PCI Compliance Checklist

In this modern day and age it is more important than ever that all sensitive information is properly secure and protected. To that end, this checklist will take you through the steps to ensuring your complete compliance with Payment Card Industry Data Security Standards (PCI DSS).

Although the official PCI DSS requires an annual review and submission of proof, it is recommended that you run this checklist at least quarterly (or after any changes in your system relating to cardholder data) to keep up to date on security.

Follow this PCI compliance checklist to ensure complete compliance and avoid any legal trouble.

Continue to tackle the first part of the process: Assessing.

(Source: pcisecuritystandards.org)

According to Search Security, level 1 merchants must have their compliance assessed by a Qualified Security Assessor (QSA). The PCI Security Standards Council (PSISSC) has compiled a list of companies that can do it for you, available here.

While this is necessary for level 1 merchants, merchants at levels 2-4 can also call in the help of a QSA if they want to avoid extra work.

(Source: pcicomplianceguide.org)

According to Braintree, "any business that processes, handles or stores credit card data on behalf of a merchant is required to be PCI DSS Compliant."

Compliance Guide adds:

"PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply."

How to determine your assessment level, along with the latest assessment forms, can be found in the document below:

There are nine kinds of Self-Assessment Questionnaire (SAQ). The kind that applies to you dictates the level of compliance you need to meet. This table will tell you which SAQ classification you are:

When you move onto the next section, select the task appropriate to your SAQ level.

While the Remediate section of PCI Compliance contains general steps applicable to all merchants, the different SAQ levels might need you to have extra security measures in place.

If you meet the requirements for SAQ A, as laid out in the previous task, this is the compliance form you must fill in.

If you meet the requirements for SAQ A-EP, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ B, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ B-IP, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ C-VT, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ C, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ D-Merchant, as laid out in task 4, this is the compliance form you must fill in.

If you meet the requirements for SAQ D-Service Provider, as laid out in task 4, this is the compliance form you must fill in.

Depending on the results of your self-assessment, you may have to carry out some or all of the below tasks before you are fully compliant with PCI requirements.

If you are a level 1 merchant, you must use a certified QSA company and cannot carry out the steps yourself. A list of certified QSA firms can be found here.

If you prefer you can call in a QSA firm regardless of your merchant level, but know you don't have to.

For each of the following tasks you must write and maintain documentation that explains the steps taken to comply. The documentation must be available to all relevant staff.

Depending on the card brand you use, compliance procedures will be slightly different. See the links below for different company's policies on data security.

• American Express: www.americanexpress.com/datasecurity
• Discover Financial Services: http://www.discovernetwork.com/merchants/fraud-protection
• JCB International: http://partner.jcbcard.com/security/jcbprogram/index.html
• MasterCard: http://www.mastercard.com/sdp
• Visa Inc: http://www.visa.com/cisp
• Visa Europe: http://www.visaeurope.com/ais

Firewalls are devices that control computer traffic allowed in and out of an organization’s network, along with sensitive areas in its internal network. Firewalls can also appear in other system components.

All your networking devices that transmit or receive cardholder details should be tested. The steps to do so are as follows.

1.   Establish and implement firewall and router configuration standards that:

• Formalize testing whenever configurations change
• Identify all connections between the cardholder data environment and other networks (including wireless) with documentation and diagrams
• Document business justification and various technical settings for each implementation
• Diagram all cardholder data flows across systems and networks
• Stipulate a review of configuration rule sets at least every six months

2.   Build firewall and router configurations that restrict all traffic, inbound and outbound, from “untrusted” networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.

3.   Prohibit direct public access between the Internet and any system component in the cardholder data environment.

4.   Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network, and which are also used to access the network.

An approved method for installing PCI-compliant firewalls is available below.

The first thing a hacker would use when trying to get into your system is known default credentials. These include:

• [none]
• [name of product / vendor]
• 1234 or 4321
• access
• admin
• anonymous
• database
• guest
• manager
• pass
• password
• root
• sa
• secret
• sysadmin
• user

To ensure you don't overlook this, follow the guidelines below:

• Immediately change all credentials for every account and disable any default accounts (such as 'admin')
• Keep a list of all systems that can be accessed using login credentials
• Keep system configurations updated in line with new vulnerabilities
• Encrypt all non-console admin access points (such as browser-based management tools)

To account for as many vulnerabilities as possible, don't store any more cardholder data than is absolutely necessary.

• Review the necessity to keep data (at least quarterly) and purge anything you don't need for legal/compliance/business reasons.
• Never store authentication data. It should be purged directly after authentication (PIN codes for example).
• Ensure Primary Account Number (PAN) is unreadable anywhere it is stored. For this you can use one-way hash functions, truncation, index tokens or strong cryptography. 
• Protect encryption keys.

When transmitting cardholder data over open public networks (internet, satellite, wireless networks, cellular networks), you need to to employ strong cryptography such as TLS, SSH or IPSec. 

As added security measures, remember to:

• Never send unprotected PANs via SMS, email or instant message.
• Document all security procedures regarding the above and make them available to only the relevant people.

On systems generally affected by viruses and malware (PCs and servers) you need to install or update anti-virus software that has the ability to scan and generate logs. The logs must then be retained as part of the PCI compliance process.

Remember to:

• Ensure the anti-virus can't be disabled without review on a case-by-case basis
• Check that any systems not commonly effected by viruses (usually all but Microsoft Windows) still don't need anti-virus.

As new methods to compromise security are developed, the creators of security software release patches to protect systems against new threats. This is only the only way to update your security however, and you must run the following guidelines in full:

• Use a methodology to identify vulnerabilities and apply risk rankings.
   
• Ensure all patches are up to date for all software, installing them within one month of release.
• Develop internal and external software applications (including web-based administrative access to applications) in accordance with PCI DSS and based on industry best practices. Incorporate information security throughout the software development life cycle. This applies to all software developed internally as well as bespoke or custom software developed by a third party.
   
• Follow change control processes and procedures for all changes to system components.
   
• Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines – including how sensitive data is handled in memory.
   
• Ensure all public-facing web apps are protected against known attacks by performing application vulnerability assessments at least annually or after any changes. Alternatively you can install an automated technical solution that detects and prevents web-based attacks (for example, a web-app firewall) to continually check all traffic.

To further minimize the risk of vulnerabilities you need to keep cardholder detail access on as few systems as possible. One of the best ways to do this is to limit the access to staff whose job directly requires the information.

Set a default 'deny all' security on access and only allow specific staff through.

Every user with access to the Cardholder Data Environment must have a unique ID. This allows a business to trace every action to a specific individual should something breach security. Coupled with the unique ID, ensure every user has a strong unique password for authentication.

See here for guidelines and tools for creating strong passwords.

Don't overlook the possibility of physical theft of documents and hard disks. This is just as vital to the PCI Compliance process as safeguarding the digital side of the company, and needs to be addressed by:

• Checking facility entry controls. Ensure the use of keycards and identity cards to prevent unauthorized entry.
• Strictly controlling the distribution of physical copies of backup discs, receipts and other financial documents. Only give these when absolutely necessary.
• Destroy media (sensitive or not) when no longer needed.
• Keep data storage areas tightly locked and secure.

If your system is compromised it will be extremely difficult to find the cause without data logs. Your software should automatically produce logs for you to audit in case of a security breach. If it does not, acquire software which serves this function; widely available software such as Avast! Anti-Virus automatically writes logs, you just need to check custom software for this feature.

Remember to:

• Ensure all logs are read-only.
• Implement audit trails to link all access to individual users.
• Keep logs for at least one year.
• Securely store all logs.

Whilst you should regularly test your security systems, a definitive test should always be carried out for the PCI Compliance process. This test should include aspects such as:

• Checking for wireless access points (on a quarterly basis).
• Running internal and external vulnerability scans (quarterly).
• Carrying out penetration testing (annually).
• Employing a network intrusion system.
• The presence of a change detection mechanism to alert employees of unauthorized modifications.

This test is marked according to the Common Vulnerability Scoring System (CVSS), on which more information can be found here.

The method of putting an information security policy into place is up to you, but it needs to be implemented and should fulfill the following criteria:

• Come under annual review.
• Include a risk assessment policy.
• Define security responsibilities of each staff member.
• Enact a formal security awareness program regarding cardholder information.
• Screen potential new staff prior to hiring.
• Manage the sharing of cardholder data.
• Define an incident response plan. 

If you choose to do a self-assessment you have to submit a report to the PCI Security Standards Council after addressing any remedial issues outlined above. 

The report is to be sent to the merchant's acquiring bank. 

Download the template below:

PCI Security Standards Council - How to Be Compliant

Margaret Rouse - PCI Assessment Definition

PCI Compliance Guide - PCI FAQs

Braintree - Who Needs to be PCI Compliant?