PCI Compliance and Data Security Standards
If your business takes credit cards, then you’re probably already familiar with the Payment Card Industry (PCI) Data Security Standard (DSS). You probably also know that failure to comply can mean losing the ability to process credit cards. The standard requires businesses to follow a strict set of rules governing how cardholder data, above all the primary account number (the card number itself), is protected. Self-assessment questionnaires, vulnerability scanning, endless acronyms and confusing terminology can be a headache, but they are all part of understanding the requirements and becoming compliant.
With credit card fraud at frightening levels, the major card brands formed the Payment Card Industry Security Standards Council. The Council was founded by American Express, Discover, JCB, MasterCard and Visa. Its focus is developing and maintaining the data security standards and helping merchants understand what those standards require of them. The standards, in turn, help protect consumers’ card data. Businesses that aren’t doing their part to protect cardholder data can be fined by their acquiring bank and, ultimately, lose the ability to accept cards at all.
The Technology of PCI Compliance
Roughly half of becoming PCI DSS compliant revolves around policies, procedures and documentation. The other half is technology. The three primary steps to becoming compliant are to assess, remediate and report. Step one, assess, means gathering information on your card-handling policies, your card processing applications and the cardholder data they touch, and your network configuration, and then analyzing all of it for gaps and vulnerabilities. Depending on your transaction volume and how you accept cards, this is done either by hiring a Qualified Security Assessor (QSA) for an on-site assessment or by completing the appropriate Self-Assessment Questionnaire (SAQ). Your bank or card processor will usually tell you which applies. Step two, remediate, means correcting every deficiency found during the assessment. Step three, report, means compiling the results (the SAQ or the assessor’s Report on Compliance, plus passing scan reports) and submitting them to whoever requested them, typically your acquiring bank or card processor.
At its core, PCI DSS includes the following requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt the transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
The technical requirements aren’t exotic: a modern, well-designed and properly maintained business network already does most of this, and the remaining work is usually documenting it and closing specific gaps. Running hardware, operating systems and payment terminals that are still supported and still receiving security updates makes assessment time considerably easier, because unsupported systems cannot meet the patching and vulnerability requirements no matter how they are configured.
Investment In Data Security
There is typically some cost involved in maintaining PCI DSS compliance. Hiring an Approved Scanning Vendor (ASV) to scan your network from the outside for known vulnerabilities will likely be necessary. A passing scan shows that only the services you intend to expose are reachable from the Internet and that none of them has a known, exploitable weakness. PCI DSS requires these external scans at least quarterly and after any significant change to the network, so ASVs scan on that schedule and report their findings; the findings are used both to fix new or existing flaws and to provide the passing scan report your bank or processor expects. Some ASVs’ pricing starts as low as $250 per year.
Internally, a properly managed infrastructure will usually lend itself to compliance. Applying Windows security updates and antivirus signature updates promptly, and having a documented process to verify that this is actually happening on every computer and server, is necessary. Internal vulnerability scanning is also required, and it finds the unpatched or misconfigured systems that an external scan cannot see. Your IT company will likely need to help with some portion of your PCI compliance effort, whether by gathering information for the assessment or through an ongoing engagement to keep the network at the required standard.
PCI DSS is a contractual requirement imposed by the card brands through your acquiring bank rather than a law, but the consequences of ignoring it are real for both your customers and your business. If you own or run a small business, talk with your financial institution and IT provider about what steps you should be taking. You can read more about PCI compliance here: https://www.pcisecuritystandards.org/smb/how_to_secure.html