The Payment Card Industry Data Security Standard (PCI DSS) was set in place to protect credit and debit card data that is shared with vendors. Addressing PCI DSS compliance requirements is of critical importance to businesses that process and store payment card data. We often hear that business owners believe they meet PCI DSS if they purchase “PCI compliant” software or hardware. Unfortunately, meeting the PCI DSS standard is a process that cannot be solved with a single, off-the-shelf purchase.
We also hear many small businesses try to “pass the buck” onto third-party payment processing providers as a way to circumvent PCI DSS compliance responsibility. The fact is, if your business or business website sits in between your customer’s credit card information and the end processor, you hold liability in the transaction.
Instead of trying to get around security requirements, Soteria wants to help small businesses understand security and provide them with tools to meet PCI DSS compliance requirements. Soteria even offers free security toolkits to early-stage startups to help them on the path to compliance.
Before tackling compliance, it’s important to understand what is required of your firm. To help, we have created a “cheat sheet” that outlines the PCI DSS compliance requirements as a way to help businesses better understand what this compliance standard entails.
Keep in mind, this write-up is not a comprehensive overview of PCI DSS. For more information on PCI DSS and determining your company’s current level of compliance, visit the PCI Security Standards Council website.
Remember, reaching out to Soteria’s security consultants for answers to your questions is always an option!
Twelve PCI DSS Compliance Requirements
Install and maintain a firewall configuration to protect cardholder data. Firewalls are used to control the flow of data in and out of a business’s network. By correctly configuring firewalls on your devices (including employee-owned devices that are used to access company data), your business will make it more difficult for untrusted or unauthorized individuals to access credit card data stored on your network.
Change all default passwords. It is required that your business changes default login credentials and removes default accounts on all hardware and software used to store and transmit credit card data. Default account login credentials are easily searchable by anyone with a connection to the internet, so change these user logins to add a layer of security to your network.
If you store cardholder data, protect it. Credit card data, such as encrypted primary account numbers (PAN), cardholder name, service codes, and expiration dates, may be stored by a business if deemed necessary for business operations. Under no circumstances can magnetic stripe data, 3- or 4-digit security codes (on the front or back of credit cards), or PINs be stored by a business.
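As an added illustration of this rule (example code, not Soteria’s own tooling), the guard below keeps only the storable fields, refuses any record that still carries security codes, PIN or magnetic stripe data, and renders the PAN unreadable before storage. The field names are assumptions, the sample record is constructed, and a keyed one-way hash (HMAC) stands in for the encryption the write-up mentions so the example runs on the standard library alone.

```python
import hmac
import hashlib

# Fields the write-up says a business may retain (PAN only in unreadable form).
STORABLE_FIELDS = {"pan", "cardholder_name", "service_code", "expiry"}
# Sensitive authentication data that must never be stored (assumed field names).
FORBIDDEN_FIELDS = {"track_data", "cvv", "cvc", "cid", "pin", "pin_block"}


class SensitiveDataError(ValueError):
    """Raised when a record contains data PCI DSS forbids storing."""


def _digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Display form of the PAN: first six and last four digits, rest masked."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN; the key must live outside the app."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return only what may be stored; refuse records carrying forbidden data."""
    filled = {k for k, v in record.items() if v not in (None, "")}
    leaked = FORBIDDEN_FIELDS & filled
    if leaked:
        raise SensitiveDataError(f"refusing to store: {sorted(leaked)}")
    stored = {k: v for k, v in record.items() if k in STORABLE_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(record["pan"])   # never the clear PAN
    stored["pan_token"] = pan_token(record["pan"], key)
    return stored


# Constructed sample (not real card data); the PAN is a common test number.
SAMPLE_KEY = b"demo-key-replace-with-hsm-managed-secret"
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Sample",
    "expiry": "12/29",
    "service_code": "201",
    "cvv": "",  # captured for authorization, then discarded before storage
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
```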
Encrypt cardholder data that is sent across open, public networks. In the event a hacker is able to intercept card information as it travels from one network to another, encrypting the data will lower the criminal’s ability to use the stolen information for personal gain.
Protect all systems against malware and regularly install software updates. Anti-virus software must be installed and routinely updated on all devices storing cardholder data. Soteria can provide vulnerability scans to determine if your software is up-to-date.
Develop and maintain secure systems and applications. If your business is developing new software or applications, secure coding practices must be followed. If your business uses systems or applications with known security vulnerabilities, your business must obtain and routinely update vendor-provided security patches that mitigate the vulnerabilities.
Only allow access to payment data on a need-to-know basis. Employees should only have access to the least amount of data required to efficiently perform their jobs.
Assign unique employee logins to help track who is accessing your systems. Assign unique login credentials to all point-of-sale systems and cardholder data systems in order to track the activity of all employees authorized to access these systems.
Restrict physical access to cardholder data. Physical security measures must be put in place to secure systems and identify who is authorized to have access to systems that process and store card data. Examples of physical security measures include but are not limited to ID badges, access control systems, and visitor sign-in procedures.
Track and monitor all access to network resources and cardholder data. Implement logging systems that are able to track the activity of users inside a system. These logs will be key in the event an audit is being performed or the cause of a compromise needs to be determined. (Soteria’s Artemis™ endpoint protection platform can help with this!)
Regularly test security systems and processes. Network security software systems should be routinely screened and updated. Physical security measures must also be routinely reevaluated to account for changing office environments.
Maintain a policy that addresses security for all employees. Education is critical to ensure that employees understand the importance of security policies and procedures. All employees must understand how their actions can impact your company’s security posture.