This is the third and final part of the article, “A Beginner’s Guide to PCI DSS.”
Goal #5: Regularly Monitor and Test Networks
Requirement #10: Track and monitor all access to network resources and cardholder data
PCI DSS requires you to set up a logging system that allows you to monitor and document everything important that goes on in your cardholder data environment.
It requires you to log important events such as:
User access to cardholder data
All actions performed by users with root or administrative privileges
User access to logs
Starting, stopping, or pausing of the logging system
Failed login attempts
Any changes to any authentication system
Each of these log entries should include in the following information:
Type of event
Data and time
Whether the event succeeded or failed
The affected “data, system component, or resource”
You have to review all logs for “all system components related to security functions” (such as your firewall or centralized antivirus management solution) at least every day. You also have to protect all of your logs from unauthorized access and retain them for at least a year.
Many operating systems and applications have built-in logging features. You can also deploy a type of solution called log management software to make it easier to review and protect your logs.
Requirement #11: Regularly test security systems and processes
PCI DSS requires you to run internal and external network vulnerability scans and search for unauthorized access points at least every four months, and to perform external and internal penetration tests at least every year. The quarterly external network vulnerability scans should be performed by an Approved Scanning Vendor (ASV). PCI DSS also requires you to implement intrusion detection and prevention systems (IDS/IPS) and change detection software, which will alert you whenever important files (such as configuration and log files) are changed.
Goal #6: Maintain an Information Security Policy
Requirement #12: Maintain a policy that addresses information security for all personnel
PCI DSS requires you to implement a PCI DSS-compliant security policy, which is a document that lays out your company’s approach to information security. It should include all of the security measures you want to implement; how you want them to be configured, monitored, and maintained; security rules for employees to follow; and the permissions and information security roles and responsibilities of everyone at the company. You need to make sure that all of your employees and contractors are familiar with the security policies that apply to them. You also need to review and update your security policy at least once per year.
PCI DSS also requires you to implement an incident response plan, which is a document that lays out how your company will respond to a security breach. This document should include lists of the actions that need to be performed in response to a breach and of everyone at the company’s roles and responsibilities in the incident response process.
Finally, PCI DSS requires you to keep a list of all of the third-party service providers (including IT hosting providers and payment processing companies) that you provide with access to your payment card data, to maintain written agreements with these providers in which they acknowledge their responsibility for protecting this data and complying with PCI DSS, and to verify the providers’ compliance with PCI DSS at least once per year.
How to Verify Your PCI DSS Compliance with the Payment Card Brands
You have to confirm your PCI DSS compliance with each payment card brand separately. The process of confirming compliance can vary from one payment card brand and acquiring bank to another and can depend on how many transactions you perform each year per brand and whether you have ever suffered a security breach. Discover, MasterCard, and Visa require you to send your forms confirming your compliance with PCI DSS to your acquiring bank, while American Express requires you to send it to a compliance vendor called Trustwave.
All businesses that qualify as Level 1 merchants (which American Express defines as businesses that perform 2.5 million or more American Express Card transactions per year, and which Discover, MasterCard, and Visa define as businesses that perform 6 million or more transactions using their respective cards) must have a Report on Compliance (ROC) completed by either a Qualified Security Assessor (QSA) or an internal auditor, and submit an Attestation of Compliance (AOC) every year. If your ROC is completed by an internal auditor, Discover and MasterCard require the auditor to be a certified Internal Security Assessor (ISA); American Express and Visa do not. Depending on the payment card brand or your acquiring bank, you may also be required to submit your ROC every year and an Approved Scanning Vendor Attestation of Scan Compliance (AOSC) (see Appendix A of this document) or an “executive summary” of the AOSC every four months.
Any business that perform less yearly transactions than a Level 1 merchant will only have to perform a Self-Assessment Questionnaire (SAQ) instead of a longer, more detailed ROC. There are currently eight different SAQ forms available for merchants. Any merchant that stores payment card data electronically has to fill out the longest version, SAQ D. Merchants that don’t store any payment electronically, though, may be able to fill out one of the shorter SAQ forms if it corresponds to how their business handles payment cards. SAQ A, for example, can be filled out by e-commerce, mail-order, and telephone-order companies that completely outsource the processing and storage of their customers’ payment cards.
Merchants that are required to fill out an SAQ must submit the respective SAQ’s Attestation of Compliance every year. Like Level 1 merchants, these merchants may also be required to submit an Approved Scanning Vendor Attestation of Scan Compliance or an “executive summary” of the AOSC every four months.