
PCI DSS security audit: don’t let your card be stolen


The PCI DSS security audit is used to verify that technical security controls protect cardholder data

E-commerce and card payments, including in physical stores, have been on the rise since our societies and economic systems went digital, and the pandemic has accelerated their implementation and massive success. This is why protecting the data of credit and debit cardholders is a central issue for eCommerce and banks. The PCI DSS security audit ensures that the safeguarding of such sensitive information is carried out optimally.

Credit and debit cards have many benefits. One of them, although it may sound childish, is the freedom of being able to walk around without physical cash on you. This, together with the convenience of shopping on the Internet and the traceability of our movements, has made them a basic object of our daily lives. We can go one step further: now we don’t even have to carry them with us, because NFC technology lets us use our cell phones as if they were physical payment cards.

Protecting payment data

This economic and social relevance must go hand in hand with rigorous control of how cards operate, especially in terms of data protection. If all personal or business information is sensitive, economic and financial information is even more so.

Moreover, if cybersecurity systems are not fortified, they can open the door to fraud and money theft, with catastrophic consequences both for cardholders and for the banks or eCommerce entities involved in the transaction.

It’s therefore essential to have worldwide standards that guarantee good practices in card security and that, in turn, include a series of requirements that e-commerce platforms and banks must comply with and that can be subject to review. This is one more pillar on the road to protecting the systems of financial institutions and to the development of advanced security assessments of bank infrastructures.

This is the role of the PCI DSS security audit: comprehensive monitoring of the technical security controls for payment cards, based on the PCI DSS standards.

What do those six letters stand for?

A mandatory global standard

They stand for Payment Card Industry Data Security Standard, a globally applicable security standard developed at the initiative of the major credit and debit card companies (Visa, Mastercard, American Express…) to ensure the protection of their customers’ payment data.

The PCI DSS requirements are binding on all organizations involved in card transactions. Thus, the systems of any organization that processes, transmits, or stores payment card information must undergo a PCI DSS security audit.

We are talking about financial and banking institutions, e-commerce platforms, or applications that manage payments. All of them must periodically perform or contract a PCI DSS security audit. This type of technical review is responsible for certifying the adequacy of the systems to the requirements and goals of the standard.

Otherwise, companies will be exposing their customers to possible fraud and data breaches. And, with them, they will be putting their businesses on the chopping block. A person who has been the victim of an attack on their banking data is not willing to trust the entity in charge of managing and protecting it again.

PCI DSS goals and requirements

The current version of the PCI DSS standard, version 3.2.1, is based on 12 requirements, grouped into six specific goals that cover the main aspects of credit and debit card cybersecurity:

  • Goal 1. Create and maintain a secure network. This goal is achieved through the fulfillment of two requirements. On the one hand, a firewall configuration must be installed and maintained to protect cardholder data. On the other hand, vendor-provided defaults for system passwords and other security parameters cannot be used.
  • Goal 2. Protect cardholder data. To meet this goal, the protection of stored cardholder data must be guaranteed and its transmission over public and open networks must be encrypted.
  • Goal 3. Have a vulnerability management program. This is based on two requirements: use and periodically update antivirus software, and develop and maintain secure systems and applications.
  • Goal 4. Implement strong access control measures. This goal contains three requirements. The first is to restrict access to cardholder data according to the company’s information needs. The second is to assign a unique ID to each person with access to the data. The third is to restrict physical access to cardholder data.
  • Goal 5. Monitor and test networks regularly. This involves monitoring all access to network resources and cardholder data and periodically testing security systems and processes.
  • Goal 6. Have an information security policy that addresses data protection for both employees and contractors.

Quarterly PCI DSS Security Audit

To ensure compliance with the requirements and achievement of the goals, a PCI DSS security audit is required every quarter to assess each organization’s infrastructure.

To facilitate the review, the PCI itself breaks the requirements down into sub-requirements. Each of these has associated test procedures that must be executed to determine whether or not it is complied with. Finally, a guidance section is included for each item, specifying its relevance and the reason why the requirement in question is being considered.

Based on these elements, the analysis can be carried out in two fully differentiated ways:

  • External ASV review. This is a security audit carried out on systems that are subject to PCI and accessible from the Internet. This mode is aimed at web applications (eCommerce portals, transactional websites) and also performs a security check of the infrastructure’s IP addresses. Tarlogic Security uses solutions from certified scanning providers (ASV) authorized by PCI.
  • Internal review. This consists of an internal audit of the systems, which validates the exposure of services, patches, and security mechanisms deployed.

Annual penetration test

In addition, on an annual basis, it is necessary to carry out a penetration test with a broader scope than the previous reviews. This type of action must also be planned and executed when the infrastructure supporting payment management and card processing changes.

The penetration test is performed according to the guidelines of the NIST 800-115 standard. It encompasses three areas:

  • PCI external security test. It is performed with temporary exceptions in the perimeter security elements. It serves to adequately analyze the security level of the organization’s computer systems.
  • Internal PCI security test. It is carried out from different network segments with different levels of privileges (plans or wireless networks) on internal systems.
  • PCI WiFi test. This test identifies and geolocates any WiFi broadcast device in the perimeter of the organization and the data processing center where the systems affected by PCI DSS reside.

In short, the PCI DSS security audit is a set of reviews and tests that ensure that the technical controls for the protection of payment data are robust and fully optimized.

It is an extremely useful tool for contributing to the security of financial transactions using cards. It certifies that organizations that process, handle, and store highly sensitive financial data comply with the global PCI DSS requirements.
