Having trouble complying with the PCI DSS? Here are some tips

Keeping cardholder data secure can be incredibly difficult, but have you tried… not storing so much information?

You’d be surprised at how effective that apparently flippant advice is. Organisations often store more information than they need, making security trickier than it should be. Take primary account numbers (PANs). This information is needed far less often than cardholders’ names and card numbers, but organisations habitually collect all three as a matter of course, going to extra measures to protect something they don’t even need.

Removing PANs means you dramatically reduce the scope of your cardholder data environment (CDE) and reduce the amount of work you need to do to comply with the Payment Card Industry Data Security Standard (PCI DSS). Sometimes, less really is more.

There are many other ways you can reduce the scope of your CDE and make PCI DSS compliance simpler. Here are a few of the most effective:

Segmentation

Network segmentation is the process of separating a network into smaller sub-sections, limiting the ways in which they can communicate with each other. To be considered out of scope for the PCI DSS, a system must be isolated in such a way that the CDE will be unaffected by a breach.

Segmentation can be achieved via:

  • Firewalls to segment internal zones;
  • Switches, which are often used behind a firewall to segment network zones;
  • Air gapping, in which organisations use separate network connections for different segments; and
  • Analogue phone lines to completely remove the threat of network breaches.

Restricting access

An organisation’s biggest weakness is often its own staff, so it’s important to implement access controls to ensure information is only accessed on a need-to-know basis. This means fewer people can obtain sensitive information, mitigating the risk of it being misused.

Part of this process will involve making sure that systems only store information that’s relevant for particular tasks. For example, you should assess your databases and the way they collect inbound and outbound traffic. Databases that collect all the information they require through an outbound channel shouldn’t be connected to an inbound channel.

Other methods

  • E-commerce merchants will benefit from using third-party payment providers. This puts a whole section of the Standard out of scope.
  • Organisations should consider storing tokenisation, in which PANs are replaced by tokens (i.e. a series of random digits). They can still be used to identify the customer on the organisation’s network, but have no value for malicious use.
  • If your organisation uses PIN entry devices, you should ensure that they implement point-to-point encryption. This converts payment card data into a code, preventing criminal hackers from intercepting information in transit.

Want to know more?

For practical advice on the Standard and how you can minimise your compliance requirements, join us for our free webinar: PCI DSS: Reducing the cardholder data environment. You’ll learn:

  • Which system components, people and processes need to be included in the scope;
  • How to create an accurate data flow diagram to map the movement of cardholder data;
  • What to include when mapping the IT infrastructure and external connections; and
  • Effective methods for reducing the scope of your CDE.

This webinar takes place on Friday, 1 June 2018 at 3:00 pm (BST). If you can’t make it, the presentation will be available to download from our website, where you can also browse our other PCI DSS webinars.