The In’s and Out’s of PCI Compliance

Paul runs a distribution company. They package, send, and deliver orders all over the area, and most of the transactions they deal with are electronic. Their servers are teeming with data from these transactions, including bank account and credit card numbers. Two weeks ago, Paul had to fire someone in the warehouse. The employee felt the need to get even, so he copied scores of credit card numbers that were in an unsecured folder on an office desktop. This compromised Paul’s entire operation and he knew he was going to face

consequences. He had been to lax on protocol for his network, and knew that when asked if he validated his PCI compliance the answer would be no. What happens, and what can you do to avoid being a Paul? Read on to find out.

WHAT IS PCI?

PCI, or PCI DSS, stands for Payment Card Industry Data Security Standard. It was enacted in 2006 by the PCI Security Standards Council, which includes major credit card companies including Amex, Discover, Visa and Mastercard. Due to the rise in E-commerce and the subsequent rise in account breaches, it was put into place as a set of guidelines to ensure that customers account information is safe and to protect these companies against heavy losses. PCI has six goals, each with separate requirements for merchants and businesses to follow.

WHAT CAN NON-COMPLIENCE COST

Noncompliance can be a very costly thing. These fines on the regulatory side can be between $5,000 to $100,000 dollars per month depending on the violation. The fines are collected every month until compliance is reached. On top of that, your business will most likely face steep penalties from the card providers to cover their damages as well. While these charges may be manageable for big businesses, for small to mid-size businesses, these can be death sentences.

HOW TO REMAIN COMPLIENT

As stated before, the PCI SSC put together a list of 6 goals for your business with 12 steps to follow. They wanted to make these as easy as possible to implement as the goal is not levying fines but protecting businesses, customers, and themselves from cyber criminals.

GOAL 1- BUILD AND MAINTAIN A SECURE NETWORK

The first goal is to “build and maintain a secure network.” This involves setting up security measures such as firewalls to protect data from being leaked. It also requires businesses to use custom passwords and change them regularly to further keep your network safe from intrusion. This is a very easy to manage step that can be implemented either in house or with a compliance forward MSP such as Delval Technology Solutions.

GOAL 2- PROTECT CARDHOLDER DATA

This goal is about protection of the data when sending through a network. We all know how credit card processes work at this point. It starts with the vendor and the information is transmitted to the financial institution for processing and approval. Different vendors have different networks, so encryption is the focus of this goal. Card information should only

be stored for necessary regulatory, business or legal purposes. When you do keep the data, you must block out key information such as cardholder name and the first 12 digits of the card. By properly encrypting your data, you can protect yourself and your customers from data-thieves and keep yourself within PCI compliance.

GOAL 3- MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

No network is impenetrable. In fact, the best offense against being hacked is awareness and defense. A proper vulnerability management plan is key to this. Always make sure your anti-malware and anti-virus software is up to date and running. Regular tests and assessments should also be run in order to spot any new vulnerabilities and ensure your network is

properly protected.

GOAL 4-IMPLEMENT STRONG ACCESS CONTROL MEASURES

A big part of securing your network and maintaining compliance is making sure that only approved parties within your enterprise can access credit card data. This has to operate on a need-to-know basis, making sure that your employees only have the least amount of relevant card data to do their jobs. If it does not have to be seen, it should not. In addition, you need to employ robust passwords, which are defined as at least seven digits and have numbers, letters, and characters. Multifactor Authentication needs to be in place, making sure that anyone trying to access the system is verified via a second step. Finally, just as you have to separate your trash from your recycling and put it out to the curb on a certain day, you have to follow specific rules for holding and disposing credit card data. Unless otherwise stated by law, you must dispose of this information after 90 days, and must be destroyed after that point.

GOAL 5- REGULARLY MONITOR AND TEST NETWORK

This may seem like goal 3, but this refers to your transaction network. Any endpoint or transactional system you are using needs to be monitored and tested on a regular basis. Transaction logs must be put on a central server and kept for one year. These logs should be reviewed daily to ensure that any potential breaches can be identified. On top of this, penetration tests should be run regularly to find vulnerabilities within your system.

GOAL 6- MAINTAIN AN INFORMATION SECURITY POLICY

We make plans for everything we do. We have maps and routes for trips, plans to meet friends, blueprints for buildings and just about every other facet of our lives. Your network needs a plan that is both thorough and easy to follow. You must have protocols for how to handle every part of the process of completing a transaction, for how to store, process and dispose of data, and to protect your network. Having this policy not only helps you and your team follow proper steps, but also helps any regulators looking track your work, making everyone involved life easier.

In the end, Paul had to shut down his business over this issue. Had he partnered with a focused MSP such as Delval Technology Solutions, or followed these guidelines, he would still be fulfilling orders. Don’t be Paul. Follow these simple guidelines, align yourself with a great MSP who can handle your compliance issues, and remove a major headache for doing business. You can thank us later!