Use the number 1 provider of PCI DSS Consulting in Australia
Vectra is widely known for providing the most concise and thorough PCI DSS assessments. We have the most experience and the best Qualified Security Assessors (QSA) in the industry. This is why more than 80% of Australia’s top companies, trust Vectra with their PCI DSS assessments.
Vectra specialises in all aspects of Payment Card Industry Data Security Standard (PCI DSS) compliance including assessments, penetration testing and requirement validation for all types of businesses. We conduct our PCI DSS consulting services throughout Australia in Sydney, Melbourne, Adelaide, Perth, and Brisbane.
We launched our payment card related security compliance services in 2004 through programs with Visa and MasterCard. We then became the first Australian company to be certified as a QSA Company (QSAC) by the PCI Security Standards Council when it was formed in 2006. Since that time we’ve assisted thousands of organisations of all sizes in sectors including retail, financial services, insurance, transport, banking, credit unions, building societies, utilities, gaming and third party hosting and service providers.
What is PCI DSS Compliance?
Every organisation that stores, processes or handles payment card data is required to be Payment Card Industry Data Security Standard compliant (PCI DSS). This standard was designed to increase cardholder data protection to dramatically reduce credit card fraud.
Every company that accepts credit cards, anywhere in the world, needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). It doesn’t matter how few transactions you have. It doesn’t matter if all your payments are handled by third-party payment processors. It doesn’t matter if the credit card is never stored on your servers.
Payment Card Industry Data Security Standard (PCI DSS) compliance is, at its core, a contractual agreement between a company and the financial institution that handles the payments.
How do you comply with PCI DSS?
Compliance reporting for small merchants can be as simple as completing a Self-Assessment Questionnaire (SAQ) while for larger merchants and third party service providers, annual assessments must be conducted by a QSA Company. If you have internet facing IP addresses you must conduct network vulnerability scanning utilising an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council.
How often does compliance need to be validated?
To meet merchant agreements and avoid penalties, acquiring banks will seek PCI DSS compliance reporting on an annual basis and in some cases, on a quarterly basis.
What are the 12 requirements of PCI DSS?
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data to business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
Before diving into the Payment Card Industry Data Security Standard (PCI DSS) requirements, you will also want to find out which SAQ applies to your business. While most requirements will stay the same, there are some differences in the work you’ll need to do based on your SAQ.
The first requirement of the PCI DSS is to protect your system with firewalls. Properly configured firewalls protect your card data environment. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization.
You’ll want to install both hardware firewalls and software firewalls. Both provide a first line of defence for your network. Hardware firewalls are the more robust security option. They can protect an entire network and segment its internal areas. Hardware firewalls are typically more expensive, take time to properly configure, and need to be maintained and reviewed regularly.
Software firewalls are cheaper and easier to maintain. They are meant to protect a single host from internal threats—commonly those from employees’ mobile devices, which can move in and out of the secure environment. If an employee clicks on a link in a phishing email, a software firewall should prevent malware infection.
You shouldn’t keep vendor-supplied defaults around. Out-of-the-box devices, such as routers or POS systems, come with factory settings like default usernames and passwords. Defaults make device installation and support easier, but they also mean that every model originates with the same username and password. Default passwords are simple to guess, and most are even published on the Internet.
The problem is that third parties sometimes install hardware or software and leave merchants unaware that their entire system is protected by an easy-to-find/crack password. Vendors might also purposely leave weak or default passwords to make service easier. But that’s like leaving your front door unlocked just to make life more convenient.
Fulfilling requirement 2 involves inventorying and then properly configuring all security settings on all systems and devices. You will need to assign someone to compile and review this information.
The point of the 12 requirements of PCI DSS is to protect and secure stored cardholder data and prevent data breaches. And according to requirement 3, stored card data must be encrypted using industry-accepted algorithms (e.g., AES-256). The problem is many merchants don’t know they store unencrypted primary account numbers (PAN).
Not only must card data be encrypted, but the encryption keys themselves must also be protected. For example, using a solid PCI DSS encryption key management process will help keep you from storing the key in the “lock” itself.
To fulfil this requirement, you need to create and document a current cardholder data (CHD) flow diagram for all card data flows in your organization. A CHD flow diagram is a graphical representation of how card data moves through an organization (see example). As you define your environment, it’s important to ask all organizations and departments if they receive cardholder information, and then document how their answers may change card data flows.
You should regularly run a data discovery tool like PANscan or PIIscan. These tools help identify the location of unencrypted PAN and other sensitive information, so you can securely delete or encrypt it.
For requirement 4, you need to know where you send cardholder data. Here are common places where primary account numbers (PAN) are sent:
- Backup servers
- Third parties that store or handle PAN
- Outsourced management of systems or infrastructure
- Corporate offices
You then need to use encryption and have security policies in place when you transmit this cardholder data over open, public networks.
A note about SSL and early TLS web encryption: based on vulnerabilities in web encryption, the PCI Security Standards Council has released a policy stating that you need to transition from SSL and early TLS to secure versions of TLS by June 30, 2018.
Anti-virus software needs to be installed on all systems commonly affected by malware. Make sure anti-virus or anti-malware programs are updated on a regular basis to detect known malware. Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems.
Be sure you or your POS vendor are regularly running your software’s anti-virus scans.
You should also keep up to date on current and existing malware threats. Using outside sources, such as vendor/anti-virus threat feeds, merchants can find out about emerging malware and attacks on systems. Then you can configure systems to alert and report on suspicious activity, such as new files added to known malware directories or unauthorized access attempts.
Applications will never be perfect, which is why manufacturers frequently release updates to patch security holes. These patch updates can also be time sensitive. Once a hacker knows they can get through a security hole, they pass that knowledge on to the hacker community, which will then exploit the weakness until the patch has been updated.
Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:
- Internet browsers
- Application software
- POS terminals
- Operating systems
Be vigilant and consistently update the software associated with your system. Requirement 6.2 states merchants must “install critical patches within a month of release” to maintain compliance. Don’t forget to update critical software installations like credit card payment applications and mobile devices. To stay updated, ask your software vendors to put you on their patch/upgrade notification list.
To fulfil requirement 7, you need a role-based access control (RBAC) system, which grants access to card data and systems on a need-to-know basis. Configure administrator and user accounts to prevent exposure of sensitive data to those who don’t need this information.
PCI DSS 3.2 requires a defined and up-to-date list of the roles (employees) with access to the card data environment. On this list, you should include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform normal business responsibilities. Authorized users must fit into one of the roles you outline.
According to PCI DSS requirement 8, user IDs and passwords need to be sufficiently complex and unique. You should not use group or shared passwords.
However, your system security should not be based solely on the complexity of a single password. No password should be considered “uncrackable,” which is why, as of February 1, 2018, all non-console administrative access (remote access) to in-scope systems requires multi-factor authentication.
Employees may think physical security only applies after hours. However, most data thefts (e.g., social engineering attacks) occur in the middle of the day, when staff is often too busy with their various assignments to notice someone walking out of the office with a server, company laptop, phone, etc.
You are not allowed to store sensitive information like payment card data out in the open. For example, many hotels keep binders full of credit card numbers behind the front desk or piled on the fax machine, for easy reservation access. Unfortunately, this collection of files not only makes life easier for employees but gives criminals easy access to this information.
Requirement 9 states that you must physically limit access to areas with cardholder data, as well as document the following:
- Who has access to secure environments and why they need this access?
- What, when, where, and why devices are used
- A list of authorized device users
- Locations where the device is and is not allowed
- What applications can be accessed on the device
You will also need to implement automated lockout/timeout controls on workstations, periodically inspect all devices, and most importantly—train your staff regularly about physical security, policies and procedures, and social engineering.
We found that in 2017, non-compliance with requirement 10 was the most common contributor to data breaches. Logs are only useful if they are reviewed.
System event logs are recorded tidbits of information regarding actions taken on computer systems like firewalls, office computers, or printers. To fulfil requirement 10, you must review logs at least daily to search for errors, anomalies, and suspicious activities that deviate from the norm. You’re also required to have a process in place to respond to these anomalies and exceptions.
Log monitoring systems, like Security Information and Event Monitoring tools (SIEM), can help you oversee network activity, inspect system events, alert of suspicious activity, and store user actions that occur inside your systems.
Your data could be left vulnerable due to defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces. Yes, fulfilling requirement 6 (installing security updates and patches) can help correct many of these defects and vulnerabilities before attackers have the opportunity to leverage them. But in order to be sure you’ve successfully patched these vulnerabilities; you need to be able to find them and test them. For that, you need to perform regular vulnerability scanning and penetration testing.
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.
A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Just like a hacker, penetration testers analyse network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). Basically, these analysts attempt to break into your company’s network.
Requirements for frequency and type of penetration test will vary depending on your SAQ, business size, environment, systems, etc.
The final requirement for PCI DSS compliance is to keep documentation, policies, procedures, and evidence relating to your company’s security practices.
If you perform a PCI DSS audit, you’ll quickly pick up on the fact that there’s a big emphasis on your documented security policies and procedures. During an assessment, QSAs will typically verify that specific requirements are defined in company policies and procedures. Then, they’ll follow predefined testing procedures to verify that those controls are implemented in accordance with the PCI Data Security Standard and with written company policies.
You will need to include the following information in your documentation:
- Employee manuals
- Policies and procedures
- Third-party vendor agreements
- Incident response plans
The second part of requirement 12 is to perform an annual, formal risk assessment that identifies critical assets, threats, and vulnerabilities. This requirement will help you identify, prioritize, and manage your information security risks.
Vectra PCI DSS Compliance and PCI DSS Assessment Services
PCI DSS Gap Assessment
Payment card industry merchants can prepare for Payment Card Industry Data Security Standard (PCI DSS) compliance by undertaking a PCI DSS gap assessment. This type of assessment helps to identify, analyse and document any areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) so that the merchant can remediate any issues prior to applying for a PCI DSS compliance assessment.
ASV Scanning Services
ASV (Approved Scanning Vendor) Vulnerability Scanning is a quarterly requirement for many organisations as part of the requirements to maintain their Payment Card Industry Data Security Standard (PCI DSS) Compliance. Vectra provides a web based portal that can be easily configured to automate the scanning process as required by PCI DSS, or can allow scans to be run on an ad-hoc basis when required.