Set of six requirements
The standard is based on a set of six requirements. To one degree or another, they are generally recognized best practices in the information security world. According to PCI DSS, a company must:
- Protect the network infrastructure. All incoming and outgoing traffic is filtered by firewalls. The part of the network responsible for processing client data must be segmented, that is, divided into several independent clusters. This limits the potential damage if hackers do manage to "infiltrate" the network.
In addition, each virtual machine must perform only one function. This way, compromising a single server does not give attackers control over several stages of the data processing chain.
Passwords used to access infrastructure components must differ from the factory defaults and must not appear in lists of the most common passwords. Otherwise, there is a risk of a break-in by simple dictionary enumeration. For example, one of the reasons for the 2017 leak at the Equifax credit bureau was a weak password: the organization used "admin" as both the username and the password to access the database.
- Use encryption. Data must be encrypted with strong cryptography (keys of at least 128 bits). The latest PCI DSS document, dated January 1, 2019, obliges companies to use TLS 1.2. This measure was introduced because of a vulnerability in the protocol's predecessor, SSL 3.0, which allows an attacker to extract private information from the encrypted communication channel.
At the same time, the PCI DSS document contains a list of cryptographic solution providers whose products are recommended for successful certification. It includes 886 payment software vendors and over 200 developers of various encryption systems.
- Install anti-virus software. The process of updating vulnerable software must itself be regulated so that all potential vulnerabilities are closed proactively.
- Configure data access policies. One of the requirements is multi-factor authentication for connections to critical infrastructure components and to personal data. At the same time, access to the places where client data is physically stored must be restricted. These policies are revised every time the company's staff changes.
- Organize infrastructure monitoring. All operations performed on data must be logged so that break-ins can be detected quickly. The security systems themselves should be tested regularly to identify weaknesses in the IT infrastructure quickly.
- Formulate a corporate information security policy. It must set out the general principles for securing the IT infrastructure, the procedure for granting access to user data and the steps to be taken in the event of a threat to that data. The documents must be updated every year in line with changes made to the IT structure.
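One way to turn the encryption requirement above into a repeatable check, as an added example that is not from the article or from IT-GRAD: it builds a client TLS context that refuses anything below TLS 1.2 and any cipher suite weaker than 128 bits, audits such a context, and judges observed handshakes the way a monitoring job would. MIN_KEY_BITS, ALLOWED_VERSIONS and the helper names are assumptions of this example, not PCI DSS terminology.

```python
"""Added example, not from the article: a self-check for the TLS points it lists
(TLS 1.2 minimum, symmetric keys of at least 128 bits). Uses CPython's standard
ssl module; MIN_KEY_BITS, ALLOWED_VERSIONS and helper names are assumptions."""
import ssl

MIN_KEY_BITS = 128                         # "keys of at least 128 bits"
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}  # spelled as SSLSocket.version() reports


def audit(min_version, ciphers):
    """Pure policy check over a context's settings; returns a list of violations.
    `ciphers` has the shape of SSLContext.get_ciphers(), so constructed data
    can be audited without opening a socket."""
    problems = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol version {min_version!r} is below TLS 1.2")
    for c in ciphers:
        if c["strength_bits"] < MIN_KEY_BITS:
            problems.append(f"cipher {c['name']} offers only {c['strength_bits']} bits")
    return problems


def audit_context(ctx):
    """Audit a real SSLContext by extracting what the pure check needs."""
    return audit(ctx.minimum_version, ctx.get_ciphers())


def build_pci_context():
    """Client context that refuses SSL 3.0, TLS 1.0/1.1 and sub-128-bit suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL keeps TLS 1.3 suites in a separate list (all of them use 128-bit
    # keys or stronger), so only the TLS <= 1.2 cipher string is rebuilt here.
    strong = [c["name"] for c in ctx.get_ciphers()
              if c["protocol"] != "TLSv1.3" and c["strength_bits"] >= MIN_KEY_BITS]
    ctx.set_ciphers(":".join(strong))
    return ctx


def session_is_compliant(version, key_bits):
    """Judge one observed handshake (SSLSocket.version(), cipher()[2]) as a monitor would."""
    return version in ALLOWED_VERSIONS and key_bits >= MIN_KEY_BITS


if __name__ == "__main__":
    print("hardened context violations:", audit_context(build_pci_context()))
    for v, bits in [("TLSv1.2", 256), ("SSLv3", 128), ("TLSv1.2", 112)]:  # constructed
        print(v, bits, "OK" if session_is_compliant(v, bits) else "VIOLATION")
```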
Companies processing fewer than 20 thousand payments per year can conduct the audit on their own. All other organizations are obliged to engage certified auditors.
The audit starts with a theoretical part. Here the relevance of internal security policies and the competence of personnel are checked. The company provides the instructions, regulations and other regulatory and administrative documents on information security that it has developed.
The reliability of the IT infrastructure is then assessed. For this, the auditors conduct a penetration test, a simulated attack on the company's network. It verifies that the solutions protecting cardholder data are working and identifies potential security holes.
If everything goes well, all that remains is to agree the technical characteristics of the infrastructure with the auditors. The experts evaluate software, hardware parameters, network topology, operating system configuration and so on. Note that if minor violations of PCI DSS requirements are detected during the audit, they can be corrected on the spot.
How to simplify certification
PCI DSS certification takes a lot of time and effort. This process took us over a year. The IT-GRAD team of specialists had to rebuild a large segment of our hosting infrastructure. We created an isolated network based on ESX, vSphere and vCenter, which is accessed via VPN with two-factor authentication. In this network we deployed monitoring, logging and data integrity control systems, as well as anti-virus software.
To pass an audit, sometimes the IT infrastructure has to be completely rethought, and the larger the company, the longer this process takes. It turns out that the businesses that need a PCI DSS infrastructure more than others, banks and large retailers, find it hardest to manage these standards on their own.
IaaS providers can simplify the certification process. For example, at IT-GRAD we provide the PCI DSS Hosting service. It enables companies to shift some of the responsibility for meeting the requirements of the standard onto the cloud provider. For example, IT-GRAD specialists are responsible for network protection and control of physical access to equipment. Our data centers in Moscow and St. Petersburg meet the highest security requirements. Additionally, we help set up the server environment and organize the monitoring necessary for certification.
Thus, by using the PCI DSS hosting service, the client saves money and shortens the time to certification. This approach makes it possible to focus on developing the core business.