Your Helpful PCI-DSS Audit Checklist

Your-Helpful-PCI-DSS-Audit-Checklist

In 2019, global retail sales grew by 3.4% from the previous year to hit $21 trillion. Global eCommerce accounted for 16.4% of total retail sales at $3.46 billion. Ecommerce sales continue to grow, thanks to globalization and the internet. 

This growth also comes with a few challenges, among which is payment card fraud. In 2018, payment card fraud amounted to $27.85 billion and was expected to hit $35.67 billion in the next five years.

If you intend to pursue the e-commerce route, you’ll need to consider a few things, one of which is the payment method. How many payment alternatives will you offer your customers? Are the payment methods secure?

Your customers will offer you their financial data on a silver plate; they expect that it’s secure and confidential. To guarantee this, you need to prove that you’re PCI-DSS compliant.

What is PCI-DSS?

This is a set of standards formulated by the PCI Security Standards Council. This council is made up of major credit card companies who joined forces to create security standards that protect credit card data.

As a merchant, your compliance guidelines are dictated by the number of annual transactions. Merchants are grouped into four levels:

  • Level 1

This covers merchants who handle over 6 million transactions every year or have experienced a data breach.

  •  Level 2

Merchants who handle 1-6 million transactions annually.

  •  Level 3

Merchants with less than a million transactions but more than 20,000 annual transactions.

  •  Level 4

Merchants with less than 20,000 annual transactions.

Each of these levels has different compliance requirements. The more the transactions you process every year, the tougher the compliance requirements become.

PCI DSS Compliance Checklist

PCI has six control objectives that constitute twelve compliance requirements. These requirements are not subject to merchant levels; thus, all merchants are required to adhere to the compliance requirements regardless of transaction volume.

These control objectives include:

  1. Secure Network and Systems

This control objective has two requirements:

  • Protect cardholder data by installing and maintaining a firewall

Firewalls are barriers that protect your network by preventing security threats from accessing or spreading through your network. Firewalls act as filters that determine whether information passing from one computer to another is safe or not.

  • Limit the use of vendor-supplied passwords

Every system comes with security parameters, among which are passwords. These passwords are often easy to hack; thus, you should change them before you deploy the systems. Ensure that you update system configurations and security measures as you identify new threats.

  1. Protect Cardholder Data

Cardholder data refers to personally identifiable information that’s associated with a credit or debit cardholder. According to PCI DSS, cardholder data includes PAN, which is the unique payment card number used to identify the cardholder’s account and the issuer. The standards require that merchants encrypt the transmission of cardholder data and protect stored cardholder data as stipulated in the guidelines.

  1. Implement vulnerability protection programs 

Create a program to help you identify weaknesses in your payment card infrastructure system. Hackers will exploit these vulnerabilities to access your cardholder which you can mitigate by:

  • Implementing measures to protect your systems against cyberattacks such as malware.
  • Maintain secure systems
  1. Access control measures

Limit access to cardholder data by vetting everyone who needs access to this data. This is achieved by:

  • Restricting access to cardholder data

Only authorized personnel should have access to this data. Limit the privileges of everyone to a need-to-know basis and deny all other access unless authorized.

  • Authenticate access

Employees that have access to cardholder data should be assigned unique identification. They will use these identifications to access the data, thus making it easy to track how data is handled. Do not use group IDs; every member with access needs unique identification.

  • Restrict physical access to the data

Your onsite systems are also vulnerable to attacks or internal leaks; thus, you need to put measures in place to limit physical access to cardholder data.

  1. Monitoring and testing networks

Monitor your physical and wireless networks to identify vulnerabilities that cybercriminals can exploit to gain unauthorized access to your systems and data. To prevent cybercriminals from exploiting these vulnerabilities, you are required to:

  • Thoroughly track, analyze, and monitor cardholder environments in search of weakness.
  • Frequently test your system components, processes, etc. to ensure that you maintain security over time. 
  1. Information security

Your business needs a strong security policy that details the responsibilities of your employees towards protecting cardholder data.

Conclusion

PCI compliance isn’t a guarantee that your systems and data are safe; hundreds of companies have experienced data breaches despite being PCI-DSS compliant. Achieving compliance is merely a baseline. You need to meet the requirements as stipulated by the governing body and implement extra measures that protect your systems from emerging threats. You can never be too sure when dealing with cybersecurity, going the extra mile helps prevent cyber attacks.

Your Helpful PCI-DSS Audit Checklist, PayTabsAbout the author

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.