The Payment Card Industry Data Security Standard (PCI DSS) was created by the major payment card brands, through the PCI Security Standards Council, as a baseline for merchants and service providers that store, process or transmit cardholder data, with the aim of pushing them toward more rigorous security controls.
PCI DSS defines a large security baseline that every entity handling cardholder data must comply with. The obligations are tiered by transaction volume: some entities handle a small number of card transactions per year, while the largest (Level 1) handle more than 6 million.
Entities that process large volumes, issuing banks among them, are obliged to fulfil the full set of PCI DSS requirements, which range from technological controls to the physical and environmental resources needed to safeguard clients' information.
In technological terms, a secure infrastructure with encryption and key-management capabilities is an issuing bank's greatest asset in this regard.
The PCI DSS 12 requirements:
1. Install and maintain a firewall configuration to protect cardholder data:
Requirement 1 demands more than installing a firewall: the firewall must be configured with explicit rules for inbound and outbound traffic, the rule set must be reviewed at least every six months, and perimeter firewalls must be placed between any wireless networks and the cardholder data environment (CDE).
2. Do not use vendor-supplied defaults for system passwords and other security parameters:
Vendor-supplied default passwords and settings are printed in product documentation and circulate in public lists, so attackers try them first. Change every default password to a strong, unique one, or remove the default account altogether, before a system is connected to the network, and change or disable other insecure defaults as well, such as default SNMP community strings and unnecessary services.
3. Protect stored cardholder data:
Requirement 3 stipulates that stored cardholder data must be protected and that the primary account number (PAN) must be rendered unreadable wherever it is stored. Accepted methods are strong one-way hashing of the entire PAN, truncation, index tokens with securely stored pads, and strong cryptography; masking applies to display, where at most the first six and last four digits may be shown. Sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization, even encrypted. To apply these measures, identify every system holding cardholder data, including servers, laptops and databases, and encrypt the data on all of them. Requirement 3.5 states that any keys used to encrypt cardholder data must be protected against disclosure and misuse.
4. Encrypt transmission of cardholder data across open, public networks:
Requirement 4 addresses the safe transmission of cardholder data across open, public networks. Only strong cryptography and security protocols such as current TLS may be used, with trusted certificates and no fallback to insecure versions; PAN must never be sent unprotected over end-user messaging (e-mail, instant messaging, SMS); and wireless networks carrying cardholder data must use industry best practice for authentication and encryption, since a weak wireless link is an easy route into the Cardholder Data Environment (CDE).
5. Use and regularly update antivirus software:
Malware such as Trojans, worms and rootkits can enter an organizational network through ordinary activity: web browsing, employee e-mail, removable storage and so on. Anti-virus software must be deployed on all systems commonly affected by malware, kept current, run periodic scans and generate audit logs, and it must not be disabled or altered by users without management authorization. Regular updates are essential because new malware appears daily.
6. Develop and maintain secure systems and applications:
Requirement 6 focuses on the systems and applications that store, process or transmit cardholder data: identifying and ranking newly discovered vulnerabilities, applying critical security patches within a month of release, following a secure development life cycle that addresses common coding flaws such as injection and cross-site scripting, and controlling changes. Compliance with this requirement therefore rests mainly with software developers and the IT services that maintain the systems.
7. Restrict access to cardholder data by business need-to-know:
This requirement rests on a simple observation: the fewer individuals with direct access to cardholder data, the lower the probability of a breach or a PCI DSS violation. Access must therefore be limited to people whose job function requires it, granted on a least-privilege basis, and enforced by an access control system that defaults to deny-all. Taking these measures reduces both deliberate and careless mishandling of cardholder data.
8. Assign a unique ID to each person with computer access:
When a unique ID is assigned to every individual, each action can be traced to a person, which provides accountability in the event of a data breach. For compliance with Requirement 8, every user must be assigned a unique ID, shared or generic accounts must not be used, and strong authentication is required, including multi-factor authentication for all non-console administrative access and all remote access into the CDE. A robust process must govern the addition, modification and deletion of IDs, including immediate revocation of access for terminated users.
9. Restrict physical access to cardholder data:
Requirement 9 stipulates that physical access to systems in the cardholder data environment must be controlled for onsite personnel and visitors, and that media containing cardholder data (backups, paper records, removable drives) must be physically secured, tracked and destroyed when no longer needed. Onsite personnel includes everyone working for the company in any capacity, contractors included. Without such controls, anyone with physical access to the devices and systems that hold cardholder data could steal or destroy it.
10. Track and monitor all access to network resources and cardholder data:
Requirement 10 stipulates that the organization must implement audit trails linking all access to system components and cardholder data to an individual user, so that in case of a breach the logs can reconstruct what happened and trace its cause. Logs must be protected from alteration, reviewed at least daily (with automated tooling where volumes are high), generated from synchronized clocks, and retained for at least one year with a minimum of three months immediately available for analysis.
11. Regularly test security systems and processes:
Requirement 11 is about testing, not merely updating: running internal and external vulnerability scans at least quarterly and after significant changes (external scans by an Approved Scanning Vendor), performing penetration tests at least annually, detecting unauthorized wireless access points, and deploying intrusion detection and change-detection mechanisms. Regular testing confirms that the intended level of network protection actually holds and that no gaps are left unattended in routine operations and information security procedures.
12. Maintain a policy that addresses information security:
Any information security policy must be in accordance with PCI DSS, but it is equally important that the policy be comprehensive and address other regulatory and organizational requirements as well. Organizations that write an information security policy specific to PCI compliance alone will struggle to maintain multiple parallel policies and risk ending up with policies that do not align with their business processes. Requirement 12 also calls for a formal risk assessment at least annually, security awareness training for personnel, and an incident response plan that is tested regularly.
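As an added example that is not part of the original post, the Requirement 3 methods applied to a constructed test PAN in Go: masking for display, truncation for storage, and an unkeyed versus a keyed hash. It also demonstrates a point PCI DSS makes explicitly in the guidance to Requirement 3.4: where a truncated and a hashed version of the same PAN both exist, they must not be correlatable, because with the first six and last four digits known an unkeyed SHA-256 is brute-forced over at most a million candidates. The HMAC key is a placeholder; in practice it would be generated and held in an HSM.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// samplePAN is a constructed value: the well-known Visa test number, not a real card.
const samplePAN = "4111111111111111"

// luhnValid reports whether a digit string passes the Luhn check that every
// payment card PAN satisfies. An attacker uses it to discard ~90% of candidates.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) > 0 && sum%10 == 0
}

// truncatedPAN keeps only the first six and last four digits, the most a
// truncated PAN may retain; the middle digits are discarded, not hidden.
type truncatedPAN struct{ First6, Last4 string }

func truncatePAN(pan string) truncatedPAN {
	return truncatedPAN{First6: pan[:6], Last4: pan[len(pan)-4:]}
}

// maskPAN renders a PAN for display. Unlike truncation, the full PAN still
// exists in storage behind the mask.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("x", len(pan)-10) + pan[len(pan)-4:]
}

// unkeyedHash is an unsalted SHA-256 of the PAN: anyone can recompute it.
func unkeyedHash(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// keyedHash is HMAC-SHA-256 under a secret key. Without the key the brute
// force below cannot be run; the key itself must be protected per 3.5.
func keyedHash(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// recoverFromTruncation shows why a truncated PAN and an unkeyed hash of the
// same PAN must never sit side by side: with first six and last four known,
// only the middle digits are unknown (10^6 candidates for a 16-digit PAN).
func recoverFromTruncation(t truncatedPAN, target string, panLen int) (string, bool) {
	middle := panLen - len(t.First6) - len(t.Last4)
	limit := 1
	for i := 0; i < middle; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		candidate := fmt.Sprintf("%s%0*d%s", t.First6, middle, n, t.Last4)
		if !luhnValid(candidate) {
			continue
		}
		if unkeyedHash(candidate) == target {
			return candidate, true
		}
	}
	return "", false
}

func main() {
	key := []byte("demo-hmac-key-held-in-the-hsm") // constructed placeholder, never hard-code a real key
	fmt.Println("display:", maskPAN(samplePAN))
	t := truncatePAN(samplePAN)
	fmt.Printf("stored truncation: %s...%s\n", t.First6, t.Last4)
	if pan, ok := recoverFromTruncation(t, unkeyedHash(samplePAN), len(samplePAN)); ok {
		fmt.Println("unkeyed hash + truncation leaked the PAN:", pan)
	}
	fmt.Println("keyed hash:", keyedHash(key, samplePAN))
}
```

The brute force finishes in well under a second on a laptop, which is the whole point: an unkeyed hash of a PAN is not "rendered unreadable" once a truncated copy exists anywhere in the environment. A keyed hash or a format-preserving token under an HSM-held key does not have this weakness, and the same Luhn shortcut is available to the attacker in either case, so the secret must be in the key, not in the digits.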
HSM devices and certification requirement
For a bank to fulfil these requirements, and Requirement 3.5 on the protection of encryption keys in particular, it is imperative to implement hardware security modules (HSMs). These cryptographic modules come in several form factors: some are as small as a removable USB token, some are PCIe cards installed in a server, and some are large network-attached appliances installed in the data center.
HSM devices must meet the certification requirements of the Federal Information Processing Standard FIPS 140-2 (for new validations now superseded by FIPS 140-3); for payment HSMs the PCI Security Standards Council additionally publishes its own PCI PTS HSM standard.
Banks must procure a device validated under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security, to gain assurance that the cryptographic functions the manufacturer claims are implemented correctly and use approved algorithms.
HSMs provide a critical function as an independent root of trust for key generation and management. A master key is generated inside the HSM and never leaves it in clear; it is used to encrypt (wrap) the data keys used in production, forming a key hierarchy in which the compromise of a server exposes at most wrapped data keys, never the master key.
The HSM then unwraps data keys on demand, and because wrapping is authenticated it can verify that a key presented to it really was wrapped under its own master key, rejecting keys that were tampered with or produced elsewhere. Network firewalls were designed mainly to verify and defend against layer 3 (network) attacks, and they can be misled into treating illegitimate traffic as if it came from a trusted source. The HSM does not depend on network position: it verifies the origin and integrity of keys and certificates cryptographically, and decrypts only what was created under its own keys.
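The master-key/data-key hierarchy described above, as an added example in Go that is not part of the original post. The KeyVault type is a hypothetical stand-in for the HSM: it holds a master key (KEK) that is never returned to callers, wraps freshly generated data keys (DEKs) with AES-256-GCM, and on unwrap the authentication tag rejects any blob that was tampered with or wrapped under another master key, which is the origin check the text describes. The application encrypts the PAN only with the DEK. The PAN is the constructed Visa test number; in a real deployment the unwrap call would be an HSM API (for example PKCS#11 C_UnwrapKey or a vendor interface), not local code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadSeal encrypts and authenticates plaintext under key with AES-256-GCM,
// binding aad to the ciphertext. Output layout: nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any modification of blob or aad fails the tag check.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyVault is a hypothetical stand-in for the HSM: the master key is
// generated inside and never handed out; only wrap/unwrap are offered.
type KeyVault struct{ masterKey []byte }

func NewKeyVault() (*KeyVault, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	return &KeyVault{masterKey: mk}, nil
}

// wrapLabel is authenticated but not encrypted, so a blob wrapped for one
// purpose cannot be presented to the vault as another.
var wrapLabel = []byte("cardholder-data-dek-v1")

// NewDataKey generates a fresh 256-bit DEK and returns it with its wrapped
// form; only the wrapped form is stored alongside the encrypted data.
func (v *KeyVault) NewDataKey() (wrapped, dek []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = aeadSeal(v.masterKey, dek, wrapLabel)
	if err != nil {
		return nil, nil, err
	}
	return wrapped, dek, nil
}

// Unwrap recovers a DEK. The GCM tag check fails for a blob that was tampered
// with or wrapped under a different master key: the vault only accepts keys
// that originated from itself.
func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) {
	return aeadOpen(v.masterKey, wrapped, wrapLabel)
}

// encryptPAN and decryptPAN are the application side; they touch only the DEK.
func encryptPAN(dek []byte, pan string) ([]byte, error) {
	return aeadSeal(dek, []byte(pan), nil)
}

func decryptPAN(dek, ct []byte) (string, error) {
	pt, err := aeadOpen(dek, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	vault, _ := NewKeyVault()
	wrapped, dek, _ := vault.NewDataKey()
	ct, _ := encryptPAN(dek, "4111111111111111") // constructed test PAN
	dek2, err := vault.Unwrap(wrapped)            // later: ask the vault for the DEK again
	if err != nil {
		panic(err)
	}
	pan, _ := decryptPAN(dek2, ct)
	fmt.Println("recovered:", pan)
	wrapped[len(wrapped)-1] ^= 1 // flip one bit of the stored wrapped key
	_, err = vault.Unwrap(wrapped)
	fmt.Println("tampered wrap rejected:", err != nil)
}
```

Two design points worth noting. The wrapping is authenticated encryption, not plain AES-ECB key wrapping, so the vault can tell a foreign or corrupted blob from its own without keeping a database of issued keys. And the plaintext DEK exists only in the application's memory for the duration of a request, while the master key exists only inside the vault; a server-side compromise yields wrapped keys that are useless without access to the vault, which is exactly the property Requirement 3.5 is after.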
Blog post by Dr. Ulrich Scholten