PCI Compliance Checklist for MSPs

If you work with clients that accept credit or debit cards (retailers, hotels, restaurants, etc.), they’re counting on you to maintain your compliance with the Payment Card Industry Data Security Standard (PCI DSS). Remember, businesses that accept and process credit cards aren’t the only ones that need to comply with PCI DSS. Any path into the cardholder data environment (CDE) needs to be secured. That means if you use a remote agent to access your clients’ systems, and those systems contain payment card information, you’re on the hook for PCI DSS compliance.

If you’re an MSP, the following checklist should help. Here are some of the major PCI DSS requirements that might apply to you with tips on how to comply:

Rule: Do not use vendor-supplied defaults for system passwords and other security parameters.

How to comply: Use a password management system to enforce strong passwords and monitor your users for poor password practices, like using vendor-supplied defaults.

Rule: Restrict access to cardholder data by business need to know.

How to comply: Assign privileges in your password management system to groups of users based on which systems they need to access and their level of authority. Don’t grant any user access to a system he or she doesn’t need in order to do his or her job.

Rule: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support and maintenance).

How to comply: Implement a multi-factor authentication solution and require its use to access client systems. This might be easier than you think. The most common first factor is a password, of course, while for the second factor many businesses are choosing biometrics (like a fingerprint scan) or a one-time code generated on a smartphone or key fob. With the ubiquity of smartphones these days, that last option might be the most convenient. No one ever forgets to bring their phone to work anymore.

Rule: Track and monitor all access to network resources and cardholder data.

How to comply: Again, a good password management system will come in useful here. It is an ideal tool for generating audit logs because it “knows” every time a credential is used, can match that use to whoever made it, and stores the data permanently in an easy-to-access form.

Your password management system should be able to log the following information for every auditable event:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component, or resource
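One way to check that an exported audit log actually carries those six pieces of information, as an added example that is not code from the original page or from any password management product: it reads JSON-per-line events (the field names and the sample lines are assumptions constructed for illustration), reports records that are missing a required field or carry an unusable timestamp, and tallies failed access attempts per user so that incomplete logging and repeated failures both surface in the same pass.

```python
import json
from datetime import datetime

# The six items PCI DSS expects in every audit record, as listed above.
# Field names are an assumption; map them to whatever your product emits.
REQUIRED_FIELDS = (
    "user",        # user identification
    "event_type",  # type of event
    "timestamp",   # date and time (ISO 8601 assumed)
    "outcome",     # success or failure indication
    "source",      # origination of event (e.g. client IP or host)
    "target",      # identity of affected data, system component or resource
)

# Constructed sample log lines (JSON per line); not real product output.
SAMPLE_LOG = """\
{"user": "alice", "event_type": "credential_checkout", "timestamp": "2024-05-01T09:12:03Z", "outcome": "success", "source": "10.0.0.5", "target": "client-acme/pos-db"}
{"user": "bob", "event_type": "credential_checkout", "timestamp": "2024-05-01T09:13:40Z", "outcome": "failure", "source": "10.0.0.9", "target": "client-acme/pos-db"}
{"user": "svc-backup", "event_type": "vault_export", "timestamp": "2024-05-01T09:15:00Z", "source": "10.0.0.7"}
{"user": "bob", "event_type": "credential_checkout", "timestamp": "not-a-date", "outcome": "failure", "source": "10.0.0.9", "target": "client-acme/pos-db"}
"""

def validate_event(event: dict) -> list:
    """Return the problems with one audit event; an empty list means it is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not event.get(f)]
    ts = event.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems

def audit_log_report(log_text: str) -> dict:
    """Count complete records, list incomplete ones by line number, and tally failures per user."""
    report = {"complete": 0, "incomplete": [], "failures_by_user": {}}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report["incomplete"].append((lineno, ["not valid JSON"]))
            continue
        problems = validate_event(event)
        if problems:
            report["incomplete"].append((lineno, problems))
        else:
            report["complete"] += 1
        if event.get("outcome") == "failure":
            user = event.get("user", "<unknown>")
            report["failures_by_user"][user] = report["failures_by_user"].get(user, 0) + 1
    return report
```

Running `audit_log_report(SAMPLE_LOG)` flags the export event that never recorded an outcome or a target, and the record whose timestamp cannot be parsed, while still counting both of bob's failures.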

Ready to Get Started?

Try AuthAnvil