PCI Compliance: 12 Steps for Security, Even If You Never Touch A Credit Card
If you think your organization is lucky enough to be free of compliance burdens such as PCI, HIPAA, SOX, or others, think again. Compliance may be the best thing for your organization, even if you are not required to comply. PCI compliance is a shining example of a set of standards that could prove paramount in achieving cyber-resiliency.
Let’s break it down
The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to heighten the security of credit, debit, and other card transactions. The foundation of this standard is the protection of sensitive payment information. However, some organizations are adapting that foundation to their own sensitive data requirements, even when no payment card data is present. This is not a new concept; it has been used widely across industry sectors by entities seeking a roadmap to a stronger cybersecurity posture.
Swapping the Foundation
Organizations can substitute their own sensitive or proprietary data for the payment card data within PCI DSS. For example, an organization may hold proprietary information such as trade secrets, formulas, competitive advantages, protected processes/methodologies, or any other data of value, and treat that information as if it were payment card data. PCI DSS classifies systems as either in scope or out of scope as follows:
In scope:
- System components that store, process, or transmit cardholder data or sensitive authentication data.
- System components that are on the same network segment as systems that store, process, or transmit cardholder data.
- System components directly connected to the cardholder data environment.
- System components indirectly connected to the cardholder data environment.
- System components that impact the configuration or security of the cardholder data environment.
- System components that provide security services to the cardholder data environment.
- System components that segment cardholder data environment systems from out-of-scope systems and networks.
- System components that support PCI DSS requirements.
Out of scope:
- System components that do not store, process, or transmit cardholder data or sensitive authentication data.
- System components that are NOT on the same network segment as systems that store, process, or transmit cardholder data.
- System components that cannot connect to any systems in the cardholder data environment.
- System components that do NOT meet any of the criteria described for connected-to or security-impacting systems.
Organizations that do not store, process, or transmit any cardholder data or payment information, but wish to adequately protect their sensitive information, can apply the same scoping criteria to their own data. For example, "cardholder data" may be replaced with "sensitive company information." Through this exchange, the entity identifies and classifies the systems that would pose the most risk to the organization if breached.
The 12 Steps to Success
PCI DSS has 12 main requirements, grouped under six goals, and over 260 granular sub-controls that guide organizations in implementing security controls across their sensitive data environments. By performing the same swap of cardholder data for sensitive company information, organizations can leverage this structure to implement a cybersecurity governance and protection program. The 12 PCI DSS requirements, grouped by goal, are as follows:
Goal: Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Goal: Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Goal: Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Goal: Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Goal: Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Goal: Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors.
From Macro to Micro
Stemming from the top-level goals above, there are over 260 sub-controls that can also be leveraged for guidance on protecting sensitive or valuable information other than payment card data. One PCI sub-control that applies in any situation is shown below:
Control 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.
This is a shining example of a control that every organization should be able to achieve. With data breaches increasing rapidly and plaguing every industry sector, this control should be a requirement for every organization.
Reinforcing Best Practices
The current threat landscape is growing, and organizations are being targeted regardless of their industry sector or business area. Organizations that fall under requirements such as PCI DSS, HIPAA, SOX, or other regulations have an obligation to comply with them. However, these obligations come with a roadmap to an enhanced security posture. Unfortunately, no national requirement gives organizations a common set of standards for achieving such cyber-resilience. Therefore, entities should consider adopting one or more of the current regulatory standards, such as PCI DSS, to protect themselves.
Implementing an effective cybersecurity program begins with a framework or roadmap. Without this crucial first step, organizations often find themselves navigating the treacherous waters of cybersecurity without a fully developed plan of action. Using standards such as PCI DSS in organizations that hold no cardholder data is a step in the right direction. A recent report by the ID Theft Center found that data breaches rose over 44.7% from 2016 (Idtheftcenter.org). The numbers are staggering, and cyber threat actors are not only targeting large multinational enterprises and governments; they are targeting all types of businesses, regardless of size and market segment. Protecting your critical data should start today with a strong foundational choice: a well-known and comprehensive set of standards based on industry-trusted best practices, formulated and accepted by cybersecurity subject matter experts.