PCI DSS compliance is a very big concern for any organization! Many people wonder whether PCI DSS compliance can be achieved without spending a lot of money or hiring expensive security staff.
In this article I will explain what you should know about PCI DSS and how to comply with it using free tools and best practices. To get started, let’s talk about the PCI DSS compliance requirements.
There are 12 main PCI DSS standards that you need to care about, including but not limited to:
– Requirement 1 : Install security patches as soon as they are available
– Requirement 2 : Protect all systems against malware
– Requirement 3 : Maintain a vulnerability management program
– Requirement 4 : Use and regularly update anti-virus software
– Requirement 5 : Develop and maintain secure systems and applications
There are also 8 sub-categories, which vary depending on the payment card industry (PCI) standard version you are using. For example, if you are working with v1.2 of PCI DSS, sub-categories are called Support Requirements . For PCI DSS v3.2, they are called Attribute Requirements .
For this article I will be using v1.2 since that is what most companies use at the moment.
The entire list of requirements can be found in the official PCI DSS documentation , which I highly recommend you read. In the next few paragraphs I will explain what each standard means and how to comply with it as a software package maintainer.
I will only be explaining the standard that deals with software security, which is PCI DSS Requirement 6 “Keep card holder data (CHD) to a minimum”. CHD, also known as sensitive authentication data, includes credit card numbers and CVV2.
This section of PCI DSS was created by the Payment Card Industry Council (PCI SSC) to minimize the risk associated with storing CHD.
The standard states that you should only store the data you truly need, and delete it as soon as possible. Let’s take an online shop for example; how much data does the shop really need to process transactions? – The answer is not much! That is why you usually process transactions without storing the sensitive data, which is known as tokenization. TrustNet offers PCI DSS Certification services and the you can do the PCI Self Assessment yourself.
With that said, let’s see what PCI DSS Requirement 6 specifically states:
Keep cardholder data storage to a minimum by implementing strong data retention and disposal policies, procedures, and techniques (for example, progressive authorization or truncation)
How can you comply with this standard? If you are using a payment gateway, it is likely that they are storing your sensitive data. However, if you are using a custom shopping cart system, then the responsibility is all yours! I will explain how to achieve PCI DSS compliance as a software developer in 3 simple steps:
– Step 1: Use strong cryptography to protect all your sensitive data
– Step 2 : Make sure you really need to store the data
– Step 3 : Destroy all sensitive data when it is no longer needed
For more information about what type of strong cryptography you should use, see the official PCI DSS documentation.