{"id":11390,"date":"2019-08-15T17:34:53","date_gmt":"2019-08-15T21:34:53","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11390"},"modified":"2023-04-07T13:01:18","modified_gmt":"2023-04-07T17:01:18","slug":"demystifying-pci-dss-compliance","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/demystifying-pci-dss-compliance\/","title":{"rendered":"Demystifying PCI DSS Compliance"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-as-far-as-compliance-goes-pci-dss-isn-t-as-onerous-as-it-seems\">As far as compliance goes, PCI DSS isn\u2019t as onerous as it seems<\/h2>\n\n\n\n<p>Compliance is, <a href=\"https:\/\/www.thesslstore.com\/blog\/71-of-organizations-dont-know-how-many-certificates-keys-they-have\/\">without a doubt<\/a>, the biggest concern for most organizations when they\u2019re handling their <a href=\"https:\/\/www.thesslstore.com\/blog\/on-demand-webinar-the-challenges-of-enterprise-certificate-management\/\">certificate and key management duties<\/a>. Whether it\u2019s PCI DSS compliance, GDPR, HIPAA or any other regulatory framework, non-compliance is anathema to most companies; it can result in lost trust and massive financial penalties. <\/p>\n\n\n\n<p>And frankly, if I had to guess I\u2019d say that\u2019s why compliance\nranks so highly amongst enterprise concerns. Other ramifications of poor security\nor certificate\/key management don\u2019t have as obvious an effect. A data breach or\na compromised key can cause a ton of damage, but that damage is harder to\nquantify in real time. Compliance penalties are known quantities: \u201cif we don\u2019t\ndo X, we get fined Y.\u201d <\/p>\n\n\n\n<p>That\u2019s easy to understand, and it\u2019s easy to explain to the C-suite and upper management. 
If I come into your office and try to explain <a href=\"https:\/\/www.thesslstore.com\/blog\/what-happens-when-your-ssl-certificate-expires\/\">what could happen if a certificate expires<\/a>, it requires a much longer explanation \u2013 and more attention from the person you\u2019re explaining it to \u2013 than simply stating we\u2019ll get fined $10,000 for not doing something.<\/p>\n\n\n\n<p>Anyway, today we\u2019re going to talk about the Payment Card Industry Data Security Standard (PCI DSS) and try to demystify it a little bit. As far as compliance goes, PCI DSS compliance really isn\u2019t all that onerous. In fact, it\u2019s actually pretty straightforward. So let\u2019s talk about PCI DSS, how you can make compliance with PCI DSS easy and what happens if you decide it\u2019s too much trouble.<\/p>\n\n\n\n<p>Let\u2019s hash it out.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pci-dss-protecting-payment-card-information\">PCI DSS: Protecting Payment Card Information<\/h2>\n\n\n\n<p>When we talk about sensitive data, <a href=\"https:\/\/www.thesslstore.com\/blog\/2018-cybercrime-statistics\/\">payment card information is among the most valuable<\/a>. That\u2019s for pretty obvious reasons. So, it makes a lot of sense that the payment card industry would want to put certain requirements in place to safeguard it. We\u2019ve seen what can happen when payment card info gets compromised thanks to <a href=\"https:\/\/www.thesslstore.com\/blog\/equifax-data-breach-total-data-lost-the-final-count\/\">breaches like Equifax\u2019s<\/a>. 
<\/p>\n\n\n\n<p>The Payment Card Industry\u2019s Security Standards Council is comprised of all the biggest creditors in the world:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Payment-Cards-PCI-DSS-300x300.png\" alt=\"\" class=\"wp-image-11402\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Payment-Cards-PCI-DSS-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Payment-Cards-PCI-DSS-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Payment-Cards-PCI-DSS-1024x1024.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Visa<\/li>\n\n\n\n<li>American Express<\/li>\n\n\n\n<li>Mastercard<\/li>\n\n\n\n<li>Discover<\/li>\n\n\n\n<li>JCB International<\/li>\n<\/ul>\n\n\n\n<p>Basically all the major credit card companies. It\u2019s the PCI SSC that determines the PCI DSS compliance requirements (today we dine on acronym soup). And that\u2019s what makes these rules binding: if you want to accept payment cards from these companies, you\u2019ll need to follow their rules. 
They\u2019ve all incorporated PCI DSS into the technical requirements for each of their respective compliance programs and expect any company that accepts payment through their cards to follow them.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"PCI Compliance 101 - What is PCI Compliance, and How to Become PCI Compliant\" width=\"960\" height=\"540\" src=\"https:\/\/www.youtube.com\/embed\/jcJpVEv16pk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>We\u2019ll get into the penalties for non-compliance with PCI DSS\nlater, but suffice it to say that in addition to fines you\u2019ll likely have your\nrelationship with these creditors downgraded or possibly even fully severed. <\/p>\n\n\n\n<p>Now, it\u2019s worth pointing out that while the council sets the\nrules, it doesn\u2019t enforce them. That is incumbent upon the individual payment brands.\nSo, non-compliance isn\u2019t necessarily met with a single monolithic fine or\npenalty \u2013 each of these companies will enforce penalties using their own\nproprietary guidelines. So you may actually end up with four or five fines,\ndepending on how badly you run afoul of the rules. <\/p>\n\n\n\n<p>This is arguably the biggest misconception about PCI DSS. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pci-dss-compliance-requirements-are-really-just-a-bunch-of-security-best-practices\">PCI DSS compliance requirements are really just a bunch of security best practices<\/h2>\n\n\n\n<p>Here\u2019s the thing: most of the 12 PCI DSS requirements are just common-sense steps you should already be taking. It\u2019s not like PCI DSS is asking you to reinvent the wheel or anything. 
There are 12 different requirements that fall into six different categories:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pci-dss-compliance-requirements\">PCI DSS Compliance Requirements<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"434\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-1-1024x434.png\" alt=\"\" class=\"wp-image-11400\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-1-1024x434.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-1-300x127.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-1-768x325.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-1.png 1039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>When you actually look at the requirements, you\u2019ll see nothing is all that onerous. Again, most of this is stuff you\u2019re ideally already doing. Firewalls, antivirus programs, access management, encryption \u2013 this is all low-hanging fruit. You just need to document it. And even the things that sound difficult can be addressed fairly quickly.<\/p>\n\n\n\n<p>This is as straightforward as regulations get.<\/p>\n\n\n\n<p>And part of that is borne out of the unique position the PCI\nSSC operates in. Not unlike the CAB Forum, where the browsers basically rule by\nedict and you have to follow what they say to continue operating on their\nplatforms, the PCI SSC can create and enforce these rules because they occupy a\nposition of strength in their industry. 
If you want to accept their payment\ncards, you have to play by their rules.<\/p>\n\n\n\n<p>Compare that to other regulations like <a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\">GDPR<\/a>, which have to operate within the context of state governments, and you can see why it\u2019s a lot easier for PCI DSS to be clear and concise. The EU has to write GDPR in a way that it can be assimilated into the various national laws of its member states. That can lead to some ambiguity and confusion as companies around the world attempt to interpret it. <\/p>\n\n\n\n<p>Both regulations actually contain a lot of the same things;\nPCI DSS is just a lot clearer about it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-needs-to-follow-pci-dss\">Who needs to follow PCI DSS?<\/h2>\n\n\n\n<p>Anyone who accepts payment cards from the aforementioned\nbrands needs to comply with PCI DSS. That\u2019s true with pretty much any payment\nplatform you use; even PayPal has terms of service that must be followed. <\/p>\n\n\n\n<p>PCI DSS is divided into four different compliance levels.\nRather unintuitively, they don\u2019t ascend \u2013 Level 1 is the strictest and Level 4 is\nthe most lax. 
<\/p>\n\n\n\n<p>Still, the requirements are largely the same across all four levels, with the biggest difference being that Level 1 organizations require an on-site audit in addition to their other responsibilities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pci-dss-levels\">PCI DSS Levels<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"216\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-2-1024x216.png\" alt=\"\" class=\"wp-image-11399\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-2-1024x216.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-2-300x63.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-2-768x162.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Table-2.png 1039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p>Each level must complete a yearly self-assessment and submit quarterly scanning reports, but Level 1 organizations also need to have that on-site data security assessment performed once per year.<\/p>\n\n\n\n<p>Now let\u2019s go through each of the various PCI DSS compliance requirements.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pci-dss-compliance-requirements-1\">PCI DSS Compliance Requirements<\/h2>\n\n\n\n<p>As we just touched on, you can group these requirements into\nsix different categories. We\u2019ll go through each one individually just for\nclarity\u2019s sake, but you may sometimes see other\norganizations group them by category instead. 
They\u2019re not wrong; they\u2019re simply painting with broader strokes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-install-and-maintain-a-firewall\">1 \u2013 Install and Maintain a Firewall<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"274\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Firewall-3-300x274.png\" alt=\"PCI DSS Compliance Requirement 1\" class=\"wp-image-11396\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Firewall-3-300x274.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Firewall-3-768x703.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Firewall-3-1024x937.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Firewall-3.png 1691w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>Firewalls monitor and control traffic as it comes in and out of your network. Installing one is considered best practice. Generally speaking, there are two different kinds of firewall: network-based and host-based. You can inspect on the application level or do deep packet inspection. You have plenty of options; however, what\u2019s most appropriate will vary based on your organization\u2019s size and needs. But make no mistake about it: shopping for a good firewall isn\u2019t exactly a difficult task. Just perform your due diligence before picking a vendor. 
Not all firewalls are created equal.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish and implement firewall and router\nconfiguration standards<\/li>\n\n\n\n<li>Build firewall and router configurations that\nrestrict connections between untrusted networks and any system components in\nthe cardholder data environment<\/li>\n\n\n\n<li>Block direct public access between the Internet\nand any system component in the cardholder data environment<\/li>\n\n\n\n<li>Install personal firewall software (or something\nequivalent) on any portable connected devices that connect to the Internet from\noutside the network<\/li>\n\n\n\n<li>Ensure that your security policies and\noperational procedures for managing firewalls are documented, in use, and known\nto the key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-change-vendor-defaults-ids-and-passwords\">2 \u2013 Change vendor defaults (IDs and passwords)<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Default-300x300.png\" alt=\"PCi DSS Compliance Requirement 2\" class=\"wp-image-11403\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Default-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Default.png 673w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>When you purchase a new device (or even some software) it\u2019s typically configured to use a vendor default for its password and login ID. This is to ensure the device is accessible, but these vendor defaults are published online and easy for criminals to find. 
Now consider <a href=\"https:\/\/www.thesslstore.com\/blog\/google-and-facebook-manipulate-users-to-circumvent-gdpr\/\">95% of people never change their default settings<\/a>. That\u2019s bad on an individual level, and worse on an organizational level. We\u2019ve demonstrated in the past <a href=\"https:\/\/www.thesslstore.com\/blog\/man-in-the-middle-attack-2\/\">how trivial hacking into a device using vendor defaults and Shodan.io is<\/a>. You can see why the PCI DSS compliance documentation is explicit about changing these defaults. Neglecting to do so isn\u2019t that different from leaving a key under your doormat \u2013 you\u2019re just inviting unwanted guests. <\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always change vendor-supplied default credentials\nand remove or disable unnecessary default accounts before installing a system\non the network<\/li>\n\n\n\n<li>Develop configuration standards for all system\ncomponents. Make sure these standards address all known security\nvulnerabilities and are consistent with industry-accepted system hardening\nstandards<\/li>\n\n\n\n<li>Encrypt all non-console administrative access\nusing strong cryptography (we\u2019ll get to what this means later)<\/li>\n\n\n\n<li>Maintain an inventory of system components that\nare relevant for PCI DSS<\/li>\n\n\n\n<li>Make sure that your security policies and\noperational procedures for managing vendor defaults and other security\nparameters are documented, in use, and known to the key stakeholders<\/li>\n\n\n\n<li>Shared hosting providers must protect each\nentity\u2019s hosted environment and cardholder data<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-protect-cardholder-data-at-rest\">3 \u2013 Protect cardholder data at-rest<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"237\" 
src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Encryption-1-300x237.png\" alt=\"PCi DSS Compliance Requirement 3\" class=\"wp-image-11404\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Encryption-1-300x237.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Encryption-1.png 389w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>The next two PCI DSS compliance requirements can both be categorized as encryption requirements. You should already be encrypting all personal information both at-rest and in-transit. Almost every compliance framework includes this requirement. Encrypting data at-rest protects it even in the event of a network intrusion. That data is useless to criminals and hackers if they can\u2019t decrypt it. Obviously, this makes <a href=\"https:\/\/www.thesslstore.com\/blog\/71-of-organizations-dont-know-how-many-certificates-keys-they-have\/\">key security<\/a> a major concern, but as long as the proper precautions are taken, finding and fielding at-rest encryption solutions should be no problem.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep cardholder data storage to a minimum by\ndesigning and implementing data retention and disposal policies, procedures and\nprocesses<\/li>\n\n\n\n<li>Don\u2019t store sensitive authentication data after\nauthorization (even if it\u2019s encrypted)<\/li>\n\n\n\n<li>Mask Primary Account Numbers when displayed (the\nfirst six and last four digits are the maximum number of digits that are\nallowed to be displayed); make sure only personnel with a legitimate business\nneed can see more than the first six\/last four digits of the PAN<\/li>\n\n\n\n<li>Render PAN unreadable using hashing, encryption\nor truncation<\/li>\n\n\n\n<li>Document and implement the procedures you use to\nprotect and manage encryption keys 
<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-protect-cardholder-data-in-transit\">4 \u2013 Protect cardholder data in-transit<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/SSL-Encryption-PCi-DSS-1-300x300.png\" alt=\"PCI DSS Compliance Requirement 4\" class=\"wp-image-11406\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/SSL-Encryption-PCi-DSS-1-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/SSL-Encryption-PCi-DSS-1.png 315w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This PCI DSS compliance requirement could be re-written simply as \u201cuse SSL\/TLS and HTTPS.\u201d Not to toot our own horn, but <a href=\"https:\/\/www.thesslstore.com\">SSL is kind of our thing<\/a>. As of July 2018 <a href=\"https:\/\/www.thesslstore.com\/blog\/google-chrome-68-https-mandatory\/\">it\u2019s mandatory for all websites<\/a>, so you should already be meeting this requirement. But its importance can\u2019t be overstated. <a href=\"https:\/\/www.thesslstore.com\/blog\/what-does-https-protect\/\">Internet connections are not 1:1<\/a>; they get routed through dozens of different points on their way to their destination. Remember how we just discussed that for every 20 people, 19 didn\u2019t change the factory defaults on their routers and webcams? Well, that comes back to bite us here, because if any one of those points your connection gets routed through is compromised \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/man-in-the-middle-attack-2\/\">again, not difficult to pull off<\/a> \u2013 any information that passes through it can be intercepted and stolen. Or even manipulated. 
SSL\/TLS protects against this: rather than traversing its path in plaintext, the data is encrypted and becomes useless to attackers \u2013 even if they\u2019ve compromised one of the devices it routes through.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use strong cryptography and security protocols<\/li>\n\n\n\n<li>Don\u2019t send cardholder information via insecure\nchannels like text messages or unencrypted messenger apps<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for encrypting data in-transit are documented, in use, and known to\nall key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-use-antivirus-software-and-update-it-regularly\">5 \u2013 Use antivirus software and update it regularly<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Antivirus-300x300.png\" alt=\"PCI DSS Compliance Requirement 5\" class=\"wp-image-11395\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Antivirus-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Antivirus.png 673w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This is kind of a two-part requirement, because simply having an antivirus program isn\u2019t enough. Each and every day more and more malware is discovered and documented. These antivirus programs receive regular updates so they can sniff out even the most up-to-date malware. So, not updating your antivirus program regularly literally makes it less effective by the day. Remember, cybercrime is a game of cat and mouse. While you occasionally see criminals dust off a decade-old exploit, they generally try to stay ahead of the security community by continually evolving. 
Put it this way: Comodo uses over 30,000 different tests from known malware samples when it runs a scan. You need every single one of those tests, too. And you need to keep them current. Failing to update can lead to disaster \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate\/\">just ask Equifax<\/a>.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy your antivirus software on any system\nthat can be affected by malware<\/li>\n\n\n\n<li>Make sure to keep your antivirus programs up to date,\nrun regular scans and document them in audit logs<\/li>\n\n\n\n<li>Make sure your antivirus programs are always\nrunning and can\u2019t be disabled by non-privileged users<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for administering your antivirus program are documented, in use, and\nknown to all key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-develop-and-maintain-secure-systems-and-applications\">6 \u2013 Develop and maintain secure systems and applications<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Secure-System-300x300.png\" alt=\"PCi DSS Compliance Requirement 6\" class=\"wp-image-11407\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Secure-System-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Secure-System.png 372w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>The word that confuses people in this requirement is \u201cdevelop.\u201d\nMost companies aren\u2019t developing their own security systems; they\u2019re leveraging\nproducts from trusted security vendors. 
Really, all this requirement is asking\nyou to do is maintain a good patching cadence and put in place a diagnostic\nsystem that can find vulnerabilities and rank them in terms of severity. Again,\nyou can find a solution for this that involves zero development. And, not to\nbelabor the point, this is just following best practices. Much like with\nupdating your antivirus, the vendors of the programs you use are finding and disclosing\nvulnerabilities all the time. When this happens, they issue a patch to protect\nagainst it. Not installing these patches regularly leaves your systems vulnerable.\nSo, just make sure you\u2019ve got a system for identifying vulnerabilities and\npatching or remediating them. <\/p>\n\n\n\n<p>Now, quickly, if you are developing a system, you need to do it with a security focus. That means designing it to comply with the PCI DSS compliance requirements and following industry best practices. But again, this requirement really isn\u2019t as complicated as it may appear at first blush.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish a process to identify security vulnerabilities,\nusing reputable outside sources for security vulnerability information, and\nassign a risk ranking<\/li>\n\n\n\n<li>Make sure that all system components and\nsoftware are protected from known vulnerabilities by installing applicable\nvendor-supplied security patches<\/li>\n\n\n\n<li>If you are developing programs or systems, make\nsure to abide by PCI DSS standards and industry best practices<\/li>\n\n\n\n<li>Follow change control processes and procedures\nfor all changes to system components<\/li>\n\n\n\n<li>Address common coding vulnerabilities in formal\nsoftware-development processes<\/li>\n\n\n\n<li>For public-facing web applications, address new\nthreats and vulnerabilities on an ongoing basis<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for maintaining secure systems and applications are 
documented, in\nuse, and known to all key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-7-restrict-access-to-data-on-a-need-to-know-basis\">7 \u2013 Restrict access to data on a need-to-know basis<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-No-Access-Physical-300x300.png\" alt=\"PCi DSS Compliance Requirement 7\" class=\"wp-image-11410\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-No-Access-Physical-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-No-Access-Physical.png 692w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This PCI DSS compliance requirement comes down to assigning privileges to users on your network and documenting those decisions. But, once again, this is just best practice. Your network and its servers store all kinds of information. Allowing employees complete access to everything just invites trouble. Employees should only have permission to access data that\u2019s germane to their job functions. &nbsp;For instance, within our own organization I have access to the marketing and production servers, but if I try to get into our customer experience server my computer emits a jolt of electricity that practically knocks me out of my chair (that&#8217;s actually an improvement, at first we misconfigured the zapper and had a <a href=\"https:\/\/www.quora.com\/How-realistic-was-the-no-sponge-execution-of-Delacroix-the-guy-with-the-mouse-in-The-Green-Mile\">Green Mile moment<\/a> with an intern). 
These types of access controls make sense and help you to silo off information, which limits damage in the event an employee goes rogue.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limit access to system components and cardholder\ndata to only those who need it<\/li>\n\n\n\n<li>Establish an access control system(s) for\nsystem components that restricts access based on a user\u2019s need to know<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for access control are documented, in use, and known to all key\nstakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-8-assign-everyone-on-your-network-a-unique-id-and-authenticate-them\">8 \u2013 Assign everyone on your network a unique ID and authenticate them<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-ID-300x300.png\" alt=\"PCi DSS Compliance Requirement 8\" class=\"wp-image-11394\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-ID-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-ID.png 673w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This is just common sense. In fact, it\u2019s so closely associated with the previous item that you could probably just combine them. It\u2019s tough to enforce access control if the people using your network don\u2019t have unique IDs and can\u2019t be authenticated. This extends beyond just assigning IDs, though: this is about creating a policy that governs the assignment and deletion of employee IDs, authentication methods, how you handle inactive accounts, what gets done when an employee is terminated, how long an account can idle before it\u2019s locked out, how to recover a password, etc. 
You\u2019re also going to want to use multi-factor authentication to add an extra layer of security. Again, this PCI DSS compliance requirement is just best practice.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define and implement policies and procedures to\nensure proper user identification management for employees and administrators<\/li>\n\n\n\n<li>In addition to assigning a unique ID, ensure\nproper user-authentication management for employees and administrators<\/li>\n\n\n\n<li>Secure all individual non-console administrative\naccess and all remote access with multi-factor authentication<\/li>\n\n\n\n<li>Document and communicate authentication policies\nand procedures to all users<\/li>\n\n\n\n<li>Do not use group, shared, or generic IDs,\npasswords, or other authentication methods<\/li>\n\n\n\n<li>All access to any database containing cardholder\ndata should be restricted to administrators on a need-to-know basis<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for identification and authentication are documented, in use, and\nknown to all key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-9-restrict-physical-access-to-data\">9 \u2013 Restrict physical access to data<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Access-Restricted-300x300.png\" alt=\"PCi DSS Compliance Requirement 9\" class=\"wp-image-11409\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Access-Restricted-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Access-Restricted-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Access-Restricted-1024x1024.png 1024w\" sizes=\"auto, (max-width: 300px) 
100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This PCI DSS compliance requirement is really less of a cybersecurity concern than it is a physical security concern with a cybersecurity impact. It\u2019s also another dose of common sense. The hardware that\u2019s storing your data is expensive and likely requires a lot of effort to maintain. You wouldn\u2019t want your employees going near it even apart from your security concerns. I\u2019m not saying you need to <a href=\"https:\/\/www.thesslstore.com\/blog\/air-gapped-computer\/\">air gap all of your computers<\/a>, but you do need to ensure you have physical safeguards preventing unauthorized access to hardware. This extends to other critical items, too. Like encryption keys. Storing them on a physical hardware token is a great way to enhance security. Just make sure only authorized personnel can physically access them.<\/p>\n\n\n\n<p>One more thing: the PCI DSS compliance documentation refers to &#8220;media.&#8221; Here\u2019s a working definition of that term: <\/p>\n\n\n\n<p><em>Paper and electronic media (including computers,\nelectronic media, networking and communications hardware, telecommunication\nlines, paper receipts, paper reports, and faxes) that contain cardholder data<\/em><\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use \u201cappropriate facility entry controls\u201d\n(locks, security systems) to monitor physical access to systems storing\ncardholder data<\/li>\n\n\n\n<li>Develop procedures to help quickly distinguish\nbetween employees and visitors<\/li>\n\n\n\n<li>Restrict employee access to sensitive areas<\/li>\n\n\n\n<li>Create and implement procedures for identifying\nand authorizing visitors<\/li>\n\n\n\n<li>Physically secure all devices and media<\/li>\n\n\n\n<li>Maintain strict controls over internal and\nexternal distribution of any kind of media<\/li>\n\n\n\n<li>Maintain strict controls over the storing and\naccessibility of 
media<\/li>\n\n\n\n<li>Destroy media when it is no longer required for\nbusiness<\/li>\n\n\n\n<li>Protect devices that capture payment card data\nvia direct physical interaction with the card from \u201ctampering and substitution\u201d<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for physical security safeguards are documented, in use, and known\nto all key stakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-10-track-and-monitor-all-access-to-network-data\">10 \u2013 Track and monitor all access to network data<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-physical-security-300x300.png\" alt=\"PCi DSS Compliance Requirement 10\" class=\"wp-image-11393\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-physical-security-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-physical-security.png 673w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>Monitoring traffic on your network is something most organizations are already doing. It\u2019s important to see what\u2019s leaving your network and how the people on it are behaving. Lately we\u2019ve seen machine learning start dominating this conversation. Whereas it would be prohibitively difficult for a human to monitor everything in real time (you can see all the requirements below), a machine learning-backed monitoring solution (I wouldn\u2019t go so far as to label it AI yet, though some do) can maintain complete visibility while also discerning usage patterns that can indicate when something is amiss. For instance, it knows when employees are accessing the network, what they\u2019re typically accessing and where they\u2019re logging in from. 
If that employee suddenly logs in at an odd time from a far-away location and tries to access something they normally don&#8217;t, it\u2019s easy to identify it as an anomaly and then investigate it. Monitoring solutions are readily available; all you need to do is pick the one that best fits your needs.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement audit trails that track network access\nfrom each individual; they should be able to reconstruct what was accessed and\nwhat actions were taken. Audits should include:\n<ul class=\"wp-block-list\">\n<li>User ID<\/li>\n\n\n\n<li>Type of Event<\/li>\n\n\n\n<li>Date<\/li>\n\n\n\n<li>Time<\/li>\n\n\n\n<li>Success or failure<\/li>\n\n\n\n<li>Origination of event<\/li>\n\n\n\n<li>Identity\/Name of data, system or component\naffected<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Synchronize time across all parts of your\nnetwork<\/li>\n\n\n\n<li>Secure your audit logs so that they cannot be\naltered (potential application for hashing)<\/li>\n\n\n\n<li>Review logs regularly to look for major system\nevents and anomalies<\/li>\n\n\n\n<li>Keep all audit logs for at least one year and\nkeep the last three months of logs readily available<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for network monitoring are documented, in use, and known to all key\nstakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-11-scan-systems-and-review-processes-regularly\">11 \u2013 Scan systems and review processes regularly<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Scan-300x300.png\" alt=\"PCi DSS Compliance Requirement 11\" class=\"wp-image-11411\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Scan-300x300.png 300w, 
https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Scan.png 692w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>This is the so-called scanning and reporting requirement, which is not nearly as complicated as it may seem at first blush. All you need to do to satisfy this requirement is purchase a PCI DSS compliance scanning product. <a href=\"https:\/\/www.thesslstore.com\/knowledgebase\/other-security-support\/hackerguardian-pci-scan-control-center\/\">We use HackerGuardian from Comodo CA\/Sectigo<\/a>. It leverages Comodo\u2019s antivirus patterns and works quickly \u2013 it\u2019s also about $200 cheaper than the next closest scanner. Running scans is simple: after you\u2019ve configured it to run on your network, you just use the client to start the scan. It provides you with actionable intel on remediating anything it kicks up. Once you take care of that, the scan runs again and produces a ready-to-submit report. Send it in to your acquiring bank once per quarter and you\u2019re good to go. 
Again, this isn\u2019t as difficult as it sounds once you have the right PCI scanner.<\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement processes to test for the presence of\nwireless access points (802.11), and detect and identify all authorized and\nunauthorized wireless access points on a quarterly basis<\/li>\n\n\n\n<li>Run internal and external network vulnerability\nscans at least quarterly and after any significant change in the network<\/li>\n\n\n\n<li>Implement and document a method for penetration\ntesting<\/li>\n\n\n\n<li>Use intrusion-detection and\/or\nintrusion-prevention techniques to detect and\/or prevent unauthorized access to\nthe network<\/li>\n\n\n\n<li>Deploy a change-detection mechanism (for\nexample, file-integrity monitoring tools) to alert your organization to\nunauthorized modifications<\/li>\n\n\n\n<li>Make sure that security policies and operational\nprocedures for quarterly scanning are documented, in use, and known to all key\nstakeholders<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-12-maintain-a-policy-that-addresses-security\">12 \u2013 Maintain a policy that addresses security<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Security-Policy-300x300.png\" alt=\"PCi DSS Compliance Requirement 12\" class=\"wp-image-11408\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Security-Policy-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Security-Policy.png 692w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>Ok, take the last 11 steps and document them. Everything. From how you administer your network IDs to the patching process to the scanning \u2013 document it all. 
If you need help creating a security policy, <a href=\"https:\/\/www.thesslstore.com\/blog\/the-rise-of-cyber-resilience\/\">we\u2019ve actually covered it at length before<\/a>. It\u2019s not difficult; you just need to be comprehensive. Once you\u2019ve written everything down, save a copy of it and then revisit it annually to update anything that\u2019s changed. Should you ever be audited, you\u2019ll need to show that your security policy is a living, breathing document that guides your organization\u2019s security. <\/p>\n\n\n\n<p><strong>Specifics:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish, publish, maintain, and disseminate a security policy<\/li>\n\n\n\n<li>Create and document a <a href=\"https:\/\/www.thesslstore.com\/blog\/cyber-risk-assessment\/\">risk assessment<\/a> process<\/li>\n\n\n\n<li>Develop usage policies for critical infrastructure and systems<\/li>\n\n\n\n<li>Make sure that security policies and operational procedures are clearly defined for all affected personnel<\/li>\n\n\n\n<li>Implement formal security awareness and training programs that are mandatory for all employees<\/li>\n\n\n\n<li>Screen potential hires to minimize the risk of internal attacks or sabotage<\/li>\n\n\n\n<li>Maintain data processing agreements and other requisite contracts with any partner you share cardholder data with<\/li>\n\n\n\n<li>Create an <a href=\"https:\/\/www.thesslstore.com\/blog\/in-case-of-emergency-a-disaster-recovery-plan-checklist-for-data-security\/\">incident response plan<\/a> and educate your organization on the steps that must be taken<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pci-dss-what-is-strong-cryptography\">PCI DSS \u2013 What is strong cryptography?<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"201\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-300x201.png\" 
alt=\"Encryption key\" class=\"wp-image-9993\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-300x200.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-768x515.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key-1024x686.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/01\/Encryption-Key.png 1092w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>Ah yes, \u201cstrong cryptography,\u201d what does that mean? The actual <a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2-1.pdf?agreement=true&amp;time=1565879484532\">PCI DSS compliance documents<\/a> only allude to \u201cstrong cryptography\u201d because what constitutes \u201cstrong\u201d is going to change at a quicker pace than the PCI DSS compliance requirements will be updated. Unfortunately, that means organizations are forced to either figure out what that means on their own or try to find a definition elsewhere. 
<\/p>\n\n\n\n<p>PCI DSS\u2019 definition of strong cryptography is basically\nusing encryption based on industry-tested and accepted algorithms, at key\nlengths with requisite computational hardness and then managing it all with\ncertificate and key management best practices.<\/p>\n\n\n\n<p>Specifically, that means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AES \u2013 128-bit key length or higher<\/li>\n\n\n\n<li>TDES\/TDEA \u2013 Triple-length keys<\/li>\n\n\n\n<li>RSA \u2013 2048-bit key length or higher<\/li>\n\n\n\n<li>ECC \u2013 224-bit key length or higher<\/li>\n\n\n\n<li>DSA\/DH \u2013 2048-bit\/224-bit key length or higher<\/li>\n<\/ul>\n\n\n\n<p>As we\u2019ve stated in the past, <a href=\"https:\/\/www.thesslstore.com\/blog\/you-should-be-using-ecc-for-your-ssl-tls-certificates\/\">we recommend using elliptic curve-based cryptosystems for SSL\/TLS<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-pci-dss-compliance-requirements-for-ssl-tls\">PCI DSS Compliance Requirements for SSL\/TLS<\/h3>\n\n\n\n<p>We mentioned earlier that you\u2019re required to secure\ncardholder data as it\u2019s in transit. That means using SSL\/TLS. And while it was\nmentioned in passing earlier, we wanted to be explicit about this next point.<\/p>\n\n\n\n<p>With one exception (which will be covered in the next section), <a href=\"https:\/\/www.thesslstore.com\/blog\/june-30-to-disable-tls-1-0\/\">PCI DSS suggests that you use TLS 1.2 or TLS 1.3<\/a> \u2013 you absolutely cannot use SSL or TLS 1.0. It\u2019s also strongly advised you deprecate support for TLS 1.1, too. <\/p>\n\n\n\n<p>We tell our customers to stick to TLS 1.2 and <a href=\"https:\/\/www.thesslstore.com\/blog\/tls-1-3-everything-possibly-needed-know\/\">TLS 1.3<\/a>. 
It will save you some work when the PCI SSC inevitably mandates the deprecation of TLS 1.1.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-additional-pci-dss-requirement-for-ssl-tls-on-older-pos-poi-terminal-connections\">Additional PCI DSS Requirement for SSL\/TLS on older POS POI terminal\nconnections<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Cash-Register-PCI-DSS-300x300.png\" alt=\"POS POI PCI DSS Requirement\" class=\"wp-image-11401\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Cash-Register-PCI-DSS-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Cash-Register-PCI-DSS.png 673w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>Legacy devices and systems pose a special problem because\nmany are no longer being actively supported, which means there\u2019s no way to\nsupport new protocol versions. This is especially true of point of sale (POS) or\npoint of interaction (POI) terminals. Stuff like cash registers. If you\u2019re an\norganization using legacy technology that simply can\u2019t be updated to support\nnewer protocols and algorithms, there are some additional safeguards you\u2019ll need\nto put in place. <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organizations using POS POI terminals that only support SSL and older TLS versions must have formal Risk Mitigation and Risk Migration plans.<\/li>\n\n\n\n<li>Legacy devices located in \u201ccard-present\u201d environments must be verified as not being susceptible to known exploits affecting SSL and early TLS versions.<\/li>\n<\/ul>\n\n\n\n<p>You verify this by providing the requisite documentation,\neither from the vendor or from your own remediation efforts. 
<\/p>\n\n\n\n<p>Bear in mind, any new terminals need to be capable of\nsupporting TLS 1.2 and TLS 1.3. These legacy devices are being grandfathered\nin; moving forward, they should be phased out. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-pci-dss-penalties-for-non-compliance\">What are the PCI DSS penalties for non-compliance?<\/h2>\n\n\n\n<p>Let\u2019s start with how the penalties are handed down, then we\u2019ll get to what can happen. First of all, PCI DSS compliance penalties are like Fight Club: they don\u2019t talk about them. PCI DSS penalties aren\u2019t openly discussed and rarely even made public. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"168\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Penalties-300x168.png\" alt=\"\" class=\"wp-image-11412\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Penalties-300x168.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Penalties-768x430.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCi-DSS-Penalties.png 778w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p>That doesn\u2019t mean they aren\u2019t catastrophic though.<\/p>\n\n\n\n<p>For starters, the PCI SSC doesn\u2019t administer the fines; the credit card companies do. Individually. So, if you accept Visa, Mastercard and American Express when you run afoul of PCI DSS compliance, you aren\u2019t looking at one fine. You\u2019re potentially looking at three.<\/p>\n\n\n\n<p>Next, they don\u2019t fine you directly. They fine your acquiring\nbank. Then your acquiring bank passes the fine on to you. Oftentimes with\nadditional fees and penalties. <\/p>\n\n\n\n<p>Now let\u2019s talk about what can happen. 
<\/p>\n\n\n\n<p>There are going to be two impacts: an immediate one and a longer-term one.<\/p>\n\n\n\n<p>Each payment brand can fine non-compliant organizations between $5,000-$100,000 per month for as long as the problem persists. Obviously, if you\u2019re getting penalized by multiple payment brands those numbers can go as high as $25,000-$500,000. That\u2019s an immediate impact. It\u2019s coming right out of your bottom line.<\/p>\n\n\n\n<p>Then there\u2019s the longer-term impact. At best, you may be required to submit to an assessment or undergo additional audits. At worst, your acquiring bank will sever ties, you won\u2019t be able to accept payment cards and you\u2019ll spend your golden years living under an overpass, offering to squeegee windshields for cupholder change. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pci-dss-compliance-is-just-formalized-common-sense\">PCI DSS Compliance is just formalized common sense<\/h2>\n\n\n\n<p>Nothing asked of your organization from the payment card\nindustry is really off-base. These are things every organization should already\nbe doing.<\/p>\n\n\n\n<p>If anything, PCI DSS compliance can be a boon to your organization because it basically forces you to follow security best practices. That\u2019s a good thing. We write all the time about how expensive data breaches and security incidents are. They can cast small-and-medium businesses into existential peril and can even manage to crater the bottom lines of enterprise companies. <\/p>\n\n\n\n<p>Anything you can do to fend off that threat is just good\nbusiness. <\/p>\n\n\n\n<p>PCI DSS compliance really isn\u2019t all that complicated if you don\u2019t overthink it. Just follow the steps the PCI SSC have laid out and document everything you do. 
That second part is almost as important as the first \u2013 this is one time you want to leave a paper trail.<\/p>\n\n\n\n<p><em>As always, leave any comments or questions below\u2026 <\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"267\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" class=\"wp-image-7276\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>PCI DSS compliance isn&#8217;t as complicated as many people think. In fact, most of it&#8217;s just common sense security measures. 
Let&#8217;s hash it out.<\/p>\n","protected":false},"author":6,"featured_media":11398,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[10670,7638],"class_list":["post-11390","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-compliance","tag-pci-dss","post-with-tags"],"views":25557,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/PCI-DSS-Compliance-Feature.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11390"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11390\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11398"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}