Being hacked and having sensitive data exposed is many organisations’ worst nightmare. At the same time, today’s society demands constant data access. Can we have both – high security and data access at our fingertips? The answer is: Yes. Let’s take a closer look at the safest security standard in the market – and the people whose mission it is to protect it.
The payment card industry has the world’s toughest standard for data security. It is called PCI DSS (Payment Card Industry Data Security Standard) and reaches beyond the world of payment cards. The standard is designed to protect card companies’ customers against hackers and other unauthorized users so that they can’t steal valuable card data that these businesses often store. This security standard is becoming increasingly important as societies become more digitized, and consumers are abandoning cash payments.
PCI DSS covers everything from how a merchant should verify the identity of the person who is to change the payment terminal itself, what kind of encryption should be used for card data, to what companies handling card data should demand of their datacenters.
PCI DSS has 12 requirements, which in turn are divided into over 250 controls. Which requirements a particular company has to meet is based on industry and transaction volume, meaning that the e-commerce site with thousands of daily transactions have stricter requirements than the company selling one product per month.
The 12 requirements of PCI DSS
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Becoming PCI DSS certified puts high demands on a company’s knowledge of data security, and often poses a great challenge for those who try to manage it on their own. Many companies cannot reach PCI DSS compliance without external help. For this reason it can be advantageous to purchase IT operations in a PCI DSS certified environment.
Once you have reached compliance and become PCI DSS certified it, of course, becomes important to continue to meet the requirements of the standard. To maintain status after a certification process, the company goes through an annual audit. The audit is performed by a Qualified Security Assessor, QSA. A QSA is one of the Knights of the payment card world, whose mission it is to protect those who use payment cards against criminals. These highly trained IT-security experts, are certified by the PCI SSC (PCI Security Standards Council).
A QSA validates companies’ compliance with PCI DSS. They compile a Report on Compliance (RoC) during the validation process, which confirms that the company meets the requirements of the standard. A RoC can be several hundred pages long, and will have comments for each control under each requirement.
The first and according to some most important part of the certification process is to define what is ‘’in scope’’, i.e. what will be the scope of the audit. PCI DSS concerns card data, so it is important to isolate this into segmented networks. Once the scope has been defined the QSA will do a gap analysis.
A PCI DSS gap analysis is an evaluation of the company’s current position in relation to the security standard. It identifies the changes and/or actions that are required to obtain a PCI DSS certification. The company in question will then have to address and fix what was identified before the QSA can do a penetration test. During the pentest, servers and external services are tested to identify vulnerabilities and security gaps from an infrastructure perspective. One can describe a penetration test as a realistic cyber-attack that discovers possible security flaws and deficiencies in systems. Once the penetration test has been completed, it is time to fix the vulnerabilities before final validation and the designated QSA delivers a RoC. With the delivery of the RoC, the threat is minimized and the Knight can move on to securing others.
