847.221.0200  Main Office
PCI DSS Compliance Image

Achieving And Maintaining PCI DSS Compliance

PCI Qualified Security Assessor

The Payment Card Industry Data Security Standard (PCI DSS) specifies technical and operational requirements for all organizations that store, process or transmit credit card data. From the world’s largest corporations to the smallest brick and mortar store, if you handle credit card data, the PCI DSS applies to you. Given the huge volume of online purchases, financial transactions and banking inquires now made online, this standard is critical to both protect consumers and ensure companies are doing enough to safeguard payment card data. The problem? PCI DSS is both complex and constantly changing, making it difficult for even seasoned IT teams to navigate. HALOCK Security Labs can assist you in meeting PCI DSS requirements by helping organizations determine how the standard applies to them, providing guidance throughout the remediation process to close any compliance gaps, validating compliance and preparing and submitting required validation paperwork. With help from HALOCK, you can quickly answer critical PCI questions, such as:

How Do I Become PCI Compliant?

To satisfy PCI DSS requirements, companies must address specific concerns, including:

  • Scope Optimization – Determining the scope of the current PCI DSS cardholder data environment and identify the best strategy for optimizing scope to satisfy the business needs and drivers.
  • Cardholder data removal — As appropriate, organizations must remove credit card data to meet business and legal requirements and ensure it is not recoverable.

Closing compliance gaps — To achieve PCI DSS compliance, all applicable requirements have to be addressed. As your PCI QSA, HALOCK can help ensure your remediation efforts will meet compliance requirements.

Am I PCI Compliant?

Perhaps you’ve already made efforts to satisfy PCI DSS standards but aren’t sure if you’re hitting the mark. HALOCK can review the scope of PCI compliance for your organization and each applicable DSS requirement to help you determine if you are ready to validate compliance.

How Do I Show PCI Compliance?

Different transaction volumes and types require different demonstrations of compliance — whether your transaction volume demands a full on-site assessment and PCI DSS Report on Compliance (ROC) or you need to fill out a Self-Assessment Questionnaire (SAQ), our Qualified Security Asessors (QSAs) can help you compile the required evidence, audit security controls, and author the appropriate compliance reports to register and demonstrate your PCI compliance.

How Do I Stay PCI Compliant?

While achieving PCI compliance is a point-in-time event, adhering to the PCI DSS and maintaining PCI compliance is a continuous process. From providing ad hoc counseling and advisory services to facilitating an ongoing PCI compliance program, HALOCK has the experience and expertise to get you compliant and help you stay compliant over time.

For many companies, achieving and maintaining PCI compliance seems both daunting and difficult to attain. HALOCK can guide you through the process to PCI compliance with a focus on not only PCI DSS requirements, but what is best for your organization. Our Purpose Driven Security® philosophy and approach will help you reach PCI compliance in a manner that is aligned with your mission, in addition to giving you the technical and operational infrastructure required to maintain that compliance over time. If you store, process or transmit cardholder data, need PCI assistance, or have questions about PCI compliance, contact HALOCK today.

PCI Deadline is Fast Approaching on June 30, 2018

Cyber security is a moving target.  The technology and policies that kept users, devices and data safe at one time are eventually compromised at some point by the growing skills of cybercriminals and technology itself.  This is one of the reasons security standards such as PCI DSS (Payment Card Industry Data Security Standard) are moving targets as well.  Things never remain stationary in a world that is digitally transforming itself and security standards would not be relevant unless they dynamically changed along with the world.  Although proper attention to new compliance standards does require added work and expense, it is more than worth it in order to avoid the risk of a data breach that could destroy the reputation and financial viability of your business.

One of the primary security mechanisms used to secure data both at rest and in transit is encryption.  Encryption is essential and in many cases required so that data that may be compromised is useless in the hands of an unauthorized perpetrator without the decryption key.  Encryption technology has grown more robust over the years in order to combat hacking tools and methodologies.  There is even a fear that in the not so distant future, computers that are readily available to the public will be able to decrypt even the most rigorous of encryption standards in real time.    This will essentially make encryption as we know it today obsolete.

The Details PCI DSS version 3.2

Fortunately, cryptography is still a very relevant and effective method of protecting your data today, but only if you utilize the latest versions and standards.  The PCI Security Standards Council (PCI SSC) in PCI DSS v3.2 is requiring that all versions of SSL and TSL version 1.0 must be disabled.  In order to be PCI DSS compliant you must be utilizing TLS 1.1 at a minimum, (although TLS 1.2 is highly recommended).  This mandate was originally slated for implementation by 2016 but due to the burdensome impact to organizations, the PCI SSC extended the timeline to June 30, 2018. The PCI DSS applies to all organizations receiving credit card payments for goods and/or services (merchants) and any third party service providers for PCI DSS merchants. For a copy of our PCI DSS 3.2 Guide, click here.

What is SSL and TLS?

The purpose of SSL and TLS is to encrypt data traveling between two endpoints, such as a web browser and a web server.  SSL or Secure Sockets Layer has been around for more than 20 years and many people refer to all web encryption protocols as SSL but TLS or Transport Layer Security is actually a separate protocol.   TLS v1.0 was released in 1999 and was designed to supersede SSL v3.0, which was beginning to show vulnerabilities.  Since then, other vulnerabilities within SSL have been discovered, the most famous being in 2014 when a man-in-the-middle attack vulnerability called POODLE was discovered that made it possible for data to be decrypted and extracted while in transit.  A few months later, a vulnerability was found in TLS v1.0 that allowed a hacker to mount a similar attack.  Which means that neither of these cryptography methods can fully protect your data.  For that reason, any version of SSL and TSL v1.0 must be completely disabled.

Are There Any Consequences for Disabling SSL and TSL v1.0?

There can be inconveniences to disabling these two vulnerable and outdated security protocols.  The first is that users will not be able to interact with your site using HTTPS with any of the following older browsers:

  • Firefox version 27 or lower
  • Google Chrome version 29 and lower
  • Google Android Browser version 4.4 or lower
  • Internet Explorer version 10 and lower
  • iOS 4 devices
  • Safari version 8 or lower

In some cases, users can simply install a new web browser.  Some however, will have to upgrade their operating systems or devices in order to accommodate a newer web browser that supports the newer encryption protocols.  For instance, the minimum Microsoft client OS is Windows 7.  The new compliance mandate also means that your server must support TLS v1.1 or higher .  For Windows, this would mean Server 2008 R2 at the minimum.  You will not have to replace your web certificates however, as they are not aligned with security protocol versions.

Recommendations beyond TLS 1.1

It is highly recommended that you use TLS v1.2 if possible as it will offer the maximum protection available today.  If you are running devices using TLS v1.1, you should ensure that they are fully patched and up to date. Merchants who currently rely on their Service Providers to encrypt data in transit may already be utilizing TLS 1.2 as Service Providers were required to provide a secure service offering by June 30th of 2016.  Of course, proper security entails more than simply disabling and enabling protocols.  It is highly recommended that you work with a PCI QSA to ensure correct understanding and impact of the PCI DSS for your organization.