Tuesday, May 25, 2010

A New 12-Step Program: PCI DSS compliance basics

We’ve discussed the issue of “Paying for Peace of Mind” when it comes to Payment Card Industry Data Security Standards (PCI DSS).  As we noted, many Merchants are paying a PCI Compliance Fee to their current processor with little or no security benefit.  In many cases, it is just another revenue stream for the processor.  Because of the seemingly confusing nature of credit card statements, most Merchants pay the fee because they “just don’t understand the bill in the first place”. 

But what does it take to become PCI Compliant?  Most Merchants – especially small ones – don’t have a clue.  From a Best Practices standpoint, it’s all pretty much based on common sense.  So let’s go over them one by one.  When you get your head around what actually needs to be done, just paying for the peace of mind will seem counterintuitive to how you run all other aspects of your business.

There are 12 requirements for building a PCI Compliant Network. Our comments are in italics.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
This is common sense.  But how many small businesses are actually taking this step?  Many people build a firewall on their home computers to protect against tampering.  Why not at work, when the data you are handling is 100-fold greater?

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Again, this is common sense.  Use a password that is over eight characters and use numbers, symbols and letters.  Do not use the same password for everything; use different passwords for different applications.  Change them quarterly.

Requirement 3: Protect stored cardholder data
This is a little broad.  But the idea is simple.  Take all reasonable steps to protect the customer. 

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Now this is where you need to do due diligence.  If you are using a swipe terminal that is already PCI Compliant, or a PIN Pad from your processor, your encryption is “most likely” up-to-date and compliant.  Notice the quotation marks.  I have known Merchants who still process on out-of-date equipment or non-compliant equipment.  Check with your processor.  It’s only a phone call.
If you are using a Virtual Terminal, this can be a little trickier.  There are only a few companies that actually design and deploy Virtual Terminals.  Most companies create a “front-end” on another company’s work.  They do this so they will not have to undergo rigorous and costly PCI Compliance audits.  If you can, work with the manufacturer of the Virtual Terminal, making sure it is not just branded by your processor.  If not for PCI Compliance, do it for better customer service, as you will not be bounced from one company to another to get a problem resolved.

Requirement 5: Use and regularly update anti-virus software or programs
Enough said.

Requirement 6: Develop and maintain secure systems and applications
Much like Requirement 4.  Know what you are buying and from whom you are buying -- whether it’s hardware or software.  Make sure it is PCI compliant.  

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data
Let’s just take these as one item, because they are pretty similar.  Do not let just any employee have access to your company’s data, especially if you are a small retail business.  If you are using a point of sale (POS) system (tied to a Virtual Terminal), make sure you require an ID for each employee and have them log in and out daily.  Additionally, do not give employees access to Management Functions within the POS system.  Audit credit card receipts daily to make sure hard copies match the number of transactions.
Some businesses set up “House Accounts” -- credit that is offered to customers on a monthly basis.  Do not keep credit data on file and then process it as a “card not present” transaction. You should use a Virtual Terminal with a recurring billing function or a stand-alone recurring billing application.  This will ensure the data is properly secured and its storage is compliant.  

Requirement 10: Track and monitor all access to network resources and cardholder data
The use of employee IDs and restricting access to POS management functionality will go a long way toward mitigating problems. Keep these logs on file.

Requirement 11: Regularly test security systems and processes
There are many companies that audit your security infrastructure and processes.

Requirement 12: Maintain a policy that addresses information security for employees and contractors
If you have done Requirements 1-11, then this becomes a training and development issue.  Make sure you document your employee roles and responsibilities, processes, vendors, and make(s)/model(s) of all hardware and software. Communicate the company’s policies to everyone that has anything to do with how the business stores or transmits credit card data.

When you break these requirements down, it doesn’t seem that daunting.  PCI DSS Compliance is about common sense and making policies that will protect your customer -- and ultimately you.  This is an investment in your business -- one that will absolutely pay off in the end.  And remember:  in the long run, it is much less expensive than paying someone for a false sense of security.
