Now that you have read The Ping: What is Compliance?, you are probably especially aware that your company might need to become compliant in one or more areas. Whether that is PCI, CJIS or something else, you might need to meet minimum regulations to keep your company safe.
For each area of concern with sensitive data, there are published guidelines to follow in order to achieve compliance. Reading and digesting the guidelines in whole can be a difficult task. There are decision-making tools, technical requirement write-ups, security policies, and security procedures to pore through. So, without getting into the nitty-gritty, we want to answer some of the frequently asked questions that come our way.
Criminal Justice Information Services (CJIS)
Criminal Justice Information Services, or CJIS, is a division of the FBI that provides the criminal justice information needed to perform law enforcement duties. It “serve[s] as the focal point and central repository for criminal justice information services in the FBI.” – FBI. In Texas this information is disseminated via the DPS and includes details such as vehicle registration, criminal history, driver’s license, license plate, firearm records, etc. Because this information is highly sensitive and needs to be protected, CJIS publishes security compliance requirements and performs audits to ensure these requirements are being met. Below are just a few example requirements from the CJIS Security Policy:
- Security Awareness Training
- Perimeter Intrusion Detection
- Advanced Authentication
- Maintain Log History
- Change Management
- Device Encryption
Failing a single audit flags an agency as non-compliant. If compliance is not achieved, the agency can lose access to the information and tools needed to perform its duties.
What is compliance? Some of you might be acutely aware of this term, and others might have little to no idea. In broad terms, business compliance means following the rules required to secure your business and the people that interact with it. More specifically, compliance is aimed at information security. Business compliance means you are complying with requirements set by a credible organization or government department that promotes the security and protection of sensitive information.
What is “the cloud?” This is certainly a question you’ve asked or wondered about. You may have received a few explanations too. When searching online, the first resulting definition used the words “paradigm” and “ubiquitous” … this does not clear things up for me. Let’s take care of that. If you’ve heard about “the cloud” you’ve likely heard the phrase “on premises” as well. If not, that’s ok. Defining both will help in understanding each of them. So what exactly do those terms mean? Simple. The difference between cloud and on premises is where your data is stored or resides. On-premises data is housed locally in an environment that you (or your trusted IT vendor) maintain. Data is on your own computers or servers and is easily accessible. The cloud is much like its name suggests. Data in the cloud resides offsite, somewhere outside of your home or office. Typically it is on a server, in a data center, miles away from you. Cloud data is accessible to you via a web browser or application.
PCI – You’ve probably heard about it, but if you’re like me there is always a little too much rattling around to worry about. Well, if your business takes American Express, Discover, JCB, MasterCard, or Visa credit cards, then PCI DSS compliance is a critical consideration in all your business technology and process decisions.
PCI DSS (Payment Card Industry Data Security Standard) is a group of processes and security standards developed and mandated by the PCI Security Standards Council. Being PCI compliant is actually a good thing. If implemented properly, PCI will help to protect customer credit card information, increase your data security, and also reduce your liability. The credit card companies and banks really want everyone to get on board, so there are actually fines for non-compliance that range from $5,000 to $500,000 PER MONTH depending on how many transactions you run per month. The fines are levied on merchants by their processors, who are in turn fined by the credit card institutions for their merchants’ violations or non-compliance.
There’s quite a bit of smoke and mirrors around PCI compliance at the moment. For instance, quite a few vendors are stating that if you use their products you are PCI compliant. Unfortunately that isn’t necessarily the case. Every system and process that you use to process or store credit card info has to be PCI compliant as well.
What do you need to do to be PCI compliant? The PCI Security Standards Council has some really nice resources online to help us get compliant.
I have to admit that the PCI self-assessment made getting compliant feel like a daunting task, but after calming down for a bit I realized it’s actually a pretty simple task:
1. Create security policies – These policies will outline what is and is not allowed when it comes to security in your business and how to handle credit card data.
2. Test, Evaluate, and correct your policies quarterly: Make sure you’re doing what you say you’re doing and if something in the policy isn’t working then this is your opportunity to fix it.
3. Log access to credit card info: If your payment processing application or device is PCI compliant then it is doing this already. If you physically store credit card info in a file cabinet then make sure that file cabinet locks and log every time it is opened and why.
4. Secure any PCs or systems that you process credit cards through: If you use a stand-alone credit card reader and it is PCI compliant then you are set! If you use a PC or Mac to access the system you process cards through, then PCI compliance is a little more complex. You have to make sure that these systems are getting Windows and antivirus updates, and you have to keep logs. You also need to take away admin rights from any account that you use to conduct normal operations, lock down or encrypt all USB, FireWire, or other types of portable data ports, and log access and security violations on these systems. We use a really nice product called Lumension Device Control for this task.
5. Secure your computer network: If you use a card reader connected to a phone line to process credit card info then you can skip this step. If you don’t, then you need to make sure that your network, and any systems that are on the same network as your credit card processing systems, are as secure as the PCs and Macs that do the credit card processing. Your network also has to be locked down so that devices outside of your control can’t jump onto it.
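As an added example that is not part of the original post (and not from Lumension or the PCI Security Standards Council), the script below turns the workstation controls in steps 3 and 4 into a read-only checklist you can run on a Windows PC that handles card data: patch currency, antivirus status, local admin membership, removable-storage lockdown, disk encryption, and logon auditing. It assumes a Windows 10/11 host with Microsoft Defender and BitLocker, an elevated PowerShell prompt, and an approved-admin list (`$ApprovedAdmins`, a constructed placeholder) that you would replace with your own; it only reports findings and changes nothing.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 with
# Microsoft Defender and BitLocker; run from an elevated PowerShell prompt.
function Test-WorkstationBaseline {
    [CmdletBinding()]
    param(
        # Constructed placeholder: accounts allowed to hold local admin rights.
        # Day-to-day user accounts (step 4) should NOT be in this list.
        [string[]]$ApprovedAdmins = @('Administrator')
    )
    $findings = @()

    # Windows updates: flag hosts with no update installed in the last 30 days.
    $lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings += 'No Windows update installed in the last 30 days'
    }

    # Antivirus updates: real-time protection on and signatures no older than 3 days.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings += 'Microsoft Defender status unavailable'
    } elseif (-not $mp.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is disabled'
    } elseif ($mp.AntivirusSignatureAge -gt 3) {
        $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
    }

    # Admin rights: anything in local Administrators that is not approved is a finding.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    foreach ($member in $admins) {
        $shortName = $member.Split('\')[-1]
        if ($ApprovedAdmins -notcontains $shortName) {
            $findings += "Unexpected local administrator: $member"
        }
    }

    # Portable data ports: USB mass storage is blocked either by disabling the
    # USBSTOR driver (Start = 4) or by the removable-storage Deny_All policy.
    $usbstor = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -ErrorAction SilentlyContinue
    $denyAll = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name Deny_All -ErrorAction SilentlyContinue
    if (($usbstor.Start -ne 4) -and ($denyAll.Deny_All -ne 1)) {
        $findings += 'USB mass storage is not blocked by driver setting or policy'
    }

    # Encryption: the OS volume should be protected by BitLocker.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not on for $env:SystemDrive"
    }

    # Logging (step 3): logon success and failure must be audited so access
    # and security violations actually land in the Security event log.
    $auditText = (auditpol /get /subcategory:"Logon" 2>$null) -join ' '
    if ($auditText -notmatch 'Success and Failure') {
        $findings += 'Logon auditing is not set to Success and Failure'
    }

    return $findings
}

# Usage: print PASS or one FAIL line per finding.
$results = @(Test-WorkstationBaseline)
if ($results.Count -eq 0) {
    'PASS: all workstation baseline checks met'
} else {
    $results | ForEach-Object { "FAIL: $_" }
}
```

The checks are deliberately conservative (for example, a USB port blocked by a third-party device-control agent rather than by the driver or policy key will still be reported), so treat a FAIL line as something to verify against your policy rather than as an automatic violation; the value of running this quarterly is that it gives you evidence for step 2 that the controls you wrote down are actually in place.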
If you have a big network I know this probably sounds like a lot to secure, but it’s really manageable and the end result is a better, more secure, less virus-prone system. We’re here to help, so if you have any questions about PCI compliance or any other issue please feel free to email or call me at [email protected] or 512-832-6209.