This is the second part of the article, “A Beginner’s Guide to PCI DSS.”
Goal #3: Maintain a Vulnerability Management Program
Requirement #5: Protect all systems against malware and regularly update anti-virus software or programs
PCI DSS requires you to install antivirus software on all of your PCs, servers, and other devices in the cardholder data environment that are “commonly affected by” malware. It requires you to keep this software up-to-date; and to ensure that the software performs scans on a regular basis, that the software is generating audit logs, and that the software can’t be disabled or changed in any way by end-users. You can either install, configure, and manage this software on each device individually, or (if you can afford it) you can configure and manage the antivirus software on all of your devices using a centralized, enterprise-level AV software management solution.
Requirement #6: Develop and maintain secure systems and applications
PCI DSS requires you to remove all of the vulnerabilities in your cardholder data environment that you’re aware of as soon as possible. It requires you to set up a process for looking for and identifying vulnerabilities, which can include regularly scanning your CDE for vulnerabilities with vulnerability scanning tools and regularly checking for updates for all of the software in the CDE. It requires you to assign a “risk ranking” to any vulnerability that you find (for example: high, medium, and low). It also requires you to install any updates that are available for the software in your CDE. “Critical security patches” you have to install within a month of their releases.
PCI DSS also requires businesses that develop their own software and use it in their CDE to ensure that these internally-developed applications comply with all PCI DSS requirements. It also requires them to follow software development security and change control best practices, and to regularly search for and remove vulnerabilities in their own software.
Finally, PCI DSS requires you to use only Payment Application Data Security Standard (PA DSS)-compliant payment applications. The PCI SSC has a searchable list of PA DSS-compliant payment applications on its website.
Goal #4: Implement Strong Access Control Measures
Requirement #7: Restrict access to cardholder data by business need to know
PCI DSS requires you to limit access to cardholder data and the CDE as much as possible using access control systems. Workers should only be given access to cardholder data or the CDE if their job requires it. In addition, they should only be given as much access to these assets as they need to be able to do their jobs. For example, a janitor at a department store doesn’t need to be given electronic access to the CDE be able to do his or her job, though he or she will probably need to be given physical access the PoS systems (i.e., the cash registers) and the server room in order to clean them. A cashier would need to be given physical and electronic access to a PoS system in order to conduct sales or returns, but would not require physical access to the store’s server room or electronic access to any stored payment card data.
Requirement #8: Assign a unique ID to each person with computer access
PCI DSS requires you to assign a unique username to each worker that you give access to cardholder data or the CDE. Each of these users should use a valid authentication method, such as a password, smart card, security token, or fingerprint scanner, to log in to their account. You have to encrypt any passwords that you store, as well as when you transmit them over any network. PCI DSS also requires anyone that accesses the CDE from a device that isn’t part of the CDE to log in with two-factor authentication.
PCI DSS Requirement #8 has many sub-requirements, including:
You should immediately revoke the access of any user that has left the company
Any user account that hasn’t been active within the last 90 days should be removed or disabled
Your authentication system should give users no more than six attempt to log in before locking them out for at least 30 minutes
You should require users to re-authenticate if they have been idle for more than 15 minutes
Your users’ passwords must be at least seven characters in length and contain both numeric and alphabetic characters
Your users need to change their passwords at least every 90 days, and the password they select cannot be the same as any of their last four passwords they have used
Requirement #9: Restrict physical access to cardholder data
PCI DSS requires you to monitor and restrict access to any of the hardware in the cardholder data environment and any paper documents with cardholder data on them. It requires you to install video cameras or “access control mechanisms” (such as ID card scanners) in areas containing CDE hardware or sensitive paper documents, periodically check the videotape or access control mechanisms to ensure that only authorized individuals are accessing the area, and maintain the videotape and access control mechanism data for at least three months. It also requires you to restrict physical access to networking hardware, cables, and jacks.
Further, it requires you to strictly control and log all access to these areas by short-term visitors, to protect electronic storage media (including hard drives, tape drives, and optical disks) and paper documents from unauthorized access, to securely dispose of these sensitive assets when they’re no longer needed (by shredding them, for example), and to protect payment card readers/scanners from tampering.
We’ll summarize PCI DSS requirements 10 through 12, explain how to verify your compliance with PCI DSS with the payment card brands, and wrap up our discussion of PCI DSS in the third and final part of this article.