The Complete PCI Compliance Checklist: Are You Compliant?

It may be a while before we become a truly cashless society, but payment cards have steadily displaced cash over the years. The PCI DSS, or Payment Card Industry Data Security Standard, is a set of security requirements developed by the PCI Security Standards Council to ensure that every business that stores, processes or transmits payment card data does so in a secure environment.

Read our PCI compliance checklist to make sure that your organization is PCI compliant. Understand the effort and costs required.

What is PCI Compliance?

The Payment Card Industry Security Standards Council (PCI SSC) was established on September 7, 2006, to develop and maintain the Payment Card Industry (PCI) security standards, with the aim of protecting payment account data throughout the transaction process. The PCI DSS is governed by the PCI SSC (www.pcisecuritystandards.org), an independent organization founded by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). It is worth noting that the payment brands and acquiring banks, not the PCI SSC, enforce compliance and levy fines.

PCI Compliance Checklist Items

By default, the average customer trusts you with their payment card information, but a single security incident is enough to shake that trust and hurt your company’s bottom line. If your organization stores, processes or transmits cardholder data or sensitive authentication data, or relies on a third-party payment solution to do so, you must maintain PCI compliance to keep your payment card environment secure.

Here’s a PCI compliance checklist that will help you establish your current position in the PCI compliance journey, and you can keep referring to the checklist until all requirements are met:

1. Configure Firewalls to Protect Your Network

Firewalls are your first line of defense against malicious traffic trying to reach your internal network. Instead of relying on a single firewall type, use a combination of network (hardware) and host-based (software) firewalls: the network firewall restricts traffic between untrusted networks and the cardholder data environment (CDE), while host firewalls on individual devices, including laptops that leave the office, limit what insiders and compromised hosts can reach.

The key is to configure the firewalls properly and maintain them on an ongoing basis: deny everything that is not explicitly needed, document the business justification for every allowed port and service, and test new configurations before they go live. PCI DSS also requires reviewing firewall and router rule sets at least every six months.

2. Change Default Passwords and Security Settings on All Systems and Devices

New software and hardware often ship with default usernames, passwords, SNMP community strings and other settings. These factory settings are meant to be changed before the device or program becomes part of your environment, yet companies frequently keep using those easy-to-exploit defaults out of convenience, jeopardizing their entire payment card ecosystem. PCI DSS requires that vendor-supplied defaults be changed, unnecessary default accounts removed, and unneeded services and protocols disabled before a new system becomes operational.

It can be hard to keep track of all the accounts, passwords, and other security parameters for each device in your company’s environment. Maintain an inventory of in-scope system components and a hardening standard for each type, and have someone review it regularly.

3. Protect Stored Cardholder Data

Firstly, never store cardholder data beyond what is strictly needed for transactions and business operations, and purge it once the retention period expires. Sensitive authentication data (the full magnetic stripe or chip data, the CVV/CVC security code, and PIN blocks) must never be stored after authorization, even if encrypted. When you must store the primary account number (PAN), it is your organization’s responsibility to render it unreadable everywhere it is stored, using strong cryptography, truncation, keyed hashing or tokenization. Whatever method you choose, the encryption keys must themselves be protected and managed as the standard requires: stored separately from the data, access-restricted, and rotated at the end of their cryptoperiod.

Protecting stored cardholder data requires complete visibility into your organization’s data flows and storage points, including places where PANs leak unintentionally, such as application logs, crash dumps, database backups and spreadsheets. Data discovery tools that scan file systems and databases for PAN-shaped values can confirm that no unencrypted cardholder data is sitting anywhere it should not.
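The two halves of this item, rendering a stored PAN unreadable and discovering PANs left in the clear, as an added example written for this checklist rather than taken from the original article or from any vendor product. It assumes Python 3.8+ with the standard library only; the function names, the key=value sample text, and the throwaway key `DEMO_KEY` are my own, and in production the tokenization key would live in an HSM or KMS, never in the code.

```python
# Added example (not from the original article): render PANs unreadable
# and scan text for PANs that were left in the clear.
# Assumptions: Python 3.8+, standard library only; DEMO_KEY is a throwaway
# key generated at runtime to stand in for a key held in an HSM or KMS.
import hashlib
import hmac
import os
import re
from typing import List

DEMO_KEY = os.urandom(32)  # placeholder; never hard-code a real tokenization key

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; PANs pass it, most order IDs and phone numbers do not."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS allows: at most the first six and last four digits visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN. An unkeyed hash is not enough:
    with the first six digits known and the last digit fixed by Luhn, the
    remaining search space is small enough to brute-force offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Data-discovery pass: report Luhn-valid PANs found in the clear, masked."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample: a log excerpt with two test PANs in the clear, an
# order number that fails the Luhn check, and a PAN that was already masked.
SAMPLE_TEXT = """\
order=1234567890123456 card=4111 1111 1111 1111 amount=42.10
card=5555-5555-5555-4444 amount=9.99
card=411111XXXXXX1111 amount=3.00 phone=555-867-5309
"""


def scan_sample() -> List[str]:
    """Run the discovery pass over the constructed sample."""
    return find_pans(SAMPLE_TEXT)


if __name__ == "__main__":
    for hit in scan_sample():
        print("PAN in clear text:", hit)
    print("token:", tokenize_pan("4111111111111111", DEMO_KEY))
```

The Luhn filter is what keeps a discovery scan usable: without it, every 16-digit order number and timestamp becomes a finding. Note also that a masked value and a keyed token of the same PAN must not be stored side by side in a way that lets someone correlate them back to the full number.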

4. Encrypt Cardholder Data When Transmitting over Open, Public Networks

It may be difficult for bad actors to get into your well-protected private network, but cardholder data is most exposed while in transit over open, public networks such as the internet, wireless networks, and cellular networks. PCI DSS requires that the PAN be protected with strong cryptography and secure protocols whenever it is transmitted over such networks. Sensitive authentication data such as PINs and security codes must be protected in transit as well, but remember that it may never be stored after authorization, so encrypting it at rest is not a substitute for not retaining it.

This requirement also means retiring Secure Sockets Layer (SSL) and early Transport Layer Security (TLS 1.0) entirely; they have not counted as strong cryptography since June 30, 2018, and TLS 1.2 or later should be used. Wireless networks that carry cardholder data must likewise use current industry-standard encryption (WPA2 or later), never WEP.
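The switch from SSL and early TLS to current TLS, shown as an added example in Python rather than anything from the original article: a client-side TLS context that refuses anything below TLS 1.2 and verifies the peer, next to a check of what a connection actually negotiated. It goes one step beyond the text by also rejecting known-weak cipher suites. It assumes Python 3.7+ built against OpenSSL 1.1 or later; the function names and the protocol and cipher marker lists are my own.

```python
# Added example (not from the original article): a TLS client context that
# refuses SSL and early TLS, and a check of what a peer negotiated.
# Assumptions: Python 3.7+ on OpenSSL 1.1+; names and marker lists are my own.
import socket
import ssl
from typing import Optional

# Legacy pattern this replaces (do not use): a context that still accepts
# TLS 1.0/1.1 and skips certificate checks.
#   ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
#   ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
#   ctx.check_hostname = False
#   ctx.verify_mode = ssl.CERT_NONE

RETIRED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark a suite as unacceptable:
# RC4, (3)DES, NULL/EXPORT grades, MD5 MACs, anonymous key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def pci_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 or later only, peer certificate and hostname verified, compression off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-style attacks need compression
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings an auditor would ask about."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def negotiation_is_acceptable(protocol: str, cipher: str) -> bool:
    """Judge the values returned by SSLSocket.version() and SSLSocket.cipher()[0]."""
    if protocol in RETIRED_PROTOCOLS:
        return False
    return not any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS)


def probe(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and report what was negotiated
    (needs network access; not exercised by the offline checks)."""
    ctx = pci_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
    return {"protocol": version, "cipher": cipher,
            "acceptable": negotiation_is_acceptable(version, cipher)}


if __name__ == "__main__":
    print(describe_context(pci_client_context()))
    print(negotiation_is_acceptable("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))
    print(negotiation_is_acceptable("TLSv1", "AES256-SHA"))
```

The same two settings, a minimum protocol version and a restricted cipher list, are what you would verify on the server side (web server, load balancer, payment API gateway) with an ASV scan or a tool such as `openssl s_client`.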

5. Use Anti-Virus Software and Programs, and Update Them Regularly

To become PCI compliant, your company must have a vulnerability management program in place, and anti-malware software is a core part of it: it protects systems against known malware families. Deploy it on all systems commonly affected by malware, including local and remote endpoints, file and email servers, and internet-facing hosts, and document why any system is considered not at risk.

The threat landscape is always evolving, so keep anti-malware programs up to date with the latest signatures and run periodic scans. The software must be actively running, generate audit logs, and be configured so that users cannot disable or alter it; train employees to understand why it is there rather than relying on them to keep it switched on.

6. Secure Systems and Applications by Installing Updates and Security Patches Frequently

Another important part of a vulnerability management program is keeping up with the updates and security patches that software publishers release. Regardless of how reliable your software provider may be, vulnerabilities will be found that bad actors can exploit, and vendors release security patches once a vulnerability has been discovered and reported to them.

PCI DSS requires that critical security patches be installed within one month of release on all system components in your payment card environment, with less critical patches following within a reasonable timeframe. Additionally, any software your organization develops or customizes, and any code changes or new functionality introduced by your vendors, must go through change control and be reviewed and tested for vulnerabilities before going into production.

7. Restrict Access to Cardholder Data Depending on Business Requirements

User negligence and insider threats are among the leading causes of data breaches. Role-based access control (RBAC) limits the number of users authorized to access cardholder data, but defining roles and privileges is not enough under PCI DSS: access to cardholder data and system components must be restricted to the least privilege needed, granted only to individuals whose job requires it (need to know), and denied by default.

Your access control policy must cover the access control system itself, not just who holds which privilege. To be PCI compliant, even authorized users should only be able to reach the data they absolutely need for a particular task, and access should be reviewed and removed when a role changes.

8. Assign Unique Credentials to All Users Accessing Your System

In addition to limiting access on a need-to-know basis, every user who accesses your organization’s systems must have a unique ID; shared or generic accounts are not allowed for access to cardholder data. Unique credentials offer better control and traceability, allowing you to tie every access attempt and every action on the payment card systems back to an individual.

This requirement goes a long way toward protecting your systems against insider threats. PCI DSS also requires multi-factor authentication (MFA) for all remote network access into the cardholder data environment and for all non-console administrative access to it, and PCI DSS v4.0 extends MFA to all access into the CDE.

9. Restrict Physical Access to Cardholder Data

The PCI compliance checklist has already covered controls for logical access to stored cardholder data. However, the standard equally emphasizes restricting physical access to the systems and media holding that data. To ensure unauthorized people cannot get at cardholder data physically, your company must document where it is stored, control and log who enters those locations, and distinguish visitors from staff.

Hard-copy media containing cardholder data must be stored in a secure environment with limited access, inventoried, and destroyed when no longer needed. Point-of-interaction devices must be inventoried and periodically inspected for tampering or substitution, and workstations that can reach the data should lock automatically when idle.

10. Store and Monitor System Event Logs

One of the most critical PCI requirements is keeping and reviewing audit logs that track all access attempts and actions taken on cardholder data and system components. Deviations from expected behavior, such as repeated failed logins or an attempt to reach internal networks from an unusual location, should raise a red flag. Each log entry must identify the user, the type of event, the date and time, whether it succeeded or failed, where it originated, and the affected system, data or resource.

But event logs are useful only if they are reviewed regularly. To be PCI compliant, logs and security events must be reviewed at least daily for anomalies, protected from tampering, synchronized to a reliable time source, and retained for at least one year, with a minimum of three months immediately available for analysis. Security information and event management (SIEM) tools can collect, consolidate and analyze logs from firewalls, servers, and more, and their integrated reporting and incident response features take your organization a step closer to compliance.
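A daily log review of the kind this item describes, written here as an added example in Python and not taken from the original article or any SIEM product. It raises the red flags the text names (a burst of failed logins, a successful login from a location the user never uses) plus a need-to-know check for reads of cardholder data, and runs over constructed sample lines. The key=value line format, the thresholds, and the user/location and authorization tables are my own assumptions.

```python
# Added example (not from the original article): a daily log review pass
# over constructed sample lines. Assumptions: the key=value line format,
# the rule thresholds, and the user/location tables are my own.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed sample logs: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2024-03-02T01:12:03Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=FAIL
2024-03-02T01:12:20Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=FAIL
2024-03-02T01:12:41Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=FAIL
2024-03-02T01:13:05Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=FAIL
2024-03-02T01:13:30Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=FAIL
2024-03-02T01:20:00Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=login result=OK
2024-03-02T01:21:10Z host=pos-db-01 user=jsmith src=10.0.4.7 geo=US event=chd_read result=OK rows=12
2024-03-02T02:05:10Z host=pos-db-01 user=amartin src=203.0.113.9 geo=RO event=login result=OK
2024-03-02T02:06:00Z host=pos-db-01 user=amartin src=203.0.113.9 geo=RO event=chd_read result=OK rows=4200
"""

# Where each user normally logs in from, and who has a need to know for
# cardholder data (both would come from HR/IAM systems in practice).
KNOWN_LOCATIONS: Dict[str, Set[str]] = {"jsmith": {"US"}, "amartin": {"US", "CA"}}
CHD_AUTHORIZED: Set[str] = {"jsmith", "svc-settlement"}
FAIL_THRESHOLD = 5                 # failed logins ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window trigger R1


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a tz-aware 'ts' field."""
    ts_text, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def review_logs(text: str) -> List[str]:
    """Return one alert string per rule hit, in log order."""
    alerts: List[str] = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in text.strip().splitlines():
        ev = parse_line(line)
        user, event, result = ev["user"], ev["event"], ev.get("result")

        if event == "login" and result == "FAIL":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(f"R1 repeated-failures user={user} host={ev['host']} "
                              f"count={len(q)} last={ev['ts'].isoformat()}")

        elif event == "login" and result == "OK":
            if ev["geo"] not in KNOWN_LOCATIONS.get(user, set()):
                alerts.append(f"R2 unusual-location user={user} geo={ev['geo']} src={ev['src']}")

        if event == "chd_read" and user not in CHD_AUTHORIZED:
            alerts.append(f"R3 unauthorized-chd-access user={user} host={ev['host']} "
                          f"rows={ev.get('rows')}")
    return alerts


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS):
        print(alert)
```

Every alert carries the fields the requirement asks a log entry to have (user, time, origin, affected system), so the reviewer can go straight to the triage step. A real deployment would read from the SIEM rather than a string, persist the failure windows between runs, and treat the three months of online logs as the review horizon.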

11. Test Implemented Security Systems and Processes Regularly

In the cybersecurity space, new threats keep emerging as new system and application vulnerabilities are discovered. PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change to the network or systems; external scans must be performed by a PCI-approved scanning vendor (ASV), while internal scans can be run by qualified staff. You must also deploy a change-detection mechanism (file integrity monitoring) that alerts on unauthorized modification of critical system files, configuration files and content files, comparing them at least weekly.

PCI DSS also requires penetration testing, internal and external, at least annually and after any significant infrastructure or application change, to identify exploitable weaknesses and to confirm that segmentation controls actually isolate the cardholder data environment. Findings must be corrected and retested.
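The change-detection mechanism mentioned above, as an added example in Python that is not part of the original article and not a description of any commercial file integrity monitoring product. It hashes a tree of files into a baseline, then reports what was modified, added or removed on the next run; the sample tree and the "unauthorized" edits are constructed inside `demo()` so the block runs offline. Python 3.6+ with the standard library is assumed, and the function names are my own.

```python
# Added example (not from the original article): a minimal file integrity
# monitor. Assumptions: Python 3.6+, standard library only; the sample tree
# and the simulated tampering are constructed inside demo().
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two baselines."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a tree, take a baseline, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "www").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.4.20\n")
        (root / "www" / "checkout.js").write_text("// legitimate checkout page script\n")

        # In production the baseline is written somewhere the monitored host
        # cannot alter it (read-only media, signed, or shipped to the SIEM)
        # and the comparison runs at least weekly; here it round-trips
        # through JSON in memory.
        baseline_json = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated unauthorized changes: a configuration edit pointing the
        # app at a foreign database, and a new script dropped next to the
        # payment page.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")
        (root / "www" / "checkout-extra.js").write_text("// injected script\n")

        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "added" bucket matters as much as "modified": a script that appears in a web root without a change ticket is exactly how payment-page skimmers show up, and PCI DSS v4.0 adds an explicit requirement to detect unauthorized changes to payment page scripts in the consumer's browser.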

12. Document and Enforce a Company-Wide Security Policy

The final PCI DSS requirement is a well-documented information security policy. All employees and third-party service providers must know the policy and act accordingly, so that everyone handling cardholder data understands what is expected of them, and your customers can see that you take the security of their data seriously.

As part of this requirement, security awareness training must be given to employees upon hire and at least annually to keep them prepared for emerging threats. The policy must also include a written, tested incident response plan that your company can turn to when it detects a data breach, and a formal risk assessment performed at least annually.

Who Can Self-Validate, and Who Needs to Have a Third-Party Validation?

Each payment brand defines its own compliance levels, but in essence there are four merchant levels based on the number of transactions processed annually. Depending on which level your business falls under, you may or may not need external validation of PCI compliance:

Level 1 merchants must have an annual onsite assessment performed by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC). The same goes for Level 1 service providers, which serve merchants and process more than 300,000 transactions annually. Many Level 2 and Level 3 merchants are also large enough that self-validation is impractical. Although not required, scheduling an external assessment is advisable if you process around a million transactions annually.

The cost of a QSA assessment may not be justifiable if you are a small merchant at the lower end of the Level 3 or Level 4 categories. A qualified staff member can instead perform an internal assessment by completing the Self-Assessment Questionnaire (SAQ) published on the PCI SSC website; several SAQ types exist, and the right one depends on how you accept cards (for example, SAQ A for fully outsourced e-commerce).

An SAQ is a self-validation tool that organizations use to check whether they comply with PCI DSS and to formulate remediation plans if they do not. It consists of “Yes” or “No” questions covering the PCI DSS requirements. Each “No” answer needs an attached remediation plan describing the actions the organization will take and the target date. The SAQ is submitted together with a signed Attestation of Compliance (AOC).

What Is the Cost of PCI Compliance?

The cost of PCI compliance depends on factors such as your business type, merchant level, and whether you have a dedicated compliance team. Organizations that treat security as a top priority allocate a larger budget to data security. Similarly, large organizations with high volumes of cardholder data, many systems, and complex operations will face greater compliance costs, which also depend on the design of internal networks and the technologies used. Finally, enterprises that must undergo external assessments will pay substantial fees to third-party assessors.

As a rough estimate, a small organization performing a self-assessment pays little for the SAQ itself, which is a free download from the PCI SSC; the $50 to $200 often quoted is what acquirers or compliance portals charge for guiding the process. It will also need to invest in employee training, at around $70 per employee, and vulnerability scanning and remediation are separate costs. For enterprises, the cost of PCI compliance can easily exceed $70,000: an external assessment may cost up to $40,000, and other costs include employee training, vulnerability scans, penetration testing, and remediation.

The Benefits of PCI Compliance

Compliance has several advantages, including a lower risk of data breaches and better protection of cardholder data, which reduces the likelihood of identity theft and fraud. Compliance is also a smart business practice: it reduces exposure to breach fines and penalties from the payment brands, improves a firm’s brand reputation, keeps consumers confident that they are doing business with a responsible company, and builds brand loyalty.

Simplify PCI Compliance with Parallels RAS

Parallels® Remote Application Server (RAS) enables organizations to build a secure private cloud and deliver applications and virtual desktops from a centralized platform. Users access applications and data through clients, so sensitive resources never leave your data center.

All communication between Parallels RAS clients and the private network travels over an encrypted channel, and the data always stays in your private cloud. Parallels RAS integrates with several MFA solutions and comes with a comprehensive set of policies to allow or restrict access. Together, these features help organizations meet several of the PCI DSS requirements above.

Learn more about how Parallels RAS can help you in setting up a PCI DSS compliant infrastructure!

Download the Trial