PCI DSS checklist 2022

The Payment Card Industry Data Security Standard was introduced to promote card data security globally and provide a standard that all businesses that hold cardholder data should strive for. The 2022 PCI DSS has a list of requirements organisations must achieve before getting certified. Organisations must be assessed annually to ensure their ongoing commitment to protecting cardholder data. At OmniCyber Security we can guide you through the entire process, from advising you on your first steps, getting you up to the standard, and then helping you through the assessment. The 2022 PCI DSS checklist we have prepared will help you get an idea of what is required of you to get PCI DSS certified. The PCI DSS has twelve principal requirements across six general actions:

1. Build and maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Build and maintain a secure network and systems

Requirement 1: Install and maintain network security controls Network security controls (NSCs) such as firewalls regulate traffic between networks based on predetermined policies or rules. Usually, firewalls are placed between networks with different levels of security or trust levels, such as a software firewall on a device accessing the internet on a public Wi-Fi network. Cardholder data is sensitive information, so naturally, NSCs must be in place to control access to that data.  PCI DSS checklist for network security controls:

• Processes and mechanisms for installing and maintaining NSCs must be defined and understood.
• NSCs must be correctly configured and maintained.
• Network access to and from the cardholder data environment must be restricted.
• Network connections between trusted and untrusted networks must be controlled.
• Risk to the cardholder data environment from devices that can connect to untrusted networks and the data environment must be mitigated.

Requirement 2: Apply secure configurations to all system components Devices are often not secure in their default settings. Default passwords, applications, and accounts can allow attackers a way into your network. Applying secure configuration means changing default passwords, removing unnecessary software and accounts, and anything else unnecessary that could give an attacker a way in. PCI DSS checklist for secure configurations:

• Processes and mechanisms for applying secure configurations to all system components must be defined and understood.
• System components must be correctly configured and maintained.
• Wireless environments must be configured and managed securely.

Protect account data

Requirement 3: Protect stored account data No cybersecurity controls can ever be 100% fool proof. New hacking methods are constantly being developed, so must be protected in case it is accessed by an attacker. Data can be protected through encryption, for example, so that it is useless to any intruder who gains access to it. PCI DSS checklist for protecting stored account data:

• Processes and mechanisms for protecting stored account data must be defined and understood.
• Storage of account data must be kept to a minimum.
• Sensitive authentication data must not be stored after authorisation.
• Access to full primary account numbers (PAN) and the ability to copy cardholder data must be restricted.
• PAN must be secured whenever they are stored.
• When cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle must be defined and implemented.

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks Following on from Requirement 3, sensitive data is particularly vulnerable when accessed on open or untrusted networks. Encrypting PAN mitigates the risk of any unauthorised access when the public network is being used. PCI DSS checklist for protecting cardholder data on open networks:

• Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
• PAN must be protected with strong cryptography during transmission.

Maintain a vulnerability management program

Requirement 5: Protect all systems and networks from malicious software Malware is software that malicious actors use to damage your network or device, often to compromise or retrieve data stored on it. Malware is often transmitted through emails (e.g. phishing) and other legitimate business activities. Anti-malware solutions can protect your systems from the threat of malware. PCI DSS checklist for protecting systems from malicious software:

• Processes and mechanisms for protecting all systems and networks from malicious software must be defined and understood.
• Malicious software (malware) must be prevented from infiltrating systems or detected and addressed.
• Anti-malware mechanisms and processes must be maintained and monitored.
• Anti-phishing mechanisms must protect users against phishing attacks.

Requirement 6: Develop and maintain secure systems and software Attackers regularly find vulnerabilities in software and use those to gain access to systems, including cardholder data storage. These vulnerabilities are fixed by patches from the software vendor, which are either installed automatically or manually by a system administrator. All components in your systems must have these patches installed to protect them against attackers exploiting known vulnerabilities. PCI DSS checklist for secure systems and software:

• Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.
• Bespoke and custom software must be developed securely.
• Security vulnerabilities must be identified and addressed promptly.
• Public-facing web applications must be protected against attacks.
• Changes to all system components must be managed securely.

Implement strong access control measures

Requirement 7: Restrict access to system components and cardholder data by business need to know Access to sensitive data must be tightly controlled. Ineffective access control rules mean that unnecessary accounts may have access and privileges regarding cardholder data. This makes the data more vulnerable, as it means attackers have more chance of gaining access to a user account that can read cardholder data. Access control must be restricted to users on a need-to-know basis. ‘Access’ rules mean users can access a system, application, or data, while ‘privileges’ mean users can act on that system, application, or data. For example, a user with access to cardholder data can read that data, but can’t edit, copy, or delete any data without privileges. These rules apply to anyone who might access the network like employees, contractors, or consultants. PCI DSS checklist for restricting access to system components:

• Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
• Access to system components and data must be appropriately defined and assigned.
• Access to system components and data must be managed via an access control system.

Requirement 8: Identify users and authenticate access to system components After restricting access to different system components in Requirement 7, users must now be properly identified to make sure the right people are using the right accounts to access information. Identifying users is simply achieved by assigning them an account. Authenticating that user is done with at least one authentication factor. The first is something you know, like a password. The second is something you have, like an authenticator app on a mobile device. The third is something you are, like a fingerprint. PCI DSS checklist for identifying users and authenticating access:

• Processes and mechanisms for identifying users and authenticating access to system components must be defined and understood.
• User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
• Strong authentication for users and administrators must be established and managed.
• Multi-factor authentication (MFA) must be implemented to secure access to the cardholder data environment.
• MFA systems must be configured to prevent misuse.
• Use of application and system accounts and associated authentication factors must be strictly managed.

Requirement 9: Restrict physical access to cardholder data As an extension of Requirements 7 and 8, physical access to sensitive information must be considered and controlled to make it secure. Cyber attacks are not always purely virtual, they can involve physically accessing, copying, or removing data. PCI DSS checklist for restricting physical access:

• Processes and mechanisms for restricting physical access to cardholder data must be defined and understood.
• Physical access controls must manage entry into facilities and systems containing cardholder data.
• Physical access for personnel and visitors must be authorized and managed.
• Media with cardholder data must be securely stored, accessed, distributed, and destroyed.
• Point of interaction (POI) devices must be protected from tampering and unauthorized substitution.

Regularly monitor and test networks

Requirement 10: Log and monitor all access to system components and cardholder data Logging access to sensitive information is vital to detecting potential reaches of information. Logs allow for tracking and alerts to make sure nothing goes wrong, and if something does go wrong, logs can be analysed to work out what happened. PCI DSS checklist for logging and monitoring:

• Processes and mechanisms for logging and monitoring all access to system components and cardholder data must be defined and documented.
• Audit logs must be implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
• Audit logs must be protected from destruction and unauthorized modifications.
• Audit logs must be regularly reviewed to identify anomalies or suspicious activity.
• Audit log history must be retained and available for analysis.
• Time-synchronization mechanisms must support consistent time settings across all systems.
• Failures of critical security control systems must be detected, reported, and responded to promptly.

Requirement 11: Test security of systems and networks regularly Attackers constantly identify new exploitable vulnerabilities in systems and software. By testing frequently, you can identify and rectify any vulnerabilities as they are discovered. OmniCyber Security provides world-class penetration testing services to help you fulfil this requirement. PCI DSS checklist for testing systems and networks:

• Processes and mechanisms for regularly testing the security of systems and networks must be defined and understood.
• Wireless access points must be identified and monitored, and unauthorized wireless access points must be addressed.
• External and internal vulnerabilities must be regularly identified, prioritized, and addressed.
• External and internal penetration testing must be regularly performed, and exploitable vulnerabilities and security weaknesses must be corrected.
• Network intrusions and unexpected file changes must be detected and responded to.
• Unauthorized changes on payment pages must be detected and responded to.

Maintain an information security policy

Requirement 11: Support information security with organisational policies and programs Employees can be the weak point of any organisation’s security. Attackers can target employees through phishing, for example, to obtain passwords and login details to gain access to your network. A robust information security policy should set out your business’s cybersecurity agenda and inform personnel, including temporary staff or contractors, what is expected of them. PCI DSS checklist for testing systems and networks:

• A comprehensive information security policy that governs and provides direction for the protection of your organisation’s information assets must be known and up to date.
• Acceptable use policies for end-user technologies must be defined and implemented.
• Risks to the cardholder data environment must be formally identified, evaluated, and managed.
• PCI DSS compliance must be managed.
• PCI DSS scope must be documented and validated.
• Security awareness education must be an ongoing activity.
• Personnel must be screened to reduce risks from insider threats.
• Risk to information assets associated with third-party service provider (TPSP) relationships must be managed.
• TPSPs must support their customers’ PCI DSS compliance.
• Suspected and confirmed security incidents that could impact the cardholder data environment are responded to immediately.

All these requirements will make your business a secure place for cardholder data. This guide is only an overview, for the exact details and expert guidance on getting PCI DSS certified, contact the OmniCyber team today.