12 Steps to PCI Compliance

The Payment Card Industry Compliance (PCI Compliance) is a set of rules and security measures that businesses are required to implement to protect credit card data against any threat.

All organisations that process or handle payment card data must follow the PCI Compliance requirements, which are issued and regulated by the Payment Card Industry Security Standards Council (PCI SSC) and assessed by the merchant’s credit card brand.

There are twelve requirements that businesses must meet in order to be PCI compliant, which are as follows:

#1: Install and maintain a firewall configuration to protect cardholder data

Firewalls control which traffic is allowed to pass between networks. Placing a firewall in front of the systems that handle card transactions keeps each transaction closed and private to the two parties involved. The organisation also needs to maintain the firewall, regularly reviewing and updating its configuration so that it continues to provide the strongest protection. Firewalls can be hardware or software, or a mixture of both, with next-generation firewalls providing the best, most up-to-date protection.

#2: Do not use vendor-supplied defaults for system passwords and other security parameters

This is more of a common sense rule than anything else. When the organisation obtains card-processing equipment and any software that comes with it, it should promptly remove the default passwords and security settings set by the supplier and replace them with more secure, unique passwords, to lower the risk of internal hacking. This applies to routers and other access points where data can potentially be intercepted.

#3: Protect stored cardholder data

Known as “data at rest”, stored cardholder data must be protected by the organisation not just for one-time transactions but for years, until the data is either wiped from the system or the user changes their information. This can be done with encryption, so that an attacker who reaches the database cannot read the information.

#4: Encrypt transmission of cardholder data across open, public networks

Most, if not all, transactions are carried out over the Internet, a public network open to anyone. To make sure nobody obtains the cardholder data while a transaction is taking place, all transmissions must be encrypted, so that anyone who intercepts the traffic cannot easily understand what it contains.

#5: Use and regularly update anti-virus software

Anti-virus software is critical on all systems, especially those holding third-party information. If a virus or other malware manages to get onto the organisation’s systems and corrupt or steal files, it could cause huge damage to both the consumer and the business. Running regular anti-virus checks and keeping the software at the latest version will minimise risk, alongside the use of a firewall, encryption and file monitoring.

#6: Develop and maintain secure systems and applications

When an organisation builds a system or application, it must maintain its security and develop tools to make sure user data is always protected. Updating these systems and applications to meet new guidelines is always necessary.

#7: Restrict access to cardholder data by business need-to-know

The organisation should not let an employee or any third party access individual user data unless their job requires it. By combining accounts together into a database, employees can make one change that applies to all accounts without ever seeing an individual user ID.

#8: Assign a unique ID to each person with computer access

Assigning unique IDs allows an organisation to monitor what each employee does on the system. If all admins shared the same ID, it would be easy for someone to breach security or make a mistake without being held accountable for it. Unique IDs prevent this and allow for complete transparency.

#9: Restrict physical access to cardholder data

Servers and storage rooms should be monitored and locked to all members of staff, apart from those with security clearance, which will usually only be IT department staff. This means no one else can interfere with the physical side of the system.

#10: Track and monitor all access to network resources and cardholder data

Since a lot of transactions will take place over the system at any one time, organisations need to work hard to track and monitor all exchanges on the network, making sure all transactions are secure and abide by the other rules. This can be done using file and server monitoring software that can flag up any unusual activity on the network.
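One concrete monitoring check that serves requirements #3 and #10 together is scanning application logs for full card numbers that should never have been written in the clear. The example below is added here and is not part of the original article or of any PCI SSC tooling; it runs over constructed sample log lines, uses the Luhn checksum to tell real card numbers from other 16-digit values such as session ids, and reports each finding in masked form (first six and last four digits). Names such as `scan_log` and the regular expression are the author's own choices, not a standard API.

```python
import re

# Constructed sample log lines (not from any real system). The card numbers are
# well-known industry test numbers, not real accounts; line 3 carries a 16-digit
# session id that is NOT a card number and must not be flagged.
SAMPLE_LOG = """\
2024-01-05T10:01:02Z INFO checkout ok order=1001 pan=4111111111111111 user=alice
2024-01-05T10:01:09Z INFO checkout ok order=1002 pan=411111******1111 user=bob
2024-01-05T10:02:30Z INFO session id=1234567890123456 user=carol
2024-01-05T10:03:00Z DEBUG request body card=5555 5555 5555 4444 exp=12/27
"""

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjoining other digits or an existing mask character.
CANDIDATE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs such as order or session ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual masked display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> tuple[str, list[str]]:
    """Return the redacted line and the masked form of every unmasked PAN found."""
    found = []

    def redact(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave it untouched
        found.append(mask_pan(digits))
        return mask_pan(digits)

    return CANDIDATE.sub(redact, line), found


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for each unmasked PAN in the log text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        _, pans = scan_line(line)
        findings.extend((n, p) for p in pans)
    return findings
```

In practice the redacted line from `scan_line` is what should be written to storage, while the findings list feeds the alerting the requirement calls for.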

#11: Regularly test security systems and processes

Rigorous testing of the system is an essential part of making sure it is secure from all threats. System security can go out of date quickly, and new viruses and threats can appear within weeks or even days of the system’s last check-up. It’s vital that regular updates and security patches are applied to the network and workstations, especially when a serious threat is disclosed by vendors.

#12: Maintain a policy that addresses information security

Creating an effective policy that addresses all PCI Compliance rules for both employees and contractors helps lay out instructions and keep everyone in check. Different credit card vendors require varying levels of scrutiny; currently MasterCard and Visa use on-site visits and network scans to make sure the merchant’s security is up to the level required.

If credit card vendors find that compliance has been broken, or that the merchant has problems ensuring security, they can downgrade the merchant’s validation and strip away credit card processing privileges.

In some cases, if PCI Compliance has been repeatedly broken, the court can issue fines or terminate the licence to sell goods. This of course could sound the death knell for many companies, especially as it isn’t applied just at a departmental level but across the entire organisation. With this in mind, it’s vital that any company that accepts credit or debit card payments carries out regular audits to ensure that compliance is being met.