Even with the abundance of documentation available to your organization, PCI DSS compliance may seem like a tall mountain to climb. At nGuard, we often see clients of all sizes struggle to obtain compliance for a variety of reasons. Clients with both mature and immature security postures often struggle to decide which actions to take, which policies and procedures to implement, and which infrastructure changes to make when attempting to become PCI compliant. Here are a few tips to consider when PCI compliance is mandatory for your organization.
1. Limit or Reduce Scope
The first tip we always give customers is to limit or reduce scope, and this can be done in several different ways.
- Segment your network to separate your infrastructure that handles any processing, transmitting, or storing of payment card data away from general business-related systems. By implementing segmentation and isolating devices that are used to process payment card data, you reduce the overall scope in play for PCI. This in turn limits the time and money your organization will spend when attempting to become compliant.
- Outsource any handling of payment card data to PCI compliant third parties. By transferring responsibility for cardholder data to a PCI compliant third party, you can check the box on multiple PCI DSS requirements while making fewer internal changes to IT infrastructure and processes.
2. Use Point-to-Point Encryption
Point-to-point encryption (P2PE) encrypts the cardholder data the moment a card is swiped or inserted into a point of interaction (POI) device. PCI has many approved P2PE solutions that meet its standards. PCI DSS approved P2PE solutions transfer the data from the POI to the destination where processing occurs without interacting with any systems between the source and destination. This is different from end-to-end encryption (E2EE), which often does interact with systems between the source and destination. Using a P2PE solution will completely transfer any and all accountability for PCI compliance onto the P2PE provider. As a merchant, when it comes time to fill out your annual PCI Self-Assessment Questionnaire (SAQ), the P2PE SAQ requires only four sections and 35 questions to be answered. This is significantly less than covering all twelve categories and hundreds of questions when completing other SAQ types.
3. Create a PCI Compliant Password Policy
At nGuard we often deal with clients who are not PCI compliant because of their organization's password policy. While password best practices vary between security frameworks, when it comes to PCI compliance be sure your organization has a written policy that, at a minimum, meets PCI DSS requirements. To meet PCI compliance, passwords must:
- Be a minimum of seven characters long
- Include numeric and alphabetic characters
- Expire within ninety days
- Not be identical to the previous four passwords
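The four requirements above can be enforced mechanically at password-change time. The following is an added example written for this article, not nGuard's code or part of any PCI tool; the hash function and the list-based history store are stand-ins, and the function and parameter names are our own.

```python
"""Minimum PCI DSS password checks: seven characters, letters and digits,
ninety-day expiry, and no reuse of the previous four passwords.
The SHA-256 digest below is only a placeholder so the history never holds
plaintext; a real system would use a slow password hash such as bcrypt or Argon2.
"""
from datetime import date, timedelta
import hashlib
import hmac

MIN_LENGTH = 7
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 4


def password_digest(password: str) -> str:
    # Placeholder hash for the history store (see module docstring).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(candidate: str, history_digests: list[str]) -> list[str]:
    """Return the policy violations for a proposed password.

    history_digests holds digests of past passwords, oldest first.
    An empty result means the candidate is acceptable.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no numeric character")
    new_digest = password_digest(candidate)
    # Only the most recent four entries count toward the reuse rule.
    for old in history_digests[-HISTORY_DEPTH:]:
        if hmac.compare_digest(new_digest, old):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the ninety-day maximum (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```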
4. Conduct Regular Security Testing
Of the eight different SAQ types, many require that various levels of penetration testing be completed at different intervals throughout the year. Depending on your SAQ type, you may be required to conduct annual external and internal penetration tests, web application penetration testing, quarterly Approved Scanning Vendor (ASV) vulnerability scans, annual or semi-annual segmentation validation, and so on. Conducting these tests not only aligns your organization with PCI compliance but also reduces the number of vulnerabilities present in your environment once remediation is complete. When it comes to security, you can never test or scan your infrastructure too much.
5. Speak to a PCI DSS Expert
As stated at the beginning, PCI compliance can be a lengthy, complicated, and time-consuming process for your organization's resources. When in doubt, speak to a PCI Qualified Security Assessor (QSA), have them answer your questions, and let them walk you through the PCI standards. A PCI QSA can make determining your PCI scope, choosing the SAQ type to fill out, and deciding which requirements need to be met a quick and easy process. All of this can be done in a matter of days rather than months.
nGuard is staffed with several PCI Qualified Security Assessors and is ready to work with you and your organization to assist in the uphill battle that is PCI DSS compliance.