• E-mail

PCI DSS compliance

These days, the occurrences of organisations being breached and customer’s credit or debit card data being accessed is a common story that we’ve all become familiar with. In fact, it’s probably safe to say that most of us have been affected by it at one time or another. This is caused by malware the majority of the time, although of course cybercrooks and hacktivists are also responsible in some cases.

It’s serious if this happens to your business and many that are breached often find that the damage caused to their business is irreparable. To help guard against these things, businesses that accept credit or debit card payments are required to become PCI DSS compliant.

This is essentially a set of rules that govern how sensitive data is stored and handled and every business that accepts card payments must adhere to them. However, whilst this isn’t a particularly difficult process, many businesses still fail their annual audit.

According to research from Forrester Consulting: The State of PCI Compliance (PDF):

  • 81% of US and EU businesses store card numbers
  • 73% store expiry dates
  • 71% store verification codes
  • 57% store customer data taken from the magnetic strip

This is all risky behaviour which is all but inviting hackers in, especially if your network is not sufficiently protected by security software and hardware. Further to this, since January 2005, over 234m data sets containing sensitive information have been breached.

Responsibility lies with the business

As a business, it’s your responsibility to ensure that customer data is protected. Failure to do so can result in huge fines and a significant loss of business. This means that it’s essential that you implement security, a layered approach is best, as well as only allowing those who need to as a part of their job stored data.

PCI compliance is something that’s ongoing too. It’s not enough to pass the initial audit and then forget about it until the next one comes along, you should aim to ensure that data and operational procedures remain compliant all year round.

Even if you store all of your data externally, such as in the cloud, it’s your responsibility as the business owner to ensure that it remains compliant. As such, you should always check with service providers about their PCI DSS status.

Training is necessary

You should also train staff to ensure that they know the risks associated with a data breach to both the customer and the business. After all, if a serious breach comes about, then their job could be on the line if the business can’t recover – and many don’t.

You should also:

  • Only store essential data
  • Use encryption software
  • Use file/network monitoring software
  • Use permissions on the network, don’t just give full admin access to everyone but allow based on their job
  • Implement security measures such as antivirus software and firewalls
  • Ensure that software is updated as soon as patches become available
  • Use third-parties that have sufficient security and are also PCI approved – think about your web hosts, ecommerce/payment gateway software, cloud service providers, etc.

Access control

One main area where many businesses fail is in access control. As mentioned above you should only allow administrator permissions to those that need it in order to carry out their job. Investing in file and server monitoring software will also ensure that in the event that data files are accessed, it’s a simple matter to find out by who. This software can also in some cases pick up changes to the network that could be the result of a breach. Early detection is often vital when it comes to minimising the damage.

Know what’s needed at audit

Getting down to the nitty gritty, the effect on business can be catastrophic if details are stolen. These can include fines going well into the thousands and you could be stripped of your right to accept and process credit and debit cards.

If this happened would your business survive?

When it comes to audit time then, this is carried out by a PCI SSC (Payment Card Industry Security Standards Council) qualified security assessor (QSA) who will be looking to ensure that systems are secure, and that stored data is done so in such a manner that it can be considered safe. When the assessor has carried out the audit, you’ll be issued with a risk assessment which will look at how you can improve your network and procedures.

If any issues are discovered, these will be ranked by the QSA as to how serious any vulnerabilities are. The QSA will to some extent act as a consultant to show you where and how the systems can be improved.

Bear in mind when choosing an assessor that they all hold different levels of expertise and experience, so you should really do some research and ask around other businesses local to your area for recommendations.

There are different levels of PCI DSS compliance which depend on the amount of transactions that are carried out over the course of a year, so you should choose a QSA with plenty of experience in your level and if you like, your particular industry.

To smaller businesses, PCI DSS compliance sounds pretty daunting, but this needn’t be the case. Ensure that your business processes and hardware are secure and that you have set procedures in place and tight access controls and you should pass your audits with flying colours. Remember though that it’s not something that you should carry out once a year, but something that you should remain vigilant about all year round.

PCI compliance checklist

Tagged with:
  • E-mail

Leave a Reply

Your email address will not be published. Required fields are marked *