Achieving PCI DSS Compliance with YugabyteDB
Welcome back to our blog series about how different compliance and regulatory frameworks work and how YugabyteDB can be an essential part of a company’s compliance efforts. In this third installment, we focus on the PCI Security Standards Council’s Payment Card Industry Data Security Standard (PCI DSS). More specifically, we reveal how companies can use YugabyteDB to enable compliance with certain key PCI DSS requirements.
For further details, read our recently published Yugabyte PCI DSS Compliance Guide.
What is the PCI Security Standards Council?
The PCI Security Standards Council is a global industry organization created by major credit card companies such as Visa, MasterCard, and American Express. More specifically, the council develops and drives adoption of data security standards and resources to enable safe financial payments.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for entities (including service providers) involved in payment card processing. Its purpose is to protect cardholder data, and it is organized into six control objectives, each with several sub-requirements:
- Build and maintain a secure network and systems
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program
  - Protect all systems against malware and regularly update anti-virus software or programs.
  - Develop and maintain secure systems and applications.
- Implement strong access control measures
  - Restrict access to cardholder data by business need to know.
  - Identify and authenticate access to system components.
  - Restrict physical access to cardholder data.
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an information security policy
  - Maintain a policy that addresses information security for all personnel.
Additionally, a useful glossary of terms is available here.
Which organizations must comply with PCI DSS?
PCI DSS generally applies to companies that accept, store, or transmit cardholder data.
What types of cardholder data does PCI DSS protect?
Cardholder data consists of the primary account number (PAN), the unique payment card number that identifies the issuer and the particular cardholder account, plus any cardholder name, expiration date, and/or service code. It may also include certain “Sensitive Authentication Data” elements that are transmitted or processed, but not stored, as part of payment transactions. These elements include card validation codes/values (CAV2/CVC2/CVV2/CID) and full track data (from the magnetic stripe or chip), as well as PINs and PIN blocks that are used to authenticate cardholders and/or authorize payment card transactions.
What components of a system does PCI DSS apply to?
The security requirements apply to any system component included in or connected to the cardholder data environment (CDE): the people, processes, and technologies that store, process, or transmit either cardholder data or sensitive authentication data. System components include applications, servers, computing devices, and network services.
Who has to go through PCI DSS compliance audits?
If you process payment card transactions, it’s generally a good idea to go through a formal audit or self-assessment. There are, however, five compliance levels.
- Merchants processing more than six million payment card transactions per year have to go through an external audit. Additionally, an audit is necessary for those who experienced an attack resulting in compromised payment card data, and for service providers who store, process, or transmit more than 300,000 credit card transactions annually. The purpose of the formal audit is to examine the payment system and system components, identify vulnerabilities, and prevent data from being compromised.
- Merchants that process one to six million transactions per year can complete a self-assessment questionnaire (SAQ) and a network scan, and submit an Attestation of Compliance (among other requirements).
- Service providers that store, process, or transmit fewer than 300,000 credit card transactions annually can complete a self-assessment questionnaire (SAQ) and a network scan, and submit an Attestation of Compliance (among other requirements).
- Merchants that process 20,000 to one million Mastercard or Visa transactions per year can complete a self-assessment questionnaire (SAQ) and a network scan, and submit an Attestation of Compliance (among other requirements).
- Merchants that process fewer than 20,000 Mastercard or Visa transactions annually or up to one million Mastercard or Visa transactions annually can complete a self-assessment questionnaire (SAQ) and a network scan, and submit an Attestation of Compliance (among other requirements).
Who within the organization should be responsible for maintaining PCI DSS compliance?
Everyone who touches the data or has an interest in protecting it. Finance departments often deal with the transactions. Compliance teams manage the requirements and test the systems internally. Risk management teams identify risks within the system and system components themselves. Legal teams manage and advise on regulatory requirements. And IT departments manage technical environments.
Often, organizations handle PCI DSS compliance as they would other compliance efforts and alongside other compliance frameworks such as SOC 2 and ISO 27001. But given the number of moving parts, it is helpful to centralize coordination of these efforts in one department or with one project manager.
What are the penalties for failing to maintain compliance?
There are fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant. Also, when breaches or compromises occur, there are significant notification requirements.
How can you use YugabyteDB to help achieve PCI DSS compliance?
YugabyteDB is an open source distributed SQL database used by enterprises to build systems of record and systems of engagement for mission critical applications. Yugabyte understands that its customers may leverage YugabyteDB as part of a customer solution that processes and stores sensitive information.
Our new PCI DSS Compliance Guide provides detailed recommendations for hardening and secure usage of Yugabyte Platform as a fully customer-hosted solution to manage Yugabyte databases. Specifically, we’ve analyzed each of the six control objectives and determined how you can use YugabyteDB to help achieve compliance with several applicable sub-requirements for building and maintaining a secure network and systems.
1. Build and maintain a secure network and systems
PCI DSS Requirement Reference No. 1.1.6 requires documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. The same control objective also requires that vendor-supplied defaults not be used for system passwords and other security parameters.
Yugabyte Recommendation: Update your business justification and approval documentation for firewall and router configuration to include YugabyteDB and Yugabyte Platform components as applicable, including but not limited to the protocols and ports allowed. Additional information on the protocols and ports used by Yugabyte Platform can be found in our online documentation.
2. Protect cardholder data
PCI DSS Requirement Reference No. 3.2 states “Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.”
Yugabyte Recommendation: Ensure that full track/chip data, card validation codes or values, and PIN data are not stored in your YugabyteDB and Yugabyte Platform instance(s).
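One practical way to verify the recommendation above is a periodic schema review against the database catalog. The following YSQL (PostgreSQL-compatible) script is an added example and is not part of the Yugabyte guide or the YugabyteDB project; the table and column names are constructed for illustration. It creates a table whose columns would hold sensitive authentication data, runs a catalog query that flags such columns by name, and then shows a design that keeps only the elements the standard allows to be stored.

```sql
-- Added example (not from the Yugabyte guide): a YSQL schema check for
-- columns whose names suggest sensitive authentication data (SAD).
-- All table and column names below are constructed for illustration.

-- A table that would violate Requirement 3.2 if these columns were
-- populated after authorization.
CREATE TABLE payments_before (
    payment_id   bigserial PRIMARY KEY,
    pan          text NOT NULL,
    expiry       text,
    cvv2         text,    -- card validation value: must never be stored
    track2_data  text,    -- full magnetic-stripe track: must never be stored
    pin_block    bytea    -- PIN block: must never be stored
);

-- Catalog query: flag column names that look like SAD in every user schema.
-- Tokens are matched between underscores or name boundaries so that, for
-- example, shipping_address is not reported because it contains "pin".
-- Every row returned needs either a documented justification or removal.
SELECT table_schema, table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
  AND column_name ~* '(^|_)(cvv2?|cvc2?|cav2?|cid|track[12]?|pin|pin_?block|mag(netic)?_?stripe)(_|$)'
ORDER BY table_schema, table_name, column_name;
-- Against the table above this reports cvv2, track2_data and pin_block.

-- The corrected design stores only what PCI DSS permits (cardholder name,
-- expiration date, service code) plus a processor-issued token in place of
-- the raw PAN; the stored PAN, where one is kept, must itself be protected
-- under "Protect stored cardholder data".
CREATE TABLE payments_after (
    payment_id     bigserial PRIMARY KEY,
    pan_token      text NOT NULL,   -- token from the payment processor (constructed field)
    cardholder     text,
    expiry_month   smallint CHECK (expiry_month BETWEEN 1 AND 12),
    expiry_year    smallint,
    service_code   char(3),
    auth_reference text NOT NULL    -- processor's authorization id, not the SAD itself
);

-- Re-running the catalog query now returns no rows for payments_after.
DROP TABLE payments_before;
```

The name-based query is a review aid, not a proof of absence: data can be stored under innocuous column names or inside JSON and text blobs, so pair it with a data-classification review of the columns that feed the CDE.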
3. Maintain a vulnerability management program
PCI DSS Requirement Reference No. 5.3 is to “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”
Yugabyte Recommendation: Use technical controls, such as password-protecting the anti-virus application, to prevent your users from uninstalling or otherwise disabling the anti-virus software running in your YugabyteDB and Yugabyte Platform environment and CDE.
4. Implement strong access control measures
PCI DSS Requirement Reference No. 7.1.1 requires you to define the access needs for each role, including:
- the system components and data resources that each role needs to access for its job function; and
- the level of privilege required (e.g., user or administrator) for accessing those resources.
Yugabyte Recommendation: Create formal documentation that outlines (by role) the levels of access to your YugabyteDB and Yugabyte Platform system components and the CDE contained within. Then assign each user account to a role. We recommend leveraging YugabyteDB functionality for that as set forth here.
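The role-per-job-function model described above maps directly onto YSQL's PostgreSQL-compatible role system. The script below is an added example, not code from the Yugabyte guide or the YugabyteDB project; the role, table, and user names are constructed for illustration and the password is a placeholder to be replaced. It defines non-login group roles that carry privileges, grants each the minimum it needs (including a column-level grant that hides the PAN token from read-only users), attaches login roles to exactly one group, and ends with two catalog queries that produce the role-to-privilege evidence the access documentation calls for.

```sql
-- Added example (not from the Yugabyte guide): least-privilege roles in YSQL.
-- Names are constructed; replace the placeholder passwords before use.

CREATE TABLE cardholder_profile (
    profile_id    bigserial PRIMARY KEY,
    pan_token     text NOT NULL,   -- processor-issued token, not the raw PAN
    cardholder    text,
    expiry_month  smallint,
    expiry_year   smallint
);

-- Group roles hold the privileges. NOLOGIN means nobody can connect as the
-- group itself; people and services connect as members of a group.
CREATE ROLE cde_readonly NOLOGIN;
CREATE ROLE cde_app      NOLOGIN;
CREATE ROLE cde_dba      NOLOGIN;

-- Remove the default, vendor-supplied access every role has to the public
-- schema, then grant it back only to the groups that need it.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO cde_readonly, cde_app, cde_dba;

-- Application: read and write, but no schema changes.
GRANT SELECT, INSERT, UPDATE ON cardholder_profile TO cde_app;

-- Administrator: full privileges on the table.
GRANT ALL PRIVILEGES ON cardholder_profile TO cde_dba;

-- Read-only analysts: column-level SELECT that excludes pan_token, so the
-- "need to know" restriction is enforced by the database, not by convention.
GRANT SELECT (profile_id, cardholder, expiry_month, expiry_year)
    ON cardholder_profile TO cde_readonly;

-- Login roles: one per person or service, each a member of exactly one group.
CREATE ROLE svc_checkout LOGIN PASSWORD '<set-a-strong-password>' IN ROLE cde_app;
CREATE ROLE analyst_jdoe LOGIN PASSWORD '<set-a-strong-password>' IN ROLE cde_readonly;

-- Evidence query 1: which login roles belong to which group role.
SELECT r.rolname AS login_role, g.rolname AS group_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE r.rolcanlogin
ORDER BY login_role, group_role;

-- Evidence query 2: the exact column privileges each group holds on the table.
-- cde_readonly should appear with SELECT on four columns and never on pan_token.
SELECT grantee, column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_name = 'cardholder_profile'
  AND grantee IN ('cde_readonly', 'cde_app', 'cde_dba')
ORDER BY grantee, column_name, privilege_type;
```

Run the two evidence queries on a schedule and attach their output to the role documentation; a login role that appears in more than one group, or a read-only grantee listed against pan_token, is a finding to resolve before the next assessment.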
5. Regularly monitor and test networks
PCI DSS Requirement Reference No. 10.7 is to “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup).”
Yugabyte Recommendation: Implement a SIEM to collect and correlate logs and alerts from your security monitoring systems as well as your production systems. Provision sufficient storage on your SIEM to hold the last three months of log and audit trail history, and retain a full year’s worth of log and audit trail history in online or offline storage.
6. Maintain an information security policy
PCI DSS Requirement 12.10.5 is to include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewall, and file-integrity monitoring systems.
Yugabyte Recommendation: Implement a SIEM to collect and correlate logs and alerts from your security monitoring systems as well as your Yugabyte Solution and CDE production systems.
For more information and further details, please contact us at firstname.lastname@example.org.