PCI – You’ve probably heard about it but if you’re like me there is always a little too much rattling around to worry about. Well, If your business takes American Express, Discover, JCB, MasterCard, or Visa credit cards then PCI DSS compliance is a critical consideration in all your business technology and process decisions.
PCI DSS (Payment Card Industry Data Security Standard) is a group of processes and security standards developed and mandated by the PCI Security Standards Council. Being PCI Compliant is actually a good thing. If implemented properly PCI will help to protect customer credit card information, increase your data security, and also reduce your liability. The Credit card companies and banks really want everyone to get on board so there are actually fines for non-compliance that range from $5,000 to $500,000 PER MONTH depending on how many transactions you run per month. The fines are levied on merchants by their processors who are in turn fined by the credit card institutions for their merchant’s violations or non-compliance.
There’s quite a bit of smoke and mirrors around PCI compliance at the moment. For instance, Quite a few vendors are stating that if you use their products you are PCI compliant. Unfortunately that isn’t necessarily the case. Every system and process that you use to process or store credit card info has to be PCI compliant as well.
What do you need to do to be PCI compliant? The PCI Security Standards Council has some really nice resources on line to help us get compliant.
I have to admit that the PCI self assessment made getting compliant feels like a daunting task but after calming down for a bit I realized it’s actually a pretty simple task:
1. Create security policies – These policies will outline what is and is not allowed when it comes to security in your business and how to handle credit card data.
2. Test, Evaluate, and correct your policies quarterly: Make sure you’re doing what you say you’re doing and if something in the policy isn’t working then this is your opportunity to fix it.
3. Log access to credit card info: If your payment processing application or device is PCI compliant then it is doing this already. If you physically store credit card info in a file cabinet then make sure that file cabinet locks and log every time it is opened and why.
4. Secure any PCs or systems that you process credit cards through: If you use a stand alone credit card reader and it is PCI compliant then you are set! If you use a PC or Mac to access the system you process cards through then PCI compliance is a little more complex. You have to make sure that these systems are getting windows and antivirus updates and you have to keep logs. You also need to take away admin rights from any account that you use to conduct normal operations and lock down or encrypt all USB, firewire, or other types of portable data ports and log access and security violations on these systems. We use a really nice product called Lumension Device Control for this task.
5. Secure your computer network: If you use a card reader connected to a phone line to process credit card info then you can skip this line. If you don’t then you need to make sure that your network and any systems that are on the same network as your credit card processing systems are as secure as the PCs and Macs that do the credit card processing and your network has to be locked down so that devices outside of your control can’t jump on your network.
If you have a big network I know this probably sounds like a lot to secure but its really manageable and the end result is you will have a better, more secure, less virus prone system. We’re here to help so if you have any questions about PCI Compliance or any other issue please feel free to email or call me at [email protected] or 512-832-6209.