What is a PCI DSS Compliance Checklist?
A PCI DSS Compliance Checklist is a document used to evaluate whether payment card systems are secure. The assessment covers online payments, physical payment card terminals, and the handling of the card details customers provide.
The PCI DSS assessment checklist contents are made by an international forum called the PCI Security Standards Council. The council members are Visa, Mastercard, American Express, JCB International, and Discover Financial Services. Together, they create and develop standards and educational resources to ensure safe payments worldwide.
Compliance with the PCI standards is a must for any business that receives card payments. Although the compliance process is continuous, it brings many benefits, such as gaining customer trust, an improved store reputation, and the prevention of data breaches.
Required Security Controls and Processes in the PCI DSS Compliance Checklist
The PCI DSS Compliance Checklist requires that security controls and processes be put in place. These controls and procedures aim to protect the cardholder data and authentication data entered into a store’s payment system.
Below are six goals that need to be reached when putting up security controls and processes. The information below is referenced from the PCI Security Standards Council.
Build and Maintain a Secure System and Network
Putting up a secure system and network prevents criminals from remotely accessing cardholder and authentication data. Two steps can be taken to achieve this.
The first step is installing and maintaining a solid firewall configuration. A firewall is a network security device that controls the flow of traffic between networks.
The second step is to change all default or vendor-supplied passwords in the system. Examples of default passwords are “1234”, “4321”, “guest”, “pass” and “admin”. Vendor-supplied passwords are widely known and can easily be used by attackers to infiltrate a payment system.
Protect Cardholder Data
Cardholder data is any information that can be found on or inside a payment card. According to the PCI DSS assessment checklist, businesses are expected to protect cardholder data.
According to the guidelines, some information (such as the PAN, cardholder name, and expiration date) may be stored, but sensitive authentication data (such as full track data and the CVV) must never be stored. The first step is therefore to protect all cardholder data stored in the system: masking the PAN wherever it is displayed, deleting sensitive authentication data immediately after authorization, and making it entirely unrecoverable.
Another crucial step is encrypting all cardholder data whenever it is transmitted over a public network, because attackers can easily intercept data on a public network. Strong cryptography and security protocols are required for this encryption.
Maintain a Vulnerability Management Program
A Vulnerability Management Program is a process of finding vulnerabilities, weaknesses, and exploits in a payment card system.
To accomplish this, the PCI DSS compliance audit checklist requires malware protection and regular updating of the anti-virus software in the system. This helps eliminate any software threats that may have entered the system.
Next is to develop and maintain secure systems and applications. Vendor-supplied patches must be applied continuously; this is crucial because they contain fixes for system vulnerabilities.
Implement Strong Access Control Measures
Strong access control on a payment card system dramatically reduces the number of users who can access cardholder data. The Council requires that access be granted on a business need-to-know basis.
Access restriction is a necessary measure. This means limiting access to data according to the job responsibilities and privileges of each system user.
Another required measure is to identify and authenticate each user’s access to system components. This way, any access and any changes made can be traced back to a user.
Regularly Monitor and Test Networks
Criminals can use network systems and devices to gain access to payment card information. To protect the system from these attacks, regular monitoring and testing of networks is needed.
To do so, the Council requires logging mechanisms in the network environment. These make it possible to track cases of compromised cardholder data.
Criminals are continuously looking for vulnerabilities in the system, so businesses must test system components, processes, and software regularly. This is critical especially after a system change, such as newly installed software or changes to the system configuration.
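The guidance above requires that stored cardholder data be masked and that logs be kept and reviewed. An added example (not from the article or the PCI Security Standards Council) that serves both points: it scans constructed sample log lines for primary account numbers that leaked into application logs, confirms candidates with the Luhn check, and truncates them to the first six and last four digits, which is the PCI DSS display rule.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits. Luhn validation filters out false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs found in a text line, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its truncated form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, line)

def lines_with_pans(lines: List[str]) -> List[int]:
    """Indexes of log lines that contain a PAN and therefore need remediation."""
    return [i for i, line in enumerate(lines) if find_pans(line)]

# Constructed sample log; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_LOG = [
    "2024-05-01 10:02:11 INFO order=4471 amount=19.99 status=approved",
    "2024-05-01 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01 10:02:13 DEBUG ref=1234567890123 not-a-card",
]

if __name__ == "__main__":
    for i in lines_with_pans(SAMPLE_LOG):
        print(f"line {i}: {redact_line(SAMPLE_LOG[i])}")
```

Running the scan over real log files is a cheap check that the logging mechanisms the Council requires are not themselves storing cardholder data.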
Maintain an Information Security Policy
Promoting employee awareness of the sensitivity of cardholder data and of their responsibility for it is an effective way to improve security controls. That is why the PCI DSS Compliance Checklist requires a strong information security policy in the company.
General Process of Passing the PCI DSS Compliance Audit Checklist
Aside from the required security controls and measures, there are other requirements, such as consultations and documentation, that must be met to fully comply with the PCI Data Security Standards.
Although the specific requirements may vary depending on the payment card brand, the general steps below can be used as a reference for the process of complying with the PCI Data Security Standards.
- Scope – Accurately determine what system components are in scope or included in the PCI DSS. This includes all the people, processes, and technology that are related to the cardholder data.
- Assess – Evaluate the compliance of all system components that fall within the scope of PCI DSS.
- Report – Complete all the required documentation, such as security policies, control records, training records, self-assessment questionnaires, and compliance reports.
- Attest – Complete the Attestation of Compliance (AOC), a document declaring that the entity has upheld all the best practices recommended by the Council.
- Submit – Submit all supporting documents to the acquirer or requestor.
- Remediate – Fix and address all the requirements that were not met.
Standardize PCI DSS compliance audits with a digital tool
PCI DSS checks are a continuous process that must be repeated regularly. To keep an overview, fall back on data from previous audits, and keep the audits simple, a digital tool is more suitable than paper documents.
Lumiform is an easy-to-use mobile application for audits and inspections. Using the app on your smartphone or tablet, you can perform PCI DSS compliance self-assessments in the field and share the data instantly with other employees. Set Lumiform as your PCI compliance app and take advantage of the following benefits of the digital solution:
- Access free, ready-to-use PCI DSS checklists from the Lumiform template library.
- Convert existing paper forms to digital format or create your own checklist templates in just a few steps with the flexible form builder.
- Use the app on your smartphone or tablet to perform audits and assessments – offline or online.
- Create corrective actions in the app and assign them to responsible parties. Set the due date and determine the priority level.
- View and annotate photos during controls to create a comprehensive and detailed report.
- Automatically generate and send reports to the appropriate personnel.
- Store reports in secure cloud storage to ensure that only authorized personnel can access the data.