Are you *REALLY* PCI Compliant?
By Roger Murray | June 23rd, 2016
If your business processes credit cards or other forms of electronic payment, it is required to meet the standards established by the Payment Card Industry (PCI). That applies not only to retailers, but to any establishment that accepts card payments at its place of business. If you don’t maintain PCI standards for compliance and suffer a data breach, you could face penalties ranging from $5,000 to $100,000 a month, putting your entire business’s future at risk. These penalties can also be incurred if the card companies suspect your business of poor security practices. Maintaining compliance is not a single assessment or evaluation, but rather a constant review of your process to ensure appropriate measures have been taken to protect the sensitive financial transaction data of your customers. In order to be in compliance, you must meet the following standards.
Maintaining a Secure Network
One of the most common misconceptions is that after conducting the now-mandatory penetration testing and passing the ASV scan, you are compliant indefinitely. This is simply not true. A penetration test and ASV scan should be thought of as a snapshot of your current level of compliance. As a business, you should constantly update software and ensure, to the best of your abilities, that the latest attacks are unable to breach your network infrastructure.
Tip: Your IT provider should have firewalls in place to protect and create a secure, private network. You should also establish with them a firewall policy and configuration test that is in part designed to protect cardholder data.
It is also critical to undergo quarterly internal and external vulnerability scans. The internal scan can be done in-house as long as you or your IT department has the expertise, but the external scan must be completed by a PCI SSC-approved vendor. Additional scans are also necessary if your business undergoes significant changes, such as a complete remodel, relocation, or changes to your payment processing and network.
Tip: There are also regular updates you can conduct, such as ensuring your anti-virus software is kept up to date to protect against the most recently developed malware. If data is being hosted on outsourced servers, your managed service provider assumes the responsibility of maintaining that safe environment, including generating the audit logs.
Controlling Access
Any data being stored with each business transaction presents opportunities for identity theft, exposing your business’s banking information. Any database or network device managing payment card processes is open for a PCI audit should there be suspicion of fraudulent charges or negligence.
Tip: Restrict the number of personnel who have access to cardholder data to a business need-to-know basis. Track and monitor all access to network resources and data through unique user accounts, logging systems to track activity, and stored archives.
Overall, PCI compliance can be vague, with room for interpretation, and it has become one of the most comprehensive and detailed sets of security controls compiled for a major industry. The interpretation lies with minimizing your liability by documenting and showing that your business has taken every measure, within reason, to protect and secure the sensitive data. To learn more about the PCI Security Assessment Procedures, review the PCI DSS Quick Reference Guide from the PCI Security Standards Council, or contact us to speak with one of our knowledgeable experts!