Relating to our post a few weeks ago on the Payment Card Industry Data Security Standard (PCI DSS), our post today dives deeper into what it means to comply with the specific requirements laid down by the PCI Security Standards Council.
The 12 requirements contained, herein, apply to companies that process debit and credit cards, who must meet these requirements directly or by compensating control. Compensating control or alternative control is a mechanism that’s established to meet certain requirements for a security measure that’s considered to be difficult or impractical to implement immediately.
What we didn’t mention in our previous post is this: Failure to meet the PCI DSS 12 requirements can result in fines or termination of credit card processing privileges. Continue reading for the 12 steps you need to take to ensure that you’re on the safe side.
Cyber attacks are on the rise and to truly comply with the essence of the PCI DSS, protecting cardholder data is crucial. By maintaining a firewall, you’re one step closer to ensuring sensitive customer information doesn’t fall into the wrong hands.
One big mistake you may be making is maintaining the same passwords provided, by default, on the system software relating to your payment infrastructure. Needless to say, this represents a golden opportunity for cybercriminals who are more than equipped to cracked such passcodes.
Make sure you change vendor-supplied passwords before installing these systems on your network.
As a rule of thumb, cardholder data, especially the sensitive data contained on the magnetic strip or chip, should not be stored unless it’s absolutely necessary for your business. If it is, make sure that this data is unreadable by unauthorised users.
Cybercriminals are ruthless and will stop at nothing to intercept transmissions of customer data over public networks. Encryption means making it unreadable by unauthorised individuals.
Here, it’s recommended that you use cryptography and security protocols to protect cardholder data.
Anti-virus software is crucial, especially if your business is keen on preventing viruses that will compromise your network and systems. Make sure this software is introduced to all systems, personal computers, and servers.
Additionally, make sure your anti-virus mechanisms are updated at all times.
This step is more of an ongoing process or strategy your company needs to commit to. While this includes updating anti-virus software, it goes very much beyond that. Broadly, the specific requirements of this point can be condensed to identifying risks and installing security patches to address existing vulnerabilities.
More on this requirement can be found here.
As simple as it sounds, this requirement calls for businesses to restrict access to sensitive information on a need-to-know basis only.
Further to this, set up an access control system for system components with multiple users that limit access based on what specific users need to know. Set ‘deny all’ to users unless they are specifically allowed to access this information.
This requirement allows operators to see exactly who has accessed data, why they entered the system, and to track any changes made to system components and cardholder data.
Similar to the other requirements, this point has several follow-up measures that you can implement over time.
As with electronic data, make sure that physical access to data or systems that host cardholder data, whether hard copies, devices, systems or anything similar should be restricted on a need-to-know basis.
To be compliant with PCI DSS, make sure your logging mechanisms are robust and can track user activities.
By making activity logs in all environments, you can track and analyse what happened when something goes wrong.
Testing your system components, processes, and custom software should be done consistently, on a regular basis, to make sure that your vulnerabilities aren’t luring in malicious hackers and cybercriminals.
To prevent the unthinkable from happening, make sure you’re testing your security controls as well.
To create lasting changes in your organization with regard to cybersecurity, establishing a company-wide policy is a crucial action point.
Create a security policy that addresses all other requirements of the PCI DSS and keep reviewing it and updating it with the latest best practices. This should include policies for critical technologies and must relate to their proper use.
If you fall under the regulations set forth by the PCI Security Standards Council, implementing the 12 requirements of the PCI DSS guarantees that your business has taken the necessary steps to protect cardholder data.
With the ‘name and shame’ strategy ruining businesses that fail to take the appropriate safeguards, don’t become another bad example - especially at a time when you have all the resources to ensure that you’re abiding by data security regulations.