PCI-DSS Best Practices
This is the only way an organisation can remain compliant, as it is the most effective way to protect customers’ cardholder data from a breach.
By implementing the PCI-DSS best practices listed below, you’ll ensure that your business remains compliant with all the necessary requirements.
Identify and classify cardholder information
Your organisation should know exactly what cardholder information you store during the transactional process and where it is located. Essentially, if you don’t know where the data is kept – how can you keep it secure? This can be solved by implementing a data classification system that will scan your repositories for PCI and classify the data found accordingly.
Encrypt cardholder data both at rest and in transit
PCI-DSS best practices state that cardholder data should be encrypted both at rest and in transit. For data in transit, the encryption used needs to be TLS v1.2 or higher, as previous versions are now out-of-date and not secure enough. Many companies protect card numbers through tokenisation, replacing them with a random token that renders them unreadable to anyone unauthorised to view them. A point-to-point encryption (P2PE) solution is useful for data in transit as it ensures that the information can’t be intercepted by attackers. Your business should also regularly scan your repositories to ensure all PCI is encrypted.
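The repository scans described in the two sections above (finding and classifying cardholder data, then confirming none of it sits unencrypted) can be sketched as follows. This is an added example, not code from the original article or any product: the function names, the classification label and the sample log are constructed for illustration, and the card numbers are test values.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(source: str, text: str) -> list:
    """Return one finding per clear-text PAN, never the PAN itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "masked": mask(digits),
                    "classification": "PCI-cardholder-data",  # hypothetical label
                })
    return findings

# Constructed sample: one order ID, two test PANs, one mistyped PAN.
SAMPLE_LOG = """\
2024-01-10 12:00:01 order=1234567890123456 status=paid
2024-01-10 12:00:02 DEBUG card=4111111111111111 exp=12/27
2024-01-10 12:00:03 DEBUG pan=5555 5555 5555 4444 name=TEST
2024-01-10 12:00:04 retry card=4111111111111112 declined
"""

if __name__ == "__main__":
    for finding in scan_text("app.log", SAMPLE_LOG):
        print(finding)
```

Any finding means a readable card number is stored where it should be tokenised or encrypted; the report keeps only the masked form so the scan output does not become a new store of cardholder data.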
Do not use default passwords
When you install a new network device – including routers, servers, and POS systems – you will see that it will probably come with a default password. This will need to be changed as soon as the network is up and running.
Your business should ensure that you have a watertight password policy in place, and it’s important to keep a regularly updated inventory of all devices and passwords so that these can be updated regularly.
Keep access on a need-to-know basis
A PCI-DSS best practice your business must adhere to is ensuring that access to cardholder data is only available to those who have a genuine business need to have access to it.
Any users, roles, and applications that have access to your customer cardholder data must be meticulously tracked, monitored, and updated whenever necessary.
Restrict physical access to cardholder data
If you store cardholder data physically – for example, keeping paper copies – these documents will need to be secured according to data retention requirements. The room the documentation is kept in should be protected by alarms and cameras, and authorised employees should use an ID to enter. Additionally, you should also use these measures to protect the actual servers and other devices where the PCI is kept.
Assign a unique ID to authorised employees
Any employees authorised to view cardholder data will need to have a unique ID assigned to them, as opposed to shared credentials. This allows for accountability if there is a data breach and would also make it less likely that a disgruntled employee would misuse the data.
Use firewalls and anti-virus solutions
The importance of intrusion prevention solutions cannot be overstated when it comes to PCI-DSS best practices. Your business should ensure that the latest firewalls and anti-virus solutions are installed on all your networks and devices that store cardholder data. This includes POS devices. All software and hardware that stores PCI should also be regularly updated and protected from unauthorised parties accessing them.
Monitor who has access to the data
Due to the sensitivity of the cardholder data involved, your organisation must always monitor access to the PCI data stored. This isn’t just best practice – this is mandatory. Whenever the cardholder data is accessed, moved, edited, or removed, an administrator will need to confirm that this has been done by an authorised party.
Monitor for vulnerabilities
Your business will need to carry out regular scans and assessments to discover any vulnerabilities within your systems and networks. You should also conduct penetration tests where required by PCI-DSS. This allows you to identify and act on threats quickly and effectively.
Give your employees security awareness training
Employees can be a huge risk to your security compliance, regardless of whether this is through negligence or malicious intent. This is why you must ensure your team has received thorough security awareness training. The training will teach your employees to spot suspicious events and any other activity that is out of the ordinary, such as a potential attack. Security awareness training is also useful to ensure they understand the PCI-DSS compliance requirements and the consequences that come with failing to comply.
Document all your findings
Documentation is key when it comes to ensuring that you’re following PCI-DSS best practices. This includes all policies and procedures, as well as an inventory of all network devices and applications that have access to cardholder data. Risk assessments also need to be documented in full, as well as any security incidents – no matter how minor they may seem.
Hicomply can help with PCI-DSS best practices
Following all the recommended PCI-DSS best practices guarantees that your business and consumers are protected from data breaches. However, this may seem quite intimidating – especially with the amount of information you’ll need to document and retain.
At Hicomply, we want to make the process as simple as possible for businesses. Our ISMS dashboard is designed to help you manage all your documents with ease - giving you compliance while you work.