In the previous articles, we discussed the first seven PCI DSS requirements and how to go beyond what is required in order to increase security. In this article, we cover the last five PCI DSS requirements.
Requirement 8: Identify and authenticate access to system components
As we suggested in requirement 7, each employee must have a unique ID so you can assign the appropriate access level and monitor their activity. This approach should go hand in hand with a secure authentication method.
Equally important is to provide proper computer security education for all employees, so that they understand the most common social engineering techniques, how to safely use social media, the principles of multi-factor authentication, mobile device security, and more. Keep in mind that in 2019, phishing attacks were responsible for 33% of data breaches. Strong policies and properly trained staff are mandatory to increase the security of an organization.
Requirement 9: Restrict physical access to cardholder data
All policies so far have mainly focused on internet security, but physical security is equally important. What’s the point of having sophisticated software-based security products if anyone can walk into your datacenter and physically access everything?
In order to go beyond this requirement, you should consider the following practices:
- Lock up the data center - The data center or server room holds devices and data that all need to be protected from theft, unauthorized access, or physical damage. Thus, it must be locked, and access should be granted only to authorized personnel after identity verification. You can also bolt server racks to the floor to make them difficult to steal.
- Use badges - A badge or a smart card (magnetic stripe, RFID, etc.) should be used to verify whether a person is an employee or a visitor. Additionally, you can implement smart card door locks, but don’t forget to monitor all check-in/check-out activity. Employees also need to make sure that no one “tailgates” (i.e. walks in behind them without badging in).
- Use intrusion detection alarms and motion detectors
- Set up CCTV - Place cameras where they are difficult to tamper with or disable. Also, make sure that the area has enough light for the camera to capture decent video quality.
- Don’t forget the workstations - You should disconnect all workstations that are not currently in use. For in-use workstations, set the auto logout time to no longer than 1-2 minutes.
Requirement 10: Track and monitor all access to network resources and cardholder data
This requirement is often overlooked, but it can be a valuable tool in tracing a data breach. However, logging everything is not enough to counteract ongoing attacks. Log files are incredibly useful, especially after a data breach: they can help the investigation team understand how an attacker gained unauthorized access. But in order to block ongoing attacks, monitoring mechanisms need to be implemented. The purpose of monitoring is to process log files in real time and identify anomalies or unusual events. Security personnel also need to manually check the alerts generated by monitoring technologies and take adequate action in case of a cyber-security attack.
A great monitoring tool is Nagios. It is capable of “managing and monitoring security logs, system logs, application logs, log files, and syslog data, and alerting you when a log pattern is detected”.
If you want to monitor not only security events but also the performance of your infrastructure, you can use FCAPS (Fault-management, Configuration, Accounting, Performance, and Security), a common methodology for network management widely used in enterprises. FCAPS guidelines can help a company achieve its objectives related to security and network management.
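As an added illustration of the real-time monitoring step described above (this is not code from the article or from any of the tools it names), the following Python monitor parses constructed syslog-style login events and raises alerts for failed-login bursts from one source, successful logins to shared accounts (the non-unique IDs that requirement 8 warns against), and after-hours access to database hosts. The log format, host names, account names and business hours are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like key=value format (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z pos01 login user=alice src=10.0.1.5 result=success
2024-03-01T09:00:04Z pos01 login user=bob src=10.0.1.6 result=failure
2024-03-01T09:00:05Z pos01 login user=bob src=10.0.1.6 result=failure
2024-03-01T09:00:06Z pos01 login user=bob src=10.0.1.6 result=failure
2024-03-01T09:00:07Z pos01 login user=bob src=10.0.1.6 result=failure
2024-03-01T09:10:00Z db01 login user=admin src=10.0.2.9 result=success
2024-03-01T23:30:00Z db01 query user=carol src=10.0.3.3 result=success
malformed line that the parser must skip rather than crash on
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
GENERIC_ACCOUNTS = {"admin", "root", "shared"}   # assumed non-unique IDs (requirement 8)
BUSINESS_HOURS = range(7, 19)                     # assumed 07:00-18:59 UTC

def parse_line(line):
    """Return a dict for a well-formed line, or None so bad input never stops the monitor."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def monitor(lines, window=timedelta(minutes=5), threshold=3):
    """Scan lines once and return alerts; state is per source, so it also works on a live tail."""
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "success" and ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(("shared_account_login", ev["user"], ev["src"]))
        if ev["result"] == "success" and ev["host"].startswith("db") \
                and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_db_access", ev["user"], ev["host"]))
        if ev["result"] == "failure":
            q = failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # forget failures older than the window
                q.popleft()
            if len(q) == threshold:                  # fire once, when the burst first crosses the line
                alerts.append(("failed_login_burst", ev["src"], threshold))
    return alerts
```

Running `monitor(SAMPLE_LOG.splitlines())` yields three alerts, one per detection, and the malformed line is skipped rather than aborting the scan.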
Requirement 11: Regularly test security systems and processes.
This requirement says that you must regularly perform penetration testing audits on your application/infrastructure. However, do not limit the tests to basic security checks such as ensuring services are up-to-date, checking firewall rules, or checking the SSL certificate. Try to go in-depth and perform threat modeling, social engineering attacks, insider attacks, and even simulations of critical infrastructure attacks.
Regarding the frequency of the tests, they should be performed every few months. Keep in mind that new vulnerabilities are uncovered by security researchers every day, so a penetration test performed today may find vulnerabilities that were not known one month before.
Requirement 12: Maintain a policy that addresses information security for all personnel.
An Information Security Policy is a set of rules that define the policies and procedures that must be followed by all personnel to protect the organization against threats. Policies are necessary to minimize the impact of a security incident and ensure business continuity.
Information security policies should cover the physical perimeter, sensitive information protection, access control, human resources, hardware devices, third-party software, communication encryption, a risk assessment process, and an incident response plan. Moreover, the responsibilities of personnel should be clearly defined. Everyone should be aware of the policies and know their responsibilities in protecting customers’ data.
Having strong policies and employees educated on them can significantly reduce the impact of a security incident, so it is worth being prepared.
PCI compliance can be an expensive, time-consuming, and difficult process. However, the cost of not being compliant and the cost of a data breach are much higher.
Focusing on the security of the entire business, rather than treating PCI compliance as the destination, can help companies manage risks in a prioritized manner, respond to security incidents more efficiently, and protect both cardholder data and the company infrastructure. By adopting a defense in depth approach, a business can make PCI compliance an intrinsic outcome of its security efforts instead of a separately funded and managed function.
In this series we covered:
- PCI is not an annual check, but a continuous process
- Being compliant is not enough to protect your organization; PCI is just a minimum standard to meet
- Implement strong Access Control policies and monitor everything
- Security Awareness training for your employees and Secure Coding training for your developers is crucial
- Plan for the worst