The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company accepts credit card payments by storing, processing and transmitting cardholder data, you need to ensure that your cardholder data is stored securely and is PCI compliant. You can accomplish this by hosting your data securely with a PCI compliant hosting provider.
I have conducted several PCI-DSS assessments and have helped companies get PCI compliant. During these projects, some of the common issues I have found with companies trying to get PCI compliant are:
Being able to identify where cardholder data is located.
Cardholder data is often stored or transmitted in several formats. It could be in paper form, such as through faxes or reports. It could be in electronic form, such as on spreadsheets, databases, network shared files, and even audio files.
At one client's site, we found that when customer service agents were taking calls, customers often provided them with debit or credit card information on the phone. The company was unaware that this conversation with cardholder information was being backed up into audio files onto the shared network drive and had failed to include this as part of the inventory of locations cardholder data is located.
In the example of the client who was unaware of audio files being backed up containing cardholder data, it was also found that several people in multiple departments had access to those audio files without having the need for such access. Our recommendation was that they restrict access to these audio files to only those people and roles who needed the access for their work.
The PCI Security Standards Council defines 6 goals and 12 PCI-DSS requirements as security best practices when handling cardholder data.
| Goals (per PCI Security Standards Council) | PCI-DSS requirements (per PCI Security Standards Council) |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know; 8. Assign a unique ID to each person with computer access; 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
The main purpose of PCI-DSS compliance is to reduce the risk of loss of debit and credit card data. There is no penalty imposed by any federal agency for non-compliance, but there are financial implications. For instance, by being PCI compliant, you may be entitled to receive a substantial discount from your card servicing company, or they may assess a penalty for not being PCI compliant.
If you accept debit or credit cards as a form of payment, and receive, store or transmit card information in any way, then you will benefit from taking the steps needed to become PCI compliant. PCI-DSS compliance can be quite complex, as it involves a significant number of steps. You can choose to either self-assess for compliance or hire a contractor to help you. Read about the PCI-DSS compliance services offered by 24By7Security, Inc., a PCI Qualified Security Assessor (QSA) company.