By Tommi-Lee Hine-Dickinson, Published Monday, 13th July 2020
At Datcom we help many of our clients achieve PCI DSS compliance each year. I’d like to share a few thoughts on what needs to be considered by organisations who are required to be PCI DSS compliant.
What is PCI DSS compliance and why do I need this?
First off, a little history lesson. Back in 2004, the major card payment providers, including Visa, Mastercard, and American Express, worked together to create version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS). This was intended to provide a base standard for how cardholder data should be stored, processed and transmitted. Now in version 3.2.1, the standards of this latest version have evolved as technology has become more complex and older versions become less secure and easier targets for hackers.This is not to say that everyone needs the latest and greatest technology to become PCI DSS compliant. The standards are built around technologies that are deemed to be difficult to attack and have no major security flaws. For example, it’s perfectly fine to use Windows 8.1 or Windows Server 2012 operating systems, as these are still supported by Microsoft (until 2023), so will be updated with security patches should any vulnerabilities be discovered.For merchants to be able to process card payments, they must comply with PCI DSS standards. How they are audited depends on how many card transactions they process each year. Audits range from a Self-Assessment Questionnaire (SAQ) to an assessment conducted by an external auditor with quarterly internal and external vulnerability scans of the network in question.
How can I tell what is included in the audit?
The scope of the PCI DSS audit includes the network in which the cardholder data is stored, processed, or transmitted. If, for example, there is a card machine on your main network, then all devices connected to this network are in scope of the audit, including workstations, servers, wireless devices, etc.The best way to minimise the scope of the PCI DSS audit is to segregate the cardholder data into its own network, called a Cardholder Data Environment (CDE). This can be easily achieved using technology called Virtual Local Area Networks (VLAN) along with restricting access only to individuals that need it. Most modern business grade network equipment can support these features, so it’s worth investing in managed devices over consumer/home-grade network equipment to aid in shrinking the PCI DSS scope of your organisation. Datcom can assist with making sure you purchase the right devices to suit these requirements. Any software or hardware in use within the CDE must be supported by the vendor, have updates applied regularly, and be replaced when it is deemed no longer compliant with PCI DSS.Along with the cardholder data itself, PCI DSS also brings into scope the organisation’s internet connection, as this is the main entry point to corporate networks. There will be a vulnerability scan performed against the router/firewall (edge device) that connects your organisation to the internet. This scan will effectively prod and poke at the configuration applied to the edge device to see if there is any way for attackers to gain access to the network. If there are any holes or weaknesses discovered, these are reported back to the organisation by the auditor and will require mitigation before the PCI DSS certification is granted.
With cybersecurity becoming an increasingly important consideration for organisations globally, and the number of vulnerabilities found in the past 3 years dwarfing the previous trends, we can expect the PCI DSS standards to become stricter in the coming years. At Datcom we can help you to stay compliant and recommend ways for your organisation to stay ahead of the changing security requirements for not only PCI DSS, but other accreditations such as Cyber Essentials. We’ll assist your organisation in making the best choices going forward, so there are fewer security surprises later down the road.
By Tommi-Lee Hine-Dickinson