PCI DSS Compliance: Safeguarding Your Payment Card Data

This is part of a series on data compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards designed to protect cardholder data. It is mandated by the major credit card brands (Visa, Mastercard, American Express, Discover, and JCB) for any organization that handles, stores, or transmits cardholder data.

Why is PCI DSS Compliance Important?

  • Protect Your Business: Non-compliance can result in hefty fines, loss of customer trust, and potential business closure.
  • Safeguard Customer Data: PCI DSS helps prevent data breaches and identity theft.
  • Maintain Industry Relationships: Compliance demonstrates your commitment to security and fosters strong relationships with payment processors.

Key Requirements of PCI DSS

The PCI DSS outlines 12 key requirements:

  1. Install and maintain a firewall configuration to protect cardholder data: This requirement mandates the implementation of a firewall to create a secure network perimeter, preventing unauthorized access to cardholder data systems.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters: It's crucial to change default passwords and security settings provided by vendors to strengthen security and prevent unauthorized access.
  3. Protect stored cardholder data: Cardholder data must be encrypted when stored. Only necessary data should be stored, and access to it should be restricted to authorized personnel.
  4. Encrypt transmission of cardholder data across open, public networks: Cardholder data must be encrypted while in transit over public networks using protocols like TLS or SSL to protect it from interception.
  5. Use and regularly update anti-virus software or programs: Anti-virus software helps protect systems from malware that can steal or damage cardholder data. It's crucial to keep anti-virus software up to date.
  6. Develop and maintain secure systems and applications: Organizations must design and develop systems and applications with security in mind, following secure coding practices and regularly testing for vulnerabilities.
  7. Restrict access to cardholder data by business need to know: Only authorized personnel who require access to cardholder data for their job duties should be granted access. Implementing role-based access controls is essential.
  8. Assign a unique ID to each person with computer access: Tracking user activity is crucial for security. Assigning unique IDs to individuals helps monitor access to systems and data.
  9. Restrict physical access to cardholder data: Physical security measures, such as locked doors, surveillance cameras, and restricted access to data centers, are essential to protect cardholder data from theft.
  10. Track and monitor all access to network and cardholder data: Organizations must implement systems to monitor and audit network and cardholder data access to identify potential security incidents.
  11. Regularly test security systems and processes: Conducting regular vulnerability scans, penetration tests, and other security assessments helps identify and address weaknesses in systems and processes.
  12. Maintain an information security policy: Documenting security policies and procedures helps ensure that employees understand their responsibilities and how to protect cardholder data.

A closer look at Requirement 3: Protect stored cardholder data

PCI DSS defines a “Cardholder Data Environment” (CDE) as:

“The system components, people, and processes that store, process, or transmit cardholder data or sensitive authentication data and/or system components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.”

The CDE is anywhere payment card data is located, and it can be physical (paper) or electronic. The electronic CDE is generally firewalled off (Requirement 1), and the PCI audit happens within this firewalled network. The point of Requirement 3 is that even within the CDE, all cardholder data must be protected at rest (while it is stored) and in use (in the database and applications).

PCI DSS Requirement 3.5.1 says “PAN (credit card data) is rendered unreadable anywhere it is stored” … and then lists several acceptable methods. Encryption is one of those methods, and its most common implementation is Transparent Data Encryption (TDE): the database software encrypts the data before it is written to disk. This sounds great, but keep in mind that TDE only protects the data from physical theft of the hard drive. That is not what keeps CISOs up at night in modern data centers.

Requirement 3.5.1.2 goes further and says, “If disk-level or partition-level encryption… is used to render PAN unreadable … PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.” In other words, disk encryption alone is not sufficient. Disk encryption is generally done by the operating system (for example, BitLocker in Windows) rather than by the database software.

It is hard to see why TDE is considered sufficient but disk encryption is not: both protect only against physical theft of hard drives. In either case, data in use is not addressed.

Requirement 3.4.1 says, “PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.” The BIN is the first 6 digits of a credit card number and is used to identify the card brand (Visa, Mastercard, etc.) and the issuing bank (Chase, Capital One, etc.).

Requirement 3.4.1 is alluding to the concept of least privilege: employees should see the data they need to do their job and nothing else. Some employees need to see the BIN to route payments to the proper location for processing. Some only need the last four digits to identify the customer. Only a select few need the entire card number to process the payment itself. This fine-grained control requires tools beyond the capabilities of any database.

Baffle implements encryption and masking in a proxy that is placed between the application and database.

Encryption and Masking in a Proxy

With one centralized tool, the credit card data in the database can be encrypted and the applications given least-privilege access to it. The encrypted database not only protects data at rest but also protects data in use, by blocking access by the DBA and the cloud administrator: the DBA can do their job without having access to the sensitive data. If the database is in the cloud, this addresses two issues. First, cloud administrators can do their jobs while still not having access to the data. Second, a misconfiguration that exposes the database does not expose the sensitive data to anybody else who gains access to it. According to the IBM Cost of a Data Breach Report, 82% of breaches are in the cloud.
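The masking rule of Requirement 3.4.1 and the encrypt-and-mask proxy just described, combined in one added example written for this guide (it is not Baffle's code and does not reflect how the Baffle product is built): a small Go program in which a Proxy type sits between the application and a map that stands in for the database table, encrypts the PAN with AES-256-GCM on write, and on read decrypts it and applies a per-role mask, so support staff see only the last four digits, routing staff only the BIN, and payment processors the full number, while anyone reading the table directly (the DBA view) gets ciphertext. The Role names, the Proxy type, the 32-byte key generated in main, and the 4111111111111111 test PAN are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Role is the caller's job function; it decides how much of the PAN is revealed.
type Role int

const (
	RoleSupport  Role = iota // identifies the customer: last four digits only
	RoleRouting              // routes the payment: BIN only
	RolePayments             // processes the payment: full PAN
)

// MaskPAN applies the Requirement 3.4.1 display rule: at most the BIN (first six
// digits, as defined above) and the last four are shown; the role picks which.
func MaskPAN(pan string, role Role) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	bin, middle, last4 := pan[:6], pan[6:len(pan)-4], pan[len(pan)-4:]
	hide := func(s string) string { return strings.Repeat("X", len(s)) }
	switch role {
	case RolePayments:
		return pan, nil
	case RoleRouting:
		return bin + hide(middle) + hide(last4), nil
	case RoleSupport:
		return hide(bin) + hide(middle) + last4, nil
	}
	return "", errors.New("unknown role")
}

// Proxy sits between the application and the database: it encrypts the PAN before
// the row is written and decrypts and masks it on read, so the table never holds plaintext.
type Proxy struct {
	aead cipher.AEAD
	db   map[string][]byte // the "table": customer id -> nonce || ciphertext
}

// NewProxy takes a 32-byte key (AES-256); in a real deployment it comes from a KMS or HSM.
func NewProxy(key []byte) (*Proxy, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Proxy{aead: aead, db: make(map[string][]byte)}, nil
}

// StorePAN is the write path: the application sends plaintext, the proxy encrypts it.
func (p *Proxy) StorePAN(customerID, pan string) error {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The customer id is bound as associated data, so a ciphertext copied into another row fails to decrypt.
	ct := p.aead.Seal(nil, nonce, []byte(pan), []byte(customerID))
	p.db[customerID] = append(append([]byte{}, nonce...), ct...)
	return nil
}

// ReadPAN is the read path: decrypt, then apply the caller's masking policy.
func (p *Proxy) ReadPAN(customerID string, role Role) (string, error) {
	rec, ok := p.db[customerID]
	if !ok {
		return "", errors.New("no such customer")
	}
	ns := p.aead.NonceSize()
	pt, err := p.aead.Open(nil, rec[:ns], rec[ns:], []byte(customerID))
	if err != nil {
		return "", err
	}
	return MaskPAN(string(pt), role)
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a KMS or HSM in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	p, _ := NewProxy(key)
	const pan = "4111111111111111" // constructed test PAN, not a real card
	_ = p.StorePAN("cust-42", pan)
	for _, role := range []Role{RoleSupport, RoleRouting, RolePayments} {
		view, _ := p.ReadPAN("cust-42", role)
		fmt.Printf("role %d sees %s\n", role, view)
	}
	fmt.Printf("DBA reading the row directly sees %x\n", p.db["cust-42"]) // ciphertext only
}
```

The design point worth noting is where the key lives: the proxy holds it, the database does not, which is exactly what makes the DBA and cloud-administrator views useless without going through the proxy's access policy.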

Steps to Achieve PCI DSS Compliance

  • Conduct a Gap Assessment: Identify areas where your organization falls short of PCI DSS requirements.
  • Develop a Remediation Plan: Outline steps to address identified vulnerabilities.
  • Implement Security Controls: Implement necessary security measures, such as firewalls, encryption, and access controls.
  • Employee Training: Educate employees about PCI DSS requirements and their role in protecting cardholder data.
  • Regular Monitoring and Testing: Continuously monitor your network and systems for vulnerabilities.
  • Documentation: Maintain detailed documentation of compliance efforts.

Tools and Resources

  • PCI Security Standards Council (SSC): Provides guidelines, resources, and assessments for PCI DSS compliance.
  • Qualified Security Assessors (QSAs): Independent security professionals who can assess your compliance.

Conclusion

PCI DSS compliance is essential for protecting your business and safeguarding customer data. By following the outlined steps and utilizing available resources, you can effectively implement the necessary security measures to meet PCI DSS requirements.

Additional Resources

  • Webinar: Are you ready for PCI DSS 4.0?
  • Whitepaper: Supporting PCI DSS Privacy and Security Requirements