Download our FREE whitepaper on data loss prevention best practices. Download Now

5 Best Practices for PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps businesses protect their payment systems from breaches, fraud, and theft of cardholder data. Developed by the PCI Security Standards Council, PCI DSS compliance is required for all companies that process, store or transmit credit card information from the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa.

While not a legal requirement, PCI DSS was adopted as a general standard by financial institutions the world over, which means that merchants will need to comply with it in order to be allowed by banks to accept card payments, whether in person, over the phone or online.

Noncompliance comes with dire consequences: not only do organizations face fines of up to $100,000/month and increased transaction fees, but they might also find their relationship with their bank terminated or, worse, wind up on the dreaded MATCH (Merchant Alert to Control High-Risk) list which will ensure they are never allowed to process card payments again.

Best practices for PCI DSS compliance

PCI DSS has twelve requirements that range from basic security measures such as installing firewalls and antivirus software to more complex requirements such as developing and maintaining secure systems and applications. How can organizations achieve compliance? Here are our five best practices:

1. Data transparency

In the age of compliance, not only of PCI DSS but also data protection regulations such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), knowing exactly where your data is and where it’s going are two fundamental requirements. After all, a company cannot protect something it has no knowledge of.

Requirement 3 of PCI-DSS states that data should only be stored in specific, known locations with limited access to protect credit card information. Organizations must therefore map their data flow and regularly conduct network scans to ensure credit card information has not been saved or forgotten in unpermitted locations by careless employees.

This can be done through Data Loss Prevention solutions such as Endpoint Protector which offer data discovery tools that can automatically or manually scan networks for credit card information and encrypt or delete it when it is found on unauthorized users’ computers.

2. Securing your data on the move

The two main ways data can be protected on the move are tokenization and encryption. Tokenization generates an alternate ID for a card number which can then be used for transactions, reducing the risk of the actual card information being exposed during transmission.

When it comes to encryption, as of 30 June 2018, SSL/early TLS are no longer considered secure forms of encryption and are therefore not enough for PCI DSS compliance. Organizations that want to use encryption to protect card data must use TLS v1.2 or higher.

Data’s mobility can also be checked through DLP tools that allow admins to not only monitor credit card information transfers through predefined policies but also block its transfer altogether through exit points deemed insecure such as file-sharing services or instant messaging applications.

3. Restrict access rights

Under requirement 7 of PCI DSS, access to data must be restricted to authorized personnel only. Companies must evaluate which of their employees need access to card data to fulfill their job responsibilities and then use the proper tools and processes to limit access based on business needs.

To achieve this, organizations must first and foremost implement unique ID credentials for every employee to track which users take actions on credit card information and to prevent concurrent logins. Access rights can then be set according to an employee’s job scope using appropriate Access Rights Management (ARM) software.

4. Employee training

The weakest link in any security strategy is often the human one: employees are behind over 27% of data breaches, according to a survey conducted by the Ponemon Institute. Therefore, it is essential that companies do not neglect the human element in PCI DSS compliance. Software, whether DLP, ARM, or antivirus, while it can increase security greatly, is much more effective when employees understand its need.

An informed workforce is less likely to look for ways to bypass security measures when they know their purpose. Companies must therefore invest in industry-specific employee training, ensuring that they comprehend the importance of PCI DSS and the risks and consequences of noncompliance.

5. Document and log everything

Part of requirement 12 of PCI DSS compliance, document everything underlines the need for organizations to keep records of all its security policies and procedures, risk assessments, and security incidents. Strong documentation helps CIOs and security professionals make informed decisions concerning future security measures and allows companies prove compliance.

Logs and log monitoring are found under requirement 10 of PCI DSS and include logs of all security events, servers, and critical system components. Companies should ensure that their antivirus solution provides logs of security incidents. They can also generate logs of attempted unauthorized transfers and the users responsible for them through DLP solutions.

Looking for a PCI compliance scanner? Check our DLP solution.

Frequently Asked Questions

What are the 12 requirements of PCI DSS Compliance?
  • Install and maintain a firewall configuration
  • Configure passwords and settings
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Regularly update and patch systems
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Implement logging and log management
  • Conduct vulnerability scans and penetration tests regularly
  • Documentation and risk assessments

Find out how to ensure PCI DSS compliance during remote work

What qualifies as PCI data?
The PCI Security Council's founding members include card brands such as American Express, MasterCard Worldwide, JCB International, Visa Inc., and Discover Financial Services. Cardholder data refers to any information contained on a customer’s payment card: primary account number (PAN) in conjunction with cardholder name, credit card expiration date, service code. The data is printed on either side of the card and is provided in a digital format on the magnetic stripe embedded in the backside of the card.

Check out our advanced PCI compliance scanner.

Why is PCI compliance important?
Without the regulation of PCI, sensitive data such as Personally Identifiable Information (PII) and Personally Identifiable Financial Information (PIFI) would be unprotected, exposed, and vulnerable to theft. PCI DSS protects client and business data, boosts customer confidence, provides a baseline of security requirements, and helps avoid fines and lawsuits.

Read why PCI compliance is a must.

How DLP Helps with PCI DSS Compliance?
Data Loss Prevention (DLP) solutions are some of the most useful tools for PCI DSS compliance. By deploying a DLP solution, companies can ensure that cardholder information is identified, logged, and controlled in order to meet PCI DSS requirements, including the following:
  • Protecting stored cardholder data
  • Restricting access to cardholder data by business need-to-know
  • Tracking and monitoring all access to network resources and cardholder data
  • Regularly testing security systems and processes

Learn more about how DLP helps with PCI DSS compliance.

explainer-c_compliant-industry

Download our free ebook on
GDPR compliance

A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.

In this article:

    Request Demo
    check mark

    Your request for Endpoint Protector was sent!
    One of our representatives will contact you shortly to schedule a demo.

    * Your privacy is important to us. Check out our Privacy Policy for more information.