The PCI DSS - Implementing Strong Access Control Measures

Submitted by andyeliason
Fri, 30 May 2008

Data security cannot be ignored in today's business environment. A customer's personal information is a valuable commodity, and customers increasingly demand a high level of security and protection for it. So the question is: are you able to provide it?

The PCI DSS was created by the five major credit card companies as a common standard that every merchant who stores, processes, or transmits cardholder data must meet. It has 12 requirements, all of which deal with security in one form or another, but three of them (requirements 7, 8 and 9) are grouped together under the heading "Implement Strong Access Control Measures".

Requirement 7 states that you must restrict access to cardholder data by business need-to-know: only personnel whose jobs require it should be able to reach this sensitive information. In practical terms, you must limit access to the computing resources and cardholder data to those people, and no one else. The more people who can reach a system full of cardholder data, the more likely that someone with malicious intent, or with dangerously inadequate training, will get to it.

On systems with more than one user, a merchant must also have an access control mechanism that enforces need-to-know. In other words, the system's default should be "deny all", with access granted only where it is explicitly stated.

The eighth requirement of the PCI DSS is a little more involved. It requires you to assign a unique ID to each person with computer access. This ensures that any action taken on a critical system is performed by an authorized user and, more importantly, can be traced back to that individual.

In more specific terms, every employee must have their own ID; a single ID cannot be shared between them. Along with the ID there must be a password, a token device, or a biometric to authenticate the user. Passwords must be unreadable in transit and in storage (in practice, stored passwords should be protected with a salted one-way hash rather than reversible encryption). The user IDs themselves then need their own layer of management to remain trustworthy.

Access control measures have to be exactly that thorough. You can't go just halfway when it comes to data security. When you manage your user IDs and passwords, you must control the addition, deletion, and modification of IDs and credentials. Always verify a user's identity before resetting a password; set each first-time password to a unique value per user and require it to be changed at first use. Remove access for terminated users immediately, and remove or disable any account that has been inactive for more than 90 days. Accounts used by vendors for remote maintenance should be enabled only for the period in which they are needed, and group, shared, or generic accounts and passwords must not be used at all.
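The requirement 7 and 8 points above (default-deny need-to-know access, no shared IDs, first-time passwords changed at first use, terminated users removed immediately, accounts idle for more than 90 days removed, vendor remote-maintenance accounts live only during their window) can be turned into two small checks: an access decision that denies everything not explicitly granted, and an account-hygiene audit you can run against an export of your user directory. The code below is an added example, not code from the original article or from any PCI DSS document; the role names, resources, user accounts and dates are all constructed for illustration.

```python
# Added example (not from the original article or any PCI DSS document):
# default-deny access check plus an account-hygiene audit. All accounts,
# roles, resources and dates below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 90  # requirement 8: remove accounts idle for more than 90 days


@dataclass
class Account:
    user_id: str
    owner: Optional[str]                  # the one person behind this ID; None = shared/generic
    roles: FrozenSet[str]
    created: date
    last_login: Optional[date]
    password_changed_after_first_use: bool
    enabled: bool = True
    terminated_on: Optional[date] = None
    vendor_window: Optional[Tuple[date, date]] = None  # remote-maintenance accounts only


# Need-to-know matrix (assumed roles and resources). Any (resource, action) pair
# not granted here is denied: this is the "deny all unless otherwise stated" default.
ROLE_GRANTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "cashier": frozenset({("pos", "charge")}),
    "chargeback-analyst": frozenset({("card-db", "read-masked-pan")}),
    "db-admin": frozenset({("card-db", "backup"), ("card-db", "restore")}),
}


def is_allowed(account: Account, resource: str, action: str, today: date) -> bool:
    """Requirement 7: allow only what the account's roles explicitly grant, and only
    while the account is live (not disabled, not terminated, and for vendor accounts
    only inside the agreed maintenance window)."""
    if not account.enabled or account.terminated_on is not None:
        return False
    if account.vendor_window is not None:
        start, end = account.vendor_window
        if not (start <= today <= end):
            return False
    return any((resource, action) in ROLE_GRANTS.get(role, frozenset())
               for role in account.roles)


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Requirement 8 hygiene: one finding string per violated rule, keyed by user ID.
    An empty list means the account passed every check."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        findings: List[str] = []
        if a.owner is None:
            findings.append("shared or generic account with no single owner")
        if a.terminated_on is not None and a.enabled:
            findings.append("terminated user still enabled")
        if a.enabled and not a.password_changed_after_first_use:
            findings.append("first-time password never changed")
        idle_days = (today - (a.last_login or a.created)).days
        if a.enabled and idle_days > INACTIVITY_LIMIT_DAYS:
            findings.append(f"inactive for {idle_days} days (limit {INACTIVITY_LIMIT_DAYS})")
        if a.vendor_window is not None and a.enabled:
            start, end = a.vendor_window
            if not (start <= today <= end):
                findings.append("remote-maintenance account enabled outside its window")
        report[a.user_id] = findings
    return report


TODAY = date(2008, 5, 30)  # constructed audit date

# Constructed directory export: one clean account and five different violations.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "Jane Smith", frozenset({"cashier"}), date(2007, 3, 1), date(2008, 5, 29), True),
    Account("posadmin", None, frozenset({"db-admin"}), date(2006, 1, 1), date(2008, 5, 28), True),
    Account("bjones", "Bob Jones", frozenset({"chargeback-analyst"}), date(2007, 6, 1), date(2008, 1, 15), True),
    Account("tlee", "Tom Lee", frozenset({"db-admin"}), date(2007, 9, 1), date(2008, 5, 20), True,
            terminated_on=date(2008, 5, 28)),
    Account("acme-support", "Acme POS (vendor)", frozenset({"db-admin"}), date(2008, 5, 1), date(2008, 5, 14), True,
            vendor_window=(date(2008, 5, 1), date(2008, 5, 15))),
    Account("newhire", "New Hire", frozenset({"cashier"}), date(2008, 5, 29), None, False),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

Run as a script it prints one line per account; only `jsmith` comes back clean. The two functions are deliberately separate: `is_allowed` is the enforcement point (a terminated or out-of-window account is refused even before anyone gets round to deleting it), while `audit` produces the list that drives the removal and clean-up the requirement actually asks for.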

This is really just the beginning, but don't be overwhelmed. All of these procedures are extremely important, and they are also relatively easy to maintain once they have been put into place.

Requirement 9 of the PCI DSS states that you must restrict physical access to cardholder data. Anyone who can physically reach cardholder data can simply remove the systems or the hard copies that contain it. The restrictions here go beyond the server room: a merchant must also restrict physical access to publicly accessible network jacks and to wireless access points.

Visitors can become a problem if you're not paying attention. A visitor who has no authorization to be there, and who is left unobserved while there, can cause a lot of damage. Visitors must be authorized before they enter areas where cardholder data is stored or processed, and given a physical token (such as a badge) that expires after a set time and identifies them as a visitor. You should also store media back-ups in a secure location, preferably off-site. Paper and other hard copies need to be kept in secure locations as well. Possibly the most important thing to remember is that you must destroy any media holding this sensitive information as soon as you no longer need it.

PCI compliance can be a tricky and time consuming process, but the importance of the PCI DSS should not be underestimated. Data security is quickly becoming one of the most important aspects of a merchant's continued success.

--

 

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS or Data Security, visit Braintree Payment Solutions today.


Source: ArticleTrader.com
Creative Commons License
