A recent Nilson Report shows that payment card fraud losses reached $28.65 billion worldwide in 2019, with the US topping the list of the most fraud-prone countries. Card fraud has also grown sharply throughout the coronavirus pandemic, as businesses shrink their physical footprint and move more of their trade online.
Despite this, only around 30% of organizations, or fewer, are fully PCI compliant. Why is this? What makes the PCI DSS framework so elusive for online stores?
This article sets out to demystify the framework so that it is easier both to understand and to use as the basis of an appropriate security program for your online store.
PCI DSS is built around six goals and 12 requirements. Its aim is to protect payment card data, which it does by setting technical and operational requirements for every system, and every person, that processes, stores or transmits any element of cardholder data. Yes, this means that all merchants, regardless of size, have a compliance obligation.
Failing to align every element of your payment card operations with the applicable PCI DSS controls increases the risk that a malicious or accidental action leads to a breach or loss of your customers' payment card information. That information includes not only the primary account number (PAN) but also sensitive authentication data such as the security code printed on the card and the full track or chip data, which must never be stored after authorization.
The 6 Goals (Objectives)
We will begin by outlining PCI DSS's central goals (objectives) before moving to an overview of the requirements. We always start with the objectives because they provide a blueprint of what the framework is trying to achieve, and in the case of PCI DSS they are the outline around which the requirements are structured.
Grouping the requirements by their desired end-state makes them easier to digest. It makes the framework consumable to organizations and provides a sensible structure that can be used to build an organizational security program extending well beyond the online store.
6 PCI DSS GOALS
| Goal | Description |
|---|---|
| Build and Maintain a Secure Network | Establish and maintain a secure network and systems so that payment transactions are processed in a robustly secured environment. Firewalls must be configured to protect cardholder data, and systems must not run with vendor-supplied default passwords or settings. |
| Protect Cardholder Data | Protect stored cardholder data, taking the steps needed to secure it against compromise, and encrypt cardholder data whenever it is transmitted across open, public networks. |
| Maintain a Vulnerability Management Program | Establish a vulnerability management program: keep anti-virus and other anti-malware software current, patch systems promptly, and develop and maintain applications securely so that known weaknesses cannot be exploited. |
| Implement Strong Access Control Measures | Restrict and control access to systems and cardholder data. Access to cardholder data is granted only where it is required to carry out a transaction or the person's job, every user is assigned a unique, confidential identifier, and physical access to media and systems holding cardholder data is restricted just as electronic access is. |
| Regularly Monitor and Test Networks | Continuously monitor access to network resources and cardholder data, and regularly test security systems and processes to confirm that controls are in place and working. |
| Maintain an Information Security Policy | Maintain a policy that addresses information security for all personnel. |
You will notice in the table below that every requirement is aligned with its corresponding goal. This makes it especially clear to the organization why it is being asked to do something. The PCI SSC goes on to highlight the importance of incorporating these requirements into "business-as-usual" (BAU) activities as part of the organization's security program.
The reality is that for most online stores this is probably the only security program the organization has. The good news is that the same objectives, and some of the corresponding requirements, can be broadened beyond the scope of the online store and used to build a more comprehensive program (more on this in a different article).
The 12 PCI DSS Requirements and Their Relationship to the Goals
| Goal | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
The thing to remember about these requirements is that they do not all apply to every environment: it is fine to document the ones that are not applicable, and it is also fine to introduce compensating controls where a legitimate technical or business constraint prevents you from meeting a requirement as written. A compensating control must meet the intent and rigor of the original requirement and be documented (and, for an assessed merchant, validated by the assessor); it is not a way of skipping the requirement.
We also like to place emphasis on the goal itself. While we make sure each requirement is addressed, we always go back to the intent and ask ourselves, "What does this not address as it pertains to my environment?" We find this especially helpful: it breaks us out of the "checklist" mentality and ensures that we are being honest with ourselves about the environment being secured.
In this article we intentionally stay broad. The topic of PCI DSS is a mile wide and a mile deep, but we wanted to start with the basics before diving deeper into each area and how it applies to the world of online commerce.
We encourage all readers to familiarize themselves with the specific controls that support their particular requirements by visiting the PCI SSC website at www.pcisecuritystandards.org/. Although PCI DSS v4.0 is expected in mid-2021, the core goals and the 12 requirements are expected to remain the same.