A Business Guide to PCI Compliance
Businesses have a responsibility to protect customers’ payment data. If a failure to protect this information results in theft, the consequences can be severe, not just for the customer, but for the business, in the form of fines and lost reputation.
The security of card payments has been monitored since the 1990s, but as technology has grown, so have the ways in which criminals seek to capture sensitive card data.
Businesses wanting to take card payments from their customers securely must ensure they’re PCI DSS compliant.
But what exactly is PCI DSS compliance? And what are the steps involved in creating a PCI DSS-compliant business customers can use with confidence?
What is PCI DSS?
PCI DSS stands for ‘Payment Card Industry Data Security Standard.’
The PCI Security Standards Council was launched in 2006 to track the progression of the card payment industry, with a specific focus on security processes.
PCI DSS is managed by the council, at the request of the major card brands – Visa, MasterCard, American Express, Discover and JCB – who all had a hand in the council’s creation.
To be PCI compliant, companies must trade within the rules and guidelines laid out by the council, which ensure businesses are doing everything to protect customers’ card information.
Do I need to bother with PCI compliance?
If you accept card payments from your customers, you MUST follow the rules laid out in PCI compliance. This is for your safety and the safety of your customers.
It’s a legal requirement that could result in serious penalties if not adhered to properly. So make sure you’re following all the steps laid out in this article if you want to be certain.
What are the 12 requirements of PCI compliance?
The PCI Security Standards Council promotes 12 technical and operational standards businesses must follow to remain compliant.
1 – Install and maintain a firewall to protect cardholder data
A secure firewall should be a business’s first port of call in protecting both its own data and customer data. Firewalls act as a barrier between the network and unauthorized users while allowing authorized users to continue their work uninterrupted.
2 – Do not use default passwords and security measures
New devices and operating systems often come with pre-set usernames, passwords and other keys when users sign in for the first time.
These default keys are usually simple, easy to guess and could even be found floating around the internet. So it’s essential businesses use their own usernames and passwords, making sure they’re extremely complex. A trusted random password generator is a great tool to use here.
3 – Protect stored cardholder data
If you accept card payments, PCI compliance states you must also be aware of where customer payment data will be stored, what precise data will be saved and exactly how long it will be saved for. All data must be encrypted, hashed, truncated or tokenized. Businesses must also ensure they protect (or remove) any unencrypted card data, which can unknowingly appear in things like log files.
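As an added example (not the article's own code), the scrubber below shows how the log-file leak described above can be caught before logs reach long-term storage: candidate card numbers are confirmed with the Luhn check so that order numbers and other long digit runs are left alone, and confirmed PANs are masked to the first six and last four digits. The sample log lines are constructed; 4111111111111111 is a well-known public test card number.

```python
"""Find and mask PANs that leak into log lines (added example, not the article's code).

Requirement 3 warns that unencrypted card data "can unknowingly appear in things
like log files". Candidate PANs are confirmed with the Luhn check (so order numbers
and other long digit runs are left alone) and masked to first six / last four.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Mask every Luhn-valid PAN in a log line; return (clean line, count masked)."""
    found = 0
    def _replace(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave it untouched
        found += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(_replace, line), found

# Constructed sample log lines; 4111111111111111 is a well-known public test PAN.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO checkout ok order=1234567890123456 amount=19.99",
    "2024-03-01T10:00:02Z DEBUG gateway payload card=4111 1111 1111 1111 exp=12/26",
    "2024-03-01T10:00:03Z ERROR decline pan=4111-1111-1111-1111 reason=insufficient_funds",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        clean, n = scrub_line(raw)
        print(f"[{n} masked] {clean}")
```

Run against a real log stream, the count returned by scrub_line is itself a useful metric: any non-zero value means an application is writing card data it should never have logged.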
4 – Encrypt transmission of cardholder data across open, public networks
When cardholder data is moved across open or public networks, the data must be encrypted before any transmission is made. Data is arguably at its most vulnerable during these transfers, so proper transmission protocols (SSH, TLS) can limit cybercriminals’ ability to access it using nefarious means.
5 – Use and regularly update anti-virus software
Anti-virus software should be used on all devices in a business (PCs, laptops, tablets, mobile phones, etc.) and must be kept updated to the latest versions. This prevents attacks from malware that could potentially access customer card data.
6 – Develop and maintain secure systems and applications
A business must make sure its systems (often provided by external parties) are reliable and strong enough to identify potential security risks and fix issues quickly and effectively. These systems include operating systems, firewalls and routers, applications, databases, POS terminals and other similar pieces of tech. Only put your trust in reputable system vendors with a great security track record.
7 – Restrict access to cardholder data
Access to cardholder data should be restricted to only those individuals who specifically require access. This is also known as ‘Role-Based Access Control (RBAC)’. It’s the responsibility of the business to have a definitive list of individuals who need access, along with information regarding their position in the business – title, rank, seniority level, etc. An access control system helps with this.
8 – Assign a unique ID to each person with computer access
Every person with access to cardholder data must be uniquely identifiable with their own ID and password so their activities can be monitored. This not only restricts access to information but creates a transparent audit trail of who has accessed what in the event data is compromised.
9 – Restrict physical access to cardholder data
Much of the focus on data protection is on digital safety, but you also need to think about the physical security of information and where it’s stored. The best firewall in the world will be useless if someone can simply walk up to your servers and take the data.
If you use a data centre, take time to review its security measures. Does it operate keycard systems for entry, have CCTV in place and create access logs to record who is entering the building?
If you plan to store card data on your own servers, you’ll need to create the same access controls to ensure cardholder data is safe.
10 – Track and monitor all access to network resources and cardholder data
Businesses must keep track of all logs received by their centralized syslog server, to check for potential anomalies caused by cybercriminals attempting to make a breach. These should be checked daily – if not hourly. SIEM (Security Information and Event Management) tools monitor these logs and system activities, spotting anything suspicious. Records must also keep track of timestamps and be held for at least a year.
11 – Regularly test security systems and processes
Cybercriminals are constantly finding new ways to crack security protocols and get hold of sensitive data. Businesses need to stay on top of security systems, regularly testing for weaknesses. They need to follow these four processes:
- Detect all authorized and unauthorized wireless access points using a wireless analyser (to be completed quarterly).
- External IPs and domains in the cardholder data environment need to be scanned by a PCI-approved vendor (to be completed quarterly).
- A vulnerability scan of internal devices and systems (to be completed quarterly).
- All external IPs and domains must be put through application and network penetration tests (to be completed yearly or after any major changes).
12 – Maintain a policy that addresses information security for all personnel
Education is one of the most important parts of data security. You can have all the security policies you want, but they’ll be useless if employees don’t know about them or how to follow them.
Yearly reviews with all employees (and any external contractors) should be done as a minimum to ensure everyone is aware of the latest policies and procedures. They must read the security policy and formally acknowledge they’ve read it. You must also complete:
- Security awareness training
- In-depth background checks for all employees
- Incident management
- A yearly risk assessment that clarifies threats and vulnerabilities
What are the consequences of PCI non-compliance?
Companies that handle card payments but refuse or fail to follow proper PCI protocols can expect to be hit with several consequences, including monthly penalties, legal action, revenue loss and a severely damaged reputation, amongst other negatives.
On the financial side, companies could receive fines from the relevant card companies ranging from $5,000 to $100,000 per month, depending on the size of their business and the failure in question.
Are you ready for PCI compliance?
If you’re a business that takes card payments, external providers can make PCI compliance a much simpler standard to follow.
Many merchant services, like those that provide secure card machines, handle and maintain PCI compliance on their end, sometimes as part of your package and sometimes at a separate price.
Either way, investing in services and systems that turn your business into a cardholder security stronghold is well worth considering, for your peace of mind and that of your customers.