What does Equifax, Yahoo, Target Stores, Adult Friend Finder, and JP Morgan Chase have in common? If you have been paying for the last few years, then you already know. These businesses experienced some of the most devastating data breaches that occurred during just the last five years.
Data breaches happen every day. However, the extent of damage to business revenues, brand reputations, and customers can vary dramatically. Major retailers, like Target, apologize, evaluate its security, take appropriate actions, and recover. Recovery and comeback isn’t so easy for small merchants. This is why PCI compliance is critical to your business. Becoming PCI DSS-compliant is another important to ensuring your customers’ sensitive data is protected.
Understanding PCI Compliance
PCI compliance is known as the Payment Card Industry Data Security Standard (PCI DSS). It’s a security standard for any organization that stores, processes, or transmits branded credit cards from the major card companies, including Visa, MasterCard, American Express, Discover, and JCB. Prior to this, credit card companies had their own standards and regulations.
PCI compliance is not a federal law, however, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private, governmental, and educational bodies to notify individuals of security breaches of information involving personally identifiable information.
Critical IT Steps to Ensure PCI Compliance
1. Implement a Firewall: A firewall is created to block unauthorized access while allowing outward communication within a computer network. The firewall will need to be position in a way that it prohibits inbound and outbound traffic from the CDE (cardholder data environment), which is a system or group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. Also, IT must explicitly allow outbound connections from the CDE, and record all firewall policies and procedures, so they can be reviewed and altered, as needed.
2. Create Configuration Standards: Merchants need its IT teams to provide a safe way to access and manage systems, and keep an inventory of all hardware and software implemented in the CDE. Additionally, all configuration standards must be recorded for every system in the CDE. Finally, get rid of anything you don’t need. Remove, disable, and uninstall any unnecessary programs, services, guest accounts, drivers, and features, and change any vendor-supplied default usernames and passwords.
3. Protect Cardholder Data: First, create a data retention policy and a data flow chart. Steps you need to take include hiding the PAN (primary account number) information on receipts, and eliminate storage of personal authentication information after a card is authorized. Also, ensure all employees are trained in these policies and practices and fully understand them.
4. Safeguard Customer Data When Transmitted: Ensure all POS and POI devices are encrypting data properly. It is critical that you protect personal cardholder information during transmission that occurs over open, public networks. Most importantly, only allow the use of valid, trusted certificates and key; also, this means you need to regularly need to verify that there are no encryption vulnerabilities and update them as needed.
5. Scan for Vulnerabilities: Implement a process for identifying and detecting wireless access points on a quarterly basis. Also, you will need a change-detection system installed in the CDE to find unauthorized changes to critical files.
6. Put It on Paper: One of the major actions to take to ensure PCI compliance is to create a corporate policy documenting everything you did and what employees should do and what regulations they must follow.
Additionally, you need to do regular anti-virus and software updates as part of your business’ regularly scheduled security measures.
The Final Word on PCI Compliance
PCI compliance may seem tedious and overwhelming, but, worth the effort. A data breach could mean the end of your business, but may be prevented with a few extra steps. Merchants also can save themselves some time and effort by pairing with a merchant service provider, like eMerchantBroker.com (EMB), that offers PCI compliance. EMB offers payment solutions for merchants of all sizes and backgrounds, including high-risk businesses.