Key Takeaways from the PCI Awareness Training Course
A core facet of Futurex’s corporate culture is the commitment to continually improving one’s own knowledge of the data security industry. From time to time, it is worthwhile for those of us at Futurex to revisit the fundamental concepts that shape what we do. In that spirit, I decided to revisit the fundamentals of PCI requirements by enrolling in the PCI Training course, which was made available at no cost as part of Global Payment Security Education Week. The PCI Data Security Standard (PCI DSS) is set forth by the Payment Card Industry Security Standards Council (PCI SSC) to safeguard cardholder data, and it applies to any organization that has a hand in transmitting cardholder data.
Here are a few major takeaways from the training as they apply to Futurex technology:
1. Payment card data is one of the most heavily targeted forms of data in the world. In a system where users have access to cardholder data, that data tends to be leaked and sold; in some cases, cardholder data sells for $10-15 per record. It is therefore vital that systems be designed so that users do not have access to cardholder data and that employees’ access is limited. Any system worth considering should be built on the principle of least privilege (also called a need-to-know basis), which increases compliance and decreases the probability of exposing cardholder data.
2. PCI DSS mandates that key management policies and procedures be in place to prevent misuse of cardholder data. Data security solutions must offer advanced permissions to fulfill PCI DSS requirements 3.5 and 3.6, which call for dual-user access and separation of user roles. These controls include requiring multiple users’ credentials for vital tasks, designating specific privileges for each user group, and creating unique user roles with expiration dates. They ensure that the sensitive cryptographic material held within hardware security modules is not exploited through malicious attacks or employee misuse.
3. Wherever possible, organizations should avoid storing cardholder data. To comply with requirement 2.4, an inventory must be kept of the system components that are in scope for PCI DSS. A frequent error by those evaluating their own compliance is the assumption that once data is encrypted, it is out of scope; in fact, encrypted cardholder data must still adhere to several requirements. The quickest way to limit the scope of a PCI DSS assessment is not to hold cardholder data at all. Where it must be retained, the card data must be truncated or hashed to comply with requirement 3.4.
4. Complicated passwords don’t need to be difficult to remember. The course drives this point home with a range of very similar, food-related passwords. On one end, the password “bigmac” takes an estimated 0.077 seconds for a computer to crack, despite not being a defined dictionary entry. Yet the password “M1gMac&fries” takes an estimated 344,000 years to crack while conveying a similar meaning with twice the characters. PCI DSS requirement 8.4 mandates that password guidance and instructions be supplied to all users. Users should be forced to change default passwords, and administrators should be able to set lockout periods, lockout thresholds, password histories, and password expiration dates.
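The dual-control, per-role privilege and role-expiry controls listed in takeaway 2, as an added example (not Futurex code) of how one authorization check for HSM key-management tasks can enforce all three at once; every operation name, privilege, user and date below is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example, not Futurex code: dual control, per-role privileges and
# role expiry enforced in one check. Names, privileges and dates are constructed.
@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset
    expires: datetime          # time-bound role: unusable at or after this instant

@dataclass(frozen=True)
class Credential:
    user: str
    role: Role

# Constructed policy: (required privilege, number of distinct authorisers needed).
POLICY = {
    "export_master_key": ("key_custodian", 2),   # dual control for key material
    "view_audit_log":    ("auditor", 1),
}

def authorize(operation, credentials, now):
    """Return (allowed, reason). Each credential needs an unexpired role holding
    the required privilege; the quorum counts distinct users, not credentials."""
    if operation not in POLICY:
        return False, f"unknown operation {operation!r}"
    needed, quorum = POLICY[operation]
    approvers = set()
    for cred in credentials:
        if cred.role.expires <= now:
            return False, f"{cred.user}: role {cred.role.name!r} expired"
        if needed not in cred.role.privileges:
            return False, f"{cred.user}: lacks privilege {needed!r}"
        approvers.add(cred.user)
    if len(approvers) < quorum:
        return False, f"{operation}: needs {quorum} distinct users, got {len(approvers)}"
    return True, "ok"

# Constructed sample roles and users.
NOW = datetime(2024, 6, 1, 12, 0)
CUSTODIAN = Role("key_custodian", frozenset({"key_custodian"}), datetime(2024, 12, 31))
EXPIRED = Role("temp_custodian", frozenset({"key_custodian"}), datetime(2024, 5, 1))
AUDITOR = Role("auditor", frozenset({"auditor"}), datetime(2024, 12, 31))
ALICE, BOB = Credential("alice", CUSTODIAN), Credential("bob", CUSTODIAN)
CAROL, DAVE = Credential("carol", EXPIRED), Credential("dave", AUDITOR)
```

Presenting the same custodian's credential twice does not satisfy the two-user quorum, and an expired or under-privileged role is refused before the count is taken.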
Overall, this course has been an informative glance at the terms, processes, and standards used by the PCI SSC. It reaffirmed the need for distributing critical data on a “need-to-know” basis, developing unique and time-sensitive user roles, advising users on how to secure passwords, and avoiding storage of cardholder data wherever possible. Having completed this course, I’m eager to strengthen my grasp of PCI DSS and the other security standards that continuously shape our products.