Three years ago I wrote about PCI-DSS explaining what it is and what requirements companies have to comply if they want to store, process or transmit cardholder data. However, today, I have more knowledge than three years ago about PCI because I have been working for the banking sector and some companies from then to try to protect their data. Therefore, I would like to share and write an overview about this standard.
Obviously, this standard has increasingly demanding requirements due to the fact that more and more people are using plastic card to buy online. As a result, the Payment Card Industry like the major card brands (Visa, MasterCard, American Express, etc) want to reinforce the requirements because they are losing money with the last attacks to the systems of merchants, processors, acquirers, issuers, and service providers. Consequently, it is mandatory to implement the requirements of PCI-DSS if you want to work with cardholder data. Until when? Maybe when all of us have our money in Google Bank. Nooo please!!
One of the latest change the council has done into the PCI-DSS standard has been last April when they released the 3.1 version which doesn't recommend the SSL libraries because last SSL vulnerabilities like FREAK, PODDLE, Heartbleed or BEAST are painful and dangerous for their pockets. However, policies and procedures like Security Policy, Change Management Procedure, Incident Response Procedure or the Security Development Methodology remain important if we want to protect our data and comply with this standard.
Although documentation is essential and auditors couldn't audit anything without them, in fact, if it isn't written down, it doesn't exist, technical controls should be implemented as well. One of the technical control that more impact to me is how we should encrypt the cardholder data because we must encrypt the Data Encryption Key (DEK) with a Key Encryption Key (KEK), they must be store separately and KEK should be at least as strong as the DEK. The best option to do this is with an HSM appliance but the cheapest option is to store the cardholder data and DEK in a server and KEK and master key in another server. What does all of this mean? We have at least to encrypt the cardholder data with a key, this with another key store in other place, and this last key should be encrypted as well. All of this to protect cardholder data.
In addition to encryption keys, there are a lot of technical controls that we should take into account like two factor authentication for remote access to the PCI infrastructure, penetration test and vulnerability scan, user management, firewall installation, network and services segmentation, file integrity monitoring, IDS/IPS, retention of logs, etc.
Best regards my friend and remember, if you have to adapt your infrastructure to the PCI-DSS standard, you'll have to implement the 12 requirements to protect the most important thing for your customers, the cardholder data.