Staying Secure in the 2020’s
We’ve all seen what happens when security is violated: customer information is compromised, and confidence in the provider is damaged or lost entirely. Handling customer information securely protects your customers and your business, and keeps you out of the headlines.
PCI Compliance is one of the ways to protect customer data when operating a website.
What Is PCI Compliance?
PCI is shorthand for PCI DSS, the Payment Card Industry Data Security Standard. In a nutshell, the standard is a set of controls for protecting consumer payment card information and preventing data theft and fraud. You may be asking why a standard written for the payment card industry should matter to a business owner. That is a valid question, and the answer lies in who the standard applies to, which the next sections cover.
To be considered PCI compliant you must adhere to a defined set of requirements that apply to every company that processes, stores, or transmits cardholder data, so that each of them maintains a secure environment. The requirements are written for organizations of all types and sizes and cover the full data-handling lifecycle: prevention, monitoring and fraud detection, and what to do in the event of a breach.
The Responsibility of Retailers to be PCI Compliant
Every business that handles payment card data is obliged, through its agreement with its acquiring bank and the card brands, to comply with the PCI DSS. Compliance earns consumer trust; non-compliance carries severe penalties. Fines are levied by the card brands on acquiring banks, which generally pass them on to the merchant, and for financial institutions and banks they can reach as much as half a million dollars.
PCI Compliance Requirements
Protect Your Passwords
Consider every system you use a password for, and how each one can become a point of failure in your data security. The basics are: no default or vendor-supplied passwords, a different password for each system, and an inventory of every device and piece of software that requires one. Using a unique password per system, and changing a password promptly whenever the provider behind it reports a breach, keeps a compromise at a larger software or service provider from becoming a weak point in your own systems; where a password is the only authentication factor, PCI DSS also expects it to be changed on a regular schedule (at least every 90 days). Restrict cardholder and customer data to the staff roles that need it: the fewer people with access, the easier security is to maintain.
Restrict Access & Create Unique Access IDs
Giving each user a unique ID ensures there is an audit trail if data is ever compromised; shared logins make working out where a breach occurred a logistical nightmare. Log every access to cardholder data and retain those logs. To remain in compliance you must also document how cardholder data flows into and through your organization, and be able to show, from the logs, which individual accessed that data and when.
Routine Vulnerability Scans & Tests
Preventing breaches requires routine testing and updating of your systems. Attackers are constantly probing for vulnerabilities that give access to sensitive data, software, and systems, so your systems must be kept current and checked regularly. PCI DSS requires internal and external vulnerability scans at least quarterly (the external scans by an Approved Scanning Vendor) and after any significant change, plus penetration testing at least annually. A service provider may do this for you, or you may need an in-house team dedicated to detection and deterrence.
Protect Cardholder Data & Encrypt Transmitted Data
Protecting cardholder data means storing only what you need and protecting what you keep. Never store sensitive authentication data (the full magnetic stripe or chip contents, the card verification code, or the PIN) after authorization. Render any stored primary account number (PAN) unreadable, for example by tokenization or strong encryption, and mask it wherever it is displayed so that at most the first six and last four digits are visible. Encrypt cardholder data with strong cryptography (current TLS) whenever it crosses an open or public network, and send it only to known, verified endpoints.
Use & Maintain Firewalls
In lay terms, a firewall is a crucial element of your business security that stops outsiders from reaching the systems holding private data. Because it is so effective at blocking unauthorized access, a firewall between the systems that handle cardholder data and any untrusted network is a requirement for becoming and staying PCI compliant. Ask your Internet or digital service provider what levels and types of firewall protection are available to your business.
Maintain Anti-Virus Software
Anti-virus software is always good practice, even on personal devices, and it becomes a requirement when you want to be PCI compliant. Ask your POS provider whether its anti-virus software updates automatically or whether you need a manual process to make sure updates are applied regularly and compliance is maintained.
Adopt Regular Update Checks & Implementation
This brings us to the next point: software updates. As attackers and malware keep probing security, vulnerabilities are found and patches are released. It is usually up to the business to make sure those updates for firewalls, devices, and systems are downloaded and installed. Alongside a regular update process, read the release notes: some updates only need to be installed, while others require a full reboot after installation before the new protections take effect.
Approved Materials & Resources
The PCI Security Standards Council (PCI SSC) is the industry body, founded by the major card brands, that develops and maintains the standards; enforcement is handled by the card brands and acquiring banks. The Council provides a number of tools and resources that answer questions and set out minimum criteria and guidelines.
- Self-Assessment Questionnaires
- Payment Application Data Security Standard (PA-DSS), retired in 2022 in favor of the PCI Software Security Framework
- A list of Validated Payment Applications
- PIN Transaction Security Requirements
Public Resources Are Also Available
- The Internal Security Assessor (ISA) education program
- Lists of Qualified Security Assessors (QSA)
- Payment Application Qualified Security Assessors (PA-QSAs)
- Approved Scanning Vendors (ASVs)
Keep Your Business and Customer Information Secure
If you have questions, or want to make sure your website is PCI Compliant, contact the team at Hunter Marketing. We routinely employ website standards and processes to ensure that your digital platforms adhere to the strictest standards.
PCI Compliance is an ongoing effort that helps keep your business and customer data secure. By being secure, we hope the bad guys go after an easier target…somewhere else.