A technical insight on how to be certified to operate in the Payment Card Industry

Khaled Farah Khaled Farah 20th Aug 2019

Posted in

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes (Mastercard, Visa etc.)

Being PCI DSS certified verifies that your company infrastructure and business processes are secure enough to process and hold customers card data, allowing the company to process payments, bills, subscriptions etc. PCI DSS certification is a very important certificate to have as a financial institution or fintech company such as NOW Money.

So, is it difficult to become PCI-DSS certified? In this article, we’ll highlight 10 important aspects any company wishing to obtain the certification must address.

1. Limiting public-facing assets

As your business grows and expands, internet-facing assets are often forgotten. You know, that server that runs some legacy code, written by one of the senior devs, has been running since forever and working flawlessly…
Most security breaches begin with such scenarios. You need to maintain a well-defined list of publicly exposed assets. And make sure to monitor this list for security updates, access logs, and all security-related processes.

2. Access control

Whether it’s a database, a cloud console or a bank account, always follow the “Principle of Least Privilege”, meaning that you should only give the required access level to each user. In order to determine and efficiently enforce this control, you’ll need to carefully review user accounts and access controls by asking the following six questions about every asset:

  1. Who has access to this asset?
  2. What kind of access do they have?
  3. Can we revoke this access if required?
  4. Is the access logged and controlled?
  5. Is access restricted from a trusted source, for example a VPN network?
  6. Can we enable MFA on this asset?

Answering these six questions will give you better visibility on the access to your assets.

3. Password control

Passwords have always been the weakest chain in any security control. Awareness for employees, both IT and non-IT is vital.

  1. Encourage users to use password managers
  2. Educate users on the risks of weak passwords. Websites like http://haveibeenpwned.com and http://thehackernews.com can help demonstrate such risk

4.Multi-factor authentication (MFA)

Generally speaking, MFA is an authentication method where users are granted access after presenting two or more pieces of evidence. Types of evidence should be a combination of two from:

  1. Something they know “Password”
  2. Something they have “A key or one-time password (OTP)”
  3. Something they are “Thumbprint/Face ID”

Try to encourage and enforce the use of MFA for assets access where possible.

The most convenient option is to use something they know + something they have, for example by combining passwords & OTP.

5. Firewall controls

Having a firewall between your assets and the Internet is a no brainer. Whether it’s a physical firewall, a security group or an Ip table, firewall controls mainly represent a stateless layer of defense that conditionally allows, rejects or logs connection requests to the assets.
Following a whitelisting scheme is the best option to follow when applying firewall rules. Meaning that you should only allow access to a specific resource from a specific origin, and otherwise forbid the connection.

6. Change control

Regardless if it’s a configuration change, patch deployment or creating new accounts, in every organization, implementing change control processes is important to ensure change safety, documentation purposes and enforced control.
You need to carefully review your current change management process, if you have one, or otherwise implement one.

7. Encryption

We could write a complete article on the importance of encryption, but briefly, you should focus on:

  1. Encryption at rest: Encrypting the data that resides in your databases, especially the user’s sensitive data
  2. Encryption in transit: The connection to & between your assets should be encrypted with strong encryption techniques. Make sure to use standardized techniques, for example Transport Layer Security (TLS).

8. Code reviews

Code reviews are not only for code quality. They can uncover some serious flaws in business logic or software design that may lead to future security issues. Code reviews allow for early discovery of such issues and hence, less expensive solutions, both in time & money.

9. Documentation.

The most hated task among software engineers, it’s often neglected as many people think it doesn’t have direct or immediate value to the business.  Speaking from security audits perspective, the importance of documentation arises when trying to address points #1 and #2, and it saves masses of time when reviewing your infrastructure and codebase.

10. External penetration testing.

It’s always good to see things from a different perspective. Software engineers & ops teams tend to have a bias toward their product’s security. This bias can be blinding and can cause the team to overlook some security issues.

Holding quarterly or semi-annual external penetration tests can give you an external review on your infrastructure and a chance to enhance the process or fix flaws.

Conclusion

Given that every organization is different both in culture and infrastructure, we tried in this article to cover common areas that yours may need to address. By following best practice in these areas, you’ll make obtaining your company’s PCI-DSS certificate easier, and you’ll have better visibility and information about the infrastructure, and greater peace of mind!

Share:

Leave a comment

Your email address will not be published. Required fields are marked *