In posts one, two and three in this four-part series, we discussed the first seven PCI DSS requirements and how to go above what is required in order to increase security. In this final article, we cover the last five PCI DSS requirements.
Requirement 8: Identify and authenticate access to system components
As we suggested in requirement 7, each employee must have a unique ID so you can provide the appropriate access level and monitor their activity. Also, this approach should go hand in hand with a secure authentication method.
Equally important is to provide proper computer security education for all employees, so that they understand the most common social engineering techniques used to steal personal data, how to use social media safely, the principles of multi-factor authentication, mobile device security, and more.
Strong policies and properly trained staff are mandatory to increase the security of an organization.
Requirement 9: Restrict physical access to cardholder data
All policies so far have focused on internet security, but physical security is equally important. What’s the point of having sophisticated software-based security products if anyone can walk into your data center and physically access everything?
In order to go beyond this requirement, you should consider the following practices:
- Lock up the data center - The data center or server room holds devices and data that must be protected from theft, unauthorized access, or physical damage. Thus, it must be locked, and access should be granted only to authorized personnel after identity verification. You should also bolt rack servers to the floor to make them difficult to steal.
- Use badges - A badge or a smart card (magnetic stripe, RFID, etc.) should be used to verify whether a person is an employee or a visitor. Additionally, you can implement smart card door locks, but don’t forget to monitor all check-in/out activity. Employees also need to make sure that no one “tailgates” (i.e. walks in behind them without badging in).
- Use intrusion detection alarms and motion detectors - this added layer of security may be old school, but it works and should be part of every physical security plan.
- Set up CCTV - Try to place cameras where they are difficult to tamper with or disable. Also, make sure that the area has enough light for the camera to capture decent video quality.
- Don’t forget workstations - Make it a practice to disconnect all workstations that are not currently in use. For in-use workstations, set the auto logout time to no longer than 1-2 minutes.
Requirement 10: Track and monitor all access to network resources and cardholder data
This requirement is often overlooked, but it can be a valuable tool in tracing a data breach. While logging everything is not enough to counteract ongoing attacks, the log files are incredibly useful evidence after a data breach. They can help the investigation team understand how an attacker gained unauthorized access.
In order to block ongoing attacks, monitoring mechanisms must also be implemented. The purpose of monitoring is to process log files in real time and identify anomalies or unusual events. Security personnel must also manually check the alerts generated by monitoring technologies and take adequate action in case of a cyber attack.
A great monitoring tool is Nagios. It is capable of “managing and monitoring security logs, system logs, application logs, log files, and syslog data, and alerting you when a log pattern is detected”.
If you want to monitor security events and also the performance of your infrastructure, you can use FCAPS (Fault-management, Configuration, Accounting, Performance, and Security), a common methodology for network management widely used in enterprises. FCAPS guidelines can help a company to achieve its objectives related to security and network management.
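To make the monitoring idea above concrete, here is an added example (not code from the original post, nor from Nagios): a small Python script that processes authentication log lines as they arrive and raises alerts for the kinds of anomalies a log monitor should catch. The syslog-style line format, the thresholds, the business-hours window and the sample log lines are all constructed for illustration; a real deployment would read from syslog or a log shipper and forward alerts to the team that reviews them.

```python
"""Added example: anomaly detection over authentication log lines.

Illustrates Requirement 10 (monitoring log files in real time). The log
format, thresholds and sample lines below are constructed assumptions,
not real data or the output of any particular product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, timestamps in UTC). Not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03Z host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04Z host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06Z host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:07Z host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09Z host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:00Z host1 sshd: Accepted password for bob from 10.0.0.7
2024-03-01T03:10:00Z host2 sshd: Accepted password for carol from 10.0.0.9
"""

# Assumed line layout: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5              # failures per user inside WINDOW trigger an alert
WINDOW = timedelta(seconds=60)  # sliding window for counting failures
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC is considered normal login time


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text):
    """Process log lines in order and return a list of alert strings.

    Detects: repeated failed logins for one user ID within WINDOW,
    a successful login right after such a burst, and logins outside
    business hours. Unique user IDs (Requirement 8) are what make the
    per-user counting meaningful.
    """
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real monitor would count these too
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "Failed":
            # Keep only failures that fall inside the sliding window.
            recent = [t for t in failures[user] if ts - t <= WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(
                    f"brute-force: {user} had {len(recent)} failures "
                    f"from {ev['ip']} within {WINDOW.seconds}s"
                )
        else:
            # A success following a burst of failures deserves a human review.
            if len(failures[user]) >= FAIL_THRESHOLD:
                alerts.append(f"success-after-failures: {user} from {ev['ip']}")
            failures[user] = []
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(
                    f"off-hours login: {user} on {ev['host']} at {ts.isoformat()}"
                )
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT", alert)
```

Running the script on the constructed sample produces three alerts: the burst of failures for alice, her successful login immediately afterwards, and carol's login at 03:10 UTC. The thresholds are deliberately simple; the point is that log lines feed a decision in near real time and that every alert lands in front of a person who reviews it, as the paragraph above requires.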
Requirement 11: Regularly test security systems and processes
This requirement says you must regularly perform penetration testing audits on your application/infrastructure. However, do not limit the tests to basic security checks such as ensuring services are up to date, checking firewalls, or checking the SSL certificate. Go in-depth and perform threat modeling, social engineering attacks, insider attacks, and even simulations of critical infrastructure attacks.
These tests should be performed every few months. Keep in mind that new vulnerabilities are uncovered by security researchers every day, so a penetration test performed today may find vulnerabilities that didn’t exist one month before.
Requirement 12: Maintain a policy that addresses information security for all personnel
An Information Security Policy is a set of rules that define the policies and procedures that must be followed by all personnel to protect the organization against threats. Policies are necessary to minimize the impact of a security incident and ensure business continuity.
Information security policies should cover the physical perimeter, sensitive information protection, access control, human resources, hardware devices, third-party software, communication encryption, a risk assessment process, and an incident response plan. Moreover, the responsibilities of personnel should be clearly defined. Everyone should be aware of the policies and know their responsibilities in protecting customers’ data.
Having strong policies and employees educated on them can significantly reduce the impact of a security incident, so it is worth being prepared.
PCI compliance can seem like an expensive, time-consuming process. Yet the cost of non-compliance in terms of fines and penalties and, even more damaging, the tangible and intangible cost of a data breach to your organization are much higher.
Offering your development teams PCI training online, in a programmatic approach with bite-size lessons to speed up knowledge gain, is one way to streamline upskilling on application security. It helps learners increase their knowledge in a manageable way, while still keeping up with their day-to-day responsibilities.
Treating PCI compliance as a starting point rather than a final destination helps your organization manage risks in a prioritized manner, respond to security incidents more efficiently, and protect both cardholder data as well as the company infrastructure.