Do you handle credit card payments and data? What you need to know about PCI compliance
In an increasingly globalized economy that depends ever more on digital transactions, regulatory oversight and industry standards have become essential across all sectors. PCI compliance is central among them, particularly for companies that rely on e-commerce for their revenue.
The PCI DSS is the Payment Card Industry Data Security Standard: a carefully laid-out set of requirements that create a more secure environment for any company that transmits, stores or processes credit card information. It has existed since 2006 and has been updated repeatedly to raise security standards in the payment card industry and to improve e-commerce security generally.
The standard is maintained by an industry body, the PCI Security Standards Council (the PCI SSC), which was created by MasterCard, Visa, Discover, American Express and JCB. The card brands and payment acquirers are the ones that enforce compliance with the standards the PCI SSC sets. Here we take a look at some of the requirements for PCI compliance:
Maintaining and Using Firewalls. A firewall restricts which network traffic may reach the systems behind it, so unknown or untrusted parties cannot connect to systems holding private data. It is usually the first line of defense against malicious hackers. Firewalls are essential for PCI compliance because they are effective at blocking unauthorized access to systems containing valuable financial data; the rules must be maintained and reviewed, not just installed once.
Using Proper Passwords. POS systems, modems, routers and other third-party hardware ship with generic, easy-to-crack default passwords and default security settings. Businesses fail to change these defaults far too often, which is why PCI compliance requires an inventory of all software and devices that need passwords or similar protection. Beyond the basic inventory and the password change itself, further configuration and precautions are necessary, such as routinely changing the passwords.
Cardholder Data Protection. Protecting cardholder data is at the center of PCI DSS compliance: stored cardholder data must be encrypted with approved algorithms. That encryption depends on encryption keys, and the keys themselves must be protected (encrypted under a separate key) for full compliance. Regular scanning for stored PANs (primary account numbers), and cleaning up whatever is found, is necessary to make sure no unencrypted card data is sitting in files, databases or logs.
The same is true for cardholder data in transit through everyday channels, such as local stores, home offices and payment processors. Any cardholder data that is transmitted must be sent in encrypted form, and only to known, intended destinations. Account numbers must never be transmitted to unknown locations.
Anti-Virus Maintenance and Use. Even outside the realm of PCI DSS compliance, installing and using anti-virus software is generally considered good practice. On devices that store or interact with PANs it becomes an absolute necessity. The anti-virus software must also be updated and patched regularly to remain useful. Where anti-virus software cannot be installed directly on a device, your POS provider must employ equivalent anti-virus measures.
Proper and timely updates are essential here, especially for anti-virus software and firewalls. Regular updates supply your protective software with the latest threat information, and since new threats appear all the time and cybercrime is on the rise, staying up to date is the only way to keep that protection effective.
More generally, it is good practice to update every software product your business uses. Vendors release patches for newly discovered vulnerabilities, and applying them promptly matters most on devices that store or interact with cardholder data.
Access Restrictions. To keep cardholder data safe, access to it should be granted on a strict need-to-know basis. Executives, staff and third-party personnel who do not need the data to perform their job roles should be barred from accessing it. The personnel who do need access to sensitive data should be documented, and those lists should be reviewed and updated regularly. This is a basic PCI DSS compliance requirement.
Access to cardholder data should not be simple. Individuals should need specific identification and credentials to reach it. Sharing one login account among several employees who access the encrypted data, for example, is a cardinal mistake: everyone should have a separate username and a strong password. Unique IDs reduce the ways access can go wrong and make it possible to tell who did what, which speeds up the response when a breach or compromise occurs.
Cardholder data should be physically secure as well. Data on paper (anything typed or written out) and data kept on digital media (hard drives) need to be stored in locked cabinets, drawers and secure rooms. Physical access should not only be limited but also logged: any time an employee accesses sensitive data, a record should be kept to remain in compliance.
Access Logs. Any activity involving primary account numbers or other cardholder data should produce a log entry. This is one of the most common compliance failures: companies do not keep proper documentation and records of who accessed sensitive data and when. Compliance requires documenting the data that comes in and every access to it. These days, logging software is mostly used to automate the process and keep the entries accurate.
All the compliance requirements outlined here call for physical locations, software products and probably a couple of employees. And remaining in compliance is far from easy — plenty of things can malfunction, suffer from human error or simply go out of date. Meeting all the PCI requirements for vulnerability testing and regular scans does, however, reduce your exposure to threats. Work with your IT partner to determine what needs to be done to get you compliant and keep you that way.
Bahar Ferguson is president of Wasatch I.T., a Utah provider of outsourced IT services for small and medium-sized businesses.