At Coeo we’ve supported a large number of retail organisations to ensure that their data platform is Payment Card Industry Data Security Standards (PCI DSS) compliant. As this topic is so critical for businesses in this sector and beyond, we’ve put together a brief introduction to PCI DSS.
- What is PCI DSS
- Who does PCI DSS apply to?
- What are PCI DSS Requirements?
- Recommendations for retail organisations
- What are the consequences of PCI DSS non-compliance?
- PCI DSS and Microsoft Azure
- How can Coeo help with PCI DSS?
What is PCI DSS?
The PCI Security Standards Council is a body put in place by the payment card brands to protect customers (and, ultimately, the banks) from fraudulent activity. It is particularly important to those working in the retail industry, because many ecommerce providers take large volumes of card payments; however, its scope is not limited to this sector and affects anyone taking card payments.
The PCI DSS standard has some very explicit compliance requirements and control processes that companies have to put in place. Compliance also has to be audited, either externally or internally, so it’s worth reviewing the PCI DSS documentation. The standard is currently on version 3.2.1, which was released in May 2018.
Who does PCI DSS apply to?
PCI DSS applies to any organisation that stores, processes or transmits sensitive cardholder data, such as the long card number, CVV number or associated cardholder information. Any computer or service that comes into contact with this data is within the scope of the company’s PCI DSS annual audit.
What are PCI DSS requirements?
For full details of requirements, we recommend reading the PCI DSS documentation. However, here is a run-down of some of the major points relevant to data professionals:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Firewalls need to be installed wherever the database containing PCI DSS sensitive data is connected to another network. This includes the front-end network and any other backend networks that have access to the environment.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  - One of the configuration items we’ve helped customers with is SQL Server’s default ‘System Administrator’ (SA) account, which is a well-known weakness that attackers look for. Our consultants change the password on this account to a very long string and then disable it to prevent it being compromised.
- Requirement 3: Protect stored cardholder data
  - Use protection methods such as encryption and masking to prevent attackers from viewing cardholders’ data. We have helped customers set up Transparent Data Encryption (TDE) to ensure all data stored at rest is encrypted.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
  - HTTPS can be used to encrypt information during transmission. This means that anyone “snooping” on traffic to your site cannot see the information that is being passed over the wire.
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  - Finding the balance between security and performance can be an issue with anti-virus software. Coeo has helped customers configure their anti-virus software effectively so that they are protected while SQL Server continues to perform well.
- Requirement 6: Develop and maintain secure systems and applications
  - Computer systems must be within vendor support (i.e. still receiving software patches). Coeo is offering a free initial server assessment for organisations concerned about SQL Server 2008 End of Life.
- Requirement 7: Restrict access to cardholder data by business need-to-know
  - Employees should only be granted access to the data that they need to do their job.
- Requirement 8: Identify and authenticate access to system components
  - We support customers in setting up SQL Server with Active Directory to provide the strongest level of authentication and authorisation, and in configuring the application to use Active Directory rather than less secure SQL logins.
- Requirement 9: Restrict physical access to cardholder data
  - Any physical server disks must also be encrypted to prevent key information from being maliciously accessed in the event of a break-in.
- Requirement 10: Track and monitor all access to network resources and cardholder data
  - Our support team has an extensive monitoring platform and also sets up database and server auditing for customers that have stringent compliance requirements.
- Requirement 11: Regularly test security systems and processes
  - Our Dedicated Support team runs regular tests against the standards that our customers must keep, ensuring compliance with regulations such as PCI DSS.
- Requirement 12: Maintain a policy that addresses information security for all personnel
  - Ensure that all employees know what is expected of them in terms of security, such as locking laptops and not sharing passwords. Make information security part of company policy.
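To show what the SQL Server items in Requirements 2, 3 and 10 above look like in practice, here is an added T-SQL example (illustration only, not Coeo’s own scripts). It assumes a hypothetical in-scope database named CardholderDB; the passwords, file paths and object names are placeholders.

```sql
-- Added example, not Coeo's code. [CardholderDB], the file paths and the
-- passwords are placeholders; supply real values from a password manager.

-- Requirement 2: neutralise the vendor-supplied 'sa' login.
-- Set a long random password first, so the login is unusable even if it is
-- re-enabled by mistake, then disable it and drop the well-known default name.
ALTER LOGIN sa WITH PASSWORD = '<long random string>';
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_disabled];

-- Requirement 3: encrypt data at rest with Transparent Data Encryption (TDE).
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for CardholderDB';
-- Back the certificate up immediately and store it off the server:
-- without it, encrypted backups cannot be restored anywhere else.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong key backup password>');
USE CardholderDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE CardholderDB SET ENCRYPTION ON;

-- Requirement 10: audit every read and write against the cardholder tables.
USE master;
CREATE SERVER AUDIT PciAudit TO FILE (FILEPATH = 'D:\Audit\');
ALTER SERVER AUDIT PciAudit WITH (STATE = ON);
USE CardholderDB;
CREATE DATABASE AUDIT SPECIFICATION PciCardholderAccess
    FOR SERVER AUDIT PciAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);

-- Evidence an auditor can be shown: sa is disabled, the database is
-- encrypted (encryption_state 3) and the audit is running.
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'sa_disabled';
SELECT d.name, k.encryption_state
FROM sys.databases d
JOIN sys.dm_database_encryption_keys k ON k.database_id = d.database_id;
SELECT name, is_state_enabled FROM sys.server_audits;
```

TDE protects the data files and backups at rest only; it does not limit what an authenticated login can read, so the access controls under Requirements 7 and 8 are still needed.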
Recommendations for retail organisations
The most important consideration when dealing with PCI DSS is scope. Limit access to PCI DSS sensitive data to the smallest possible subset of services and servers, as that reduces the amount of auditing the organisation needs to do. The business then needs to keep that boundary well defined, so that it knows exactly where the card data is, how it is processed, and what and who has access to it.
Over the past few years, many organisations have moved responsibility for PCI DSS data on to their payment provider. Those that choose this option still make sure they know where the data is, how it is processed and who has access to it, so that they fully understand what data they hold and how their systems interact with it.
What are the consequences of PCI DSS non-compliance?
Ultimately, organisations that fail their audit may no longer be able to hold a merchant account, and therefore cannot accept card payments. This has a huge effect on sales, as they are effectively unable to trade online.
There are also risks linked to GDPR. Non-compliance with this data protection regulation carries very severe penalties, including a fine of up to 4% of global turnover.
PCI DSS and Microsoft Azure
Microsoft has published security reference architectures specifically for PCI DSS. Its PCI DSS Blueprint provides best-practice reference architectures that are compliant with the standard. These are especially helpful for companies trying to take a solution they have built and migrate it into Azure. They will still need to make sure the reference architectures adhere to their own internal standards, but they are a good place to start.
How can Coeo help with PCI DSS?
Our team of consultants has done a lot of work with internet retailers over the past 10 years. We’ve helped customers design the data platforms that sit behind their systems and ensure that they build them to security best practice in accordance with PCI DSS. Our Dedicated Support team works alongside our customers to make sure they are doing everything they can to protect and restrict access to their data, while keeping their systems operational and performant.