Today, fewer individuals are carrying around cash and coins. Instead, they rely on credit and debit cards to pay for goods and services. Making sure your business can handle card transactions is now an essential part of owning and operating a business. However, to accept these forms of payment, you must understand your responsibilities. Unfortunately, businesses are a frequent target of data thieves. Knowing how to protect your business from them is vital to avoid paying restitution, fines, or losing the right to accept cards as payment.
PCI, which stands for Payment Card Industry, has created a set of security standards that all businesses must follow to ensure safe card transactions. Not only do these standards seek to protect businesses from thieves, but they also seek to protect consumers from having their valuable information and money stolen. PCI compliance is a must for all businesses, big and small.
Understanding PCI SSC Security Standards
Established in September 2006, the PCI Security Standards Council (SSC) created comprehensive standards and supporting materials to develop the framework, tools, and measurements for businesses to ensure security for consumers using cards as payment. These tools and resources, which are available to all companies in the United States, are as follows:
- Self-Assessment: Questionnaires that are used to help determine whether a business is PCI compliant.
- PIN Transaction Security: A set of requirements for device vendors and manufacturers of card-accepting devices. This also includes a list of approved transaction devices that can legally take an individual’s PIN.
- Payment Application Data Security Standards: This consists of a list of validated payment applications to ensure that software vendors develop secure payment applications that protect cardholders and businesses.
The PCI SSC also established public resources for individuals to protect themselves from potential fraud. These resources include:
- Lists of Qualified Security Assessors: These independent security organizations are qualified by the PCI SSC to validate that businesses adhere to the PCI standards.
- Payment Application Qualified Security Assessors: The PCI SSC has created an in-depth program for security companies seeking to become payment application qualified assessors; these security companies need to be recertified every year.
- Approved Scanning Vendors: These organizations ensure that businesses have regular network scans to detect any vulnerabilities.
- Internal Security Assessor: This designation sets the standards an internal security audit professional must meet to perform assessments for a qualifying company.
The Standards of PCI DSS Compliance
Using and Maintaining Firewalls
Firewalls block unauthorized network traffic from outside parties attempting to reach private data. PCI DSS compliance standards require businesses to install firewalls in front of their servers so they have a strong first line of defense against attackers.
Secure Password Protection
Routers, Point of Sale (POS) systems, and other third-party products often ship with vendor-default passwords that are the same across many devices. Attackers can easily look up these passwords, leaving businesses vulnerable to an attack. PCI DSS compliance requires businesses to keep an inventory of all devices and software that require passwords and to change those passwords periodically. Passwords should be kept in a secure inventory and changed every six months to ensure that attackers cannot get in.
Protecting Cardholder Data
Card data must be encrypted with established algorithms and properly managed encryption keys. Regular scanning for stored primary account numbers (PANs) is needed to ensure that no card data is left unencrypted. Any unencrypted data that is found must be encrypted immediately so that attackers or other unauthorized parties cannot get hold of it.
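The scan described above can be automated: locate candidate account numbers in stored text, confirm them with the Luhn checksum that card PANs satisfy, and mask anything found to the first six and last four digits. This is an added example, not code from the original article; the sample text and the Luhn-valid numbers in it are constructed test values, not real card data.

```python
import re

# Constructed sample text: two synthetic Luhn-valid PANs plus a ticket number
# that must NOT be treated as card data.
SAMPLE_TEXT = (
    "2024-05-01 order=1234 card=4111111111111111 amount=19.99; "
    "ref 5500000000000004 approved; ticket 12345678 ignored"
)

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match_text: str) -> str:
    """Strip separators and return the digits if they form a Luhn-valid PAN, else ''."""
    digits = re.sub(r"[ -]", "", match_text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in the text."""
    return [pan for m in CANDIDATE_RE.finditer(text) if (pan := _as_pan(m.group(0)))]


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in the text with its masked form; leave other numbers alone."""
    return CANDIDATE_RE.sub(
        lambda m: mask_pan(_as_pan(m.group(0))) if _as_pan(m.group(0)) else m.group(0),
        text,
    )
```

Run `find_pans` over exported databases, log files and file shares to discover where unencrypted PANs have accumulated; `redact` produces a version safe to keep or display.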
Transmitted Data Must Be Encrypted
When consumers pay with their card, information is sent through many channels, such as to the payment processor or from local stores to home offices. Information passing through these systems must be encrypted so that it is protected from attackers and sensitive information is not sent to an unknown location.
Using and Maintaining Anti-Virus Software
Malware plagues the modern technological world and can be used by attackers to destroy or steal sensitive information. For your business to be PCI DSS compliant, it must have anti-virus software installed and kept up to date on systems that handle consumer information and the primary account numbers (PANs) the store processes.
Restrict Data Access
Cardholder data should only be accessed during “need to know” situations, such as processing a payment. Anyone who is not involved in these transactions should never have access to this data. Anyone with access to cardholder data needs to be documented along with any actions they take concerning the data.
Proper IDs for Data Access
Each individual permitted access to cardholder data should have their own unique ID and credentials. This ensures that no two users share the same username and password. In addition, this creates a more secure system and allows a quicker response if the data ever does become compromised, because every action can be traced to one person.
Restricting Physical Access to Data
All cardholder data must be kept in a secure location, both electronically and physically. Access to this data must be limited, and access must be logged to comply with PCI DSS regulations.
Creating and Maintaining a Data Access Log
All activity dealing with cardholder information must be logged appropriately to show how data flows and how often the data is accessed. This log must be kept electronically to ensure the accuracy of the information and to protect it from being altered.
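One way to make such a log resistant to alteration is to chain each entry to the hash of the one before it, so that editing or deleting any record breaks every hash that follows. This is an added example, not code from the original article; the record fields (`user`, `action`, `pan_last4`) are assumptions chosen to illustrate the point, and timestamps in the test are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash used as the "previous hash" of the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with the canonical JSON of this record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_access(log: list, user: str, action: str, pan_last4: str, ts: str = "") -> dict:
    """Append a cardholder-data access record that is chained to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "pan_last4": pan_last4,   # record only the last four digits, never the full PAN
        "prev_hash": prev_hash,
    }
    entry = dict(record, hash=_entry_hash(prev_hash, record))
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return the index of the first entry whose chain is broken, or -1 if the log is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash or _entry_hash(prev_hash, record) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return -1
```

Storing the most recent hash somewhere the log writer cannot reach (a separate system or a daily signed checkpoint) lets an auditor confirm that no records were rewritten or removed since that point.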
Testing for Vulnerabilities
Regularly scanning and testing the controls your company uses to protect valuable data is required to reveal weaknesses in those security measures.
Documenting Policies
Your business policies, equipment inventory, software, and employees with access to sensitive cardholder information should be documented.
What Are the Benefits of PCI Compliance?
- Helps develop a stronger bond of trust between you and your consumers due to a more secure system
- Your business will be able to comply with other federal and state-mandated data security regulations more easily
- You will gain better visibility into your IT infrastructure, allowing it to be streamlined