Does PCI-DSS compliance apply to you?
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company accepts credit card payments by storing, processing and transmitting cardholder data, you need to ensure that your cardholder data is stored securely and is PCI compliant. You can accomplish this by hosting your data securely with a PCI compliant hosting provider.
Common issues in reaching PCI compliance:
I have conducted several PCI-DSS assessments and have helped companies get PCI
compliant. During these projects, some of the common issues I have found with companies trying to get PCI compliant, are:
-
Being able to identify where cardholder data is located.
-
Cardholder data is often stored or transmitted in several formats. It could be in paper form, such as through faxes or reports. It could be in electronic form, such as on spreadsheets, databases, network shared files, and even audio files.
- Do you know all the places and formats in which you are receiving, storing or transmitting cardholder data?
 |
At one client's site, we found that when customer service agents were taking calls, customers often provided them with debit or credit card information on the phone. The company was unaware that this conversation with cardholder information was being backed up into audio files onto the shared network drive and had failed to include this as part of the inventory of locations cardholder data is located. |
-
Who has access to that data?
- Do you know which of your employees and departments have access to cardholder data? Are you maintaining appropriate access control logs and reviews?
- Other parties may have access to your cardholder data, for instance, billing companies and contractors. Do you have the proper agreements and policies in place to properly govern access to this data?
| In the example of the client who was unaware of audio files being backed up containing cardholder data, it was also found that several people in multiple departments had access to those audio files without having the need for such access. Our recommendation was that they restrict access to these audio files to only those people and roles who needed the access for their work. |  |
-
Ensuring that you have comprehensive policies and procedures in place.
- In many companies, comprehensive documentation or standard operating procedures may not be in place.
- It is important to establish comprehensive policies and procedures regarding storing, receiving, processing and transmitting cardholder data, governing all access to cardholder data and ensuring the security of this data.
-
Training of the team with regards to proper handling of the data.
- Training is often an issue we have seen with companies. In the case of one client, we saw that all their employees who were web developers had been receiving training on PCI compliance and procedures, but the contractor web developers had not received this training. Be sure to train all your employees who may come into contact with cardholder data.
-
Coding standards.
- We have also found in many cases, a lack of appropriate coding standards when it comes to writing code related to cardholder data processing. We usually provide recommendations to our clients for secure coding standards based on OWASP (Open Web Application Security Project) and other best business practices.
12 requirements for PCI-DSS compliance:
According to the PCI Security Standards council, they suggest 6 goals and 12 PCI-DSS requirements as security best practices when handling cardholder data.
|
Goals (per PCI Security Standards Council) |
PCI-DSS requirements (per PCI Security Standards Council) |
|
Build and maintain a secure network |
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
|
Protect Cardholder data |
3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
|
Maintain a Vulnerability Management program |
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
|
Implement Strong Access Control Measures
|
7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
|
Regularly Monitor and Test Networks |
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
|
Maintain an Information Security Policy |
12. Maintain a policy that addresses information security for all personnel |
Why should you as a company, get PCI compliant?
The main purpose of PCI-DSS compliance is to reduce the risk of loss of debit and credit card data. There is no penalty imposed by any federal agency for non-compliance, but there are financial implications. For instance, by being PCI compliant, you may be entitled to receive a substantial discount from your card servicing company, or they may assess a penalty for not being PCI compliant. 
If you accept debit or credit cards as a form of payment, and receive, store or transmit card information in any way, then you will find a benefit in taking the steps needed to become PCI compliant. PCI-DSS compliance can be quite complex as it has a significant number of steps involved. You can choose to either self-assess for compliance or hire a contractor to help you. Read about the PCI-DSS compliance services offered by 24By7Security, Inc.., a PCI Qualified Security Assessor (QSA) company.
Read some of our other blog posts related to this subject:
Is it secure to pay with a credit or debit card at restaurants?
