PCI Audit Checklist: Top 3 Areas of Weakness for Meeting PCI Compliance
With security breaches in the news and occurring ever more widely, how can you be sure that your customers' credit card information remains secure? The Payment Card Industry Data Security Standard (PCI DSS) applies to all merchants who accept credit cards, regardless of their annual revenue and credit card transaction volume, to ensure that credit card information is secured. However, the vast majority of organizations struggle to achieve and maintain PCI DSS compliance, and addressing the root causes of PCI audit failures costs a great deal in consulting fees.
PCI Audit Checklist – 3 PCI compliance requirements to address before your first audit
Companies can avoid the frustration of a failed audit and be well on their way to PCI compliance by proactively assessing three areas of weakness when preparing for a PCI audit. Review the three PCI compliance requirements below:
1. Encryption Key Management
Several sections of PCI DSS address cryptography and key management to protect cardholder data. This can be challenging for companies that are unfamiliar with evolving encryption standards and requirements. PCI DSS does not specify which cryptographic standards should be used; however, most companies today implement the Advanced Encryption Standard (AES), as it is widely accepted for the encryption of sensitive data and approved by the National Institute of Standards and Technology (NIST).
Access to the cryptographic keys used to encrypt cardholder data should be limited to the fewest custodians necessary, and the keys should be stored securely in as few locations as possible. If a vendor hosts your encryption keys, then the vendor, and potentially hackers, can most likely access them. Therefore, it is essential to host your own encryption keys exclusively for maximum security. Additionally, cryptographic keys need strong management, and periodic key changes are mandatory.
The solution to the complex issue of encryption key management is a strong key management application that addresses the five fundamentals of encryption key management:
- Key storage
- Key policy management
- Key authentication
- Key authorization
- Key transmission
With a strong key management application, your credit card information can be protected from third-party access in its unencrypted form.
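As an added example (not Syncsort's code and not part of the original article), a minimal versioned keyring in Go shows how the periodic key changes mentioned above can be made without losing access to records encrypted under earlier keys: each stored record carries the ID of the key that protects it, so an old record still opens after rotation and can be re-encrypted under the new key. The Keyring type, its in-memory storage and the record layout are assumptions for illustration; a real deployment would hold the keys in an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceLen = 12 // standard AES-GCM nonce size
// Keyring: keys[i] has key ID i+1; the last entry is active, earlier ones are
// retired and kept only to decrypt (hypothetical stand-in for an HSM or KMS).
type Keyring struct{ keys []cipher.AEAD }

// Rotate makes a fresh 256-bit AES-GCM key active; old records still open.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	k.keys = append(k.keys, g)
	return nil
}

// Encrypt returns keyID || nonce || ciphertext: each record names its key version.
func (k *Keyring) Encrypt(pan []byte) ([]byte, error) {
	n := len(k.keys)
	if n == 0 || n > 255 {
		return nil, errors.New("no active key (call Rotate) or key ID space exhausted")
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.keys[n-1].Seal(append([]byte{byte(n)}, nonce...), nonce, pan, nil), nil
}

// Decrypt picks the key named by the leading key ID; fails closed otherwise.
func (k *Keyring) Decrypt(rec []byte) ([]byte, error) {
	if len(rec) < 1+nonceLen {
		return nil, errors.New("truncated record")
	}
	id := int(rec[0])
	if id < 1 || id > len(k.keys) {
		return nil, errors.New("unknown key id")
	}
	return k.keys[id-1].Open(nil, rec[1:1+nonceLen], rec[1+nonceLen:], nil)
}
```

Retiring a key for good means removing it from the keyring after every record written under it has been re-encrypted; any record still naming that ID then fails closed instead of decrypting.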
2. Multi-Factor Authentication
Another way to significantly reduce the risk of system intrusion is multi-factor authentication, also known as two-factor authentication. With multi-factor authentication, you must provide two (or more) authentication factors to gain access to a system, such as a password plus a security code sent to a mobile device. PCI security standards require at least two of the three possible authentication factors to be used. Those factors are:
- Something you know: This requires knowledge of something such as a password, PIN, or phrase.
- Something you have: This may involve an RSA token device, smartcard, key fob, or cellular device with mobile authentication.
- Something you are: This involves biometric measures such as a fingerprint or retina scan, facial or voice recognition, or other unique physical identification.
By going beyond simple passwords and utilizing multi-factor authentication, companies can reduce the threat of intrusions into cardholder data.
3. System Logging
Section 10 of the PCI DSS requires organizations to monitor and track all access to network resources and cardholder data. This is one of the most important PCI compliance requirements, as it relates to network security and access. Its many subsections spell out what must be in place to remain compliant.
The following must be logged and maintained:
- There must be a system for logging access to all system components by every individual user.
- Audit trails must be established for each of the following:
  - the actions of individual users with access to cardholder data;
  - all actions performed by users with administrative privileges;
  - all invalid access attempts;
  - clearing of audit logs;
  - security assessment logs (restricted to those with a job-related need to access them).
System logging and the ability to track user activities are crucial in detecting, preventing, and diminishing the potential impact of a data security breach. Without system activity logs, it would be nearly impossible to detect the cause of a compromise and correct it. By maintaining knowledge of who had access to the system and what data they accessed, a company can be proactive if cardholder data goes missing or there is suspicion of any foul play.
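Detection logic over a constructed audit log, as an added example (not Syncsort's code and not part of the original article): it walks the lines once, records who read cardholder data, and raises alerts for repeated invalid access attempts and for clearing of the audit log, which are three of the audit-trail categories listed above. The key=value line format, the field names, the sample lines and the CLEAR_AUDIT_LOG action are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)
// SampleLog: constructed lines in a hypothetical "<ts> key=value ..." format.
var SampleLog = []string{
	"2024-05-01T10:00:00Z user=alice action=READ resource=cardholder_data outcome=success",
	"2024-05-01T10:01:00Z user=mallory action=LOGIN resource=pos01 outcome=denied",
	"2024-05-01T10:01:05Z user=mallory action=LOGIN resource=pos01 outcome=denied",
	"2024-05-01T10:03:00Z user=root action=CLEAR_AUDIT_LOG resource=auditd outcome=success",
}
// ParseEvent maps one line's key=value fields; "time" holds the timestamp.
func ParseEvent(line string) (map[string]string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return nil, fmt.Errorf("malformed audit line: %q", line)
	}
	ev := map[string]string{"time": f[0]}
	for _, field := range f[1:] {
		k, v, _ := strings.Cut(field, "=")
		ev[k] = v
	}
	return ev, nil
}

// Review: per-user cardholder-data access, plus alerts for log clearing and
// for users reaching threshold denied attempts (a hypothetical tuning value).
func Review(lines []string, threshold int) (map[string]int, []string, error) {
	access, denied, alerts := map[string]int{}, map[string]int{}, []string(nil)
	for _, l := range lines {
		ev, err := ParseEvent(l)
		if err != nil {
			return nil, nil, err
		}
		switch {
		case ev["outcome"] != "success": // a missing outcome counts as a failure
			denied[ev["user"]]++
			if denied[ev["user"]] == threshold {
				alerts = append(alerts, fmt.Sprintf("%s: %d denied attempts by %s", ev["time"], threshold, ev["user"]))
			}
		case ev["action"] == "CLEAR_AUDIT_LOG":
			alerts = append(alerts, ev["time"]+": audit log cleared by "+ev["user"])
		case ev["resource"] == "cardholder_data":
			access[ev["user"]]++
		}
	}
	return access, alerts, nil
}
```

A malformed line makes the whole review fail rather than being skipped, since a gap in the audit trail is itself a finding that should be investigated.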
Part of the bigger security picture of cyber-risk management
Many organizations treat PCI compliance as simply a checkbox, getting through it by meeting the minimum requirements of this mandatory regulation. However, by practicing good cybersecurity hygiene consistently and staying aware of the potential areas of weakness, your company can keep cyber-risk management a continuing priority while minimizing operational risk. This will allow your organization to stay ahead of the curve as technology evolves and the standard is updated over time.
Assure Security from Syncsort can help you build the layers of security needed to protect your customers' credit card information and achieve PCI compliance. For further details, read the eBook: Best Practices for Maintaining IBM i PCI DSS Compliance.