PCI DSS Compliance Requirements Guide & Checklist

4PCI Requirement 4: Encrypt Transmission of Cardholder Data

Requirement 4 of the PCI-DSS states that you must encrypt transmission of cardholder data across open, public networks.

SSL/TLS is the technology used for securing and encrypting sensitive data as it travels between two systems. While technically different protocols, the term “SSL” is commonly used to refer to any encrypted HTTP connection, including TLS. When using an SSL certificate, the website can be accessed over HTTPS rather than HTTP.

As a website that accepts payments, using TLS v1.1 and higher is mandatory for PCI compliance.

Encrypting sensitive data like credit card numbers, card holder information, and passwords protects your customers and prevents fraudulent transactions and data breaches.

The use of TLS prevents man-in-the-middle attacks (MITM), which occur when bad actors secretly intercept and possibly modify sensitive user data and credentials via insecure networks.

SSL certificates are also good for establishing and maintaining trust. This allows the green padlock icon to be visible in the browser address bar.

Using SSL can also improve your SEO rankings. Search authorities like Google have encouraged webmasters to secure their websites by ranking sites with HTTPS higher than those without certificates.

Many hosting providers offer free and paid SSL certificates. They may even help implement certificates for you. If you’re a Sucuri Firewall user, we offer free LetsEncrypt SSL certificates by default.

5PCI Requirement 5: Maintain a Vulnerability Management Program

Under most circumstances, bad actors don’t manually hand-pick websites to attack since this is very time consuming. The majority of attacks against websites are automated and performed by bots who are looking for websites with known vulnerabilities.

PCI DSS Requirement 5 states that you must protect all systems against malware and regularly update antivirus programs.

In order to comply with PCI Requirement 5, we suggest the following:

• Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• Ensure that all antivirus mechanisms are maintained.
• Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
• Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Solutions like Sucuri can help mitigate malware threats at the site and server levels, but you’ll need to employ an antivirus on the computers of anyone who accesses the site and its data. You’ll also need to protect against attack vectors outside of the site directory, including access via SSH and FTP.

More Details

6PCI Requirement 6: Develop and Maintain Secure Systems and Applications

PCI Requirement 6 states that website owners must ensure system components are protected from known vulnerabilities and common coding vulnerabilities must be addressed.

It doesn’t matter if you’re just starting out and your website is small with very little traffic. If you have a vulnerable CMS, extension, plugin, or theme on your website you will likely be identified by a malicious bot at some point in the future.

By keeping your website software and system components patched and up to date, you are not only mitigating the risk of automated attacks, but also ensuring PCI compliance.

If you are unable to update a vulnerable theme or plugin for your CMS, you can still mitigate exploitation attempts with a firewall that offers virtual patching to prevent the exploitation of known vulnerabilities.

We recommend that you take a look at our PCI compliant firewall features and how you can utilize one to secure your website, protect your CDE, and maintain compliance.

More Details

PCI Requirements 7, 8, and 9 of the PCI DSS share a common goal of implementing strong access control measures. These access control measures exist to ensure that your customer data is protected against bad actors and only accessible by authorized individuals.

7PCI Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

PCI Requirement 7 states that you must restrict access to cardholder data by business need-to-know. This means configuring your systems so that they’re only accessible to authorized individuals.

In order to comply with Requirement 7 and stay PCI compliant::

• Limit access to only those individuals whose job requires such access.
• Examine written policy for access control and explain its importance.
• Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

8PCI Requirement 8: Identify and Authenticate Access to System Components

Requirement 8 states that you assign a unique ID to each person with access to system components so you can limit their access and monitor their activities.

Here are some ideas to help comply with Requirement 8:

• Create and document policies and procedures to ensure only specific individuals have access to cardholder data. This can be done by assigning unique and secure IDs.
• Implement two-factor authentication for both employees and third-party vendors.
• Do not use group, shared, or generic IDs, passwords, or other similar authentication methods.
• All access to any database containing cardholder data should be restricted.
• Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

9PCI Requirement 9: Implement Strong Access Control Measures

PCI Requirement 9 states that you must restrict physical access to cardholder data. This is especially important for vendors that have onsite personnel or staff, and physically store all of their cardholder data without a third party.

• Physical access can refer to:
• devices;
• data;
• systems of payment card data;
• hardcopies of payment card data and other.

Maintaining strict controls can help identify individuals who physically access areas storing cardholder data. This is also important for protecting personally identifiable information, especially if you need to comply with the requirements of the General Data Protection Regulation (GDPR).

Here are some key restrictions to continue minimizing risk:

Network Jacks: Restricting access to network jacks will prevent bad actors from plugging into readily available inputs that may allow them into your network. Consider turning off network jacks while not in use and reactivating them only when needed. Also, be sure to create private networks for internal use and a public one for visitors to limit exposure to protected information.

Visitors & Unauthorized Personnel: Visitor controls are important to restrict certain areas and ensure they are identifiable as visitors. It makes it easier to spot unusual activity. This may even include employees who have no reason to approach sensitive access points. For example, the social media manager shouldn’t need access to a storage facility where cardholder data is readily available. A log that tracks information about the visitor will be useful in the event of a data breach investigation. Keeping a log can help identify which visitors have physical access to a room and who has potential access to cardholder data. Consider logs at the entry to facilities and especially designated areas where that data resides.

Monitor Cardholder / Personal Data: If a visitor made their way through an authorized sequence of doors within your facility, cardholder data is still susceptible to unauthorized viewing, copying, or scanning if it is unprotected. It can even be accidental if authorized employees are not well informed. A startling number of businesses have cardholder data on portable media, hard drives, sticky notes, or printed hard copies on someone’s desk. This is especially problematic with orders taken by phone, fax, or email. Without proper visibility or protection, data can be stolen and used for fraudulent purposes. It’s important to ensure the data remains hidden/encrypted if not immediately needed. The development of an approved process for handling sensitive data will help in complying with Requirement 9.6: Maintain strict control over the internal or external distribution of any kind of media.

Physical Removal of Data:

• 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
• 9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.
• 9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

Steps must be taken to destroy cardholder information contained on electronic devices. Dispose of hard copies via paper shredding. Failure to do so can result in a major data breach, leading to a negative reputation and expensive fines after an investigation.

One thing to consider is “dumpster diving”. This is where bad actors search through trash and recycle bins to search for devices that may contain data. If they happen to find a tossed, unencrypted USB drive that wasn’t wiped prior to disposal or a paper that wasn’t shredded finely enough; the consequences can be major.

Having a process for properly destroying media with cardholder data, including proper storage prior to disposal will help with Requirement 9.8: Destroy media when it is no longer needed for business or legal reasons.

Using strong, unique passwords on your website, restricting the privileges available to users through assigned roles, and enabling two-step or multi-factor authentication is mandatory for PCI compliance. This reduces the risk of a website compromise or data breach by a bad actor.

If you own a website and collaborate with others, the principle of least privilege is a very solid principle to adhere to. This computer science principle has applications and benefits to strengthen your website security posture.

We recommend that you take a look at our blog post on the Principle of Least Privilege.

10Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

PCI Requirement 10 is one of the most important requirements for PCI compliance. This requirement explicitly states that you must implement audit trails and review logs to monitor your web assets and identify a compromise or data breach.

The intent of PCI Requirement 10 is to essentially determine the “who, what, where, and when” of users accessing your data processing resources and website environments. Knowing this information is critical in the event that sensitive information (like credit card data) goes missing.

If you fail to properly log all internal and external users, you may be unable to pinpoint a breach timeline or identify who is responsible for a compromise.

Integrity monitoring systems verify the files on your website and alert you of any suspicious changes to DNS settings, SSL certificates, or modifications of core files.

A number of different monitoring solutions also look for indicators of compromise (IoC), which can include malware, obfuscated JavaScript injections, cross-site scripting, phishing, backdoors, drive-by-downloads, spam SEO, defacement, malicious redirects, or conditional malware.

11PCI Requirement 11: Regularly Test Security Systems and Processes

PCI Requirement 11 states that you must regularly test security systems and processes. This includes scanning and reporting on potential vulnerabilities in your network both externally and internally.

Bad actors and researchers alike continue to uncover vulnerabilities, especially with the introduction of new software. For example, recently WordPress published a near-immediate patch after Gutenberg’s official debut.

We recommend the following to help comply with PCI Requirement 11:

• Run vulnerability scans every few months and after any big changes.
• Implement a system for website penetration testing.
• Use detection and prevention techniques to safeguard against hackers.
• Monitor any changes to system, configuration, or content files.
• Ensure that security policies and procedures are documented and followed.

To account for this, you should take full advantage of a Web Application Firewall (WAF) that can also function as a virtual patching tool.

12PCI Requirement 12: Maintain an Information Security Policy

PCI Requirement 12 is to maintain a policy that addresses security for all personnel. This policy must be reviewed annually (at least) and include a risk assessment process, incident response plan, and usage policies.

This requirement is broken into several sub-requirements:

• Establish, document, maintain, and follow an information security policy.
• Implement a risk-assessment process and assign security responsibilities.
• Develop usage policies for critical technologies and define proper use of these technologies (such as third-party script and libraries for your website).
• Ensure that the security policies and procedures clearly define what you expect and the responsibilities of any of your employees. Additionally, make them aware of the importance of protecting customers data.
• Screen new hires and any third-party service providers with access to cardholder data to minimize the risk of attacks from internal sources. They should agree to protect cardholder data in writing.
• Implement an incident response plan. Be prepared to respond immediately to a system breach. It can happen to anyone.

If you’re using WordPress, you can use Sucuri’s free WordPress security plugin to monitor file changes, review audit trails, apply hardening features, and detect malware.