Friday, April 19, 2024

Maintaining PCI Compliance

To accept credit card payments, or to store, process or transmit cardholder data at all, your site must be maintained in compliance with the Payment Card Industry Data Security Standard (PCI DSS). This matters more than ever for small businesses: since the EMV (chip and PIN) liability shift, losses from counterfeit card fraud fall on whichever party has not adopted chip technology, which in practice is often the merchant.

In other words, maintaining PCI compliance has become more important than ever for companies accepting payments online. The standard groups its twelve requirements under six control objectives; five of them are covered in the sections below, with the sixth (regularly monitoring and testing networks) folded into section 4.

1. Build and Maintain a Secure Network

Your system must sit behind a firewall configuration that protects cardholder data from attackers, and you must have your own documented firewall configuration standard and a procedure for testing it. Your hosting provider should also have adequate firewalls in place so that the cardholder data environment is segmented from the rest of the network. Before any system goes live, every vendor-supplied default password and setting (administrative accounts, SNMP community strings, wireless keys) must be changed, and passwords should be rotated according to a defined policy.

2. Protect Cardholder Data

If you store cardholder data on your servers, you will need multiple layers of defense, with a data protection strategy made up of both physical and logical safeguards. Authentication, authorization and password controls are among the logical protections required.

Restricted access to the system, together with server, storage and cabinet locks, is among the acceptable physical protections. Wherever the primary account number (PAN) is stored it must be rendered unreadable, for example by strong encryption, truncation or tokenization, and wherever it is displayed it should be masked so that at most the first six and last four digits are visible. Cardholder data must be encrypted whenever it is transmitted across open, public networks, without exception, using strong cryptography and a current protocol (TLS 1.2 or later; SSL and early TLS are not acceptable). The encryption must render intercepted data meaningless to anyone who does not hold the cryptographic keys. Sensitive authentication data, meaning card validation codes (CVV2/CVC2/CID), PINs and full track data, must never be stored after authorization, not even encrypted; customers must key the validation code in for every transaction.

3. Maintain a Vulnerability Management Program

Anti-malware software must be deployed on all systems commonly affected by malware and kept current, and vendor security patches for every system component must be applied promptly (critical patches within one month of release). If your web servers are outsourced, you must contract a managed service provider that accepts responsibility in writing for maintaining the environment to PCI DSS standards and that provides audit logs on request. Your systems should be scanned regularly to reveal security vulnerabilities (external scans at least quarterly by an Approved Scanning Vendor, and again after any significant change). Your hosting provider must likewise routinely monitor and patch its own systems against newly emerging threats.

4. Implement Strong Access Control Measures

Access to cardholder data must be restricted to those whose job requires it, every user must have a unique ID, and multi-factor authentication is required for remote access and for administrative access into the cardholder data environment. All access to network resources and cardholder data must then be tracked and monitored: logging must record user activity, including every action taken by administrative accounts and every access to cardholder data, with synchronized timestamps, and the logs must be protected from tampering and retained for at least a year (with the most recent three months immediately available). These records give investigators a trail to follow if a breach or other security incident occurs. Security systems and processes (firewall rules, intrusion detection, file-integrity monitoring) must be tested regularly to ensure they are working properly.
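Sections 2 and 4 together describe a concrete engineering obligation: sensitive authentication data must never be written anywhere, the PAN must be masked wherever it is stored or shown, and the audit logs you keep must not themselves leak card numbers. The following is an added example, not code from the original article, showing one way to enforce both rules at the point where a payment record or a log line is about to be persisted. The field names, the Luhn-based PAN detector and the sample data are constructed for illustration.

```python
"""Added example (not from the original article): sanitise payment
records and free-text log lines before they are persisted.

- Sensitive authentication data (CVV/CVC, PIN, track data) is dropped
  outright; PCI DSS forbids storing it after authorisation.
- The PAN is masked to first six / last four digits.
- Log lines are scanned for Luhn-valid 13-19 digit runs, which are
  masked so audit trails never contain a full card number.
Field names and sample data below are constructed for this example.
"""
import re

# Field names this example treats as sensitive authentication data.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track_data"}

# Field names this example treats as carrying the PAN.
PAN_FIELDS = {"pan", "card_number"}

# Candidate PAN in free text: 13-19 digits, optionally split by spaces or
# hyphens, not embedded inside a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:        # too short to be a PAN; hide everything
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    Sensitive authentication data is removed (never stored, even encrypted)
    and the PAN is replaced with its masked form.
    """
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue
        if name in PAN_FIELDS:
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid card-number-like digit run found in a log line.

    Runs that fail the Luhn check (order numbers, timestamps) are left alone
    so the log stays useful for investigators.
    """
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    return PAN_PATTERN.sub(_replace, line)


if __name__ == "__main__":
    # Constructed sample input; 4111111111111111 is a well-known test PAN.
    record = {"pan": "4111111111111111", "cvv": "123", "expiry": "12/26", "amount": 1999}
    print(sanitize_record(record))
    line = "2024-04-19 auth ok pan=4111 1111 1111 1111 order=1234567890123456"
    print(scrub_log_line(line))
```

The Luhn check is what keeps the log scrubber from mangling every long number it meets: an order number such as 1234567890123456 fails the check and is preserved, while a real PAN is masked even when it has been written with spaces or hyphens. Run the scrubber on every line before it reaches the log sink, not after, so the unmasked PAN never touches disk.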

5. Maintain an Information Security Policy

Your information security policy should identify all acceptable uses of the technology, and it should set out the processes by which security reviews, an annual risk analysis and day-to-day operational security procedures are conducted. Your hosting provider must likewise provide documentation to auditors demonstrating how each PCI DSS requirement is being met on its end.

Again, the ultimate goal is to defend the cardholder data your customers provide. Criminals have shown time and again that they will go to great lengths to obtain payment card data and drain your customers' funds. Staying current on all requirements and applying security updates promptly is critical, because the standard evolves as new attack methods appear.

Maintaining PCI compliance is your best defense against this kind of activity. Your customers and the payment card industry are counting on you to keep their data safe, and with more of the burden of responsibility now on your shoulders, this matters more than ever. A single breach can put an average small business into bankruptcy.
