Common PCI DSS Questions for SMBs

This blog is intended for small to medium sized merchant businesses and attempts to answer common PCI DSS questions.

Marcus Call
Cybersecurity
PCI

Common PCI DSS Questions

For small to medium businesses, wearing multiple hats is often the name of the game. You have to make sure that both your company’s and your customers’ sensitive data are protected from attackers, and the details of doing so can get overwhelming. Worrying about cybersecurity, payment information, and compliance can sometimes feel like a necessary evil, or worse, an unnecessary annoyance.

One central piece of running a secure company involves being compliant with the PCI DSS (Payment Card Industry Data Security Standard), a standard created by the PCI SSC (Payment Card Industry Security Standards Council) to ensure that organizations that accept payments do so securely. The card brands all support and adopt the PCI DSS for merchants processing their cards. Following the requirements in the PCI DSS will help defend your business against attacks and provides you with a framework for safely managing any sensitive info.

Unfortunately, businesses often focus on these requirements only once it’s too late, after an attack or breach has occurred. We’ve created this blog to answer some of the fundamental questions that small businesses might have regarding the PCI DSS, including: where to start, what each requirement means, and what is vital for my business’s (and customers’) safety.

Before we begin, I always start any PCI DSS Q&A by stating that almost every question about the PCI DSS can be answered with one answer, “it depends.” That’s because every situation and business is different, and the PCI DSS has caveats and carve-outs for just about every scenario.

This blog is intended for small to medium sized merchant businesses and attempts to answer these questions in a way that should be sufficient to a majority of those businesses. If you are a large-sized merchant, service provider, issuer, or just find yourself having further questions, consider reaching out for consultation.

Let’s jump in!

SAQs

What are SAQs?

To guide you through your PCI compliance journey, the first place to start is by determining which SAQ (Self-Assessment Questionnaire) you qualify for and filling it out. An SAQ is a detailed series of questions that will help you know exactly what is required of you when it comes to keeping any cardholder data (CHD) and your business’ systems secure.

There are ten SAQs:

  • A
  • A-EP
  • B
  • B-IP
  • C-VT
  • C
  • P2PE
  • D for Merchants
  • D for Service Providers
  • SPoC

Which SAQ do I need to fill out?

The SAQ you need to fill out will change depending on what kind of business you operate and how you process payment info and other customer data.

There is a definitive list (see page 4) provided by the PCI Security Standards Council that outlines the criteria for each SAQ. You will need to analyze your business to determine which SAQ you qualify for. You can also reference this great blog article for additional information on SAQs.

PCI Compliance Requirement 1

What is an NSC?

PCI DSS version 4 came with some changes to the terminology used. One of these changes was to refer to NSCs (network security controls) rather than firewalls.

Think of an NSC as a security guard that monitors and approves/denies web traffic into and out of your business’ network. An NSC can be a firewall, security group, switch ACL, or any other network control where traffic is managed.

Different businesses will use different NSCs. A business with a physical presence will generally use a firewall to secure their business’ network from outside threats. Businesses with their networks in the cloud often use security groups to perform the same task as the firewalls at a physical business location. If your SAQ has requirements for an NSC, you will need to select the appropriate technology for your business’ environment in order to control the inbound and outbound traffic that flows through your network.

The intent of the NSC is to filter unauthorized access to your cardholder data environment (CDE) to ensure that all CHD remains secure.

What kind of firewall do I need?

The firewall you need will depend on your business and the SAQ you qualify for. There are two types of firewalls you will need to consider when it comes to PCI DSS compliance: network firewalls and personal firewalls.

A network firewall is typically installed on the edge of your organization's network to protect your internal systems from untrusted connections that come from the Internet. Many routers come with basic firewall technology built in.

The PCI DSS requires that an NSC, or firewall, be placed between trusted and untrusted networks. This typically means it is placed on the edge of the network and between any internal-wired network and wireless environments. If your business has a DMZ (demilitarized zone) for publicly accessible web servers, an NSC (i.e., firewall) should be present to secure these publicly accessible servers from the systems on the internal network.

A personal firewall can protect a single device from outside threats, including those from other devices that share the same network. The PCI DSS requires personal firewalls to be installed on devices that connect to both untrusted and trusted networks. This typically refers to laptops and other mobile devices that connect to wireless or cellular networks. Many operating systems have built in firewalls that can be configured to assist you in meeting these requirements.

PCI Compliance Requirement 2

How do I harden my systems?

System hardening is a broad term used to describe the process of reducing vulnerabilities and improving cyber security across your business.

It can include changing system defaults that can lead to a compromise. This includes things like disabling and/or removing the built-in user accounts, changing the default passwords for the system, and removing insecure services (like telnet).

Hardening also includes a number of other things like having more secure passwords, using multi-factor authentication, setting up firewalls, configuring automatic software patches, and limiting any unnecessary processes or apps that could open you up to an attack.

Hardening your systems is a proactive approach to security that minimizes your chances of a breach and discourages attackers from targeting you.

How should I set up my security configurations?

Security configurations will depend on your business’s network and what kind of data you’re storing.

As a rule of thumb, change all default passwords, usernames, and other security settings that come preset on every device within your organization.

Choosing not to change default settings makes it easier for an attacker to access and steal your data.

Default user accounts, guest accounts, preset usernames, and simple passwords are a hacker’s dream because they don’t even need to guess what the password is. The default username and password are typically the first thing a hacker would try to gain access to a system.

Here are some important configuration settings that should be addressed throughout your organization:

  • Remove all insecure applications, services, protocols, etc.
  • Remove any unused or unnecessary applications.
  • Remove or disable default user and guest accounts.
  • Change default passwords.
  • Remove any unnecessary system processes.
  • If possible, limit systems to a single responsibility (a domain controller, web server, and database should all be on separate systems).
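The checklist above is the kind of thing you can turn into a repeatable host check rather than a one-time cleanup. The following Go program is an added example, not code from this post or from SecurityMetrics: it reads /etc/shadow-style lines and a list of listening TCP ports (both constructed inline here) and reports accounts with empty passwords, default accounts that are still enabled, and clear-text legacy services such as telnet. The set of "default" account names and the port-to-service table are assumptions chosen for the example; adjust them to what your own systems ship with.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one hardening problem discovered on a host.
type Finding struct {
	Check  string
	Detail string
}

// Default or guest account names that Requirement 2 says should be removed
// or disabled. Constructed list for this example, not a PCI-mandated set.
var defaultAccounts = map[string]bool{"guest": true, "admin": true, "test": true, "pi": true}

// Legacy services that send credentials in clear text and should not be listening.
var insecureServices = map[int]string{21: "ftp", 23: "telnet", 69: "tftp", 512: "rexec", 513: "rlogin", 514: "rsh"}

// auditShadow inspects /etc/shadow-style lines (name:hash:...) and reports
// accounts with an empty password and default accounts that are not locked.
// A hash starting with "!" or "*" means the account cannot log in with a password.
func auditShadow(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		fields := strings.Split(line, ":")
		if len(fields) < 2 {
			continue
		}
		name, hash := fields[0], fields[1]
		locked := strings.HasPrefix(hash, "!") || strings.HasPrefix(hash, "*")
		if hash == "" {
			findings = append(findings, Finding{"empty-password", name})
		}
		if defaultAccounts[name] && !locked {
			findings = append(findings, Finding{"default-account-enabled", name})
		}
	}
	return findings
}

// Listener is a TCP port together with the process that owns it, the way a
// network inventory or a parser for `ss -ltnp` would report it.
type Listener struct {
	Port    int
	Process string
}

// auditListeners reports legacy clear-text services that are still exposed.
func auditListeners(ls []Listener) []Finding {
	var findings []Finding
	for _, l := range ls {
		if svc, bad := insecureServices[l.Port]; bad {
			findings = append(findings, Finding{"insecure-service", fmt.Sprintf("%s on port %d (%s)", svc, l.Port, l.Process)})
		}
	}
	return findings
}

// sampleShadow and sampleListeners are constructed inputs for the demo:
// "guest" has an empty password, "admin" is enabled, "pi" is locked.
var sampleShadow = []string{
	"root:$6$abc$hashed:19000:0:99999:7:::",
	"guest::19000:0:99999:7:::",
	"admin:$6$def$hashed:19000:0:99999:7:::",
	"pi:!:19000:0:99999:7:::",
	"pos:$6$ghi$hashed:19000:0:99999:7:::",
}

var sampleListeners = []Listener{{22, "sshd"}, {23, "telnetd"}, {443, "nginx"}}

func main() {
	for _, f := range append(auditShadow(sampleShadow), auditListeners(sampleListeners)...) {
		fmt.Printf("%-24s %s\n", f.Check, f.Detail)
	}
}
```

Run it against a real export of /etc/shadow and your port inventory, and treat every finding as a change ticket: disable or remove the account, or stop the service. A locked default account (like "pi" above) is accepted, which matches the "remove or disable" wording of the requirement.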

PCI Compliance Requirement 3

How should I store customer information?

My first answer to this question is, don’t.

Seriously. Stop here and consider if you need to store credit card information or not.

If you decide not to store cardholder data, then you won’t have to worry about Requirement 3. For many small businesses, this is the right choice.

If, after considering your business needs, you decide to store cardholder data and have a good justification for doing so, you will need to store that data with secure and strong encryption. Any sensitive customer data that you store should be encrypted, especially PAN (Primary Account Number) data.

Here are steps to help you know the most secure and effective ways of storing customer information:

  • Stored card data must be encrypted using industry-accepted encryption, like AES-256.
  • Create a process to create and manage strong encryption keys.
  • Assign an employee or team to keep unencrypted card data off your systems.
  • Create a card data flow diagram to help you keep track of your data and monitor how card data moves through your organization.
  • Use a card data discovery tool, like SecurityMetrics PANscan, to find out if you’re storing any unencrypted data that you aren’t immediately aware of.

If you are storing PANs on paper records, be sure to securely store them. Many businesses will store these in a safe or in a secure office location in a locked file cabinet. Controlling who has access to the storage location (e.g., keys, badge readers) and tracking the access are important security factors to consider when storing PANs in this manner.

What is encryption?

When you store sensitive data like credit card info, encryption makes that data unreadable to those who aren’t supposed to read it, keeping you and your clients’ information secure.

Basically, encryption scrambles important information to keep it safe from attackers.

It’s vital to encrypt any sensitive data that’s sent over the Internet, especially if it's being sent over public networks. Where and how you are sending sensitive data will also help you determine what you need to encrypt during transmission.

What customer information am I allowed to store?

In general, there are two phases in which you might be storing CHD: Pre-Authorization and Post-Authorization. The difference between these two phases is that you are allowed to store some necessary Sensitive Authentication Data (SAD) during the Pre-Authorization phase that you normally can’t after Post-Authorization.

Authorization is just the step of the payment transaction where the card has either been approved or declined. This step typically occurs quickly as part of the payment process. If you are using a physical credit card terminal, authorization typically occurs once the card has been removed from the chip reader (transaction completion). For online payments through a virtual terminal payment website, the authorization occurs once you have clicked the “submit” button and received the accepted or declined payment page on the next screen.

For Pre-Authorization data, you are allowed to store all parts of the cardholder data. Once the payment has been authorized, the rules change.

For Post-Authorization data, you can store:

  • Primary Account Numbers or PANs,
  • Cardholder names,
  • And expiration dates

You cannot store the following Post-Authorization:

  • Magnetic stripe track data,
  • PIN/PIN block,
  • And security codes such as CAV2/CVC2/CVV2/CID

Remember, only store data that’s necessary for your business. If you don’t absolutely need to store the data, then don’t do it.

Your IT security team should work closely with your executive and legal teams to decide what data you store, why you need it, how long you'll store it, and how you will securely delete it.
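The storage steps above (strong encryption of stored card data, keys managed separately) and the post-authorization rules (PAN, name and expiry may be kept; track data, PIN and security codes may not) can be enforced in one place in code. The following Go program is an added example, not code from this post or from SecurityMetrics. It encrypts the PAN with AES-256-GCM from Go's standard library, keeps name and expiry in the clear, and refuses to produce a storable record at all if any sensitive authentication data is still attached. The struct names, the in-memory key generation, and the card number (the standard 4111... test number, not a real account) are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CapturedCard is what a payment form or terminal hands you before authorization.
type CapturedCard struct {
	PAN, Name, Expiry string // storable after authorization (PAN only in encrypted form)
	Track2, CVV2, PIN string // sensitive authentication data: never storable after authorization
}

// StoredCard is the only shape that is allowed to reach disk after authorization.
type StoredCard struct {
	PANCiphertext []byte // AES-256-GCM output: nonce || ciphertext || tag
	Name, Expiry  string
}

var errSADPresent = errors.New("refusing to store: sensitive authentication data present after authorization")

// newDataKey generates a 32-byte key (AES-256). In production this key lives in
// a key-management system or HSM, never beside the data it protects.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptPAN seals the PAN with AES-256-GCM under a fresh random nonce.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob carries everything.
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN; any tampering fails the GCM tag check.
func decryptPAN(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// storePostAuth converts a captured card into its storable form. It refuses
// outright if any SAD field is still populated: the caller must discard track
// data, CVV2 and PIN at authorization rather than rely on this function to do it.
func storePostAuth(key []byte, c CapturedCard) (StoredCard, error) {
	if c.Track2 != "" || c.CVV2 != "" || c.PIN != "" {
		return StoredCard{}, errSADPresent
	}
	ct, err := encryptPAN(key, c.PAN)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{PANCiphertext: ct, Name: c.Name, Expiry: c.Expiry}, nil
}

func main() {
	key, _ := newDataKey()
	// Constructed test card (industry test number, not a real account).
	card := CapturedCard{PAN: "4111111111111111", Name: "A Customer", Expiry: "12/29"}
	stored, err := storePostAuth(key, card)
	fmt.Println("stored:", err, len(stored.PANCiphertext), "bytes of ciphertext")
	pan, err := decryptPAN(key, stored.PANCiphertext)
	fmt.Println("decrypted:", pan, err)
	_, err = storePostAuth(key, CapturedCard{PAN: card.PAN, CVV2: "123"})
	fmt.Println("with CVV2 attached:", err)
}
```

Two design points worth noting: GCM gives you integrity as well as confidentiality, so a modified ciphertext is detected on read instead of silently decrypting to garbage; and the function that writes post-authorization records returns an error rather than quietly dropping SAD, because SAD still being present at that point indicates a bug upstream that you want to know about.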

PCI Compliance Requirement 4

How do I encrypt sensitive data?

There are a few methods for encrypting the sensitive data you process and store. The method you select will be determined by the nature of your business.

For businesses that handle in-person transactions, one of the most effective and simplest means of encrypting PAN is to use a P2PE device. Not only is this both simple and secure, but if this is the only method in which you interact with cardholder data, then you likely qualify for the SAQ P2PE. This SAQ has a significant scope reduction from the full PCI DSS.

P2PE (Point-to-Point Encryption) terminals encrypt credit card data at the moment of card insertion, swiping, or tapping. The card data remains encrypted until it arrives at the payment processor. While it may require more upfront cost, P2PE is most often the simplest and most secure way for a business to process CHD.

For businesses that handle payments online, using HTTPS with TLS 1.2 or higher will be required. You will need to select secure cipher suites in addition to using TLS 1.2 in order to ensure the payment information transmitted to your site is properly encrypted.

If you would like to test your web server, you can use the Qualys SSL Labs or Immuniweb testing tools. (I recommend clicking the “hide results” or “do not show results” tick boxes if privacy is a concern.) Each of these tools can test the connection security of your site for secure configurations and cipher suites.
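What "TLS 1.2 or higher with secure cipher suites" looks like when you write the server yourself is shown in the following Go example, which is added here and is not code from this post or from SecurityMetrics. It builds a crypto/tls configuration that refuses anything below TLS 1.2 and only offers forward-secret ECDHE suites with AEAD ciphers, and it attaches the same policy as a VerifyConnection callback so that a handshake that somehow violates it is torn down. The checkConnection function can also be run against a ConnectionState you captured, which is a local version of what the online testing tools report. The specific allow list is an assumption chosen for the example; the tools named above will tell you whether your own list is acceptable.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// allowedSuites lists the TLS 1.2 cipher suites this server will negotiate:
// forward-secret ECDHE key exchange with AEAD ciphers only (no RSA key
// exchange, no CBC, no RC4 or 3DES). TLS 1.3 suites are not listed because
// Go does not let you configure them, and all of them are AEAD anyway.
var allowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

func suiteAllowed(id uint16) bool {
	for _, s := range allowedSuites {
		if s == id {
			return true
		}
	}
	return false
}

// checkConnection is the policy applied to every completed handshake. It is
// also what you would run against a captured ConnectionState to audit what a
// server actually negotiated.
func checkConnection(cs tls.ConnectionState) error {
	if cs.Version < tls.VersionTLS12 {
		return fmt.Errorf("rejected: negotiated protocol 0x%04x is below TLS 1.2", cs.Version)
	}
	if cs.Version == tls.VersionTLS12 && !suiteAllowed(cs.CipherSuite) {
		return fmt.Errorf("rejected: cipher suite %s is not on the allow list", tls.CipherSuiteName(cs.CipherSuite))
	}
	return nil
}

// paymentServerTLSConfig builds the server configuration for a site that
// receives payment data. cert is the site's certificate and private key.
func paymentServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12,
		CipherSuites:     allowedSuites,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		// Defence in depth: even if the lists above are edited later, a
		// handshake that violates the policy is closed here.
		VerifyConnection: checkConnection,
	}
}

// paymentClientTLSConfig is the matching outbound configuration for calls you
// make to a processor or gateway, so your own client never downgrades.
func paymentClientTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CipherSuites:     allowedSuites,
		VerifyConnection: checkConnection,
	}
}

func main() {
	// Constructed handshake results, as a scanner report might list them.
	samples := []tls.ConnectionState{
		{Version: tls.VersionTLS10, CipherSuite: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		{Version: tls.VersionTLS12, CipherSuite: tls.TLS_RSA_WITH_AES_128_CBC_SHA},
		{Version: tls.VersionTLS12, CipherSuite: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
		{Version: tls.VersionTLS13, CipherSuite: tls.TLS_AES_128_GCM_SHA256},
	}
	for _, cs := range samples {
		fmt.Printf("0x%04x %-40s %v\n", cs.Version, tls.CipherSuiteName(cs.CipherSuite), checkConnection(cs))
	}
}
```

Pass paymentServerTLSConfig to http.Server.TLSConfig (or tls.Listen) and paymentClientTLSConfig to an http.Transport; the policy then applies in both directions without any further per-request code.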

PCI Compliance Requirement 5

What is malware?

Malware is any form of software that attackers use to damage, disrupt, or gain unauthorized access to your systems and your sensitive data.

Malware can come in all kinds of forms, including:

  • Viruses
  • Ransomware
  • Spyware
  • Trojans
  • Adware
  • Bots
  • Cryptojacking
  • And many, many more

Malware can be spread by emails, texts, websites, ads, and files with a devastating impact to your business’s system and the devices on it.

Which anti-malware software should I get?

There are several great choices you can make when deciding which anti-malware to get. There are plenty of great blogs and websites that thoroughly compare and outline which would be best for your business needs.

There are two main types of anti-malware solutions out there: traditional anti-malware scanning solutions and continuous behavior analysis solutions.

Traditional anti-malware solutions rely on updating the scanning agent on each device and performing regular scans in order to detect malware.

If you select this type of solution, you will need to determine and configure your scan and update frequency.

Continuous behavior analysis anti-malware solutions function as if they are always on and always scanning. This type of anti-malware gathers and collects system behavior in the form of logs and sends these logs to the anti-malware server for analysis. Since all the analysis is performed in the cloud, the installed software on the computer won’t need to update as often as traditional anti-malware does. Since this type of anti-malware doesn’t rely on scans, you won’t have to determine scan frequency, configure scans, or configure signature updates.

Malware comes in many forms, causing all kinds of fear and stress. But with the right prevention software and regular maintenance, you can rest assured that you’re protected.

What devices should I protect with anti-malware?

Malware can spread on virtually any device connected to the internet including computers, phones, and tablets. If anti-malware software is available for your system, it’s susceptible to malware.

Ensure your anti-malware software has you covered across every device on your entire network, including any device you or your employees use to conduct business. You are more susceptible than you might think.


PCI Compliance Requirement 6

How often should I update my apps and software?

Apply security updates and patches as soon as possible, but at least within 30 days after their release to the public.

Security updates keep your systems safe and functional, ensuring your systems remain reliable. Out-of-date software can make it easier for attackers to exploit and gain access to your sensitive info.

What apps and software do I need to update?

Once you learn about a new update, make sure you patch all critical systems you’re using, like:

  • Internet browsers
  • Firewalls
  • Application software
  • Databases
  • Point-of-sale terminals
  • Operating systems

If you don't, your system may be vulnerable to malware and other security issues, allowing an attacker to target or gain access to a system containing sensitive cardholder data.

PCI Compliance Requirement 7

Who needs to have access to my sensitive data?

The best policy is to limit access to the CDE or exposure to cardholder data only to those employees whose jobs require it.

Simply put, don't give people access to any sensitive data or the card data environment if they don't need it.

The more people who have access to cardholder data, the greater the risk.

What is an access list?

A role-based access control list or system grants access to card data and systems only to individuals and groups on a need-to-know basis.

Make sure to regularly define and update roles with access to the card data environment.

This access list should include:

  • Roles
    • Definition of each role
  • Privileges assigned to each role
    • Definition of privileges with access to the CDE or data resources
  • Users assigned to each role

All users must fit into one of the roles you outline.

Keep in mind that your role-based access control system isn't limited to your normal office staff. It applies to anyone who needs access to your systems in the area behind the desk.
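The access list described above (roles with definitions, privileges per role, users per role, and the rule that every user must fit a role) maps directly onto a small data structure that you can query during access reviews. The following Go program is an added example, not code from this post or from SecurityMetrics. The roles, privilege names (such as "cde.access") and user names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is one entry in the access list: a name, its definition, and the
// privileges it carries.
type Role struct {
	Name       string
	Definition string
	Privileges map[string]bool
}

// AccessList binds each user to exactly one role.
type AccessList struct {
	Roles map[string]Role   // role name -> role
	Users map[string]string // user -> role name
}

// Allowed answers "may this user exercise this privilege?" purely via the role,
// so there is no way to grant a privilege to an individual outside the list.
func (a AccessList) Allowed(user, privilege string) bool {
	role, ok := a.Roles[a.Users[user]]
	return ok && role.Privileges[privilege]
}

// UsersWithoutRole returns the accounts from a directory export that are not
// assigned any defined role; each one is a review finding to resolve.
func (a AccessList) UsersWithoutRole(directory []string) []string {
	var out []string
	for _, u := range directory {
		if _, ok := a.Roles[a.Users[u]]; !ok {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// UsersWithPrivilege lists who holds a privilege, which is the question an
// assessor asks about access to the CDE.
func (a AccessList) UsersWithPrivilege(privilege string) []string {
	var out []string
	for u := range a.Users {
		if a.Allowed(u, privilege) {
			out = append(out, u)
		}
	}
	sort.Strings(out)
	return out
}

// sampleAccessList is a constructed access list for a small shop.
var sampleAccessList = AccessList{
	Roles: map[string]Role{
		"cashier":    {"cashier", "Rings up sales on a POS terminal", map[string]bool{"pos.sale": true}},
		"pos-admin":  {"pos-admin", "Configures POS terminals and the payment gateway", map[string]bool{"pos.sale": true, "pos.configure": true, "cde.access": true}},
		"it-support": {"it-support", "Maintains office workstations, no CDE access", map[string]bool{"workstation.admin": true}},
	},
	Users: map[string]string{"alice": "cashier", "bob": "pos-admin", "carol": "it-support"},
}

// sampleDirectory is the full account list exported from the identity system;
// "dave" has an account but no role, which the review must surface.
var sampleDirectory = []string{"alice", "bob", "carol", "dave"}

func main() {
	fmt.Println("cde.access holders:  ", sampleAccessList.UsersWithPrivilege("cde.access"))
	fmt.Println("users without a role:", sampleAccessList.UsersWithoutRole(sampleDirectory))
	fmt.Println("alice -> cde.access: ", sampleAccessList.Allowed("alice", "cde.access"))
}
```

Running UsersWithPrivilege("cde.access") and UsersWithoutRole against a fresh directory export is a reasonable shape for the regular review the text calls for: the first list should be short and every name on it justified, and the second list should be empty.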

PCI Compliance Requirement 8

Are my current passwords strong enough?

When determining your password strength, there are a few things to keep in mind.

Make sure you aren’t using generic accounts or passwords, shared group passwords, or the same password reused across different services.

Instead, set different, complex passwords for every service that you use.

Your passwords should also be at least 12 characters long.

An easy way to remember complex passwords is by using passphrases.

Passphrases are groups of words, which might include spaces and punctuation (if your system allows), as well as numbers and special characters. Here’s an example passphrase:

“We Never Drove to Vancouver in 84 BUT in 88?” Long? Yes, but secure? Very.

You also need to establish automatic account lock-outs, where after a set number of failed login attempts, the system administrator has to unlock that account.

For example, an account could be locked after six consecutive failed login attempts within a 30-minute period.

If attackers only have six chances to guess your password, they’ll likely fail.
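The lockout rule just described (six consecutive failures within 30 minutes, then an administrator has to unlock the account) is simple to state but easy to get subtly wrong, for example by letting a correct password clear a lock. The following Go program is an added example, not code from this post or from SecurityMetrics, implementing that policy with the clock passed in explicitly so the window logic can be tested. The type and method names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy mirrors the example in the text: lock after MaxFailures
// consecutive failed attempts inside Window.
type LockoutPolicy struct {
	MaxFailures int
	Window      time.Duration
}

type accountState struct {
	failures []time.Time // timestamps of recent failed attempts
	locked   bool
}

// Lockouts tracks failed logins per account. Time is passed in explicitly so
// the logic can be exercised without waiting for real minutes to pass.
type Lockouts struct {
	policy LockoutPolicy
	accts  map[string]*accountState
}

func NewLockouts(p LockoutPolicy) *Lockouts {
	return &Lockouts{policy: p, accts: map[string]*accountState{}}
}

func (l *Lockouts) state(user string) *accountState {
	st, ok := l.accts[user]
	if !ok {
		st = &accountState{}
		l.accts[user] = st
	}
	return st
}

// Locked reports whether the account currently needs an administrator unlock.
func (l *Lockouts) Locked(user string) bool { return l.state(user).locked }

// Attempt records one login attempt. passwordOK is the result of the credential
// check; the return value is whether access is granted. A locked account is
// refused even when the password is correct, and a correct password does not
// unlock it.
func (l *Lockouts) Attempt(user string, passwordOK bool, now time.Time) bool {
	st := l.state(user)
	if st.locked {
		return false
	}
	if passwordOK {
		st.failures = nil // a success ends the failure streak
		return true
	}
	// Drop failures that fell out of the window, then record this one.
	cutoff := now.Add(-l.policy.Window)
	kept := st.failures[:0]
	for _, ts := range st.failures {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	st.failures = append(kept, now)
	if len(st.failures) >= l.policy.MaxFailures {
		st.locked = true
		st.failures = nil
	}
	return false
}

// AdminUnlock is the only way out of the locked state.
func (l *Lockouts) AdminUnlock(user string) {
	st := l.state(user)
	st.locked = false
	st.failures = nil
}

func main() {
	lo := NewLockouts(LockoutPolicy{MaxFailures: 6, Window: 30 * time.Minute})
	t0 := time.Date(2024, 5, 2, 9, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 6; i++ {
		lo.Attempt("pos-clerk", false, t0.Add(time.Duration(i)*time.Minute))
	}
	fmt.Println("locked after 6 failures:", lo.Locked("pos-clerk"))
	fmt.Println("correct password while locked grants access:", lo.Attempt("pos-clerk", true, t0.Add(7*time.Minute)))
	lo.AdminUnlock("pos-clerk")
	fmt.Println("granted after admin unlock:", lo.Attempt("pos-clerk", true, t0.Add(8*time.Minute)))
}
```

In a real service the per-account state would live in a shared store rather than a map in one process, so that attempts spread across several servers are counted together; otherwise an attacker who can reach more than one instance gets more than six chances.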

One tool that I always recommend is a password manager. Password managers can assist you in generating complex passwords/passphrases and securely storing them. We live in a world where just about every site you visit requires a username and password. The number of passwords required for us to remember only goes up. Remembering over a hundred unique and complex passwords/passphrases can become impossible for the average person. Password managers enable personnel to truly use unique and complex authentication credentials for each account they have without having to rely on the fallible human memory.

If you do choose to use a password manager, be mindful of the solution you select. Be sure to research the available password managers for your desired security features and reputation. A breach to a password management system could be catastrophic.

Do I need multi-factor authentication?

For cardholder data environment access, multi-factor authentication needs to be used. Multi-factor authentication means you’re including at least two of the following factors:

  • Something only you know, such as a username and password
  • Something only you have, such as a hardware token, smartcard, or MFA mobile device PIN
  • Something only you are, such as a fingerprint, ocular scan, or voiceprint

This is a pretty common standard for most apps and software these days. For example, an employee trying to access your cardholder data environment needs to enter their username and password, and then must enter a one-time PIN from an app on their phone (e.g. Google Authenticator).

PCI Compliance Requirement 9

Is my physical data really at risk?

Most of the time, focus is rightly placed on safeguarding digital assets, systems, and software. Unfortunately, that often means that businesses spend little to no time considering how to properly protect their physical environment from theft or breach.

It’s vital that you protect any stored media, which includes paper documents, electronic files, or devices that contain cardholder data. For merchants, this can mean paper receipts or copies.

Where should I store my sensitive physical data?

The best way to control a physical security threat is by having and following a physical security policy that covers your business’s security protocol.

For example, if you keep confidential information, products, or equipment in the workplace, keep these items in a secure, locked area.

Physical security isn’t only about securely storing paper media. It also includes physically securing your digital systems. One example of this is restricting access to network jacks, which will help prevent malicious individuals from plugging into your internal network and gaining access.

Control and limit employee access to sensitive areas and removable devices, making sure that only those employees that need access are allowed access. This can be done through a variety of methods, though most often businesses use some combination of badge readers, physical keys, and camera systems.

PCI Compliance Requirement 10

What are audit trails/logs?

Audit trails or logs keep track of the who, what, and when around accessing sensitive data within your organization by logging and monitoring users and their actions.

Having a reliable breadcrumb trail back to any action that’s taken place in your business will save you a lot of time and frustration if you have a breach.

It’s important for your business to track all actions on network and system resources and cardholder data.

How do I set up logs for my company?

Most systems and software generate logs including: operating systems, Internet browsers, POS systems, workstations, anti-malware, firewalls, and IDS/IPS.

Some systems with logging capabilities do not enable logging automatically, so it’s important to ensure all systems create and collect logs. The PCI DSS also requires that your logs be forwarded to a centralized log management system.

Be aware of your system capabilities and install third-party log monitoring and management software as needed.

What do anomalies look like?

Within your organization, an anomaly is any activity that differs from standard behavior across systems, software, and devices.

Organizations should establish a baseline of “normal” traffic to help better identify anomalies or suspicious behavior, then review their logs daily to search for errors, anomalies, or suspicious activities that deviate from the norm.

Log alerts act as red flags that tell you when something malicious may be happening.

Given the large amount of log data generated by systems and networking devices, you need to have an automated tool that can perform audit log reviews.
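A baseline of "normal", a daily review, and automated alerts can be made concrete with a small log reviewer. The following Go program is an added example, not code from this post or from SecurityMetrics. It parses constructed login records (timestamp followed by key=value fields), compares each successful login with a baseline of business hours and the hosts each user normally uses, and flags bursts of failed logins and the success that follows them. The log format, the baseline values, and the user and host names are all assumptions made for the example; a real deployment would apply the same checks to the records your centralized log system collects.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed log line: an RFC 3339 timestamp followed by key=value pairs.
type Event struct {
	Time   time.Time
	Fields map[string]string
}

func parseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) == 0 {
		return Event{}, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	fields := map[string]string{}
	for _, kv := range parts[1:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return Event{Time: ts, Fields: fields}, nil
}

// Baseline is what "normal" looks like for this business.
type Baseline struct {
	OpenHour, CloseHour int                        // successful logins expected only within [OpenHour, CloseHour) UTC
	UsualHosts          map[string]map[string]bool // user -> hosts that user normally logs in to
	FailureThreshold    int                        // consecutive failures that count as suspicious
}

type Alert struct {
	Line   int
	Reason string
}

// reviewLogs replays the lines against the baseline and returns what a daily
// review should raise.
func reviewLogs(lines []string, b Baseline) ([]Alert, error) {
	var alerts []Alert
	streak := map[string]int{} // consecutive failed logins per user
	for i, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		n, user, host := i+1, ev.Fields["user"], ev.Fields["host"]
		switch ev.Fields["result"] {
		case "failure":
			streak[user]++
			if streak[user] == b.FailureThreshold {
				alerts = append(alerts, Alert{n, fmt.Sprintf("%d consecutive failed logins for %s", streak[user], user)})
			}
		case "success":
			if streak[user] >= b.FailureThreshold {
				alerts = append(alerts, Alert{n, fmt.Sprintf("successful login for %s after %d failures", user, streak[user])})
			}
			streak[user] = 0
			if h := ev.Time.UTC().Hour(); h < b.OpenHour || h >= b.CloseHour {
				alerts = append(alerts, Alert{n, fmt.Sprintf("login by %s outside business hours", user)})
			}
			if !b.UsualHosts[user][host] { // nil inner map reads as false
				alerts = append(alerts, Alert{n, fmt.Sprintf("login by %s from unusual host %s", user, host)})
			}
		}
	}
	return alerts, nil
}

// Constructed sample: two normal logins, then four things the review should catch.
var sampleLog = []string{
	"2024-05-02T09:12:07Z host=pos-01 user=alice event=login result=success",
	"2024-05-02T09:40:11Z host=pos-01 user=alice event=login result=success",
	"2024-05-02T23:05:44Z host=db-01 user=bob event=login result=success",
	"2024-05-03T10:01:02Z host=db-01 user=alice event=login result=success",
	"2024-05-03T10:02:05Z host=db-01 user=bob event=login result=failure",
	"2024-05-03T10:02:09Z host=db-01 user=bob event=login result=failure",
	"2024-05-03T10:02:14Z host=db-01 user=bob event=login result=failure",
	"2024-05-03T10:03:30Z host=db-01 user=bob event=login result=success",
}

var sampleBaseline = Baseline{
	OpenHour: 7, CloseHour: 22,
	UsualHosts:       map[string]map[string]bool{"alice": {"pos-01": true}, "bob": {"db-01": true}},
	FailureThreshold: 3,
}

func main() {
	alerts, err := reviewLogs(sampleLog, sampleBaseline)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("line %d: %s\n", a.Line, a.Reason)
	}
}
```

The useful property here is that the baseline is data, not code: when a new terminal is added or hours change, you update UsualHosts or the hour range and the same review keeps running. Unparseable lines stop the review with an error instead of being skipped, because a silently dropped record is exactly the gap an intruder hides in.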

PCI Compliance Requirement 11

What is penetration testing?

Think of penetration testers as friendly, ethical hackers. Real people that analyze networks and systems, identify potential vulnerabilities, misconfigurations, or coding errors, and try to exploit them in order to point out weaknesses so you can protect your organization.

Having a trusted expert try and break into your system is incredibly eye opening, as it makes your vulnerabilities immediately visible for repair. Taking quick corrective action will help ensure your environment is protected, hopefully before attackers get the chance to exploit them.

These tests can be designed to protect you from both outside attackers and internal attackers. Some SAQs only require that you perform segmentation testing: a form of penetration test that checks that the in-scope network segments are properly secured and segmented from the out-of-scope network segments.

Depending on how your business is required to validate PCI compliance, PCI DSS Requirement 11 may call for annual internal, segmentation, and external penetration testing.

In addition to annual penetration tests, it’s smart to perform a penetration test whenever significant infrastructure changes occur to check if these changes introduced new vulnerabilities.

Bear in mind that while any organization can benefit by using a penetration test to measure the security of a system, application, or an entire network environment, most small businesses don’t need to worry about penetration testing.

What is a vulnerability scan?

A vulnerability scan is a high-level test that looks for and reports potential vulnerabilities in systems and applications.

The PCI DSS requires two types of vulnerability scanning: internal and external ASV (authorized scanning vendor) vulnerability scans.

Think of your environment as a house. External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing to see if the safe and prescription medicine have locks that would prevent an intruder from taking the sensitive items once they have gained access to the house.

If a high-risk vulnerability is discovered during a scan, or in the case of an ASV scan failure, you must work to resolve the issue and then re-scan the affected system to show it was fixed.

This requirement could be confusing or frustrating for merchants that have never needed to scan previously. Getting help with setting up scans will reduce your chance of failing the first time. Scan reports typically include details on the identified vulnerability as well as methods by which you can remediate it. Most often, these failures can be resolved with a patch or by closing an unnecessary network port.

How often do I need to test/scan?

For PCI compliance, performing quarterly vulnerability scans is a must. The results of these scans should include four quarters of passing external ASV scans while internal scans should have all high and critical vulnerabilities resolved (and rescanned for confirmation) during each quarter.

If penetration testing is required by the SAQ you qualify for, it should be performed annually. The results of the penetration test should contain no exploitable vulnerabilities. It’s also smart (and required) to perform a penetration test whenever significant infrastructure/architectural changes occur to check if these changes introduced new vulnerabilities.

PCI Compliance Requirement 12

What does my security policy need to include?

Businesses need security policies and security programs to be physically documented and implemented. Policies should be easily accessible to all employees.

Documents you may include as part of your security program:

  • Information Security Policy
  • Employee manuals
  • Policies and procedures
  • Technology usage policies, third-party vendor engagement process (which will include a list of all individuals or organizations that would interact with cardholder data on your behalf)
  • Incident response plans, which will help you develop an action plan in the event of a breach

When employees know, understand, and follow the company’s information security policies, they will become an asset to maintaining a secure company. Employees that don’t know or understand the information security policies, or employees that don’t follow the policy (whether they know it or not) can be security vulnerabilities that increase the risk to the organization’s security. 30% of breaches in 2023 occurred through phishing and another 30% of breaches occurred from compromised (stolen) credentials (according to IBM’s X-Force Threat Intelligence Index 2024). Properly informed and trained employees should be a priority, as they are your first line of defense in protecting your business from cyber attacks.

How often do I need to train my employees?

A security awareness program that includes regular training (e.g., brief monthly training or communications) will remind employees of the importance of security, especially by keeping them up to date with current security policies and practices.

Here are some tips to help employees protect your sensitive data:

  • Communicate often: Focus each month on a different aspect of data security, such as passwords, social engineering, or email phishing.
  • Give frequent reminders: Emphasize data security best practices to your employees through emails, newsletters, meetings, or webinars.
  • Train employees on new policies ASAP: Newly hired employees should be trained on security and PCI policies as quickly as possible.
  • Make training materials easily available: Intranet sites are a great way to provide access to training and policy information.
  • Set clear expectations: Don’t present training as a list of “Do Nots.” Rather, help employees see that they all have a vested interest in protecting the organization and its business.
  • Create incentives: Reward your employees for being proactive.
  • Regularly test employees: Create an environment where employees aren’t afraid to report suspicious behavior.

Conclusion

Covering all the 12 requirements can be overwhelming and take time, but doing so thoroughly can mean the difference between a safe, successful business and one you read about in the news experiencing a breach with millions of customers' sensitive info leaked.

As you begin your PCI journey, experts like SecurityMetrics can help you know where to start, how to save time and money, and how to defend against attackers. If you’d like the tools and resources to complete your PCI requirements, visit securitymetrics.com.
