In 2019, the PCI Security Standards Council released a draft of version 4.0 of the PCI Data Security Standards (PCI DSS) and called for community stakeholders to submit suggestions and concerns. The council is currently reviewing suggestions and is expected to release the formal version of v4.0 by the end of 2020.
What best practices for PCI DSS compliance should you follow in preparation for v4.0? The good news is, your cybersecurity won’t require a major overhaul. The 12 core requirements of the PCI DSS will remain the same.
Here are 12 best practices you can follow to maintain your current compliance and prepare for PCI DSS v4.0.
Use a Firewall
It doesn’t take a security expert to know that firewalls are an important part of protecting your data. A firewall is your first line of defense against malicious parties looking to reach your cardholder data environment (CDE) from the outside. That’s why this PCI DSS best practice is required for compliance (Requirement 1).
Make sure your firewall is actively maintained: the rule set should permit only the traffic the CDE actually needs, inbound and outbound, every rule should have a documented business justification, and the rule set should be reviewed on a regular schedule (the current standard calls for at least every six months) so that stale rules don’t leave an unintended opening.
Install Anti-Virus Software
This may sound like another no-brainer, but under PCI DSS, anti-virus or anti-malware software is required on all systems commonly affected by malicious software, which in practice includes any workstation, server or device that handles or stores PAN (Requirement 5). To protect your data, ensure that the anti-virus engine and its signatures are kept current, that it cannot be disabled by ordinary users, and that your POS provider employs anti-malware measures on its own devices as well.
Protect Your Passwords
Having strong passwords is just the first step in securing your organization’s sensitive data. What many organizations overlook are the passwords on third-party products like routers, modems, wireless access points and POS systems. These products often ship with vendor-default passwords that are published in manuals and online, leaving them open to anyone who looks them up (Requirement 2).
Always change the default password on any vendor-supplied device or software before it goes into production, and keep an inventory of those devices so you know which credentials exist and can rotate them as needed. The inventory should record where each credential is managed, not the passwords themselves.
Encrypt Your Data
When a payment is made, the cardholder data travels between several parties, such as the retail location, your back office and the payment processor, often over networks you don’t control. In order to be PCI DSS compliant, cardholder data must be protected with strong cryptography whenever it is transmitted across open, public networks (Requirement 4).
Use a point-to-point encryption (P2PE) solution so that card data is encrypted in the payment terminal itself and sensitive cardholder information never traverses your systems in clear text.
Secure Cardholder Information
The PCI DSS requires that stored cardholder data, above all the primary account number (PAN), be rendered unreadable wherever it is kept, using strong encryption, truncation, one-way hashing or tokenization (Requirement 3). Tokenization is one way to ensure that your organization does not store raw card numbers in its systems at all. With tokenization, card numbers are replaced by “tokens,” random values that carry no cardholder data and are meaningless to anyone who does not control the token vault.
Along with employing tokenization, it’s important to regularly scan your environment for unprotected PAN, including log files, databases, file shares and mailboxes where card numbers can end up by accident, to ensure no data is left unencrypted.
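The two ideas above, discovering stray PAN and replacing it with tokens, are easiest to see side by side. The following is an added example, not code from the original article or from Bluefin: a small Python PAN-discovery scanner that finds 13- to 19-digit sequences, confirms each with the Luhn check digit so that order numbers and timestamps are not flagged, and a hypothetical in-memory token vault that swaps confirmed PANs for random tokens. The log lines, the test card numbers and the `TokenVault` class are all constructed for the example; a real vault would live with the tokenization provider, outside the merchant’s systems.

```python
import re
import secrets
import string
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in the text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


class TokenVault:
    """Hypothetical in-memory vault mapping random tokens to the PAN they replace.

    Tokens are letters plus the last four digits (for receipts), so they can never
    be mistaken for a PAN by the scanner above. Real vaults live in the
    tokenization provider's segmented environment, not on merchant systems.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:          # same PAN always yields the same token
            return self._by_pan[pan]
        body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def tokenize_text(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in the text with a vault token."""
    def _swap(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return vault.tokenize(digits)
        return m.group()                 # digit run that is not a card number
    return PAN_PATTERN.sub(_swap, text)


# Constructed sample log lines: two well-known test card numbers and one
# 13-digit reference number that fails the Luhn check.
SAMPLE_LOG = """\
2024-03-01 order=1001 card=4111 1111 1111 1111 amount=19.99
2024-03-01 order=1002 card=5500-0000-0000-0004 amount=5.00
2024-03-01 order=1003 ref=1234567890123 amount=7.50
"""

if __name__ == "__main__":
    print("PANs found before tokenization:", find_pans(SAMPLE_LOG))
    vault = TokenVault()
    cleaned = tokenize_text(SAMPLE_LOG, vault)
    print(cleaned)
    print("PANs found after tokenization:", find_pans(cleaned))
```

Running the scanner over the cleaned output should return an empty list; that re-scan is the check a practitioner wants after any tokenization or log-scrubbing job. In a real deployment, point `find_pans` at database dumps, application logs and file shares rather than at a string literal.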
Keep Software Up to Date
Software updates aren’t just there to give you the newest gadgets and features — they usually include crucial security patches that resolve newly discovered vulnerabilities.
Make sure to update all your software regularly on devices that interact with payment information. Updates are doubly important for your antivirus and firewall programs.
Restrict Access to Need-to-Know Parties
Unless it’s needed to perform a task, cardholder data doesn’t need to be shared. The PCI DSS mandates that access to cardholder information remain restricted to parties who need to know it. These roles must be well documented and updated frequently to comply with PCI DSS requirements.
Unique Access IDs
On that note, anyone who is authorized to access sensitive information must have their own individual credentials under PCI DSS (Requirement 8); shared or group accounts are not permitted. That’s because a single login used by multiple people makes it impossible to trace an action back to one person in the event data is breached, which slows your investigation and response.
Restrict and Log Physical Access
Just like digital data, cardholder data in physical form must be guarded and monitored closely (Requirement 9). Any card data that is written down or printed, such as receipts, order forms or backup media, must be kept in a secured room, drawer or cabinet with access limited to authorized staff. To maintain PCI DSS compliance, keep a log of the dates, times and parties who access this physical storage, and destroy the media when it is no longer needed.
Maintain Access Records
Keeping your data safe isn’t just about encryption and cybersecurity; it’s also about good, old-fashioned recordkeeping. PCI DSS compliance mandates that you document how cardholder data flows through your organization, which systems and people touch it, and when access is required. A current data-flow diagram is also what defines the scope of your cardholder data environment, so keep it up to date as systems change.
Document Your Policies
Along with keeping a record of access, you’ll also need to maintain an inventory of your in-scope equipment and software and of the employees who access them, backed by written security policies that staff acknowledge (Requirement 12). Not only will this ensure that you remain PCI DSS compliant, but it will also help you retrace steps and find the source if your system is compromised.
Regularly Test for Vulnerabilities
Software and technology are constantly changing, and so are attackers’ techniques. That’s why the PCI DSS requires that you regularly scan and test your systems for weaknesses, outdated software and holes in your security strategy (Requirement 11). In practice this means quarterly vulnerability scans, external scans performed by an Approved Scanning Vendor (ASV), rescans after any significant change, and at least annual penetration testing.
Protect your POS and Online Data with Bluefin
Using a PCI-validated security solution is the first step in becoming PCI DSS compliant. Bluefin specializes in PCI-validated Point-to-Point Encryption (P2PE) products that protect cardholder data at the point of sale. And our ShieldConex data security platform ensures that your online payment data is protected with a unique combination of our iFrame and tokenization technologies.