A Guide to PCI-DSS for Sysadmins

The Payment Card Industry Data Security Standards (PCI-DSS) are the rules that the major credit card issuers (Visa, MasterCard, Discover, American Express, and JCB) require all businesses that handle credit card information to follow.

Unlike HIPAA, PCI-DSS isn’t a law, but failure to comply can still have serious consequences for your business. If a breach of cardholder data is traced back to your company, you can expect to be held liable to banks and card issuers for their losses, and they may even revoke your ability to process credit cards at all. So it pays to take payment card security seriously.

As a system administrator, what do you need to do in order to keep your network PCI compliant?

Secure Your Network

PCI-DSS requires that you protect your network with firewalls and antivirus programs. A good network gateway is your first line of defense against hackers trying to get in. Choose one from a reliable vendor that specializes in high-security applications. Don’t forget to change the default passwords on all of your network equipment -- especially routers and switches. And if you use Wi-Fi, make sure to use robust authentication and encryption settings.

Effective antivirus is a must, both on your workstations and your servers. With more malware than ever floating around, you’ll also want to look into other options like disabling MS Office macros or software restriction policies/AppLocker to help protect against new and emerging threats.
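As an added example (not code from the original article or from E-N Computers), the script below audits two of the workstation controls mentioned above: the Office macro policy and the effective AppLocker policy. It assumes Office 2016/2019/365 (registry policy key version 16.0) and the built-in AppLocker module, and should be run in an elevated PowerShell session on the workstation; in a domain these values would normally be pushed by Group Policy rather than set locally.

```powershell
# Added example: audit (and optionally set) the Office macro policy, and list the
# effective AppLocker rule collections. Assumes Office registry policy key 16.0.
$OfficeApps = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access'
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings values used by Office:
#   1 = enable all macros, 2 = disable with notification (the Office default),
#   3 = disable except digitally signed, 4 = disable all without notification
$AcceptableVbaWarnings = 3, 4

function Get-MacroPolicyFinding {
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $vba
            MacrosRestricted     = ($null -ne $vba -and $AcceptableVbaWarnings -contains $vba)
            BlocksInternetMacros = ($block -eq 1)   # mark-of-the-web files cannot run macros
        }
    }
}

function Set-MacroPolicy {
    # Apply the restrictive policy to every Office application listed above.
    param([ValidateSet(3, 4)][int]$VBAWarnings = 3)
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Get-AppLockerFinding {
    # The effective policy merges local and domain AppLocker policy; no collections,
    # or collections in NotConfigured/AuditOnly mode, means nothing is being blocked.
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $collection.RuleCollectionType
            Enforcement = $collection.EnforcementMode
            RuleCount   = $collection.Count
        }
    }
}

Get-MacroPolicyFinding | Format-Table -AutoSize
Get-AppLockerFinding   | Format-Table -AutoSize
# To enforce the macro policy on this machine: Set-MacroPolicy -VBAWarnings 3
```

The audit functions only read the registry and the AppLocker policy, so they are safe to run across a fleet (for example through PDQ Deploy or a scheduled task) to find machines that drifted from the baseline; `Set-MacroPolicy` is the only part that changes state.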

Update Your Software

Another important component of PCI-DSS is the requirement to regularly patch software that’s in use on your network. This includes client software, server-side applications, and client and server operating systems alike. Deploying a WSUS server is a great start; this will let you automatically deploy Microsoft software updates to clients, and find out which ones are having trouble patching so that you can troubleshoot them.

You’ll need a procedure in place to make sure that your line-of-business applications are tested and updated ASAP, especially when new security vulnerabilities are found. A solution like PDQ Deploy can help with this, letting you install updates on all of your workstations simultaneously.
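The patching workflow above (deploy updates, find clients that are failing, fix them) can be driven from the WSUS server itself with the UpdateServices module. The script below is an added example, not code from the article or from E-N Computers; it assumes it runs on the WSUS server (or a machine with the console installed) and that a computer target group named "Workstations" exists, which is an assumption you would replace with your own group name.

```powershell
# Added example: WSUS compliance report plus approval of outstanding security updates.
# Assumes the UpdateServices module (WSUS console) and a target group called "Workstations".
Import-Module UpdateServices

$wsus = Get-WsusServer          # local server; add -Name/-PortNumber/-UseSsl for a remote one
$StaleAfterDays = 7             # clients that have not reported in this long need a look

function Get-PatchComplianceReport {
    # Machines that failed an approved update, or still need one that is approved.
    Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus FailedOrNeeded |
        ForEach-Object {
            [pscustomobject]@{
                Computer      = $_.FullDomainName
                IPAddress     = $_.IPAddress
                LastReported  = $_.LastReportedStatusTime
                LastSync      = $_.LastSyncTime
                StaleReporter = ($_.LastReportedStatusTime -lt (Get-Date).AddDays(-$StaleAfterDays))
            }
        } | Sort-Object LastReported
}

function Approve-OutstandingSecurityUpdates {
    # Approve critical and security updates that clients need but nobody has approved yet.
    param([string]$TargetGroup = 'Workstations')
    Get-WsusUpdate -UpdateServer $wsus -Classification Critical, Security -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -Verbose
}

Get-PatchComplianceReport | Format-Table -AutoSize
# Review the report first, then:  Approve-OutstandingSecurityUpdates -TargetGroup 'Workstations'
```

Clients flagged as stale reporters are the ones to troubleshoot first: a machine that has not checked in cannot have installed anything, so it is unpatched regardless of what has been approved.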

Test and Monitor

Another major requirement of PCI-DSS is auditing and monitoring. An intrusion detection or prevention system (IDS/IPS) is a must -- it can scan the logs on all of your devices for suspicious activity, and then alert you if something is amiss. You may also be required to run regular vulnerability scans on your internal and external systems, and fix any issues that are detected. This will check for things like unnecessary open ports, unpatched software, and other issues that could give a hacker a foothold in your network.
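To make "scan the logs for suspicious activity and alert" concrete, here is an added example (not from the article or E-N Computers) that looks for bursts of failed logons per source address, the kind of check an IDS or SIEM rule would perform. It assumes logon-failure auditing (Security event ID 4625) is enabled on the host; the `$SampleEvents` at the bottom are constructed for offline testing and are not real log data, so the script runs anywhere PowerShell does.

```powershell
# Added example: detect failed-logon bursts per source address (threshold within a window).
# Assumes Security log event 4625 auditing is enabled when run against the live log.

function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects with TimeCreated, IpAddress, TargetUser
        [int]$Threshold = 10,                      # failures from one source before alerting
        [int]$WindowMinutes = 5
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        # Sliding window: for each event, count failures in the following $WindowMinutes.
        $peak = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $from = $sorted[$i].TimeCreated
            $to   = $from.AddMinutes($WindowMinutes)
            $n = @($sorted | Where-Object { $_.TimeCreated -ge $from -and $_.TimeCreated -lt $to }).Count
            if ($n -gt $peak) { $peak = $n }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                IpAddress    = $_.Name
                PeakFailures = $peak
                Accounts     = (($sorted | ForEach-Object TargetUser | Sort-Object -Unique) -join ',')
            }
        }
    }
}

function Get-FailedLogonEvents {
    # Pull 4625 events from the local Security log and normalise them to the shape above.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                IpAddress   = ($data | Where-Object Name -eq 'IpAddress').'#text'
                TargetUser  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            }
        }
}

# Constructed sample (TEST-NET addresses): twelve failures from one source in two minutes,
# spread over three accounts, plus one unrelated failure half an hour later.
$start = Get-Date '2024-01-15 09:00:00'
$SampleEvents = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $start.AddSeconds($_ * 10); IpAddress = '203.0.113.7'; TargetUser = "user$($_ % 3)" }
    }
    [pscustomobject]@{ TimeCreated = $start.AddMinutes(30); IpAddress = '192.0.2.5'; TargetUser = 'jsmith' }
)

Find-FailedLogonBursts -Events $SampleEvents | Format-Table -AutoSize
# Against the live log instead:  Find-FailedLogonBursts -Events (Get-FailedLogonEvents)
```

On the sample data only 203.0.113.7 is reported (peak of 12 failures across user0, user1 and user2); the single failure from 192.0.2.5 stays below the threshold. The same two-step shape, normalise events then apply a threshold, is how you would extend this to other signals such as account lockouts (event 4740) or new service installations (event 7045).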

Help with PCI-DSS Compliance

PCI-DSS is a broad set of requirements for companies handling cardholder information. For more information, check out the official Payment Card Industry website: https://www.pcisecuritystandards.org/

If you’re not sure where to begin implementing these standards, partnering with an experienced managed service provider (MSP) can help you. E-N Computers has helped thousands of businesses of all sizes to keep their network secure. Contact us today for a consultation to find out how we can help you keep your network secure and compliant with PCI-DSS.