What Is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply to any organization that processes, accepts, stores, or transmits credit card payments. The PCI DSS was established by the Payment Card Industry Security Standards Council (PCI SSC), a group of payment card companies, to ensure that all companies that handle credit card information do so securely and responsibly.

The PCI DSS includes requirements for protecting cardholder data, maintaining a secure network, maintaining an effective vulnerability management strategy, implementing strong access controls, and regularly monitoring and testing networks.

Organizations that handle credit card payments must be PCI DSS compliant to accept payments from customers. This may involve periodic assessments and audits to ensure that the organization follows security practices and procedures.

Failure to comply with the PCI DSS can result in financial penalties, damage to the organization’s reputation, and loss of customers. Thus, it is important for any organization that handles credit card payments to be familiar with the PCI DSS and maintain compliance with its requirements.

PCI DSS Cybersecurity Requirements

The PCI DSS includes several requirements related to cybersecurity, which are designed to help ensure that organizations that handle credit card payments are protecting cardholder data and maintaining a secure network.

Install and Maintain a Firewall

The PCI DSS requires organizations to maintain a network firewall to protect cardholder data and maintain a secure network.

A firewall is a security mechanism that controls both incoming and outgoing network traffic according to predetermined security policies. It is designed to prevent unauthorized access to or from a network while permitting authorized communication to pass through.

To comply with the PCI DSS requirement to install and maintain a firewall, a covered entity must implement correct firewall configurations to protect all cardholder data. This may involve setting up firewall rules that control access to systems that store or process cardholder data and configuring the firewall to block unauthorized attempts to access the network.

In addition to installing a firewall, the PCI DSS requires organizations to maintain the firewall to ensure it is functioning correctly and is up to date with the newest security patches. This may involve regularly checking the firewall configuration, testing it to ensure that it is working properly, and updating the firewall with the latest security patches.

Encrypt Transmission of Payment Card Data Across Public and Open Networks

The PCI DSS requires organizations to encrypt the transmission of cardholder data across public networks.

Encrypting data involves converting it into a coded format that only someone with the appropriate decryption key can access. This helps to prevent data from being accessed by unauthorized entities while it is being transmitted over a network.

Complying with the PCI DSS requirement to encrypt the transmission of cardholder data over public networks may involve implementing secure protocols such as Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), to encrypt data as it is transmitted.

In addition to encrypting cardholder data in transit, the PCI DSS also requires organizations to protect the security of any encryption keys used to decrypt the data. This may involve implementing strong access controls that block unauthorized access to the keys and regularly rotating and updating them to ensure they remain secure.

Develop and Maintain Secure Applications and Systems

An organization must implement measures to ensure that its systems and applications are designed and developed with security in mind. This may involve following secure coding practices, such as input validation and sanitization, to prevent vulnerabilities from being introduced into the code and regularly testing and patching systems and applications to address any identified vulnerabilities.

In addition to creating secure proprietary systems and applications, the PCI DSS also requires organizations to implement measures to protect against vulnerabilities in third-party applications. This may involve regularly reviewing and testing third-party applications for vulnerabilities, mapping application dependencies, and implementing measures to address identified vulnerabilities.

Use Up-to-Date Antivirus Software

The PCI DSS requires organizations to use and regularly update antivirus software.

Antivirus software is designed to detect and remove malicious software, such as viruses and other malware, from a computer or network. It helps to protect against threats such as ransomware, which encrypts data and holds it hostage until a ransom is paid, and spyware, which steals sensitive information. An essential complement to antivirus is a cloud backup solution, which can help recover data after a successful ransomware attack.

To comply with the PCI DSS requirement to use and regularly update antivirus software, an organization must ensure that antivirus software is installed and running on every system that stores or processes cardholder data. This may involve installing antivirus software on all servers, workstations, and other devices connected to the network.

In addition to installing antivirus software, the PCI DSS requires organizations to regularly update it so that it can detect and remove the latest threats. This may involve setting up automatic updates to ensure that the software is always up to date, or regularly checking for updates and installing them manually.

Assign User Access Identification

The PCI DSS requires organizations to assign user access identification.

An organization must implement measures to ensure that each user who accesses systems that store or process cardholder data has a unique user identifier, such as a username or employee number. This helps to ensure that each user’s activity can be traced and monitored and that unauthorized access to corporate systems can be detected and prevented.

In addition to assigning unique user identifiers, the PCI DSS requires organizations to implement strong access controls to prevent unauthorized access to systems that store or process cardholder data. This may involve requiring users to authenticate with passwords and other authentication factors, and implementing measures such as two-factor authentication to increase the security of the login process.

Track and Monitor Network Access

The PCI DSS requires organizations to track and monitor network access and keep an audit trail of network activity for a minimum of one year.

An organization must implement measures to track and monitor access to its network and systems that store or process cardholder data. This may involve implementing logging and monitoring systems that track user activity, such as logins, file access, and data changes.

In addition to tracking and monitoring access, the PCI DSS requires organizations to review log files regularly to identify any unusual or suspicious activity. This may involve setting up alerts to notify administrators of potential security threats or conducting regular reviews of log files to identify security issues.

Ongoing Systems and Process Testing

The PCI DSS requires organizations to perform ongoing systems and process testing.

An organization must implement measures to regularly test its systems and processes to identify and address any vulnerabilities. This may involve conducting regular vulnerability scans and penetration tests to identify potential security weaknesses and implementing measures to address any identified vulnerabilities. External IPs and domains may need to be scanned by a PCI Approved Scanning Vendor (ASV).

In addition to testing systems and processes, the PCI DSS also requires organizations to regularly review and update their security policies and procedures to ensure that they are still practical and relevant. This may involve reviewing and updating policies and procedures in response to changes in the organization’s operations or the threat landscape.

Conclusion

In conclusion, the PCI DSS is a security standard that applies to organizations that accept, process, store, or transmit credit card payments. The PCI DSS includes several requirements related to cybersecurity, including installing and maintaining a firewall, encrypting the transmission of cardholder data, using and regularly updating antivirus software, developing and maintaining secure systems and applications, assigning user access identification, tracking and monitoring network access, and conducting ongoing systems and process testing.

Compliance with the PCI DSS is essential for protecting customers’ sensitive financial information and maintaining stakeholders’ trust. It is crucial for organizations that handle credit card payments to be aware of the PCI DSS requirements and to have systems in place to ensure that they are in compliance. By following the PCI DSS requirements, organizations can help to ensure that they are protecting cardholder data and maintaining a secure network. They can help to reduce the risk of a data breach or other security incident.

How can Atlantic.Net help? Atlantic.Net provides PCI-ready hosting services and solutions. We maintain multiple processes to provide the best protection, such as a risk assessment and monitoring user access to payment data.

PCI-Compliant Hosting Requirements: 12-Point Checklist

PCI DSS is a global program that businesses and organizations around the world must uphold if they want to accept payment cards, such as credit cards or debit cards. The PCI Security Standards Council's purpose is to create and maintain this security standard, the PCI DSS (Payment Card Industry Data Security Standard), which each merchant must abide by. PCI compliance is critical for many businesses, so we have created a list of the principal PCI-compliant requirements that every PCI DSS-compliant web host should meet.

How do I protect the network for PCI compliance?

Install and maintain a firewall configuration to protect cardholder data

The firewall is the front door to a network and must be adequately protected from internally or externally routed traffic over trusted and untrusted networks. All layers of the network are in scope, such as the open internet, VPN connectivity, wireless networking, and corporate networks.

The network security design must be documented, and amendments must be managed by change control in dev, test, and production configurations. Importantly, the flow of card data around the network must be known and documented. Other key points: roles and responsibilities must be defined in terms of who will manage the network (typically a network engineering team), all unused switch ports must be shut down, all undefined traffic must be denied by default, and any discovered vulnerabilities in the network hardware must be patched.

How can Atlantic.Net help? Thanks to the robust training provided to our employees for our HIPAA-ready hosting services, all Atlantic.Net employees are already trained to PCI standards for a PCI-compliant hosting provider. We maintain multiple processes to provide the best protection, such as a risk assessment and monitoring user access to payment data.

to meet PCI-DSS standards?

Do not use vendor-supplied defaults for system passwords and other security parameters

It is very easy for a malicious user to compromise a system if the vendor passwords have not been changed from their defaults. Default passwords are documented all over the Internet, so it is recommended to disable the default accounts and create unique ones. Any wireless network must be protected with strong encryption (minimum WPA2) and complex passwords.

PCI-DSS also requires that configuration standards be met for server builds, including security and server hardening to close off vulnerabilities, operating system patching, application updates, and more. You must also have only one primary function per server; a single server must not do every task required by the business. Often front-end, DMZ, mid-tier, and backend services are divided to create a secured hierarchy, and the technical teams must be aware of the security policies put in place to protect these systems.

How can Atlantic.Net help?
All our systems are already hardened to provide the best level of security and compliance. If you use our Managed Services you will automatically inherit this best practice from our audited environment. Our support teams and consultancy services can advise on patching schedules, security best practices, and more.

How do I protect stored cardholder data?

Credit card data should only be stored when necessary. If your organization does store primary account numbers, or PANs (in this case payment card numbers), they should be encrypted. When displayed, the PAN should be masked and truncated; one-way hash functions based on strong cryptography can be used to render cardholder data unreadable.

The storage of full track data, PINs, and validation codes is prohibited, and there are strict rules on data retention – remember, if you don’t need it, don’t store it!
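As an added example (not code from this page or from Atlantic.Net), the following Python shows the three treatments the paragraphs above name for a PAN: masking for display (at most the first six and last four digits visible), truncation, and a keyed one-way hash, plus dropping the fields that must never be stored. The key value, field names, and sample record are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the keyed hash (hypothetical value). In a real deployment the key
# lives in an HSM or key-management service and is never hard-coded.
HASH_KEY = b"example-hmac-key-replace-me"

# Sensitive authentication data that PCI DSS forbids storing after authorization.
PROHIBITED_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "pin_block", "track1", "track2"}

# Constructed sample transaction record (well-known test card number, fake values).
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "cvv": "123",
                 "track2": "<fake track data>", "amount": "12.50"}


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn check so that only plausible card numbers are treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncated form: permanently keep only the last four digits."""
    return _digits(pan)[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way keyed hash (HMAC-SHA256) of the full PAN, for lookups without storing it.
    Keep hashed and truncated copies of the same PAN apart: together they narrow the
    search space for reconstructing the number."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def scrub_record(record: dict) -> dict:
    """Storable copy of a transaction: PAN replaced by its hash, prohibited fields dropped."""
    out = {}
    for k, v in record.items():
        if k.lower() in PROHIBITED_FIELDS:
            continue                   # never persist CVV, PIN or track data
        if k.lower() == "pan":
            out["pan_hash"] = hash_pan(v)
        else:
            out[k] = v
    return out


if __name__ == "__main__":
    print("display:", mask_pan(SAMPLE_RECORD["pan"]))
    print("stored: ", scrub_record(SAMPLE_RECORD))
```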

How can Atlantic.Net help? Atlantic.Net systems use AES encryption as standard, and our teams are highly trained in security best practices when handling sensitive data, as with PCI-compliant web hosting. All employees are vetted before employment and we conduct regular training for the team. Ask about our SOC audits as well! They are a critical part of PCI-DSS.

How do I secure cardholder data transmission?

Encrypt transmission of cardholder data across open, public networks

When you accept credit card payments for secure processing on your company’s web server or share cardholder data across networks, sensitive data must be encrypted during transmission over the Internet, WiFi, private networks, and site-to-site connections. All websites must be secured with TLS (HTTPS), and there are strict rules on how PAN data can be transmitted. Always ensure this is done in a secure environment; never transmit PAN data over email, SMS, or mobile messaging apps, since such channels are easily intercepted, and they should be routinely monitored for accidental transmission of card data.

How can Atlantic.Net help?
We can provide secure point-to-point VPN connectivity into our data centers, and our managed services teams can assist with key management and website certificates.

How do I meet PCI-DSS vulnerability protection requirements?

Develop and maintain secure systems and applications

Vulnerability scanning will identify all the known vulnerabilities affecting the infrastructure. This landscape rapidly changes, and it is important to stay one step ahead. The majority of vulnerabilities have already been identified by the manufacturers and patches are available rapidly.

Any custom applications must be built to PCI DSS compliance standards regarding access to and encryption of source code. Never hard-code secrets such as keys or credentials into source code, and never publish them to public repos like GitHub. Databases require special attention to prevent buffer overflow and SQL injection weaknesses.

How can Atlantic.Net help?

We already invest heavily in threat reduction and are continuously monitoring our platforms for weaknesses. Our teams manage the security of the Cloud Infrastructure and our managed services teams are available to advise on patching schedules and system maintenance.

Should access to cardholder data be restricted?

Restrict access to cardholder data by business need-to-know

Employee roles and business need-to-know should guide the development of access controls so that unauthorized use does not occur. The basic idea of need-to-know is that you only give a user the extent of privileges and amount of data necessary to conduct their tasks. Zero Trust should be integrated into your access control system, as indicated by the PCI Council’s instructions to “‘deny all’ unless specifically allowed.”

How can Atlantic.Net help?
Our PCI-compliant hosting consultancy team can help assign the least privileges to employees and introduce technical safeguards to restrict access to cardholder data. All Atlantic.Net employees who have access to these systems are trained on the security requirements of PCI-DSS.

How can I know who is accessing my systems?

Identify and authenticate access to system components

To meet PCI compliance standards, you need to know who is doing what within the system, and you want all activities to be easily trackable so that you can monitor and verify. Do not give anyone access to critical systems or data unless you have first given them a unique user ID. A password, passphrase, or multi-factor authentication (MFA) should be standard. MFA should be used for all remote access, including VPN and dial-in connections, using tokens or other authentication factors.

How can Atlantic.Net help?
Our managed services teams can create users and computers to meet the required security parameters and enforce the correct password policy and key rotation requirements. We can configure automated alerts to identify when user accounts have not been used for X days. In addition to our PCI-Compliant Hosting services, we also offer a managed Multi-Factor Authentication service.

How secure are the Atlantic.Net data centers?

Restrict physical access to cardholder data

Data is, of course, stored on real systems, and any access to physical systems presents the opportunity for theft. To achieve PCI-compliant hosting requirements, the provider’s data center should restrict physical access. Facility entry controls should be used. Before any outsider enters a space in which cardholder data is present or is being processed, they should receive a physical token that they give back before departure.

How can Atlantic.Net help?
In our multiple data center locations, security is paramount. We employ a permanent security presence, and our buildings are protected by CCTV, door access controls, and access control lists. Only authorized users are allowed in the data center and all cabinets are locked. All unused network ports are closed throughout the data center and strict visitor controls are in place.

Is it possible to monitor all activity for PCI-DSS?

Track and monitor all access to network resources and cardholder data

Being able to track exactly what a given user is doing by logging all steps they take allows you to perform vulnerability management and forensics in an organized fashion. Logs allow you to analyze events much more specifically and efficiently, so that if any issues arise you can understand how hacking or other improper use occurred. To meet PCI standards, you want automated audit trails in place so that you can review any activities.
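As an added example (not code from this page or from Atlantic.Net) covering this section and the earlier "Track and Monitor Network Access" and unique-user-ID requirements, the following Python reviews a constructed audit trail: it flags logins with shared or generic IDs, flags a successful login that follows a burst of failures from the same source, and checks that the retained history spans the one-year minimum. The log format, thresholds, and account names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (key=value syslog style); not real data.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z host=pos-db1 user=alice action=login result=success src=10.0.5.21
2024-03-01T08:05:40Z host=pos-db1 user=alice action=read object=cardholder_txn result=success src=10.0.5.21
2024-03-01T23:14:02Z host=pos-db1 user=admin action=login result=success src=10.0.9.77
2024-03-01T23:15:30Z host=pos-db1 user=admin action=read object=cardholder_txn result=success src=10.0.9.77
2024-03-02T02:10:01Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:03Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:05Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:07Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:09Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:11Z host=pos-web1 user=bob action=login result=failure src=203.0.113.5
2024-03-02T02:10:20Z host=pos-web1 user=bob action=login result=success src=203.0.113.5
"""

# Generic or shared identifiers that defeat the "one unique ID per user" requirement (assumed list).
SHARED_IDS = {"admin", "root", "administrator", "guest", "operator"}
FAILED_LOGIN_THRESHOLD = 5              # failures per (user, source) inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one audit line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts, TS_FORMAT)
    return event


def review_audit_log(text: str) -> list:
    """One pass over the trail; returns (rule, user, detail) findings for an analyst to act on."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e["ts"])
    findings = []
    failures = defaultdict(list)        # (user, src) -> timestamps of failed logins
    for ev in events:
        if ev.get("action") != "login":
            continue
        user, src = ev.get("user", "?"), ev.get("src", "?")
        # Rule 1: shared/generic account used at all - activity cannot be traced to a person.
        if user in SHARED_IDS:
            findings.append(("shared-account-login", user, src))
        # Rule 2: success after a burst of failures from the same source inside the window.
        if ev.get("result") == "failure":
            failures[(user, src)].append(ev["ts"])
        elif ev.get("result") == "success":
            recent = [t for t in failures[(user, src)] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                findings.append(("success-after-failures", user, f"{len(recent)} failures from {src}"))
    return findings


def retention_ok(oldest: str, newest: str, required: timedelta = timedelta(days=365)) -> bool:
    """PCI DSS asks for at least one year of audit history; check the span actually kept."""
    span = datetime.strptime(newest, TS_FORMAT) - datetime.strptime(oldest, TS_FORMAT)
    return span >= required


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(*finding)
```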

How can Atlantic.Net help?
Atlantic.Net maintains detailed audit logs of all access on our systems. We use machine learning to predict unexpected access, and alerts are automatically generated to our support personnel.

Who is responsible for pen-testing?

Regularly test security systems and processes

Security gaps are often revealed through hacking. Testing security protocols, hardware, and software will keep you secure long-term. Check which wireless devices are in use with a wireless analyzer at least quarterly, or alternatively use a wireless intrusion prevention system (IPS). Network vulnerability scans should be performed once each quarter and also following major changes within the network. Perform penetration testing annually at a minimum.

How can Atlantic.Net help?
We perform quarterly vulnerability scanning for our PCI-compliant hosting customers, and identified threats are responded to quickly and under change control. Annual penetration tests are conducted to confirm that our infrastructure is in the best shape possible for our clients.

Who needs to understand the rules of PCI compliance? My staff, or just my PCI-compliant hosting provider?

Maintain a policy that addresses information security for all personnel

Beyond PCI-compliant server requirements, you also need personnel interacting with the systems to be well-equipped. Everyone on staff should know their PCI compliance responsibilities for safeguarding sensitive data. Create, update, and distribute a PCI compliance information security policy that lets your employees know about PCI DSS rules. For internal environments, create usage policies to shape expectations for employees and contractors.

How can Atlantic.Net help?
All Atlantic.Net employees are trained to PCI standards for a PCI-compliant hosting provider. We maintain multiple processes to provide the best protection, such as a risk assessment and monitoring user access to payment data.
