This is the third post in a series of articles on understanding the Payment Card Industry Data Security Standard – PCI DSS. We want to show how PCI DSS affects small, medium, and large businesses that are going through the compliance process using the PCI SAQ’s (Self Assessment Questionnaires). In the previous articles we have written about PCI, we covered requirements 1 and 2:
- Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.
As we move into the next sections, “Secure cardholder data”, we’ll talk about Requirements 3 and 4:
Requirement 3: Secure cardholder data – Protect stored cardholder data
One recommendation is that you pre-encrypt cardholder data prior to uploading files to your environment. There are various ways to do this, which can include an automated encrypting storage mechanism to lessen the workload.
It’s also just as important to enact strong company policies that will enforce proper security practices when it comes to stored data. These policies can include discouraging your team from keeping this type of data on personal hard drives, USBs, or other external or mobile media (including your mobile phone).
Here are a few key tips to help address Requirement 3 that you and your team can work on developing:
- 1- Keep cardholder data only for as long as you absolutely need it – Regularly clear data that is no longer needed.
- 2 – Avoid writing cardholder data down – Input the data directly into your payment gateway instead.
- 3- Never transmit cardholder data without encryption – especially if there’s a need to communicate via email, consider encryption methods like PGP.
- 4- Change default payment system passwords – Continuing to focus on what we have been saying in terms of taking the basic steps to enforce strong password practices.
In addition to the proper storage of cardholder data, we also have to be sure that we’re properly encrypting the delivery of this data to meet the next requirement:
Requirement 4: Secure cardholder data – Encrypt transmission of cardholder data across open, public networks
The most effective way of fulfilling Requirement 4 is by installing an SSL certificate which will ensure that cardholder data is not exposed across networks.
There are some key things to look out for to remain a trusted online presence if you decide to install your own SSL certificate. It includes the following:
Avoid Self-Signed Certificates
While self-signed SSL Certificates would encrypt cardholder data (other PII), they prompt most web servers to display a security alert because the certificate is likely not verified by a trusted Certificate Authority (CA), such as:
Verify if Your Host Offers SSL Options
Some hosts offer free SSL, including one-click SSL, while other hosts offer paid SSL and will implement the certificates for you (i.e. GoDaddy). Regardless of the type of certificate you choose, the encryption and level of security is the same.
Any Alignment with the Impending GDPR Standard?
One of the interesting things about these requirements is their alignment with General Data Protection Regulation – GDPR. Similarly, it will demand that some elements of personal data be unidentifiable, i.e. encryption. Therefore, meeting these PCI requirements is an aligned step towards GDPR compliance, as well.