Digital payments are more prevalent than ever in all sectors of business. When it comes to PCI DSS compliance, merchants and service organizations alike are going to find it more critical than ever to ensure the privacy and security of their client’s data.
The PCI DSS requirements are a framework meant to protect the payment chain at all levels. It impact how cardholder data is stored, processed, and accessed. If you are looking to start your own PCI DSS compliance initiative, we have some advice to help you get started on the right foot. While there is no checklist that can replace an experienced QSAC like Auditwerx, these ideas will help spur thinking on your businesses’ compliance initiatives.
PCI DSS Compliance Preparation Checklist
The first step towards organizational compliance is installing and maintaining a firewall. Seems simple, right? Firewalls are your first line of defense against cybersecurity threats. You will need to ensure proper configuration to protect your payment card data environment. It’s important that you set your routers to determine appropriate sources of traffic.
You should never rely on default settings. Period! This goes for any software applications, servers, network devices, Wi-Fi routers, firewalls and anything in between. Default security settings are often not enough to meet the PCI DSS requirements. You also won’t be able to rely on vendor defaults for passwords. Make sure to maintain documentation on your security hardening procedures for your assessment team.
Do you know where your cardholder data is going, where it’s stored, and for how long? You should! This is one of the most important aspects of PCI DSS compliance. PCI DSS also accounts for how payment card numbers should be displayed.
Did you know that cyber criminals often target data during transmission? You’ll need to make sure that you know where your cardholder data is going, and where it’s coming from. Make sure to encrypt cardholder data to reduce any risk the data may face during transmission.
Be sure to update or patch your antivirus software regularly to guard against malware and viruses. Antivirus software needs to be kept up to date throughout the entirety of your data environment. It’s important for this to be done in a timely manner.
You will have to define processes in order to classify risk to your data for the objective of technology deployment. You’ll have to work through a risk assessment in order to properly ensure deployment.
Who needs access to cardholder data in your organization? It’s important to stay on top of any rules or permissions necessary and only allow access to private data on a need-to-know or essential basis. This step also includes the physical security of your system. This addressed your control access policies and procedures. Keep up-to-date documentation of all users with access to sensitive cardholder data.
For those essential users who may need to access card holder data, they will each need unique usernames and passwords to access the data. They should also all be complex. This ensures that activity can be traced appropriately should the need arise. You’ll also need to ensure that your systems utilize two-factor authentication (2FA).
Whether it’s workstations, paper files, server rooms, or the like – these physical assets are just as important as your digital assets. Access for employees and visitors should be differentiated and you’ll need to make sure that your organization has a way to monitor these physical assets.
Your network systems should be monitored and protected at all times. You should keep a history of activity in a centralized area and ensure that they are reviewed daily. These records will need to be kept for at least 1 year.
This is where penetration testing comes into play. You’ll need to ensure periodic tests to identify unauthorized access points. Thorough penetration testing should occur annually.
If you don’t have one, it’s time to create an implement an InfoSec policy. This is an Information Security policy that covers all employees of your organization. You’ll need to ensure appropriate training and recognition of the policy to ensure the correct users are accessing sensitive data.
Want to Learn More About PCI Compliance?
Our downloadable PDF “PCI DSS: What You Need to Know” offers additional information on the PCI DSS reporting process. Learn how a PCI DSS certification can help you gain a competitive edge and stand out from the crowd.