
PCI DSS Compliance, basic PCI SSC guidance for small merchants - Blog de Internet Security Auditors

Written by Internet Security Auditors | May 18, 2026 10:19:42 AM


Recently, the PCI SSC published a series of training “pills,” called Payment Data Security Essentials, to help small online merchants comply with the requirements of the PCI DSS security standard. These training pills provide recommendations and security best practices aligned with the requirements defined by the standard. They also include additional supporting material, such as guides and explanatory videos.

At the time this article was written, the PCI SSC had made the following training pills available to the public:
- Tips for establishing strong passwords
- Tips for securing remote access
- Tips for installing security patches

Some of their most notable characteristics include the following:

Strong Passwords

Random passwords that are difficult for an external attacker to guess must be generated for all logical access to the compliance environment. These passwords should include at least alphabetic characters, special characters, and numeric digits. In addition, they must not be composed of common words that an attacker could guess using a dictionary attack.

Both the user IDs and the passwords used to access the PCI DSS environment must be unique and non‑transferable, and they must never be shared with other individuals or third parties. Shared accounts/passwords among several members of the same department must also be avoided for all access to the environment, whether administrative access or business‑level access.

Passwords must be changed at least every 3 months (90 days), or sooner if there are indications that they may have been compromised by an attacker.

Securing Remote Access

The first recommendation to reduce the risk of a remote attack on a merchant is to minimize the number of remote entry points into the environment. Therefore, it is necessary to follow a need‑to‑have principle, enabling remote access only for employees or third parties who require it to perform their daily tasks.

Additionally, it is essential to periodically review remote access permissions that were granted for a specific need, ensuring that the justification originally provided is still valid. If during one of these reviews it is determined that any of these accesses is no longer necessary, it must be revoked as quickly as possible.

Unique authentication credentials must be enabled for all remote access to the PCI DSS environment, both for internal personnel and for third parties. This includes both user IDs and access passwords.

Lastly, it must be taken into account that all remote access to the PCI DSS environment must be performed using multi‑factor authentication. Typically, this means the user authenticates with a password and an external factor associated with an individual device they possess, such as a coordinate card, a cryptographic token, or an SMS received on their mobile phone, among others.

Security Patch Installation

The most important aspect for merchants to consider when implementing a proper security patch management policy is the need to clearly identify the responsibilities of the technology/application maintenance providers. This ensures that it is explicitly defined who is responsible for installing the patches. It is also important not to overlook web‑hosting environments in e‑commerce, which must likewise be subject to an appropriate patch‑management policy enforced by the companies hosting those websites.

If there is any doubt about the specific questions that should be asked of their service providers to identify their responsibilities in these and other security‑related aspects, merchants can refer to the evaluation questionnaire for merchants issued by the PCI SSC for this purpose.

Once these responsibilities are clearly defined, critical security patches must be installed within a maximum of one month from their release. For other, less critical patches, the risk must be assessed both by the environment administrators and by the entity’s management in order to determine the optimal installation date.
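The three pills above translate into a handful of checks a small merchant can run over its own account and patch inventory. The script below is an added example, not PCI SSC material or code from this blog: it flags shared credentials, passwords older than 90 days, remote access without multi-factor authentication, remote-access grants whose justification has not been re-confirmed (the page only says "periodically"; a 90-day cadence is an assumption here), critical patches still missing after one month, and non-critical patches awaiting a recorded risk decision. The inventory data is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

PASSWORD_MAX_AGE_DAYS = 90    # page: change passwords at least every 3 months
CRITICAL_PATCH_SLA_DAYS = 30  # page: install critical patches within one month
ACCESS_REVIEW_DAYS = 90       # assumed cadence; the page only says to review "periodically"
@dataclass
class Account:
    user_id: str
    holders: tuple              # people who know the password; more than one = shared credential
    password_set: date
    remote_access: bool = False
    mfa: bool = False
    access_review: date = None  # last date the remote-access justification was re-confirmed

def audit_accounts(accounts, today):
    findings = []
    for a in accounts:
        if len(a.holders) > 1:
            findings.append(f"{a.user_id}: shared by {len(a.holders)} people, issue individual credentials")
        if (today - a.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append(f"{a.user_id}: password older than {PASSWORD_MAX_AGE_DAYS} days")
        if a.remote_access and not a.mfa:
            findings.append(f"{a.user_id}: remote access without multi-factor authentication")
        if a.remote_access and (a.access_review is None or (today - a.access_review).days > ACCESS_REVIEW_DAYS):
            findings.append(f"{a.user_id}: remote-access justification not re-validated, revoke or re-approve")
    return findings

def audit_patches(patches, today):
    # patches: (name, critical, released, installed-or-None)
    findings = []
    for name, critical, released, installed in patches:
        if installed is None and critical and (today - released).days > CRITICAL_PATCH_SLA_DAYS:
            findings.append(f"{name}: critical patch overdue, {(today - released).days} days since release")
        elif installed is None and not critical:
            findings.append(f"{name}: non-critical patch pending, record the risk assessment and target date")
    return findings
# Constructed sample inventory (hypothetical, not real merchant data).
TODAY = date(2026, 5, 18)
ACCOUNTS = [
    Account("admin-shop", ("alice", "bob"), date(2026, 1, 2), True, False, date(2025, 9, 1)),
    Account("jdoe", ("john",), date(2026, 4, 1), True, True, date(2026, 4, 1)),
    Account("hosting-vendor", ("vendor",), date(2025, 12, 1), True, True, None),
]
PATCHES = [("shop-cms 4.2.1", True, date(2026, 4, 1), None),
           ("php runtime", True, date(2026, 5, 10), None),
           ("theme update", False, date(2026, 3, 1), None)]
def run_audit():
    return audit_accounts(ACCOUNTS, TODAY) + audit_patches(PATCHES, TODAY)
```

Running `run_audit()` on the sample data yields eight findings; only the account with an individual holder, a recent password, MFA and a fresh access review passes cleanly.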

Author: Guillem Fàbregas Margenats
CISSP, CISSP Instructor, CISA, CISM, CRISC, PCI QSA, PCIP, ISO 27001 L.A.
Consulting Department, Barcelona