PCI Compliance refers to the Payment Card Industry Data Security Standard. If your company accepts credit card payments, this concerns you.
If your company stores, processes, or transmits cardholder data – or it intends to – you must host all of that data in a secure manner, using a PCI compliant hosting provider. Cardholder data refers to personally identifiable information that is associated with a credit or debit card. This includes primary account numbers, the name on the card, and expiration dates along with all other personally identifiable information (PII).
The PCI Security Standards Council has established 12 PCI compliance requirements. Together, they create secure networks, protect data, and manage access to that data.
The PCI Compliance Checklist
- Protect cardholder data by installing and maintaining a firewall
Every company storing, processing, or transmitting cardholder data must create its own firewall configuration policy. Your hosting provider should take care of this.
- You must not use the default security parameters provided by vendors
Typically, vendor-supplied equipment comes with easy to remember usernames and passwords, such as ‘user’ or ‘admin’ and ‘password.’ Even if your vendor-supplied security parameters appear to be more complex, you must replace them with your own unique and secure passwords.
- If you store cardholder data, you must protect it
Many companies avoid this requirement by ensuring that they never store cardholder data in the first place. Cardholder data is a prime target for attackers, so protection needs to be stringent. The data should be physically protected by keeping it under restricted access, with locks preventing access to the servers, network and storage devices. The data should also be protected by logical access controls, i.e. passwords or other forms of authentication.
- Encrypt transmitted cardholder data
If this data is being transmitted across an open network, it should be encrypted to render it unreadable and unusable by anyone without the required decryption key. Additionally, PINs and card validation codes must not be stored.
- Use and maintain anti-virus software
Malware is constantly being updated. Make sure that your protection is up to the task by performing regular maintenance.
- Develop and maintain secure applications and systems
Even when systems and applications are considered to be secure, they should continue to be monitored and tested in order to identify new vulnerabilities. A PCI compliant hosting provider will monitor and update its systems to discover and deal with vulnerabilities.
- Restrict access
Users are a major cause of data breaches. This risk can be mitigated by restricting access to the data: if only the people who need it have access, the chances of a breach are reduced.
- Use IDs
If each user has a unique ID, their activity on the network can be tracked and monitored. In the event of a data breach or accidental loss as a consequence of this individual’s actions, it should be possible to see how and when things went wrong. Accountability is a powerful tool. These IDs need to be subject to best practices, such as encryption of passwords, 30-day limits on passwords, and limits on how long a user can remain logged in.
- Restrict physical access to cardholder data
A secure PCI-compliant environment will not only restrict access to cardholder data with physical locks, but should also employ surveillance cameras and entry authentication.
- Monitor all access to cardholder data and network resources
Monitoring and tracking this access helps to identify the source of a problem in the event of a data loss or breach.
- Test security systems and processes on a regular basis
Those who seek cardholder data are constantly improving their tools and techniques. That’s why it’s necessary to keep improving your own security systems and processes if you are storing cardholder data.
- Your policy addressing information security requires constant maintenance
Finally, PCI compliance requires that a business maintains a policy that covers all acceptable uses of technology, risk analysis processes, security procedures, and other administrative tasks.
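The following Python example is added here to illustrate, in working code, three of the checklist items above: protecting stored cardholder data by keeping only a truncated PAN plus a keyed reference rather than the full number (the "if you store cardholder data" item), refusing to store PINs or validation codes at all (the "encrypt transmitted cardholder data" item), and attributing every store and lookup to a unique user ID in an audit log (the "use IDs" and "monitor all access" items). It is not code from the original article or from any PCI-certified product; the class and field names, the in-memory store, the HMAC reference key and the sample card number are all constructed for this example, and a real deployment would keep the key in an HSM or key management service.

```python
"""Toy cardholder-data handler: truncated PAN storage, rejection of sensitive
authentication data, and a per-user audit trail. All names and sample values
are constructed for this example."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Field names treated as sensitive authentication data (assumed naming for this
# example). PCI DSS forbids storing these after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum, used only to reject obviously malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN. Without the key, a copied data store cannot be
    matched against a list of candidate card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class CardVault:
    """In-memory stand-in for a cardholder-data store with an audit log."""

    def __init__(self, reference_key: bytes):
        self._key = reference_key
        self._records = {}
        self.audit_log = []

    def _audit(self, user_id: str, action: str, ref: str, outcome: str) -> None:
        # Each access is attributed to an individual user ID and timestamped.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "action": action, "ref": ref, "outcome": outcome,
        })

    def store(self, user_id: str, card: dict) -> str:
        """Persist a card record and return its reference. Any record carrying
        sensitive authentication data is refused outright, not silently trimmed."""
        leaked = SENSITIVE_AUTH_FIELDS & set(card)
        if leaked:
            self._audit(user_id, "store", "-", f"rejected: {sorted(leaked)}")
            raise ValueError(f"refusing to store sensitive auth data: {sorted(leaked)}")
        pan = card["pan"].replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            self._audit(user_id, "store", "-", "rejected: malformed PAN")
            raise ValueError("malformed PAN")
        ref = pan_reference(pan, self._key)
        # Only the truncated PAN, name and expiry are kept; the full PAN is dropped.
        self._records[ref] = {
            "masked_pan": truncate_pan(pan),
            "name": card["name"],
            "expiry": card["expiry"],
        }
        self._audit(user_id, "store", ref, "ok")
        return ref

    def lookup(self, user_id: str, ref: str):
        rec = self._records.get(ref)
        self._audit(user_id, "lookup", ref, "ok" if rec else "not found")
        return rec


if __name__ == "__main__":
    vault = CardVault(reference_key=b"example-key-kept-in-a-kms-in-production")
    # Constructed sample card; 4111 1111 1111 1111 is a well-known test number.
    ref = vault.store("alice", {"pan": "4111 1111 1111 1111",
                                "name": "A N Other", "expiry": "12/29"})
    print(json.dumps(vault.lookup("bob", ref), indent=2))
    try:
        vault.store("alice", {"pan": "4111111111111111", "name": "A N Other",
                              "expiry": "12/29", "cvv": "123"})
    except ValueError as err:
        print("rejected:", err)
    for entry in vault.audit_log:
        print(entry)
```

Running the script stores one sample card, reads it back as a different user, shows a record with a CVV being refused, and prints the three audit entries that result. The design choice worth noting is that the full PAN never reaches the store at all: what is persisted is a masked form plus an HMAC reference, so a leaked copy of the records exposes neither usable card numbers nor anything that can be brute-forced without the key.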