How to Maintain PCI-DSS Compliance for E-commerce Applications

By, Gui Alvarenga, Product Marketing Manager

While retailers and online stores continue to be targets for hackers due to the large financial gains, it is surprising that many are struggling to meet the demands of payment card security. In fact, according to the 2020 Verizon Payment Security Report, only 27.9% of organizations are currently able to maintain full compliance with the Payment Card Industry Data Security Standard (PCI DSS).

And as the number of card and contactless payments continue to rise, as consumer preferences steadily change in favor of plastic, mobile wallets and online shopping, these rates will continue to stagger. These new dynamic computing environments demand a switch in focus from conventional cybersecurity methods towards individual workload protection, API security and configuration management.

This post discusses the compliance requirements of the PCI-DSS and how to apply them agains modern hybrid-cloud and multi-cloud environments.

PCI-DSS Compliance Requirements

The PCI-DSS specifies twelve technical and operational requirements as follows.

1. Install and Maintain a Firewall Configuration to Protect Cardholder Data

A firewall is your first line of defense, preventing potentially malicious traffic from entering your network based on a set of pre-configured rules.

However, traditional perimeter-based firewalls are no longer enough to protect your cloud assets, as there’s no clear boundary between your users and internal network.

To overcome this issue, you’ll need a cloud firewall. This works much like a conventional firewall, but has been specifically adapted to the distributed nature of the cloud, where applications are broken up into discrete components dispersed across your network environment.

2. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Vendors of routers, POS systems and related components supply their equipment with default usernames, passwords and configurations to make installation and setup as quick and easy as possible.

As these factory settings are readily available to fraudsters, they become easy targets to gain access to internal networks and steal cardholder data. Using unique login credentials and configurations is basic 101 to help keep the hackers out.

In the same regard, beware of using other default configurations, such as access permissions. CloudSecOps teams need to make sure that their applications and cloud workloads are not overly permissive and only give the necessary level of access to sensitive resources to reduce the attack surface.

3. Protect Stored Cardholder Data

The best way to protect cardholder information is simply to avoid storing it entirely, or at the very least, encrypt it.

To comply with PCI-DSS, any such encryption must use the industry-standard AES-256 algorithm. But remember your data is only as secure as the keys you use to encrypt it. So safeguard your encryption keys using an effective key management system.

It’s also important to have a clear picture of what cardholder data you’re storing in the first place—typically through the use of data discovery tools and an inventory of your data assets.

4. Encrypt Transmission of Cardholder Data across Open, Public Networks

Correctly configure each of your cloud and on-premises environments to encrypt cardholder data using transport layer security (TLS), where it moves across the Internet between the different parts of your payment card ecosystem. Also consider investing in a comprehensive cloud network security solution for public and hybrid clouds, and make sure every wireless network uses a strong password and the latest available Wi-Fi security protocol.

5. Use and Regularly Update Antivirus Software or Programs

Your antivirus (AV) software should be capable of protecting all environments that host your payment card system—across your hybrid-cloud or multi-cloud infrastructure.

However, with more sophisticated types of threats targeting cloud-based deployments, you now need a wider range of security approaches to protect cardholder details, such as cloud security posture management (CSPM) and cloud workload protection.

6. Develop and Maintain Secure Systems and Applications

You need to ensure security is built into your application development and lifecycle processes. This includes support for secure coding practices through training, guidelines and checklists, as well as regular reviews of any in-house or custom application code.

7. Restrict Access to Cardholder Data by Business Need to Know

You should limit the number of people who can access cardholder details to a bare minimum by only allowing those with a legitimate business need to do so. The most practical way of doing this is to implement a role-based access control (RBAC) system, which should grant access to sensitive resources, such as cardholder data, based on the principle of least privilege.

8. Assign a Unique ID to Each Person with Computer Access

Each authorized user of your systems should have a unique ID and password. This ensures you always know the identity of anyone who accesses cardholder data at any time. Also PCI-DSS now only permits those users with administrative privileges remote access using two-factor authentication (2FA).

9. Restrict Physical Access to Cardholder Data

When you host applications in the public cloud, you offload the responsibility for the physical security of your servers to your cloud service provider. However, you still have a responsibility to ensure the physical security of your endpoint devices. Take steps to help prevent unauthorized access to payment devices and workstations through measures such as video surveillance, security policies and procedures, staff training, time-based lockout controls and making sure screens are away from view of the general public.

10. Track and Monitor All Access to Network Resources and Cardholder Data

Logging and monitoring access to your payment card system will help you spot the early signs of suspicious activity and will also provide you with alerts and insights when things go wrong.

The needs in this area have evolved from mere visibility to observability, to not only maintain visibility over all your card processing components, but also quickly identify and remediate any issues. To accomplish this, you may need to look for new-generation monitoring tools that provide centralized visibility across your hybrid-cloud and multi-cloud infrastructure.

11. Regularly Test Security Systems and Processes

To complement other security measures, such as AV scanning and patch management, you should regularly check that your payment card system is robust enough to withstand potential threats. To do this, automated vulnerability scanning tools, as well as routine penetration testing are required. Other testing procedures should include regular checks on card readers for skimming software and processes to identify unauthorized wireless access points.

12. Maintain a Policy That Addresses Information Security for Employees and Contractors

A well-documented and well-communicated information security policy will help raise staff awareness of the risks to cardholder data and their responsibilities to protect it. Relevant policies and procedures should also be incorporated into employee manuals, third-party vendor agreements, risk assessments and incident response plans.

PCI-DSS compliance is a baseline requirement for handling cardholder data, it doesn’t necessarily guarantee full protection. Digital transformation and cloud migration have shifted the security goalposts, and companies need to look beyond traditional methods of security.

This calls for new solutions that are adapted to the complex and dynamic nature of hybrid-cloud and multi-cloud deployments. For example, workload protection (CWPP) to protect individual applications, containers, even serverless functions to ensure they are properly protected and secured during runtime. This step should be complimented a cloud security posture management (CSPM) solution to not only identify security and compliance gaps during development, but also continuously monitor and benchmark configurations against best practices and compliance requirements. And you should also protect cardholder against today’s new and increasingly sophisticated threats with a solution that provides cloud network security capabilities for all of your network traffic.

Look for tools that provide continual protection rather than simply to achieve once-per-year compliance—with unified visibility across all components of your payment card system from a single pane of glass.