More and more shops integrate online payments into their apps and accept money from debit and credit cards. It is very convenient because payments are handled automatically, and users can pay right off the bat. To work with electronic money, a merchant must guarantee secure electronic transactions. For that, they have to meet the demands of the PCI–DSS standard. This applies to firms of all sizes – from small sellers to big retailers. This post will discuss the topic and clarify what needs to be done to comply with the directive.
Table of Contents
What Is the PCI-DSS Standard?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of rules to guarantee the cardholders’ data is treated securely in organizations’ information systems. The provisions of the document were developed by the special Council, based on international payment systems (IPS).
There is a false notion that the PCI DSS certification is a mere formality. It is not so. The get the approval, a company should run a holistic approach to protecting the payment information. It should implement a secure mechanism to obtain, store, and pass card details through its infrastructure. For that, the PCI DSS rules insist that firms take the following steps:
✅Construct a safe network;
✅Control the payment system access;
✅Monitor app performance ;
✅Create a security policy.
Who Should Follow PCI DSS Requirements?
The PCI DSS standard addresses online sellers, banks, service providers, call centers, payment gateways, and other companies involved in the processing, passage, and storage of payment details. That is if your company performs one of the above operations at least once a year, it must meet the PCI DSS guidelines. If for some reason you do not undergo annual certification, the authorized bodies will impose a fine on you.
Depending on the annual number of processed transactions, companies may fall under different compliance levels. There are four of them in total. Below is an abstract of each.
Level 1 covers companies with 6+ million transactions. It also extends to organizations that had security breaches in the past. The Qualified Security Assessor or a member of an in-house team with a special certificate runs an annual audit and concludes about PCI-DSS compatibility. They sum up the audit results in a report designed by this template. Additionally, the approved company scans the network four times a year to detect possible glitches.
Level 2 includes companies that have 1-6 million transactions. They should also go through a regular audit and network scanning. The latter is ordered from the Approved Scanning Vendor (AVS) that has approved tools to conduct the procedure.
Level 3 applies to firms with 20K – 1 million transactions. They fall under similar terms that level 2 companies do.
Level 4 works for organizations with less than 20K transactions and has similar conditions to those of the second and third levels.
What Are the PCI DSS Requirements?
PCI DSS lists 6 goals and 12 requirements. The table below shows it in more detail.
|Data access restrictions||
Now, let’s take a closer look at each item in the list and see what you can do to implement it.
A firewall is software and (or) hardware designed to protect local computer networks or individual nodes from unauthorized access over the web. Firewalls are often called filters since their main task is not to pass (filter) packets that do not match the configuration criteria. Your mission is to configure the firewall to detect suspicious traffic and prevent it from penetrating your network.
No default passwords
Common passwords like “1111” or “admin” enable an attacker to connect to the network and directly affect on-network devices. It allows to easily steal the personal data of the network owner and network equipment. To ensure a high level of account security, the admin must configure and implement a password policy that provides sufficient complexity, password length, and frequency of password changes for users and service accounts.
Reliable data storage
The most reliable data storage is the one that has no data. So, consider saving cardholders’ details only if it is an acute need. Still, the data in your storage must be encrypted, and the cryptographic keys hidden behind seven locks. Except for encryption, you can use masking, truncation, and hashing. They will help you build an extra layer of protection and reduce the chance of unauthorized entry.
Encrypted data transfer
In addition to reliable data storage, it is vital to ensure safe data transmission. SSH, IPSEC, and TLS protocols will help you in this matter. They detect the identity of the server and client and encrypt all messages between them. For wireless networks, like Wi-Fi, use a WPA2 protocol with an Advanced Encryption Standard (AES) and long passwords to create a secure network.
Malware infiltrates at the device, transmission, or server level and covers trojans, worms, keyloggers, screen loggers, deep attacks, and many other ways of malicious interference. A reliable antivirus neutralizes them by analyzing all incoming files and deleting the suspicious ones. The antivirus must run continuously. If you need to disable it for some reason, be sure to document these cases, as advised in the PCI DSS terms.
Secure coding means adhering to the principles of building secure software. Your developers should anticipate all possible attacks and harden the app system in advance. You can also turn to the help of white hats, i.e., good hackers. Unlike the black hats, they do not intend to harm you but test the system vulnerability and report any issues. Big names like Google or Amazon commonly use this practice to improve their security.
Selected individuals only
A limited number of people should have access to essential data. PCI DSS standards want you to clearly articulate each user’s role, including data interaction goals and reference terms. Besides, the system should verify the user identity during login and make auto-logout after a given time.
To track users’ activity in the system, use unique identifiers. It is an easy way to associate specific actions with a particular user and prevent fraud attempts. You should also keep track of the accounts that are no longer used. PCI DSS requirements prescribe you to disable them within 90 days. If the staff members change positions or leave the company, make sure you meet the deadlines to shut down their accounts.
Limited physical access
Start by equipping data centers with cameras. Do not forget to install access systems to identify users by biometric data or a pass card. Divide access zones according to job responsibilities. If you need a visitor to enter the data center, for example, a payment provider agent, be sure to assign an escort to them. It is also necessary that everyone who interacts with the system has badges with first name, last name, and a job role.
PCI DSS rules require that you use logging systems to track any moves in the app system. They help identify intrusions into the network, recognize wrongly configured equipment, and take prompt steps to correct mistakes. Thus, you stay up to date about current changes and can quickly prevent potential dangers if necessary. There are special frameworks to automate logging: log4j, log4net, Retrace, Logback, Logstash, etc. You should choose one, depending on your business needs.
PCI DSS regulations want you to pass through the vulnerability check once a quarter. An ASV should run testing and confirm your system meets security demands. To prepare for an external scan:
- Do internal testing regularly.
- Pay particular attention to checking the app system after upgrades and after making any changes.
- If you don’t have in-house developers, hire a qualified team to prepare for obligatory testing.
Staff training and motivation
The formulation of a security policy is mandatory, as per the PCI DSS directive. Yet, it is not enough to simply record the policy criteria. You should carry out comprehensive training measures and make sure all employees act within the established policy. Besides, you should annually compose a threat and risk rating and keep records of each team member’s responsibilities.
Is PCI DSS Certificate Needed When Using Payment Gateway?
The short answer is yes. Payment gateway integration does not relieve you of the need to obtain a PCI DSS certificate since you still deal with the payment details to a greater or lesser degree. However, the way you add a payment gateway to your app or site will define the level of compliance.
The easiest path is for those who have decided not to pass buyers’ card data through their server but have entirely relied on the provider. Such apps or sites use the redirect method, which means the checkout occurs on the provider’s page. The customer enters the card number, expiration date, and CVV code on the provider’s site and returns to the shop when the payment is completed. If you choose this one, you fall under the most superficial PCI DSS level. To pass the audit, you need to fill out the Self-Assessment Questionnaire (SAQ) marked with level A.
If you choose a hosted gateway, the PCI audit will be a bigger problem for you. In this case, you add the gateway to the app or website through a special API, and your server processes buyers’ card data directly. It gives reason to classify you in a high-risk group and apply the most stringent PCI compliance level. To pass the certification, you will need to prove the system security according to D-level SAQ.
Need Help With PCI DSS Audit?
The mandatory audit is not as scary as it looks; however, it requires serious preparations that touch all aspects of the organization’s activity. You must establish the safety of software and hardware, as well as produce a security policy and educate personnel. Your efforts will fully pay off after receiving the certificate as you will act based on IPS requirements and form an opinion about the company’s good name and stable position.
To get an app system ready for the audit, you need experienced developers who specialize in financial security and anti-fraud measures. At Softensy, we mainly work with fintech firms and eCommerce stores, so e-payments and PCI matters are part of our daily routine. We know how to launch apps with no glitches and data leakage. If you need help with PCI DSS certification, we’ll be glad to assist.