; Twitter: @eWEEKNews

47. Develop an incident response plan.

“If you don’t have an IRP in place, gather together your organization’s key stakeholders to develop one. This plan should seek to identify the risks your company and its data may face, and put in place specific procedures to be followed in the event that one of those risks becomes a reality.”

— Jeff Wilder, The 2019 PCI Compliance Annual Plan, PCI Compliance Guide; Twitter: @PCISSC

48. Use access controls to mitigate risk.

“The access control requirements of PCI DSS call for careful management of the people who have access to resources in your business. To comply with PCI DSS, your business should restrict access rights to sensitive data using the fewest privileges necessary for each user’s specific job function. You must also document these access controls via written policies, including the specific privileges you’re granting to users.”

— What you need to know about PCI DSS Compliance, PayPal; Twitter: @PayPal

49. Use data tokenization.

“Data tokenization secures customers’ sensitive credit card information in a secure, web-based portal, rather than your local servers. Not only does this keep your customer data safer, it also reduces your liability in the event of a data breach.”

— Anna Johansson, What Does It Take to Become PCI Compliant?, HuffPost; Twitter: @HuffPost

50. Utilize the DSE (Data Security Essentials) Questionnaire.

“When a merchant completes the DSE Questionnaire, they are considered PCI compliant. Keep in mind, however, that this Questionnaire is only available to merchants who are approved by their Merchant Bank to use the DSE to validate compliance. Plus, the merchant may still be obligated to pass regular ASV scans.

“Increased participation and success with PCI compliance translates to reduced portfolio risk for ISOs and acquirers. Payment facilitators will realize these same benefits when they enroll sub-merchants in a PCI program that incorporates DSE.”

— Tim Thomas, PCI Data Security Essentials: The “PCI Shortcut” Small Merchants Have Been Waiting For, PCI Compliance Guide; Twitter: @PCISSC

The post 50 Valuable PCI Compliance Tips appeared first on Threat Stack.