PCI Compliance from Service Engineers' Perspective

Remay Villaester (May)

Part of the job of a service engineer is to make sure the environment hosting credit card data is up and running 24/7 and, even more importantly, to protect that environment from hackers and other unauthorized access. You also need to ensure that you meet PCI DSS and pass the external audits.

Before we jump forward, very briefly on the what and why.

What is PCI DSS?

The Payment Card Industry Data Security Standard is a set of requirements developed to ensure that any merchant or business handling credit card data has a good grip on security. The standard is developed by the PCI DSS council. The initiative to create the council and PCI DSS came from the biggest credit card companies (Visa, MasterCard, Amex etc.), as having weak security around processing credit card data is simply bad for business.

Why should one care about PCI DSS?

If you are a business and want to store your customers' credit card data in an environment you manage, you should, according to the PCI DSS council, be PCI DSS compliant. If you are not compliant and still go forward with handling credit card data, you risk lawsuits, payment partners and banks refusing to work with you, and more.¹

Here are a few things to keep in mind:

  1. Keep the PCI environment's scope small and separated (separate networks, separate VMs/servers etc.); the smaller the environment, the easier it is to keep it secure and compliant.
  2. Keep the number of engineers involved in the PCI environment small (having access to or developing PCI apps brings some unavoidable overhead for the engineer, so onboarding your whole engineering department to PCI is not cost effective).

So where should one start to build PCI DSS compliant credit card storage?

Start by looking at the existing online services and systems that you already have and see how well they match PCI DSS, either by hiring a compliance expert or by reviewing the PCI DSS requirements yourself (they are available for free online). This gives you a good idea of how much extra effort you will have to plan for when creating the actual PCI DSS compliant environment. Depending on your company's current security practices, building a PCI DSS compliant environment might be a small project or a massive endeavour.

For example, for a company where systems security is well developed, getting PCI DSS compliant might mean just tweaking some configurations (e.g., changing the logging configuration for some systems and applications) and specifying some security procedures (e.g., having a PCI incident management process and roles in place).

On the other hand, if security has been an afterthought, then building a PCI DSS compliant environment and keeping it compliant will be quite an undertaking.

Building a PCI environment

Assuming you want to go forward with building a PCI environment, the actual first step is creating a diagram that describes the environment and the intended business logic flow (where credit card data is entered into your system, which applications capture the data, which database stores it, which networks host these applications, which firewalls are involved etc.).

With the help of the diagram you should have the PCI DSS scope in place, meaning you should know which applications/systems/networks need to follow PCI DSS and which teams and engineers will be involved both in building the environment and in keeping it PCI DSS compliant in the future. As mentioned earlier, there is overhead for the involved engineers in keeping an environment PCI DSS compliant; a lot of it can be automated, but some remains even then.

After a high-level network/business logic flow diagram for storing credit card data is in place, you should again make a sanity check against PCI DSS, either with the help of an expert or by going step by step through each and every requirement in PCI DSS and seeing how well it matches what you are planning to build. Make changes as needed until the plan is compliant, and then build what you have in the diagram.
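As an added illustration (not code from the original post), here is the scoping step above, and the earlier advice to keep the environment small and separated, expressed as a small Python program. The diagram's systems, networks and firewall rules are encoded as data, the scope is derived from them, and the program measures how many systems a single new firewall rule would drag into scope. All system names, networks and rules are constructed, and the scoping rule (CHD handlers and everything on their networks form the CDE; networks allowed to connect into the CDE are "connected-to" and in scope) is a simplification of the Council's scoping guidance, not the standard's wording.

```python
"""Derive the PCI DSS scope from the environment diagram, expressed as data.

Added example, not code from the original post. Simplified scoping rule:
systems that store, process or transmit cardholder data (CHD) form the
cardholder data environment (CDE); every other system on the same network is
in the CDE too; a system whose network the firewalls allow to connect into a
CDE network is "connected-to" and in scope; everything else is out of scope.
The systems, networks and firewall rules below are constructed for the demo.
"""

# Constructed inventory from the diagram: system name -> network it lives in.
SYSTEMS = {
    "web-checkout": "cde-web",    # captures the card number from the customer
    "payment-api": "cde-app",     # processes the payment
    "card-vault-db": "cde-data",  # stores the (encrypted) card data
    "hsm-proxy": "cde-data",      # shares a network with the vault
    "jump-host": "mgmt",          # engineers administer the CDE through it
    "marketing-cms": "corp",
    "build-server": "corp",
}

# Systems that touch cardholder data directly, read off the flow diagram.
CHD_HANDLERS = {"web-checkout", "payment-api", "card-vault-db"}

# Constructed firewall policy: (source network, destination network) pairs
# that may initiate connections. Anything not listed is blocked.
ALLOWED = {
    ("cde-web", "cde-app"),
    ("cde-app", "cde-data"),
    ("mgmt", "cde-web"),
    ("mgmt", "cde-app"),
    ("mgmt", "cde-data"),
    ("corp", "mgmt"),  # engineers reach the jump host from the office network
}


def derive_scope(systems, chd_handlers, allowed):
    """Classify each system as 'cde', 'connected' or 'out_of_scope'."""
    cde_nets = {systems[name] for name in chd_handlers}
    # Networks that are allowed to initiate connections into a CDE network.
    connected_nets = {
        src for (src, dst) in allowed if dst in cde_nets and src not in cde_nets
    }
    scope = {"cde": set(), "connected": set(), "out_of_scope": set()}
    for name, net in systems.items():
        if name in chd_handlers or net in cde_nets:
            scope["cde"].add(name)
        elif net in connected_nets:
            scope["connected"].add(name)
        else:
            scope["out_of_scope"].add(name)
    return scope


def scope_size(scope):
    """Number of systems an assessor would have to look at."""
    return len(scope["cde"]) + len(scope["connected"])


def scope_growth(systems, chd_handlers, allowed, extra_rule):
    """How many systems one additional firewall rule would add to the scope.

    Usable as a pre-check in the network ACL change process: a rule that
    pulls a whole office network into scope should be rejected or redesigned.
    """
    before = scope_size(derive_scope(systems, chd_handlers, allowed))
    after = scope_size(derive_scope(systems, chd_handlers, allowed | {extra_rule}))
    return after - before


if __name__ == "__main__":
    scope = derive_scope(SYSTEMS, CHD_HANDLERS, ALLOWED)
    for category, names in scope.items():
        print(f"{category:13s} {sorted(names)}")
    # A tempting shortcut: let the build server deploy straight into the app tier.
    print("systems added by corp -> cde-app:",
          scope_growth(SYSTEMS, CHD_HANDLERS, ALLOWED, ("corp", "cde-app")))
```

With the constructed data the jump host is the only connected-to system; allowing the office network to reach the app tier directly would add two more systems (and their owners) to the scope, which is exactly the kind of growth the "keep it small" advice is about.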

The PCI DSS requirements are written out quite well, so you should not be afraid to assess your diagram against them yourself. In addition to each requirement's description, the PCI DSS also includes notes on how to test that the requirement is met, as well as a guidance section that briefly explains why the requirement is relevant and helps with the context.

If you do go with the option of throwing money at the problem and hiring a PCI DSS compliance expert to help you assess your plans, then I strongly recommend hiring from a company that is qualified to do PCI audits.

In any case, before starting to handle production data you will need an initial PCI DSS audit of your environment by a qualified security assessor, and you will be re-audited annually thereafter.

What are the PCI DSS requirements?

A little bit about the PCI DSS requirements themselves. They are divided into 6 sections to make sure all attack vectors are covered.²

The sections are:

  • Build and maintain a secure network and systems – this section covers requirements related to the networks where your PCI environment is hosted. Requirements range from having a formal network ACL change process in place to separating your PCI networks from the rest of your environments and applying good security practices on your network devices.

  • Protect cardholder data – requirements regarding encrypting cardholder data at rest as well as in transit.

  • Maintain a vulnerability management program – requirements around patching your systems, having antivirus in place, having change management process in place, doing code reviews etc.

  • Implement strong access control measures – mostly self-explanatory: all users with any kind of access to the PCI environment should have unique usernames and multi-factor authentication, password changes should be forced etc.

  • Regularly monitor and test networks – requirements around conducting penetration tests, having intrusion detection systems in place, reviewing logs for anomalies etc.

  • Maintain an information security policy – your company should have a security policy that is known and followed, and engineers attest at least annually that they are aware of it and understand it.

For an engineer, the requirements are for the most part not surprising, make perfect sense and in many cases are already practiced with or without PCI DSS. For example, it does make sense that each engineer with access to any production environment has a unique account. It also makes sense that applications, firewalls and systems log what is happening on them, including input from users with access. It also makes perfect sense that if you take the effort to encrypt traffic or data, you should make sure your chosen method is actually deemed secure by industry experts.
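The "unique account per engineer" and "forced password changes" points are easy to turn into an automated check. The script below is an added example (not from the original post, and not an official PCI DSS test procedure) that audits local accounts on a Linux host: it flags accounts that share a UID (a second UID 0 is the classic case, since it defeats individual accountability), interactive accounts with an empty password, and accounts whose password maximum age exceeds a policy value. The /etc/passwd and /etc/shadow contents are constructed, hashes are replaced by a placeholder, and the 90-day maximum is an assumed policy parameter.

```python
"""Audit local accounts on a host in the PCI environment.

Added example, not code from the original post. Checks: every account has
its own UID (shared UIDs, above all a second UID 0, defeat accountability),
no interactive account can log in without a password, and password rotation
is enforced within a maximum age. The /etc/passwd and /etc/shadow contents
and the 90-day maximum are constructed/assumed for the demo; on a real host
you would read the files as root and run this from configuration management.
"""

# Constructed /etc/passwd content.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
deploy:x:1003:1003:deploy pipeline:/home/deploy:/bin/bash
toor:x:0:0:second root account:/root:/bin/bash
guest:x:1005:1005:guest:/home/guest:/bin/bash
svc-batch:x:1004:1004:batch jobs:/var/lib/batch:/usr/sbin/nologin
"""

# Constructed /etc/shadow content; real hashes replaced by a placeholder.
SHADOW = """\
root:$6$placeholder$hash:19500:0:90:7:::
alice:$6$placeholder$hash:19500:0:90:7:::
bob:$6$placeholder$hash:19200:0:99999:7:::
deploy:!:19500:0:90:7:::
toor:$6$placeholder$hash:19500:0:90:7:::
guest::19500:0:90:7:::
svc-batch:*:19500:0:90:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """name -> {'uid': int, 'shell': str} for each non-comment line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """name -> {'hash': str, 'max_days': int or None} (field 5 is the max age)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        max_days = fields[4]
        entries[fields[0]] = {"hash": fields[1],
                              "max_days": int(max_days) if max_days else None}
    return entries


def audit_accounts(passwd_text, shadow_text, max_age_days=90):
    """Return a sorted list of (account, finding) tuples."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []

    # Unique identity: no two accounts may share a UID.
    by_uid = {}
    for name, info in users.items():
        by_uid.setdefault(info["uid"], []).append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(sorted(n for n in names if n != name))
                findings.append((name, f"shares UID {uid} with {others}"))

    # Authentication and rotation, for accounts that can actually log in.
    for name, info in users.items():
        if info["shell"] in NOLOGIN_SHELLS:
            continue  # service account without a login shell
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no shadow entry"))
        elif entry["hash"] == "":
            findings.append((name, "empty password: login without authentication"))
        elif entry["hash"].startswith(("!", "*")):
            continue  # locked account, nothing to rotate
        elif entry["max_days"] is None or entry["max_days"] > max_age_days:
            findings.append((name, f"password max age {entry['max_days']} exceeds {max_age_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{account:10s} {finding}")
```

Run unattended (cron or your configuration management tool) and fed into the same alerting you use for the rest of the environment, a check like this gives you continuous evidence for the assessor rather than a once-a-year scramble.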

Then there are quite a few requirements that strongly encourage automation: requirements around patching and around intrusion detection are perfect candidates to be solved with the help of automation.
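To make the "reviewing logs for anomalies" and intrusion detection points concrete, here is an added example (not from the original post) of a small log review in Python over sshd authentication lines shipped from CDE hosts. It raises three kinds of alert: a burst of failed logins from one source within a sliding window, a successful login from outside the admin/jump network, and a password-based login on a host where the policy is assumed to allow key-based logins only. The log lines, host names, addresses and the admin network are all constructed for the demo, and the thresholds are assumptions, not values from the standard.

```python
"""Review sshd authentication logs from CDE hosts for anomalies.

Added example, not code from the original post. Three checks an engineer
might automate: a burst of failed logins from one source (possible password
guessing), a successful login from outside the admin/jump network, and a
password-based login on a host where the (assumed) policy allows key-based
logins only. Log lines, hosts, addresses and the admin network are
constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format.
SAMPLE_LOG = """\
Mar 12 03:14:01 payment-api sshd[2201]: Failed password for alice from 10.20.0.7 port 51022 ssh2
Mar 12 03:14:03 payment-api sshd[2201]: Failed password for alice from 10.20.0.7 port 51022 ssh2
Mar 12 03:14:05 payment-api sshd[2201]: Failed password for alice from 10.20.0.7 port 51022 ssh2
Mar 12 03:14:06 payment-api sshd[2202]: Failed password for alice from 10.20.0.7 port 51024 ssh2
Mar 12 03:14:08 payment-api sshd[2202]: Failed password for alice from 10.20.0.7 port 51024 ssh2
Mar 12 03:14:30 payment-api sshd[2203]: Accepted publickey for alice from 10.20.0.7 port 51030 ssh2
Mar 12 03:15:10 payment-api sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 12 03:15:12 payment-api sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 12 03:20:44 card-vault-db sshd[900]: Accepted password for bob from 10.50.3.9 port 40000 ssh2
Mar 12 03:21:00 card-vault-db sshd[901]: Accepted publickey for bob from 10.99.8.8 port 40100 ssh2
Mar 12 03:21:05 card-vault-db systemd[1]: Started Daily apt download activities.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; deltas within one file are all we need here.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def detect_anomalies(log_text, admin_net="10.20.0.0/24", burst=5, window_s=60):
    """Run the three checks and return (rule, host, src, user) tuples in log order."""
    admin = ipaddress.ip_network(admin_net)
    alerts = []
    failures = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "Failed":
            recent = failures[key]
            recent.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while (ev["ts"] - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) == burst:  # fire once, when the threshold is crossed
                alerts.append(("failed_login_burst", ev["host"], ev["src"], ev["user"]))
            continue
        # Successful login: where did it come from, and how was it authenticated?
        if ipaddress.ip_address(ev["src"]) not in admin:
            alerts.append(("login_from_outside_admin_net", ev["host"], ev["src"], ev["user"]))
        if ev["method"] == "password":
            alerts.append(("password_login_where_keys_required", ev["host"], ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

The same structure (parse, keep a little state per source, emit a typed alert) scales to firewall and application logs; what matters for the audit is that the rules are written down, run on every line automatically, and that someone is on the receiving end of the alerts.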

On the other hand, there are several requirements which are hard if not impossible to automate and thus create overhead for the teams involved in the PCI environment, for example:

  • The requirement to have a separate PCI incident response plan and test it annually (in the form of a tabletop exercise).
  • An annual risk assessment of your PCI DSS compliant environment should be done.
  • Changes to the code of applications handling credit card data should be code reviewed by engineers with relevant training.

Overall though, achieving PCI DSS compliance should be doable regardless of the technology stack you use. It can all be done on Windows Server based environments or Linux based environments, involving private cloud, public cloud, bare metal servers or even a hybrid combination.

Cost effective addition to your merchant account

If your business operates internationally, you’re most likely to deal with payments in different currencies and have to convert between them from time to time. This is where you could employ a reliable and cost effective partner to take care of your currency exchanges. One very obvious detail that you need to consider when looking for a partner is their exchange rate as a lot of companies set their own rates to cover the conversion cost and/or earn profit from the transaction. This often means 3 - 6% additional cost to you.

The good news is that there are services like Wise that offer real exchange rates with no mark-up for a small and transparent fee that is up to 14x cheaper than PayPal.

Here are some benefits you can take advantage of using Wise Business:

  1. Instant transfer to most currencies
  2. Batch payment of up to 1000 recipients, all at the real exchange rate, perfect for paying suppliers and contractors abroad.
  3. Multi-currency account that allows you to receive payments in EUR, USD, AUD, NZD, HUF and GBP for free.
  4. Multi-currency debit card for faster international payments with no exchange rate mark-up.
  5. Seamless integration with Quickbooks and Xero to ease tax reconciliation.

With these benefits, you could save 3 - 4% on conversion charges alone which means more profit for your business.


Sources:

  1. PCI Security Standards
  2. PCI Security Standards - DSS

*Please see terms of use and product availability for your region or visit Wise fees and pricing for the most up to date pricing and fee information.

This publication is provided for general information purposes and does not constitute legal, tax or other professional advice from Wise Payments Limited or its subsidiaries and its affiliates, and it is not intended as a substitute for obtaining advice from a financial advisor or any other professional.

We make no representations, warranties or guarantees, whether expressed or implied, that the content in the publication is accurate, complete or up to date.
