The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card schemes (Mastercard, Visa, etc.).
Being PCI DSS certified verifies that your company's infrastructure and business processes are secure enough to process and store customers' card data, which in turn allows the company to process payments, bills, subscriptions and so on. For a financial institution or a fintech company such as NOW Money, PCI DSS certification is one of the most important certificates to hold.
So, is it difficult to become PCI DSS certified? In this article, we highlight 10 important aspects that any company wishing to obtain the certification must address.
As your business grows and expands, Internet-facing assets are easily forgotten. You know the one: that server running some legacy code written by a senior developer years ago, which has been up since forever and "just works"...
Many breaches begin with exactly that kind of forgotten host. Maintain a well-defined inventory of every publicly exposed asset, with a named owner for each, and review it regularly: does the list still match what is actually reachable from the Internet, are security updates being applied, are access logs being collected and reviewed, and do all your other security processes cover every entry?
Whether it is a database, a cloud console or a bank account, always follow the principle of least privilege: give each user only the access level they actually need. To determine and efficiently enforce this control, carefully review user accounts and access rights by asking the following six questions about every asset:
Answering these six questions will give you much better visibility of who can access your assets, and why.
Passwords have always been the weakest link in any security control. Security awareness training for all employees, IT and non-IT alike, is vital.
Generally speaking, MFA is an authentication method in which users are granted access only after presenting two or more pieces of evidence, drawn from different categories:
Encourage, and wherever possible enforce, the use of MFA for access to your assets.
The most common option is to combine something the user knows with something they have, for example a password plus a one-time password (OTP) generated by an authenticator app or hardware token.
Having a firewall between your assets and the Internet is a no-brainer. Whether it is a physical appliance, a cloud security group or an iptables rule set, a firewall is a layer of defence (stateless, or stateful when it tracks connections) that conditionally allows, rejects or logs connection requests to your assets.
Apply an allow-list (whitelist) approach to firewall rules: permit access to a specific resource only from a specific origin, and deny everything else by default. With a default-deny policy, a service that nobody wrote a rule for is simply unreachable instead of silently exposed.
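The difference between an allow-list with default deny and a block-list with default allow is easiest to see by evaluating the same connection attempts against both. The Python example below is added here and is not code from the original article; its one-line rule syntax (`src_cidr proto dport action`) is a hypothetical stand-in for whatever your firewall actually uses, and the rule sets and probes are constructed. It also includes a check for rules shadowed by a broader earlier rule, a common way an allow-list quietly becomes wider than intended.

```python
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    src: ipaddress.IPv4Network   # origin network the rule applies to
    proto: str                   # "tcp" or "udp"
    dport: int                   # destination port on the protected asset
    action: str                  # "ACCEPT" or "DROP"


class Conn(NamedTuple):
    src_ip: str
    proto: str
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse 'src_cidr proto dport action' (a hypothetical mini-syntax for this example)."""
    src, proto, dport, action = text.split()
    return Rule(ipaddress.ip_network(src, strict=False), proto.lower(), int(dport), action.upper())


# Constructed allow-list for a card-processing API host: HTTPS from anywhere,
# SSH only from the bastion subnet, Postgres only from the application tier.
ALLOWLIST = [parse_rule(r) for r in (
    "0.0.0.0/0    tcp 443  ACCEPT",
    "10.0.1.0/24  tcp 22   ACCEPT",
    "10.0.2.0/24  tcp 5432 ACCEPT",
)]

# Constructed block-list of the kind that grows by reaction: each rule closes one
# hole someone noticed, and anything not listed is allowed by default.
BLOCKLIST = [parse_rule(r) for r in (
    "0.0.0.0/0    tcp 23   DROP",
    "0.0.0.0/0    tcp 3389 DROP",
)]


def evaluate(rules: List[Rule], conn: Conn, default: str = "DROP") -> str:
    """First matching rule wins; fall through to the default policy."""
    ip = ipaddress.ip_address(conn.src_ip)
    for r in rules:
        if ip in r.src and conn.proto == r.proto and conn.dport == r.dport:
            return r.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule for the same
    proto/port already covers a superset of their source network."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto, earlier.dport) == (r.proto, r.dport) and earlier.src.supernet_of(r.src):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    probes = [
        Conn("203.0.113.5", "tcp", 443),    # Internet client hitting the API
        Conn("203.0.113.5", "tcp", 22),     # Internet client trying SSH
        Conn("10.0.1.7", "tcp", 22),        # bastion trying SSH
        Conn("203.0.113.5", "tcp", 6379),   # a Redis port nobody meant to expose
    ]
    for c in probes:
        print(c, "allow-list:", evaluate(ALLOWLIST, c, default="DROP"),
              "block-list:", evaluate(BLOCKLIST, c, default="ACCEPT"))
    # Someone "temporarily" opens SSH to the world ahead of the bastion rule:
    print("shadowed:", shadowed([parse_rule("0.0.0.0/0 tcp 22 ACCEPT")] + ALLOWLIST))
```

The Redis probe is the point: the block-list never mentions port 6379, so it is accepted, while the allow-list drops it without anyone having to know Redis was installed. The shadow check reports the bastion SSH rule as dead once a world-open SSH rule is placed before it, which is how "temporary" exceptions survive review.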
Whether it is a configuration change, a patch deployment or the creation of a new account, every organization needs a change-control process: it makes changes safer (reviewed, approved and reversible), records what changed and why, and gives you a single point at which the control is enforced.
Carefully review your current change management process if you have one; if you do not, implement one.
We could write a complete article on the importance of encryption, but briefly, you should focus on:
Code reviews are not only about code quality. They can uncover serious flaws in business logic or software design that would otherwise become security issues later. Catching such issues early makes them far cheaper to fix, in both time and money.
Documentation is the most hated task among software engineers, and it is often neglected because many people think it has no direct or immediate business value. From a security-audit perspective, its importance becomes obvious as soon as you try to address points #1 and #2, and it saves a great deal of time when reviewing your infrastructure and codebase.
It is always good to see things from a different perspective. Software engineers and ops teams tend to be biased about the security of their own product. That bias can be blinding and can cause the team to overlook real security issues.
Quarterly or semi-annual external penetration tests give you an outside review of your infrastructure and a chance to improve the process or fix flaws before an auditor or an attacker finds them. Note that PCI DSS itself requires penetration testing at least annually and after any significant change to the environment, so treat that as the minimum, not the target.
Every organization is different in both culture and infrastructure, so this article has tried to cover the common areas that yours is likely to need to address. Following best practice in these areas will make obtaining your company's PCI DSS certificate easier, give you better visibility of and information about your infrastructure, and bring greater peace of mind.