The Ultimate PCI Compliance IT Cheat Sheet

Sep 18, 2018

What do Equifax, Yahoo, Target Stores, Adult Friend Finder, and JP Morgan Chase have in common? If you have been paying attention for the last few years, you already know: each of these businesses suffered one of the most damaging data breaches of the past five years.

Data breaches happen every day, but the extent of the damage to revenue, brand reputation, and customers varies dramatically. A major retailer like Target can apologize, reassess its security, take corrective action, and recover. Recovery is not so easy for small merchants, which is why PCI compliance is critical to your business. Becoming PCI DSS compliant is an important step toward ensuring that your customers' sensitive data is protected.

Understanding PCI Compliance

PCI compliance means adherence to the Payment Card Industry Data Security Standard (PCI DSS). It is a security standard for any organization that stores, processes, or transmits cardholder data for payment cards branded by the major card companies, including Visa, MasterCard, American Express, Discover, and JCB. Before PCI DSS existed, each card brand ran its own security program with its own rules.

PCI DSS is not a federal law; it is enforced contractually, because the card brands and your acquiring bank can impose fines, raise your processing fees, or revoke your ability to accept cards if you fail to comply. Separately, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private, governmental, and educational bodies to notify individuals of security breaches involving personally identifiable information, so a breach of card data usually triggers legal obligations as well.

Critical IT Steps to Ensure PCI Compliance

1.    Implement a Firewall: A firewall blocks unauthorized connections while permitting the traffic a network legitimately needs. Position firewalls so that they restrict both inbound and outbound traffic to the CDE (cardholder data environment), which is the system or group of systems that processes, stores, and/or transmits cardholder data or sensitive authentication data, to only what the business requires, and deny everything else by default. IT must explicitly permit each outbound connection from the CDE rather than letting it reach the Internet freely, and must document all firewall rules, policies, and procedures so they can be reviewed (PCI DSS expects rule-set reviews at least every six months) and changed as needed.

2.    Create Configuration Standards: Merchants need their IT teams to provide a secure way to access and manage systems (encrypted administrative access, not Telnet or plain HTTP) and to keep an inventory of all hardware and software in the CDE. Document a configuration standard for every type of system in the CDE. Finally, get rid of anything you don't need: remove, disable, or uninstall unnecessary programs, services, guest accounts, drivers, and features, and change every vendor-supplied default username, password, and key (including SNMP community strings and wireless defaults) before a system goes into production.

3.    Protect Cardholder Data: First, create a data retention and disposal policy and a data-flow diagram that shows where cardholder data enters, travels, and is stored. Mask the PAN (primary account number) wherever it is displayed, including on receipts; the first six and last four digits are the most that may ever be shown. Render any stored PAN unreadable (truncation, strong one-way hashing, or strong encryption with managed keys), and never store sensitive authentication data, meaning the full magnetic-stripe or chip data, the card-verification code (CVV2/CVC2/CID), or the PIN, after a card is authorized, even in encrypted form. Also ensure all employees are trained in these policies and practices and fully understand them.

4.    Safeguard Customer Data When Transmitted: Ensure all POS (point-of-sale) and POI (point-of-interaction) devices encrypt cardholder data properly. It is critical to protect cardholder data while it is transmitted over open, public networks such as the Internet, wireless networks, and cellular links. Most importantly, accept only valid, trusted certificates and keys, and use only strong protocols: SSL and early TLS (TLS 1.0) are no longer considered strong cryptography under PCI DSS, so connections should negotiate TLS 1.2 or later. This also means you need to verify regularly that the encryption in use has no known weaknesses and update it as needed.

5.    Scan for Vulnerabilities: Test for rogue wireless access points at least quarterly, and run internal and external vulnerability scans at least quarterly and after any significant change (external scans must be performed by an Approved Scanning Vendor). Also install a change-detection mechanism, such as file-integrity monitoring, in the CDE to alert on unauthorized modification of critical system files, configuration files, and content files; PCI DSS expects these comparisons to run at least weekly.

6.    Put It on Paper: One of the most important actions for PCI compliance is to maintain a written security policy that documents what you have implemented, what employees must do, and which requirements they must follow.

Additionally, keep anti-virus software current and apply vendor security patches on a regular schedule as part of your routine security maintenance; PCI DSS expects critical patches to be installed within one month of release.
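
Step 3 is the one that most often fails in practice, because full card numbers leak into receipts, logs, and databases. The following Python example is added here and is not from the original article or from EMB; it shows a Luhn check, masking to the PCI DSS 3.3 limit, construction of a post-authorization record that drops all sensitive authentication data, and a scanner that finds unmasked PANs in text. The test PAN 4111111111111111, the field names, and the sample receipt and log line are constructed for illustration.

```python
"""Cardholder-data hygiene: Luhn check, PAN masking, building a post-
authorization record without sensitive authentication data (SAD), and
scanning text for unmasked PANs. Added example; PAN and data are constructed."""
import re

# PCI DSS forbids storing these after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "track1", "track2", "pin_block"})
# Fields that may be kept after authorization (the PAN only in masked form).
STORABLE_FIELDS = ("cardholder_name", "expiry", "auth_code", "amount", "currency")

# 13 to 19 digits, optionally separated by spaces or hyphens, and not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn mod-10 check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS 3.3: at most the first six and last
    four digits may be shown; receipts normally show only the last four."""
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS 3.3 permits at most first 6 and last 4 digits")
    if not luhn_valid(pan):
        raise ValueError("not a syntactically valid PAN")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def record_after_authorization(auth_request: dict) -> dict:
    """Build the only record that may be persisted once the issuer has
    answered: allowed fields plus the masked PAN, and no SAD at all."""
    record = {k: auth_request[k] for k in STORABLE_FIELDS if k in auth_request}
    record["pan_masked"] = mask_pan(auth_request["pan"])
    leaked = SENSITIVE_AUTH_FIELDS & set(record)
    if leaked or "pan" in record:
        raise RuntimeError(f"refusing to persist sensitive data: {leaked}")
    return record


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in receipt or log text. A random
    digit run passes Luhn one time in ten, so treat hits as leads to verify."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    """Constructed authorization request; 4111111111111111 is a well-known
    test PAN, not a real card."""
    auth_request = {
        "pan": "4111111111111111", "expiry": "12/25", "cvv2": "123",
        "track2": "4111111111111111=2512101000000000",
        "cardholder_name": "J DOE", "amount": "19.99", "currency": "USD",
        "auth_code": "A1B2C3",
    }
    record = record_after_authorization(auth_request)
    receipt = (f"VISA {record['pan_masked']}  EXP {record['expiry']}  "
               f"{record['amount']} {record['currency']}  AUTH {record['auth_code']}")
    # A debug line of the kind that must never reach disk: full PAN in the clear.
    bad_log = f"auth ok pan={auth_request['pan']} code={auth_request['auth_code']}"
    return {"record": record,
            "receipt_leaks": find_unmasked_pans(receipt),
            "log_leaks": find_unmasked_pans(bad_log)}


if __name__ == "__main__":
    print(demo())
```

Run `find_unmasked_pans` over exported receipts and application logs as a recurring check; a single hit on a production log means the retention policy is being violated upstream, which is the condition step 3 exists to prevent.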
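
For step 4, the client-side TLS policy below is an added example, not code from the article or from any POS vendor: a context that refuses SSL, TLS 1.0, and TLS 1.1 and verifies the server certificate and hostname; an audit function that reports how a given context falls short; and a probe that reports what a live endpoint actually negotiates. The `legacy_context` function deliberately builds the weak configuration only so the audit has something to flag, and the acquirer hostname in the comment is a placeholder.

```python
"""Client-side TLS policy for cardholder data in transit, an audit helper,
and a live probe. Added example; the hostname in comments is a placeholder."""
import socket
import ssl
from typing import Optional


def make_payment_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context for a POS, POI or gateway client talking to an acquirer:
    TLS 1.2 minimum, chain verified against the system roots (or `cafile`
    if the acquirer uses a private CA), hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops SSLv3, TLS 1.0, TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Findings for a context; an empty list means it meets the policy above."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows SSL/early TLS (minimum version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def legacy_context() -> ssl.SSLContext:
    """The shape of many old integrations: verification off and, where the
    OpenSSL build allows it, TLS 1.0 re-enabled. Built only so the audit
    has something to flag; never use it for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass    # OpenSSL built without TLS 1.0: it cannot negotiate it anyway
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with a live endpoint under the hardened policy and report
    what was negotiated. Raises ssl.SSLError if the server cannot meet it,
    which is the check to run before go-live and after every gateway or
    firmware change."""
    ctx = make_payment_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": tls.getpeercert().get("subject")}


if __name__ == "__main__":
    print("hardened:", audit_tls_context(make_payment_tls_context()) or "OK")
    print("legacy:  ", audit_tls_context(legacy_context()))
    # print(probe("gateway.acquirer.example"))   # placeholder host, needs network
```

The audit only inspects the client's own settings; it cannot tell you what the server offers, which is why `probe` exists. A handshake that succeeds under this context proves the endpoint supports TLS 1.2 or later with a chain your trust store accepts, and a failure is the finding you want to see in a test environment rather than in production.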

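For the change-detection part of step 5, here is a minimal file-integrity monitor in Python, added as an example rather than taken from the article or from any product: it baselines the SHA-256 digest, size, and permission bits of every regular file under a directory, saves them as JSON, and reports added, removed, and modified files on the next run. The directory layout, file contents, and the tampering performed in `demo()` are constructed; in production the baseline would be stored off the monitored host, the comparison scheduled at least weekly, and the output wired into alerting.

```python
"""Minimal file-integrity monitor: baseline SHA-256 digests for a directory
tree, store them as JSON, and report added, removed and modified files.
Added example; the files and tampering in demo() are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest, size and
    permission bits, so that content and mode changes are both caught."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, etc.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": st.st_size,
                             "mode": oct(stat.S_IMODE(st.st_mode))}
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. Anything added or modified under a directory of
    critical files should raise an alert for investigation."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a fake POS host's files are baselined, then a
    config is tampered with, a certificate deleted and a library dropped in."""
    files = {"etc/pos.conf": "gateway=https://acquirer.example\n",
             "etc/tls.pem": "(constructed placeholder, not a real certificate)\n",
             "bin/posd": "#!/bin/sh\nexec /opt/pos/posd\n"}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        manifest = os.path.join(store, "baseline.json")  # kept off the monitored tree
        save_baseline(build_baseline(root), manifest)

        with open(os.path.join(root, "etc/pos.conf"), "a") as f:
            f.write("gateway=https://attacker.example\n")       # tampered
        os.remove(os.path.join(root, "etc/tls.pem"))             # removed
        with open(os.path.join(root, "bin/helper.so"), "w") as f:
            f.write("unexpected new file\n")                      # added
        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    import sys
    # usage: fim.py baseline ROOT MANIFEST   |   fim.py check ROOT MANIFEST
    if len(sys.argv) != 4:
        sys.exit("usage: fim.py baseline|check ROOT MANIFEST")
    cmd, root, manifest = sys.argv[1:4]
    if cmd == "baseline":
        save_baseline(build_baseline(root), manifest)
    else:
        print(json.dumps(compare(load_baseline(manifest), build_baseline(root)), indent=2))
```

Point it at the directories that matter on a CDE host (the payment application, its configuration, TLS material, and the OS binaries it depends on) rather than at the whole filesystem, and re-baseline only through your change-control process; otherwise an attacker's change is silently accepted as the new normal.
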
The Final Word on PCI Compliance

PCI compliance may seem tedious and overwhelming, but it is worth the effort. A data breach could mean the end of your business, and a few extra steps may prevent it. Merchants can also save time and effort by partnering with a merchant service provider, like eMerchantBroker.com (EMB), that offers PCI compliance support. EMB offers payment solutions for merchants of all sizes and backgrounds, including high-risk businesses.
