How to Address PCI DSS Requirements

Do you accept, store or process credit card information on your website?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to every organization that stores, processes or transmits cardholder data, and to any organization whose systems could affect the security of that data.

Transaction volume changes how you validate compliance (a self-assessment questionnaire for smaller merchants, an on-site assessment by a Qualified Security Assessor for the largest), not whether the standard applies: any business that accepts card payments is in scope.

Even if you leverage third-party services like Stripe, Recurly, PayPal or another hosted payment option, you still have an obligation to meet the PCI DSS requirements that apply to you. Outsourcing the payment form shrinks the set of requirements in scope (the SAQ A questionnaire for fully outsourced e-commerce is the shortest), but it does not remove them: the page that redirects to or embeds the payment form is still yours to protect, because an attacker who modifies it can capture card data before it ever reaches the gateway.

Do You Conduct PCI Scans Regularly?

PCI DSS requires external vulnerability scans at least quarterly, performed by an Approved Scanning Vendor (ASV), plus internal scans at the same cadence and rescans after any significant change. If you are not running them, your business is out of compliance, and the unpatched weaknesses the scans would have found are exactly what attackers exploit. A breach means that someone has compromised your system and got hold of your customer data. You can lose a great deal of money, or worse, your whole business.

Is your website protected with a Web Application Firewall?

A Web Application Firewall (WAF) is a major part of becoming PCI compliant. Requirement 6.6 asks that public-facing web applications be protected either by an automated solution that detects and prevents web-based attacks, such as a WAF, or by application vulnerability reviews at least annually and after every change. For most small merchants a managed WAF is the practical choice, and it also produces the attack logs that Requirement 10 asks you to review.

You’re Responsible for Your Website’s Compliance

If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties: the card brands fine your acquirer or payment processor, who passes the fine on to you under your merchant agreement. Your web developer or web hosting company will not be fined.

Failing to maintain compliance could also open your business up to being sued by customers if there is a security breach, and/or to fines from your credit card processor.

What are the requirements?

This article follows PCI DSS version 3.2.1, published in May 2018. (The PCI Security Standards Council published version 4.0 in March 2022 and retired 3.2.1 on 31 March 2024; the twelve requirements keep the same numbering and structure, so the overview below still applies, but check the current version for the detailed sub-requirements.) While the PCI DSS has only 12 major requirements, each one has a dozen or more sub-requirements.

Here is an overview of the requirements:

PCI DSS Requirement 1: Protect your system with firewalls

The first requirement of the PCI DSS is to install and maintain a firewall configuration that protects cardholder data: document which inbound and outbound connections the cardholder data environment actually needs, deny everything else, and review the rule set at least every six months.

PCI DSS Requirement 2: Configure passwords and settings

PCI Requirement 2 states that you must not use vendor-supplied defaults for system passwords and other security parameters: change every default credential before a system goes live (routers, database and CMS administrator accounts, SNMP community strings), remove unnecessary services, accounts and sample content, and keep a documented configuration standard for every system type.

PCI DSS Requirement 3: Protect stored cardholder data

According to Requirement 3, if you store the primary account number (PAN) it must be rendered unreadable wherever it is kept, using truncation, one-way hashing, index tokens or strong encryption with properly managed keys, and sensitive authentication data (the full magnetic stripe, the CVV/CVC code and PINs) must never be stored after authorization, even encrypted. The best way to meet this requirement is to use a trusted payment gateway and never store card details yourself. By keeping only the gateway's customer and payment references, the outcome of each payment and at most the last four digits of the card, you significantly reduce the impact of a compromise and take most of Requirement 3 out of scope.
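The "keep only references" pattern above is easy to state and easy to break by accident (a debug log, a support note, a form field copied into the order table). The following is an added example, not code from the page or from any payment gateway: an in-memory stand-in for the order database that stores only the gateway's opaque references, plus a guard that refuses to persist or log anything that looks like a PAN. The guard uses the card-number length range (13 to 19 digits) and the Luhn checksum; the gateway reference values are placeholders, and the `PaymentRecordStore` class and its field names are assumptions for the example.

```python
"""Keep-only-references pattern for Requirement 3, with a guard that refuses
to persist anything that looks like a PAN.  Constructed example, not code from
the page or from any payment gateway."""
import re
from typing import Dict, List

# A PAN is 13 to 19 digits, possibly grouped with spaces or dashes.  The
# lookarounds stop the pattern matching the middle of a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate_digits(match: "re.Match") -> str:
    """Strip the optional separators from a regex hit."""
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that are PAN-length and pass Luhn.

    This is a heuristic: a Luhn-valid 16-digit order number would be flagged
    too, which is the right way round for a guard that protects card data.
    """
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = _candidate_digits(m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of every PAN found in text (for logs)."""
    def repl(m: "re.Match") -> str:
        digits = _candidate_digits(m)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "X" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # not a PAN: leave untouched
    return _PAN_RE.sub(repl, text)


class PaymentRecordStore:
    """In-memory stand-in for the application's database (constructed).

    The only payment data the application keeps is what the gateway hands
    back: an opaque customer reference, an opaque charge reference, the
    outcome, and the truncated number the gateway is allowed to show.
    """

    def __init__(self) -> None:
        self.rows: List[Dict[str, str]] = []

    def save(self, record: Dict[str, str]) -> None:
        # Last line of defence: scan every string field before it is stored,
        # so a developer who accidentally stores the raw form input gets an
        # error instead of a PAN in the database.
        for key, value in record.items():
            if isinstance(value, str) and find_pans(value):
                raise ValueError(f"refusing to store a card number in field {key!r}")
        self.rows.append(dict(record))


if __name__ == "__main__":
    store = PaymentRecordStore()
    # Gateway references are placeholders, not real identifiers.
    store.save({"customer_ref": "cus_example01", "charge_ref": "ch_example01",
                "status": "succeeded", "last4": "4242"})
    print(redact_pans("checkout form posted card=4242 4242 4242 4242"))
    try:
        store.save({"note": "customer card 4111111111111111"})
    except ValueError as exc:
        print("blocked:", exc)
```

Run `redact_pans` over anything that goes to a log file and call `find_pans` in a scheduled job over database dumps and log archives: finding a PAN where none should exist is the quickest way to learn that a form, a plugin or a developer has widened your scope without telling you.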

PCI DSS Requirement 4: Encrypt Transmission of Cardholder Data

Requirement 4 of the PCI DSS states that you must encrypt transmission of cardholder data across open, public networks using strong cryptography: serve the checkout and every page that links to it over HTTPS with TLS 1.2 or later (version 3.2.1 set 30 June 2018 as the deadline to stop using SSL and early TLS), and never send PANs by unencrypted e-mail, chat or SMS.

PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 5 asks you to deploy anti-malware software on systems commonly affected by malware, keep it updated and running, and make sure users cannot disable it. On the web side the threat is mostly automated: under most circumstances, bad actors don't hand-pick websites to attack, since that is very time consuming. The majority of attacks against websites are automated and performed by bots that are looking for websites with known vulnerabilities, which is why this requirement goes hand in hand with patching (Requirement 6).

PCI DSS Requirement 6: Develop and Maintain Secure Systems and Applications

PCI Requirement 6 states that website owners must keep system components protected from known vulnerabilities, installing vendor security patches within a month of release for critical ones, and must address common coding vulnerabilities (injection, cross-site scripting, broken authentication and the rest of the OWASP list) in any software they develop themselves. Public-facing web applications must additionally be protected as described under 6.6: a WAF or a regular application vulnerability review.

It doesn't matter if you're just starting out and your website is small with very little traffic. If you have a vulnerable CMS, extension, plugin or theme on your website, a malicious bot will almost certainly identify it at some point, so keep an inventory of what is installed and remove anything you do not use.

PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know

PCI Requirement 7 states that you must restrict access to cardholder data by business need-to-know: define which roles genuinely need which data, grant the least privilege the job requires, and default to deny-all so that nobody gets access by accident.

PCI DSS Requirement 8: Identify and authenticate access to system components

Requirement 8 states that you must assign a unique ID to each person with access to system components, so that you can limit their access and trace every action in the logs back to an individual. Shared or generic accounts are not allowed, and all non-console administrative access to the cardholder data environment, as well as all remote access into it, must use multi-factor authentication.

PCI DSS Requirement 9: Restrict physical access to workplace and cardholder data

PCI Requirement 9 states that you must restrict physical access to cardholder data and to the systems that hold it: control who can enter server rooms and offices, keep paper records and backup media locked away rather than out in the open, and destroy them securely when they are no longer needed.

PCI DSS Requirement 10: Implement logging and log management

PCI Requirement 10 is one of the most important requirements for PCI compliance. It explicitly states that you must implement audit trails that link every access to cardholder data and every administrative action to an individual user, synchronize system clocks so that events can be correlated, review the logs at least daily (automated tools are allowed), and retain them for at least a year with the most recent three months immediately available. Without logs you cannot identify a compromise, and after a breach you cannot tell what was exposed.
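Requirement 10's daily log review is only useful if someone turns the raw lines into findings, and the automated probing described under Requirements 5 and 6 is the most common thing such a review turns up on a small site. The following is an added example, not code from the page or from ReconByte: it parses constructed web server access-log lines in the common "combined" format, groups requests by client address, and flags addresses that request several well-known probe paths or accumulate many 404s. The probe-path list, the thresholds and the client addresses (taken from the documentation ranges) are assumptions for the example; tune the list to the software you actually run.

```python
"""Review web server access logs for automated probing and produce findings
an operator can act on.  Constructed example with constructed log lines; not
code from the page or from ReconByte."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Apache/Nginx "combined"-style line:  ip ident user [time] "METHOD path HTTP/x" status size
_LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that legitimate visitors to a store almost never request but that
# scanners and bots try on every host.  Hypothetical list for the example.
PROBE_PREFIXES = (
    "/wp-login.php", "/xmlrpc.php", "/wp-content/plugins/",
    "/administrator/", "/phpmyadmin/", "/.env", "/.git/",
)

# Constructed sample log: one scanner, one ordinary shopper, one stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 312
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 312
203.0.113.7 - - [10/Mar/2024:09:12:02 +0000] "GET /.env HTTP/1.1" 404 312
203.0.113.7 - - [10/Mar/2024:09:12:02 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 312
203.0.113.7 - - [10/Mar/2024:09:12:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312
203.0.113.7 - - [10/Mar/2024:09:12:03 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 312
198.51.100.4 - - [10/Mar/2024:09:13:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2024:09:13:12 +0000] "GET /checkout HTTP/1.1" 200 8811
198.51.100.4 - - [10/Mar/2024:09:13:40 +0000] "POST /checkout HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:09:14:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["status"] = int(m.group("status"))
    rec["path"] = m.group("path").split("?", 1)[0]   # drop the query string
    return rec


def find_scanners(lines, min_probe_paths: int = 3, min_not_found: int = 5) -> List[Dict[str, object]]:
    """Group requests by client IP and flag addresses that look like scanners."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "probes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # unparseable lines are skipped, not fatal
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if any(rec["path"].startswith(p) for p in PROBE_PREFIXES):
            s["probes"].add(rec["path"])   # set, so repeats of one path count once

    findings = []
    for ip, s in stats.items():
        reasons = []
        if len(s["probes"]) >= min_probe_paths:
            reasons.append(f"{len(s['probes'])} distinct probe paths")
        if s["not_found"] >= min_not_found:
            reasons.append(f"{s['not_found']} of {s['requests']} requests returned 404")
        if reasons:
            findings.append({"ip": ip, "requests": s["requests"],
                             "not_found": s["not_found"],
                             "probe_paths": sorted(s["probes"]), "reasons": reasons})
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in find_scanners(SAMPLE_LOG.splitlines()):
        print(f["ip"], "-", "; ".join(f["reasons"]))
        for path in f["probe_paths"]:
            print("   ", path)
```

The shopper (198.51.100.4) and the single missing favicon (192.0.2.9) stay below both thresholds, while the scanner is reported once with the evidence attached. On a real site, feed the output into the same ticketing or alerting path the WAF uses, and keep the raw lines for the retention period Requirement 10 demands so that the finding can still be investigated a year later.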

PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests

PCI Requirement 11 states that you must regularly test security systems and processes: quarterly internal vulnerability scans and quarterly external scans by an ASV, rescans after significant changes, an annual penetration test at both the network and application layers (repeated after major changes), and change-detection or file-integrity monitoring on critical files so that a modified page or configuration is noticed. For a website this means scanning and reporting on potential vulnerabilities, then fixing what the scans find.

PCI DSS Requirement 12: Documentation and risk assessments

The final requirement for PCI compliance is to maintain an information security policy and keep the documentation, procedures and evidence of your company's security practices behind it: a risk assessment at least annually, security awareness training for staff, written agreements with the service providers that handle card data on your behalf, and a tested incident response plan.

How we can help

PCI has 12 core requirements, divided into hundreds of sub-requirements and testing procedures that you must satisfy. For many businesses, the prospect of becoming PCI DSS compliant is overwhelming.

ReconByte's security solution helps you meet many of them by providing a cloud-based Web Application Firewall (WAF) and Intrusion Detection System for your websites. With our solution you get:

  • Fully managed and updated Web Application Firewall
  • Protection against OWASP Top 10 threats
  • Application security monitoring and virtual patching
  • Real time alerting, incident handling and response
  • Continuous analysis of WAF and environment logs

Choose the right plan for your business

Cloud-based solution: no hardware or software to install, no changes to your website, no change of host. A simple DNS change, which takes about two minutes, routes all traffic to your site through our solution so that it is inspected and filtered before it reaches your server.