PCI Compliance Requirements Ten and Eleven
Submitted by andyeliason, Fri, 13 Jun 2008
The PCI DSS is a set of 12 requirements that all merchants who accept, process, transmit, or store credit card data must conform to. The Payment Card Industry Data Security Standard was created and put into place to help these merchants discover where they may have weaknesses in their systems, and it outlines the procedures they must follow in order to fix those weaknesses.

Make no mistake, PCI compliance is not something a merchant can accomplish overnight, nor is it something you can solve with a few clicks of the mouse. The twelve requirements are detailed and complex. They can be very time and resource intensive, but they can also ensure that you offer a safe environment in which your customers may do business. As more and more security breaches reach public notice, more and more customers will demand a suitable level of security before they will do business with you. As such, PCI compliance is going to become more and more important to your daily business success.

So, if PCI compliance really is so complicated, where do you begin? How do you tackle such a complex system of procedures and requirements? The best choice is to break it down into smaller, more manageable chunks. For example, we could look at the tenth and eleventh requirements for PCI compliance, which deal with regularly monitoring and testing your networks.

Requirement ten mandates that you track and monitor all access to network resources and cardholder data. This means that you should employ logging mechanisms, or otherwise have the ability to track user activity. When these mechanisms are in place you can much more easily analyze the system should something go wrong. And if you should suffer a breach, knowing how you were breached is critically important if you plan to go forward with your business. Under this requirement a merchant must have a way of linking system components to each individual user; this is what gives you the ability to tie suspicious behavior to a specific user. An automated audit trail should also be employed to reconstruct events such as: all accesses to cardholder data, all actions taken by users with root access, invalid logical access attempts, use of identification and authentication mechanisms, creation and deletion of system-level objects, and other procedures. If hackers attempt to gain access or perform any of these actions, you should be able to spot it immediately.

Requirement number eleven says you must regularly test security systems and processes. Whether by hackers or by software developers and researchers, new vulnerabilities are being discovered all the time. If a researcher finds one, you should have a chance to patch it. If a hacker finds it first, though... well, you'll still have a chance to patch it, but only after the damage has been done. Therefore, you should regularly test your systems, processes, and custom software so you can find the vulnerability first. You should, on a regular basis, test your security controls, run internal and external vulnerability scans, and perform penetration testing (although the intervals for these tests may vary). You should also deploy file integrity monitoring software to alert you to unauthorized changes to critical files or systems.

These are only two requirements of twelve, but they are going to become more and more important if you want to maintain PCI compliance. As an example, there is still the unresolved case of the grocery store chain on the east coast that recently suffered a breach. This company had reached PCI compliance, and yet it was still breached. Investigations continue, but there is a chance that if they had focused on testing and continually monitoring their systems, the breach might have been avoided. By tackling PCI compliance requirements a little at a time, you can avoid those problems altogether.
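As an added illustration (not part of the original article, and not any vendor's product), here is the core of the file integrity monitoring that requirement eleven calls for: hash every file under a directory into a baseline, then compare the live tree against that baseline and report what was modified, added or removed. The file names and contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def _sha256(path):
    """Hash a file in chunks so large binaries need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the SHA-256 of every file under root; this is the trusted reference."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = _sha256(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree against the baseline and report every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline two config files, then alter one and add one."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("httpd.conf", b"Listen 443\n"), ("app.ini", b"debug=0\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        # In practice the baseline is stored off-host (or signed) so it cannot be
        # silently rewritten along with the files it protects.
        snapshot = json.dumps(build_baseline(root))
        # Simulate an unauthorized edit and an unexpected new file on the monitored host.
        with open(os.path.join(root, "app.ini"), "wb") as f:
            f.write(b"debug=1\n")
        with open(os.path.join(root, "extra.cfg"), "wb") as f:
            f.write(b"unexpected\n")
        return check_integrity(root, json.loads(snapshot))
```

Run the comparison on a schedule and route any non-empty report into the same alerting path as your requirement ten audit logs, so the change is tied to a time window and, where possible, to the user who made it.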
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI compliance or the Payment Card Industry Data Security Standard, visit Braintree Payment Solutions.
Source: ArticleTrader.com