PCI Compliance: Is Your Business PCI Compliant?
Credit card theft and fraud is a multi-billion-dollar-a-year industry, one that affects businesses both large and small. If your business handles, transmits, or processes credit card information, you are at risk of attack. Worse yet, if your business fails to meet the PCI-DSS security standard, you will be responsible for fines, damages, possible legal action, and the termination of your relationship with credit card companies. Do not risk it! The PCI-DSS standard is laid out in a 12-part document, each part of which describes a category of compliance and how to meet it. Businesses should of course read the document for themselves, or partner with an IT company knowledgeable about the standard. PCI compliance is not something you should skimp on for your business.
1 & 2) Build and Maintain a Secure Network and Systems
Common Failures: Improperly configured firewall. Default passwords left in place on devices.
Remediation: Network analysis by qualified IT professionals.
3 & 4) Encrypt Cardholder Data
Common Failures: Credit card data not encrypted. Improper VPNs or other transport encryption when data is transferred. Credit card data present in unauthorized areas.
Remediation: Examination of the card data pathway. Proper VPNs, SSL certificates, and other security measures to protect the flow of data. Control which removable devices can connect to card data repositories.
5 & 6) Maintain a Vulnerability Management Program
Common Failures: Devices do not have proper antivirus software. Network does not have proper intrusion protection systems. Devices are not updated properly. Use of out-of-date software such as IE 6, Windows Server 2003, or Windows XP.
Remediation: Antivirus on all machines in the cardholder data environment. Intrusion protection and log monitoring to detect tampering. Removal or upgrade of older systems such as XP workstations.
7, 8 & 9) Implement Strong Access Control Measures
Common Failures: Unauthorized personnel have access to cardholder data. Users do not have proper passwords, and authentication systems are not robust. Storage media for cardholder data are not physically secure.
Remediation: Quarterly audits and security testing by a qualified security team. Proper and secure controls on data. Implement advanced security measures such as two-factor authentication to prevent breaches. Physically guard and secure all storage devices, log when they are accessed, and prevent users from bringing unauthorized removable media (thumb drives) to them.
10 & 11) Regularly Monitor and Test Networks
Common Failures: Cardholder data access is not logged, or not properly documented. Changes are not logged and monitored for abnormalities. Quarterly reviews and yearly penetration testing are not performed.
Remediation: Cardholder data access and configuration changes are properly logged and monitored. Quarterly and yearly testing and evaluation are done by qualified partners with approved PCI-DSS tools.
12) Maintain an Information Security Policy
Common Failures: Policy does not exist or is not properly updated.
Remediation: Create a policy that is reviewed on a quarterly basis. This policy can be developed with the help of an IT partner.
That’s a lot of steps! However, you’re not in it alone: an information security partner can take the complication out of compliance and help you run your business more safely and securely than ever. We at Squeeze Technology partner with industry-leading security companies to help businesses meet and exceed industry specifications in an affordable and efficient manner.
If you have questions about PCI compliance, or need a hand getting through it, send us an email at firstname.lastname@example.org