The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for how companies that process credit card information must handle that information. The body that oversees PCI compliance is made up of people selected by the major credit card companies; it is an independent body that manages the PCI DSS. It was established in 2006 and has since monitored how businesses process, store, and transmit credit card data. In this article, we look at what it means to be PCI compliant.
Requirements For PCI Compliance
PCI compliance has twelve requirements. Below is a list of what each requires of companies that process card information.
1. Ensure Firewalls are Maintained and in Place
A firewall's job is to prevent unknown agents from gaining access to the network segments that hold private credit card data. Some consider it the primary defense against breaches and hackers, and very often a firewall is what stops an attacker from stealing private data. This is why a company must use firewalls to be in PCI compliance.
2. Maintain Password Protection
Much of the equipment that businesses use has passwords, and often it ships with generic passwords already in use. For example, a router or modem used within the company will require a password and will generally come with a default one. Many businesses fail to change these default passwords, which leaves them more vulnerable to breaches. Therefore, businesses must change default passwords and change passwords regularly, as well as maintain an inventory of every password-protected device connected to the business in some way.
3. Protect Cardholder Data
Perhaps among the more important requirements for compliance is a two-fold system of cardholder data protection. First, companies must ensure that stored cardholder information is encrypted; this encryption is performed with encryption keys. Second, they need to scan regularly to make sure that no unencrypted cardholder data has found its way into their systems.
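The second half of this requirement, scanning for cardholder data that is sitting in cleartext, is the part that is easiest to get wrong, because a card number can end up in a free-text note, a log line, or a backup field that nobody thought to encrypt. The following is an added example, not code from the original article or from any PCI DSS publication: it runs a simple discovery scan over constructed sample records, treating any 13 to 19 digit run that passes the Luhn mod-10 check (which real card numbers satisfy) as a cleartext primary account number, and reports each finding with the number masked to its last four digits so the report itself does not become another cleartext copy. The record layout, field names, and sample values are assumptions made for the example; the card numbers used are the well-known public test numbers.

```python
from __future__ import annotations

import re

# Constructed sample records (not real customer data): a tokenized reference,
# a cleartext PAN, a PAN written with dashes, a 16-digit order reference that
# fails the Luhn check, and a 15-digit PAN written with spaces.
SAMPLE_RECORDS = [
    {"id": 1, "note": "card=tok_9f8e7d6c5b4a (tokenized)"},
    {"id": 2, "note": "customer paid with 4111111111111111 on 2024-01-05"},
    {"id": 3, "note": "backup card 5500-0000-0000-0004 kept for retries"},
    {"id": 4, "note": "order ref 1234567890123456"},
    {"id": 5, "note": "card on file: 3714 496353 98431"},
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not adjacent to further digits (so a longer number is not sliced into a hit).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list[str]:
    """Return the separator-free PANs found in cleartext in `text`, in order of appearance."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits so the finding itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_records(records: list[dict], field: str) -> list[dict]:
    """Scan one text field of each record and report every cleartext PAN, masked."""
    findings = []
    for rec in records:
        for pan in find_cleartext_pans(str(rec.get(field, ""))):
            findings.append({"record_id": rec["id"], "masked_pan": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS, "note"):
        print(f"record {finding['record_id']}: cleartext PAN {finding['masked_pan']}")
```

On the sample data the scan flags records 2, 3 and 5 and ignores record 4, whose 16-digit order reference fails the Luhn check. In a real environment the same logic would be run over database dumps, log archives and file shares on a schedule, and every hit would be treated as data that must be encrypted, tokenized or deleted, not merely noted.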
4. Transmitted Data Must Also be Encrypted
Cardholder information is often transmitted for a variety of reasons and through a variety of channels. Whenever this happens, the transmitted data must be encrypted for the company to maintain PCI compliance. Also, cardholder numbers should never be sent to unknown locations.
5. The Use of Anti-Virus Software
Beyond PCI compliance, having anti-virus software installed on all relevant devices simply makes good sense. It is required for any device that stores primary account numbers, and the business must also keep that software updated.
6. Update all Software Regularly
It is not just your firewalls and anti-virus software that need updating. Any software used by the company, and especially software that handles account numbers, needs to be updated consistently.
7. Limit all Data Access
Access to cardholder data should be strictly limited to those who need it. Anyone within the firm who does not need this information should, without question, be restricted from it. This applies to staff and executives alike whose roles do not involve collecting cardholder data.
8. Unique IDs for Those Who Do Need Access
Individuals who do require access to credit card information should have unique credentials for gaining it. For instance, each should have their own login and password, rather than a single login shared by multiple employees. This makes the overall system less susceptible to fraudulent activity.
9. Ensure Physical Access is Restricted
Any cardholder data, whether written on paper or stored on a device, needs to be kept somewhere locked and secured for the company to be in PCI compliance. Also, whenever someone does need to gain access to this information, that access has to be logged and recorded for compliance purposes.
10. Maintain all Access Logs
The access logs for any activity involving cardholder information need to be carefully maintained. One of the more common problems with PCI compliance is a lack of diligence in such record keeping. Businesses need to record how and when data comes into the company, as well as how often and when that information is accessed by anyone within the organization.
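Maintaining access logs only pays off if someone actually reads them, and requirements 8 and 10 together suggest two simple questions to ask of the log: how often does each user touch cardholder data, and does any user ID behave like a shared account? The following is an added example, not code from the original article or from any PCI DSS publication. It parses constructed sample log lines in an assumed key=value format (not a real product's log format), summarizes accesses per user, and flags a user ID that appears from two different source addresses within a short window, which is a common sign of a login being shared across people or machines. The line format, field names and five-minute window are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not real data). Each line records who accessed
# which cardholder record, what they did, and from which source address.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z user=alice action=view record=cust-1042 src=10.0.5.12
2024-03-01T09:15:40Z user=alice action=view record=cust-1043 src=10.0.5.12
2024-03-01T09:16:10Z user=ops-shared action=view record=cust-0007 src=10.0.5.30
2024-03-01T09:16:25Z user=ops-shared action=export record=cust-0008 src=10.0.7.91
2024-03-01T10:40:11Z user=alice action=view record=cust-1050 src=10.0.5.12
2024-03-01T11:02:00Z user=bob action=view record=cust-2201 src=10.0.5.18
2024-03-01T18:30:00Z user=bob action=view record=cust-2202 src=10.0.6.44
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_log_line(line: str) -> dict | None:
    """Parse one line into a dict with a UTC datetime under 'ts'; None if malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = ts
    return fields


def parse_log(text: str) -> list[dict]:
    """Parse every well-formed line of the log text, skipping blank or malformed ones."""
    return [e for e in (parse_log_line(line) for line in text.splitlines()) if e]


def access_counts(entries: list[dict]) -> dict[str, int]:
    """How often each user ID accessed cardholder data."""
    counts: dict[str, int] = defaultdict(int)
    for e in entries:
        counts[e["user"]] += 1
    return dict(counts)


def shared_account_indicators(entries: list[dict], window_seconds: int = 300) -> list[str]:
    """User IDs seen from two different source addresses within `window_seconds`.

    A single person rarely switches machines within a few minutes, so this is a
    cheap indicator that a login is being shared rather than unique to one user.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    flagged = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for earlier, later in zip(events, events[1:]):
            gap = (later["ts"] - earlier["ts"]).total_seconds()
            if earlier["src"] != later["src"] and gap <= window_seconds:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("accesses per user:", access_counts(entries))
    print("possible shared accounts:", shared_account_indicators(entries))
```

On the sample log, `ops-shared` is flagged because it appears from two addresses fifteen seconds apart, while `bob`, who used two machines seven hours apart, is not. Both outputs are the kind of evidence an assessor asks for: a record of who accessed cardholder data and how often, and a check that the unique-ID rule is actually holding.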
11. Test the System for Vulnerabilities
Vulnerabilities can appear in any component of a company's system for safeguarding card information. This is why PCI compliance requires regularly scanning the system for such issues and fixing them before they cause major problems. Components go out of date and malfunctions occur, so testing is critical.
12. Document all Relevant Policies
Keeping a careful inventory and documenting every part of the process is key to PCI compliance. Even where this documentation is stored is an important part of the overall process.
Why Be PCI Compliant
Yes, there are many moving parts to maintaining PCI compliance. So why is it so important for a business to follow the list of requirements above? Some of the more notable benefits of PCI compliance include:
- Your systems are more secure, so customers will have more confidence in your ability to keep their data private. This helps grow your customer base over time.
- It also helps your reputation with the companies you partner with.
- Over the long term, PCI compliance helps you prevent cyber attacks and data breaches that could be very costly to your company, not to mention a PR nightmare.
- It improves the overall IT infrastructure, not just from a security standpoint but from an efficiency one as well.