5 Simple Ways to Get PCI Compliant

Learn basic practices to get compliant with the PCI DSS 

Read the SecurityMetrics Guide to PCI DSS Compliance.

On October 31, 2016, PCI DSS 3.1 will be retired, and organizations are required use PCI 3.2 and to be compliant with PCI DSS version 3.2 by February 1, 2018. With the recent release of PCI DSS 3.2, many businesses are preparing to update their security and compliance efforts again. Other businesses still aren’t compliant with the previous version of the PCI DSS, which makes them vulnerable to attackers.

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

Whether you’re new to PCI or a veteran, take time to review your past PCI compliance efforts and plan future PCI DSS 3.2 efforts.
Here are five basic practices to help you become PCI compliant.

1. Document everything

Documenting your policies and actions is important since it helps employees understand what has been done, what needs to be done, and where problems still exist in your business environment. It also helps keep your security efforts organized and legitimate.

Documentation simplifies the PCI process and provides a great baseline for security training materials. By writing your policies down, you solidify plans for implementing security and for training employees. Use your plan to educate employees on your policies and procedures.

Whenever you make changes in your business’s security, have your employees document the change.  It’s also good to review the documentation often (quarterly, if not monthly) to make sure no errors have been made.

If you document everything throughout your PCI DSS process, you’ll save time and be more secure.

2. Determine your scope 

It’s vital for businesses to determine what is ‘in-scope,’ which means if a particular person/process/technology/component stores, processes, or transmits payment card data. If they do, or are connected to systems that do, they must be PCI DSS compliant.
Some system components that may be in scope for your environment include:
  • Networking devices
  • Servers
  • Routers
  • Applications
  • Computing devices
You can’t protect what you don’t know. If you don’t know where your credit card data is, it’s impossible to secure it and get compliant. Create a cardholder data flow diagram for all in-scope networks. This will help you to properly understand the scope of your business by documenting where your card data is received, stored, and transmitted.

SEE ALSO: Finding and Reducing PCI Scope: How to Make Compliance Easier

3. Segment your network 

While network segmentation is not required by PCI DSS 3.2, it’s a good idea if you’re looking for the easiest way to reduce cost, effort, and time on getting compliant.

Network segmentation is done by physically or virtually separating environment systems that store, process, or transmit card data from those that don’t. This can be done through firewalls or physical gaps.

Segmentation can be very difficult, especially for those who don’t have a technical security background. If you do segmentation, you’ll want to have a security professional double check your work. Also remember that some SAQ types require you to do penetration testing on segmentation controls every six months and after any changes.

Need a penetration test? Talk to us! 

4. Spend money and time to train all staff

Did you know that employees and corporate partners are responsible for 60% of data breaches? Your employees are your weakest security link, yet many businesses don’t spend enough time to properly train their employees in security.

Create tailored security training for individual employee roles. For example, your IT director will require different training than your front desk manager. Train your employees monthly instead of yearly. Everyone learns best through repetition, and your employees will retain the training better through constant reminders.

Remember to require policy documentation signatures annually, and consistently enforce the policy with strict sanctions. By holding your employees accountable, you can protect your business and customers more effectively.

Get help with training your employees! 

5. Work with a security professional

Security experts and Qualified Security Assessors are resources that don’t get used enough. You should always consult a security professional with any update to the PCI DSS (e.g., PCI DSS 3.2).

QSAs go through very intense training to understand everything about PCI DSS and data security. They have the technical expertise to help you through the PCI process.

If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance. While it does require money, it will save you in the long run.

Need help in getting compliant with PCI DSS 3.2? Let’s see what you need to do. 

Get compliant with PCI DSS 3.2

Getting compliant can be difficult, but if you take it one element at a time, you’ll soon be there. Start by creating and updating your PCI compliance program; don’t forget to add the new and revised requirements to your new/existing program.

Remember, you’re not only protecting your business, but also your customers, your employees, and your brand. The longer you wait, the longer your business could be vulnerable.

SecurityMetrics Guide to PCI DSS Compliance
The Importance of the PCI DSS: Why You Should Get Compliant

PCI DSS

Learn why getting PCI compliant should be important to you, your business, and your customers.

By: George Mateaki
With the rise in data breaches comes the rise in changes and rules to the PCI DSS. For many businesses, getting PCI compliant is considered an unnecessary chore, and the fines breached businesses are given for not being compliant seems to increase that resentment.

So what’s the point of the PCI DSS? Why should businesses be so concerned about getting PCI compliant? And is there any benefit to being compliant with the PCI DSS? We believe so.
Here are a few reasons why the PCI DSS is and should be important to your business.

Secures your business data

PCI DSS
It’s important to protect the data of your business and your employees. While you may be paying attention to physical security in your business, are you dedicating enough time to protect your information digitally? Between malware threats, remote-access attacks, and social engineering, it’s important to take the proper precautions to keep your computers, networks, and servers secure.

The whole purpose of the PCI DSS is to protect card data from hackers and thieves. By following this standard, you can keep your data secure, avoiding costly data breaches and protecting your employees and your customers.

SEE ALSO: 3 Data Security Best Practices

Boosts customer confidence

Would you go to a business if you knew it was likely your credit card information could get stolen? Probably not.

Customer confidence can really affect whether your fiscal year is profitable or not. People are less likely to take your business if they don’t feel confident in you keeping their data safe. Two-thirds of US adults wouldn’t return to a business after a data breach. Should you get breached, or if your customers aren’t confident in your security, you could lose business.

Getting PCI compliant and promoting that to your customers shows your clients that you are serious about security and you’re taking every precaution to keep their payment data safe. It gives them (and you) some peace of mind.

Protects your clients

Your clients trust you with their card data as they make transactions in your business. Should you get breached, you’re not the only one that suffers. Your clients card data needs to be protected by your business. You are responsible for keeping their data safe while it’s in your possession.

Remember that if you do fail to protect your customer’s data, you are liable to lawsuits and fines, especially if you falsely told them your business was secure.

Provides a security standard

The PCI DSS provides a baseline of security requirements that help businesses know what to do and where to start on their security program.

Many organizations we speak to simply don’t know where to begin with information security. Some may think simply locking the doors to their business is enough, others may not even see the need to secure their data. The goal is to reduce data breaches and following the 12 requirements provides a strong foundation.

The PCI DSS provides a standard that every business can and should follow. What’s helpful is the standard does have specific rules for different businesses, depending on size, type, methods of storing card data, etc.

Not sure if you’re compliant? Let’s talk about what you need to do.

Helps you avoid fines and lawsuits

Should you get breached, not only will you deal with the loss of data, but you may deal with fines and lawsuits from customers and other organizations.

A good example is the Wyndham Hotel breach. After they were breached three times, Wyndham Hotel was sued by the Federal Trade Commission because they had falsely said they were secure after each breach. This lawsuit ended in a settlement, but it shows what repercussions you could get in the event of a data breach.

Other fines can include customer lawsuits, third-party lawsuits, government fines, card brand fines, and more.

If you’re PCI compliant, you can reduce these fines and reduce the amount of lawsuits and liability your company may incur.

SEE ALSO: Computer Security and The FTC: Suing Hacked Companies

Reduces the cost of a data breach

Data breaches can cost you a lot in both money and customer confidence. There’s the cost of replacing credit cards, paying fines, and paying compensations for what the customers have lost, not to mention investigation costs and audits. It all adds up pretty quickly.

Remember the Target breach? What you may not remember is how much it cost the business, which was over $162 million in 2013 and 2014. That’s a pretty heavy price to pay for not being secure.

Here’s a list of average costs your business could sustain in a data breach
    pci compliance
  • Merchant processor compromise fine: $5,000 – $50,000
  • Card brand compromise fees: $5,000 – $500,000
  • Forensic investigation: $12,000 – $100,000
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – 30/card
  • Card re-issuance penalties: $3 – $10 per card
  • Security updates: $15,000+
  • Lawyer fees: $5,000+
  • Breach notification costs: $1,000+
  • Technology repairs: $2,000+
  • Loss of customer confidence: businesses often lose 40% of customers after a breach. 
  • Forensic investigation cost: $10,000-$100,000
So the total cost of a data breach could range between $77,000 and $875,000.

For many businesses, a data breach could easily shut them down for good. Target was fortunate to have enough capital and income to cover the costs, but most businesses aren’t that lucky.

Getting compliant with the PCI DSS will help reduce cost by helping to prevent data breaches in the first place, but to also help prevent fines. If you can prove you were compliant, the fines won’t be as bad if you weren’t making the effort.

Get PCI compliant!  

While many businesses may not see the PCI DSS is necessary, it is important to both businesses and their customers that they follow the requirements. After all, they’re handling valuable information about their clients, and should that information get stolen, it has repercussions beyond just a simple theft.

Also keep in mind that the PCI DSS is the bare minimum you should do to safeguard against breaches that have occurred. You should be compliant with PCI DSS and build from there to address issues that could be specific to your industry or environment.

Every PCI DSS requirement is there because a breach could have been prevented by having that control in place.

Take the extra time and money to make sure your business is complying with the PCI DSS standard. By doing so, you’re protecting your business, your employees, your clients, and your brand.

Need help getting PCI compliant? Talk to us!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

SecurityMetrics Guide to PCI DSS Compliance
PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data

Learn why restricting employee access to data can save your business.  

Matt Glade, SecurityMetrics
By: Matt Glade
Do all of your employees have the same access to your card data? If so, you could be making things much easier for attackers to steal it. Or, what if a disgruntled employee decides to take revenge and sells your data? If you don’t use role-based access, your card data could be in real danger.

What is role-based-access?

role-based accessFrom a technical level, role-based access control or RBAC is an approach to restrict system access to authorized users. Put simply, it means each employee has a certain amount of data they can access, depending on their role in your business. By using role-based access, employees only have access to data and tasks deemed necessary by their job function and role.

The most common RBAC is Windows Active Directory. Lightweight Directory Access Protocol or LDAP is a popular Linux application protocol used to communicate with Active Directory, but we will focus on the basic configuration of Active Directory.

To configure Active Directory, you have to use a hierarchical, top-down approach. Take for example the domain name securitymetrics.com. In the world of Active Directory, the domain name securitymetrics.com would be a top-level domain. Under the top-level domain, Organization Units or OUs can be created such as Marketing, Operations, Finance, etc. Within the OUs, groups and users can be added.

Typically, system administrators apply group policies, which are the actual role-based permissions that control what a user is able to access on the OUs. Group policies can be applied to groups and individual users as well, but it’s easier for system administrators to manage role-based access controls at the OU level. Imagine a company with over 1000 users and the amount of time it would take to apply role-based access controls on each individual user. That’s a system administrator’s nightmare.
Many businesses aren't fully implementing role-based access controls, or are even doing it at all.
Here are five reasons why your business should implement role-based access control system.

1. It’s a requirement in the PCI DSS 

PCI Requirement 7 talks about how businesses should restrict employee access to sensitive data on a need-to-know basis. Businesses are required to have a role-based access control system.

PCI 3.2 also requires a defined and up-to-date list of the roles with access to card data. This means you need to have an updated list of employees that can access card data in your business.

In a nutshell, if you aren’t implementing role-based access, you’re not PCI compliant.

2. It limits social engineering attacks 

Social engineers like an easy target. If everybody has access to credit card data, how easy is it for a social engineer to steal one employee’s credentials and gain access to all the data? Easier than you think.
By limiting access to card data, you make the social engineer’s job harder and less likely to target your business.

Granted, a social engineer could find a way to steal the credentials to someone who has the authorized access to data, but with role based access, it would take more work for them.

While this doesn’t protect you from all social engineering attacks, it does help discourage them.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

3. It keeps data safe from remote access attacks 

One of the biggest ways hackers steal card data is through non-secured remote access software. It’s best to restrict those who have remote access to only the data they can access. This will help keep your data secure from hackers.

While remote access software is convenient, it can easily lead to a data breach if you don’t secure it properly. Some ways to ensure secure remote access software are:
SEE ALSO: Configuring Your Remote Desktop Connection: What You’re Doing Wrong

role-based access control 4. It reduces data attacks

The less people there are logging into your credit data, the less openings hackers have into your card data environment. Restricting access is just one way to make sure your data isn’t vulnerable to attackers.

Remember that just restricting access isn’t going to keep your data completely safe from data attacks. Some additional actions to take include:
  • Segmenting networks: keeping your networks separate will help reduce potential data breaches. 
  • Installing and updating antivirus software: antivirus can help detect and get rid of malware. 
  • Configuring firewalls: many businesses don’t configure their firewalls correctly. Make sure yours is updated and working properly. 
  • Regularly updating and patching software: no software is perfect, and it’s critical to regularly patch vulnerable spots in your software.  
SEE ALSO: 3 Data Security Best Practices

5. It prevents confusion and streamlines responsibilities

By limiting access to employees based on roles, it helps give clarity to an employee’s responsibilities. This will help your business become more efficient in general. This way, you aren’t duplicating or overlapping responsibilities.

Confusion happens when employee’s roles aren’t clear. By using role-based access, you have to make clear your employee’s roles, what’s expected of them, and what information they need access to.

Ways to incorporate role-based access

One reason businesses haven’t used role-based access is they feel it’s difficult to incorporate. Here are some tips to implement role-based access accurately and efficiently into your business:
  • Assign levels of access to employees according to need: If you need to, make a diagram of the range of jobs that involve the most work with card data to the least.  For example, your accountant will need more access privileges than your janitor. 
  • Implement regular employee training: Employees should understand what level of access they have and what others have. This helps prevents social engineers from using stolen credentials to steal card data. 
  • Document everything: The best way to avoid confusion is to document which employees have access, how much information they can access, and whenever new employees are added or taken out. Remember to update these documents regularly.  
Businesses should remember that if an employee transfers from one department to another, they need to evaluate whether or not that employee’s previous RBAC permissions are required for the new role. If not, those permissions must be revoked.

By implementing role-based access in your business, you provide an extra layer of security for you and your clients. Keep your employees on a need-to-know basis and make sure your data can’t be accessed by just anyone.

Matt Glade (CISSP, QSA) is a Security Analyst at SecurityMetrics that focuses on PCI DSS and HIPAA assessments. He is a graduate from Westminster College and has worked within the IT sector for over 20 years.

SecurityMetrics Guide to PCI DSS Compliance
Perimeter Scan Vs. External Vulnerability Scan

See how Perimeter Scan simplifies the vulnerability scanning process for larger organizations. 

Perimeter ScanWhen it comes to finding security weaknesses in your business, vulnerability scanning is a great
place to start, and it’s required by both the PCI DSS and HIPAA. Vulnerability scans assess computers, systems, and networks for security weaknesses. These scans are usually automated, and give a first look at what weaknesses can be exploited in your organization.

External vulnerability scanning can take a lot of time, especially if your organization is large, or deals with a lot of IP addresses. For these kinds of companies, regular vulnerability scanning can get bogged down, take forever, and add to your management costs. This is why we created Perimeter Scan.

A question we often get is what’s the difference between SecurityMetrics External Vulnerability Scan and SecurityMetrics Perimeter Scan? We created this post to put those questions to rest.

What is Perimeter Scan?

Perimeter Scan is very similar to SecurityMetrics’ External Vulnerability Scan. Both scans can be used to meet compliance with financial (PCI DSS) and healthcare (HIPAA) mandates. The biggest difference between the two is Perimeter Scan is aimed specifically for larger organizations that have more complex network configurations and IP ranges that require a simplified form of scan management.

Adding/Removing IP Addresses

With the Vulnerability Scan, adding or removing IP addresses goes through our support team. This was because businesses paid for the Vulnerability Scan per IP address.
With Perimeter Scan, customers can add or remove IP addresses inside Perimeter Scan’s portal, instantly.
This feature is particularly helpful for organizations that have dynamic IP addresses that change a lot. It’s also helpful for growing businesses that are adding many IP addresses quickly.

Adding/Removing Target Groups

With Vulnerability Scan, users are limited to managing large quantities of IPs and groups of IPs to their own methods. If you wanted to scan all of your IP addresses, you had to manually turn on the scans for all those addresses. This can take a long time for a business with a long list of IP addresses.

With Perimeter Scan, you can add groups of IP addresses, labels and descriptions to the groups, and initiate or stop scans at the group level. Our scan management tool scans as many targets as you have included in your group. All you do is click the “scan now” button and the scans activate. No need to do it manually on an individual level.
vulnerability scanning

Payment Methods

Using our traditional service, you pay for the Vulnerability Scan per IP address. This works great for smaller businesses that only have a few addresses to scan, but can quickly get expensive and cumbersome for larger companies.

You pay for Perimeter Scan through credits. This gives you the ability to scan what you want on whatever schedule you want. You can choose which groups to use more credits on and scan more frequently, and leave others to scan less. For example, you may want to scan your networks that deal with card data daily more often than those that only deal with it occasionally. Using credits helps you customize your scanning schedule without having to pay for each individual IP address.

Perimeter Scan is a great way for large organizations to get the most out of external vulnerability scanning. It simplifies the process, by relieving the management work. With Perimeter Scan, vulnerability scanning is now easier, faster, and less of a headache.

Interested in Perimeter Scan? Get a quote from our experts!

SecurityMetrics Guide to PCI DSS
PA-DSS 3.2: The What, The Why, and The When

See what changes your payment application vendor should make.  

By: David Page
If you’re a payment application vendor, then you’re mandated to follow the PA-DSS. The PCI Security Council has released version 3.2 of the Payment Application Data Security Standard (PA-DSS).

Applications vendors are encouraged to review and incorporate these changes into their payment applications and implementation guides as soon as possible. Version 3.2 is effective June 1, 2016 and PA-DSS version 3.1 retires on August 31, 2016.

Most of the changes in PA DSS 3.2 will reflect the changes in PCI DSS 3.2.

PA-DSS 3.2 What is the PA-DSS?

The Payment Application Data Security Standard is similar to the PCI DSS, but it’s addressed to payment application vendors. Put simply, it’s the data security standard for vendors that sell POS machines and other payment applications.

PA-DSS version 3.2 includes a set of changes that all payment application vendors will be required to make.
Here is a list of the biggest changes to PA-DSS 3.2.

Multi-factor authentication is required

Similar to the PCI DSS, PA-DSS 3.2 now requires multi-factor authentication for all non-console access within and outside the network. Basically, if you use remote access, inside and outside your business’s network, you’re now required to use multi-factor authentication to access it. It’s now also clarified as multi-factor authentication instead of just two-factor authentication.

Changes to the Implementation Guide

Some changes have been made to requirements for the Implementation Guide. The guide must now include instructions that any debugging logs that include PAN data must be protected and securely deleted when no longer needed.

Testing procedures have also been updated to include the identification of all roles and default accounts in the payment application.

One final change to the guide is a new requirement has been added to include instructions to securely install patches and updates.

Other changes

A couple of additional changes include:
  • Training for developers must be up to date and occur at least annually
  • A legitimate business need is required for full PAN display
Whether you’re a payment application vendor or you work with one, make sure you or your third party vendors are up to date with the PA DSS.

If you don’t, you could be held liable should a data breach hit you or one of the businesses you work with.

Need a PA DSS audit? Talk to us!

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for 2 and a half years. He has over 18 years experience in network and system engineering, design, and security.

SecurityMetrics Guide to PCI DSS Compliance