A set of six requirements
The basis of the standard is a set of six requirements. To varying degrees, they are generally recognized best practices in the world of information security. According to PCI DSS, a company must:
- Protect your network infrastructure. All incoming and outgoing traffic is filtered by firewalls. The part of the network that processes client data should be segmented - that is, divided into several mutually isolated segments. This limits the potential damage if hackers do manage to "penetrate" the network.
Each virtual machine in this segment is also required to perform only one primary function, so that compromising a single server does not give attackers control over several stages of data processing at once.
Passwords used to access infrastructure components must differ from the factory (vendor default) passwords and must not appear on lists of the most common passwords; otherwise they can be broken by a simple dictionary attack. For example, one of the causes of the Equifax credit bureau breach in 2017 was precisely a weak password: the organization used an "admin" username and password to access a database.
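The password rule above is easy to check mechanically before a credential is provisioned. The following is an added example (not code from the original article or from IT-GRAD) that rejects vendor-default pairs, common passwords, and passwords equal to the username, and also applies the minimum-length and letters-plus-digits rule from PCI DSS v3.2.1 requirement 8.2.3. The credential and common-password lists are small constructed samples; a real deployment would load a full vendor-default list and a breached-password corpus.

```python
import re

# Constructed sample data for the example; replace with real vendor-default
# and breached-password lists in production.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("admin", "password"),
    ("sa", ""),
}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "admin123", "welcome"}

# PCI DSS v3.2.1 requirement 8.2.3: at least seven characters, both letters and digits.
MIN_LENGTH = 7


def _normalize(value: str) -> str:
    """Compare case-insensitively and ignore surrounding whitespace so that
    'Admin ' still matches a vendor default of 'admin'."""
    return value.strip().lower()


def check_credential(username: str, password: str,
                     common=COMMON_PASSWORDS, defaults=DEFAULT_CREDENTIALS):
    """Return a list of policy violations; an empty list means the pair is acceptable."""
    problems = []
    u, p = _normalize(username), _normalize(password)
    normalized_defaults = {(_normalize(a), _normalize(b)) for a, b in defaults}
    normalized_common = {_normalize(c) for c in common}

    if (u, p) in normalized_defaults:
        problems.append("vendor default credential")
    if p in normalized_common:
        problems.append("password is on the common-password list")
    if p == u:
        problems.append("password equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    return problems


def is_acceptable(username: str, password: str) -> bool:
    """Convenience wrapper for provisioning scripts: True only when no rule is violated."""
    return not check_credential(username, password)


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("ops", "password"), ("svc_db", "Tr4ckRoute-2019x")]:
        print(user, pw, "->", check_credential(user, pw) or "OK")
```

Returning the list of violations rather than a bare boolean lets the provisioning tool tell the administrator which rule failed, which is what an auditor will ask to see in the password-policy evidence.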
- Use encryption. Strong cryptography (with keys at least 128 bits long) must be used to encrypt data. The latest version of the PCI DSS document, dated January 1, 2019, requires companies to use TLS 1.2. This measure was introduced because of a vulnerability in the protocol's predecessor, SSL 3.0, which lets an attacker extract sensitive information from an encrypted communication channel.
The PCI DSS document contains a list of cryptographic solution providers whose products are recommended for successful certification. It includes 886 payment software vendors and more than 200 developers of various encryption systems.
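To show what "use TLS 1.2" looks like in practice, here is an added example written for this page (it is not code from the original article or from IT-GRAD). It builds client and server SSL contexts with Python's standard ssl module that refuse SSL 3.0 and early TLS, and it scans a few constructed connection-log lines for sessions that negotiated a protocol below the required floor, which is the check a defender would run before an audit. The log format and the certfile/keyfile names are assumptions for the example.

```python
import ssl

# The article states PCI DSS requires TLS 1.2; everything below it is non-compliant.
MINIMUM_COMPLIANT = ssl.TLSVersion.TLSv1_2


def make_client_context(cafile=None):
    """Client side: certificate and hostname verification stay on; TLS 1.2 is the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_server_context(certfile=None, keyfile=None):
    """Server side: refuse any handshake below TLS 1.2.
    certfile/keyfile are placeholder paths; loading is skipped when none are given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_is_compliant(ctx):
    """True when the context cannot negotiate anything older than TLS 1.2."""
    return ctx.minimum_version >= MINIMUM_COMPLIANT


# Protocol names as returned by SSLSocket.version() and as they appear in many server logs.
_NAME_TO_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def protocol_is_compliant(name):
    """Unknown names (including SSLv2) are treated as non-compliant."""
    version = _NAME_TO_VERSION.get(name)
    return version is not None and version >= MINIMUM_COMPLIANT


# Constructed sample log in a key=value format assumed for this example.
SAMPLE_LOG = """\
2019-01-05T10:01:12Z client=198.51.100.7 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2019-01-05T10:01:15Z client=198.51.100.9 proto=TLSv1 cipher=AES256-SHA
2019-01-05T10:02:03Z client=203.0.113.4 proto=SSLv3 cipher=RC4-SHA
2019-01-05T10:02:40Z client=198.51.100.7 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
"""


def noncompliant_connections(log_text):
    """Return (client, proto) pairs that negotiated a protocol below TLS 1.2."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if not protocol_is_compliant(fields.get("proto", "")):
            findings.append((fields["client"], fields["proto"]))
    return findings


if __name__ == "__main__":
    print("client context compliant:", context_is_compliant(make_client_context()))
    for client, proto in noncompliant_connections(SAMPLE_LOG):
        print(f"non-compliant session from {client}: {proto}")
```

Setting minimum_version on the context is preferable to toggling the deprecated OP_NO_* flags one by one: a single floor is easier to audit, and the same check (context_is_compliant) can be applied to every context the application creates.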
- Install anti-virus software. The process of updating vulnerable software must itself be formalized, so that potential vulnerabilities are closed before they can be exploited.
- Configure data access policies. One requirement is multifactor authentication for connections to critical infrastructure components and to personal data. At the same time, access to the physical storage locations of client data must be restricted. These policies are reviewed and updated whenever staff join, leave, or change roles.
- Organize infrastructure monitoring. All operations performed on the data must be logged so that intrusions can be detected quickly. The security controls themselves should be tested regularly to identify weaknesses in the IT infrastructure early.
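Logging every operation on cardholder data only helps detection if the log itself cannot be quietly edited after a compromise. The following added example (written for this page, not code from the original article or from IT-GRAD) shows a small append-only audit log in which each entry carries an HMAC over its own content and the previous entry's tag, so that editing or deleting an entry breaks verification of everything after it. It also masks any card number before it is written, keeping at most the first six and last four digits, since a full PAN must never land in a log line. The key, event fields and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder. In a real deployment the key lives with the log collector,
# not on the application servers whose actions are being recorded.
LOG_KEY = b"example-log-collector-key-change-me"


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class AuditLog:
    """Append-only event list with an HMAC chain for tamper evidence."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag: str, body: dict) -> str:
        # The tag covers the previous tag and a canonical JSON form of this entry.
        msg = prev_tag.encode() + b"\n" + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, resource: str, pan: str = None, ts: str = None) -> dict:
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "resource": resource,
            "pan": mask_pan(pan) if pan else None,
        }
        prev = self.entries[-1]["tag"] if self.entries else "genesis"
        self.entries.append({"body": body, "tag": self._tag(prev, body)})
        return body

    def verify(self):
        """Return the index of the first entry that fails verification, or None if intact.
        The sequence-number check catches deleted entries; the HMAC check catches edits."""
        prev = "genesis"
        for i, entry in enumerate(self.entries):
            expected = self._tag(prev, entry["body"])
            if entry["body"].get("seq") != i or not hmac.compare_digest(entry["tag"], expected):
                return i
            prev = entry["tag"]
        return None


def build_sample_log() -> AuditLog:
    """Constructed events: a lookup, an export and a deletion of cardholder records."""
    log = AuditLog(LOG_KEY)
    log.record("alice", "read", "cardholder/1001", pan="4111 1111 1111 1111", ts="2019-01-05T10:00:00Z")
    log.record("bob", "export", "cardholder/batch-7", ts="2019-01-05T10:05:00Z")
    log.record("alice", "delete", "cardholder/1001", ts="2019-01-05T10:09:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log verifies:", log.verify() is None)
    log.entries[1]["body"]["user"] = "nobody"  # simulate an attacker rewriting an entry
    print("first bad entry after edit:", log.verify())
```

Because verification needs the key, an attacker who gains control of an application server cannot re-sign the chain after editing it; the log collector (or the auditor) runs verify() and gets the index of the first entry that no longer matches.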
- Formulate a corporate information security (IS) policy. It must spell out the general principles of IT infrastructure security, the procedure for granting access to users' personal data, and the steps to be taken if that data is threatened. The documents should be reviewed and updated every year to reflect changes made to the IT infrastructure.
The audit process
Companies that process fewer than 20,000 payments per year can audit themselves. Other organizations must engage certified auditors.
The audit starts with a documentary part. This stage checks that internal security policies are current and that staff are competent to follow them. The company submits the instructions, regulations and other policy and administrative documents on information security that it has developed.
Next, the resilience of the IT infrastructure is assessed. For this, auditors conduct a penetration test - a simulated attack on the company's networks. This verifies that the controls protecting cardholder data work as intended and identifies potential security holes.
If these stages succeed, what remains is to review the technical characteristics of the infrastructure with the auditors. Specialists evaluate the software, hardware parameters, network topology, operating system configuration, and so on. Note that minor breaches of PCI DSS requirements detected during the audit can be fixed "on the spot".
How to simplify certification
PCI DSS certification takes a lot of effort and time. For us, this process took over a year. The IT-GRAD team had to rebuild a large segment of our hosting infrastructure. We created an isolated network based on ESX, vSphere and vCenter that is accessed via VPN with two-factor authentication. On this network we deployed monitoring, logging and data integrity controls, as well as anti-virus software.
To pass an audit, sometimes you have to completely rethink your IT infrastructure. And the larger the company, the longer the process is. It turns out that businesses that need PCI DSS infrastructure the most - banks and large retailers - have the hardest time organizing compliance on their own.
IaaS providers can simplify the certification process. For example, we at IT-GRAD provide PCI DSS hosting services. This lets companies shift part of the responsibility for meeting the standard's requirements to the cloud provider. For example, IT-GRAD specialists are responsible for network protection and for physical access control to the equipment. Our data centers in Moscow and St. Petersburg meet the highest security requirements. In addition, we help set up the server environment and organize the monitoring required for certification.
Thus, by using a PCI DSS hosting service, the client saves money and shortens the time needed for certification, and can focus on developing the core business.