If credit card processing is part of your business practice, then you already know that your business must be PCI compliant, and that maintaining PCI DSS compliance is no easy task.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide standard for payment card and consumer financial data protection. Put more simply, the PCI DSS is a set of rules and regulations put in place to safeguard credit card data. It incorporates the requirements of the Visa USA Cardholder Information Security Program (CISP) and the Visa International Account Information Security (AIS) program, the MasterCard International Site Data Protection (SDP) program, as well as the security requirements of American Express DSS, Discover Card DISC and the Japan Credit Bureau (JCB). The major card companies (i.e., Visa and MasterCard) require all merchants (businesses, nonprofits, schools, and more) who process credit cards to adhere to the PCI compliance security standard. Businesses that do not comply are subject to hefty fines and penalties.
If your company needs assistance with PCI DSS Compliance, Green Marimba can help. We offer template as well as customized compliance solutions.
What are the Data Security Risks?
Many businesses process electronic and online sales and payments via a merchant services account on a daily basis. Electronic payments include debit and credit card processing via eCommerce software systems, mobile devices such as swipers, and Point of Sale systems.
There are many data security risks associated with electronic payments, especially when transactions happen in a card-not-present environment. Attackers steal credentials and compromise user data daily. Following the PCI-mandated requirements for electronic payments will greatly diminish these risks for your company and your customers.
PCI DSS Requirements for Processing Electronic Payments
Below we provide a brief overview of the 12 PCI-mandated requirements for processing electronic payments.
Requirement 1: Build and Maintain a Secure Network
Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. Firewalls must prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 2: Do not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Vendor-supplied defaults must always be changed before installing a system on the network. Defaults for wireless systems must be changed before implementation. Credentials for non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS.
Requirement 3: Protect Stored Cardholder Data
Sensitive authentication data should be retained only until authorization of a transaction is complete. Storage of sensitive authentication data after authorization is forbidden. This data includes the full contents of any track from a credit card’s magnetic stripe, the CVV2 card verification code (on the back of the card), and the personal identification number (PIN).
Companies must also mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits.
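As an added illustration (not code from the original page), the following routine applies the first-six/last-four masking rule from Requirement 3 and scrubs application log lines so that neither full PANs nor CVV values are retained; the log lines are constructed samples, and the Luhn check is used only to avoid masking ordinary long numbers that are not card numbers.

```python
import re

# Constructed sample log lines (not from the original page). Two carry unmasked
# PANs, one carries a CVV2, and one carries a 16-digit number that is not a PAN.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:02:11 auth ok pan=4111111111111111 amount=19.99",
    "2024-05-01 10:02:12 auth ok pan=5555 5555 5555 4444 amount=5.00",
    "2024-05-01 10:02:13 debug cvv2=123 order=A1",
    "2024-05-01 10:02:14 lookup ref=1234567890123456 order=A2",  # fails Luhn
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN: keep the first six and last four digits, replace the rest."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces/dashes in input
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Common field names under which card verification values leak into logs.
CVV_RE = re.compile(r"\b(cvv2?|cvc|cid)\s*=\s*\d{3,4}\b", re.IGNORECASE)

def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid PANs and redact CVV values before a log line is written."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)   # not a PAN (order or reference number); leave it
    line = PAN_RE.sub(_mask, line)
    return CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)

def scrub_log(lines: list[str]) -> list[str]:
    """Scrub every line of a log batch; returns the masked lines in order."""
    return [scrub_log_line(ln) for ln in lines]
```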
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Cardholder data sent across open, public networks must be protected through the use of strong cryptography or security protocols. Sending unencrypted PANs is prohibited.
Requirement 5: Use and Regularly Update Antivirus Software
All systems must have an antivirus program installed that is capable of detecting, removing, and protecting against all known types of malicious software. All antivirus programs must be kept current, be actively running, and be capable of generating audit logs.
Requirement 6: Develop and Maintain Secure Systems and Applications
All critical security patches to software must be installed within one month of release.
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Access to cardholder data is limited to only those individuals whose job requires such access. Access limitations must include the following:
- Access rights to cardholder data are restricted to the least access needed to perform job responsibilities.
- Access to cardholder data is based on an individual’s job classification and function.
- Access to cardholder data is granted only after completing an authorization request form signed by management.
Requirement 8: Assign a Unique ID to Each Person with Computer Access
All employees should have a unique ID for all logins. Generic account names should not be used or shared across groups. All accounts used by vendors for remote maintenance shall be enabled only during the time period needed.
Requirement 9: Restrict Physical Access to Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to secure storage guidelines such as:
- Printed reports and all hardcopy media containing cardholder data are to be labeled and physically stored or archived only within locked, secure office environments.
- All confidential or sensitive hardcopy material must be sent or delivered by a secured courier or other delivery method that can be accurately tracked.
- Custodians of hardcopy media containing cardholder data must perform an inventory of the media at least annually.
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. Hardcopy media must be destroyed by shredding, incineration, or pulping so that cardholder data cannot be reconstructed.
Requirement 10: Track & Monitor Access to Network Resources
Ensure audit trails and system logs are maintained for access to all sensitive data. Logs should be reviewed periodically and retained for at least one year.
Requirement 11: Regularly Test Security Systems and Processes
Companies must test on a quarterly basis to ensure there are no unauthorized wireless access points present in the cardholder data environment. This includes vulnerability scanning of all in-scope systems.
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
All businesses must maintain a security policy that addresses how the company will protect cardholder data. Employees shall not use employee-facing technologies to store, process or otherwise handle cardholder data; this includes: remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), email, and internet usage.
The company must also establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Green Marimba can consult with your business to provide affordable PCI security compliance documentation. Don’t go it alone – get help from the security and compliance experts.