By: Calvin Weeks, Eide Bailly LLP
By now, you’ve probably heard of some big name credit card data breaches. They’re becoming more and more common, and hackers are finding more creative and sneaky ways to steal the information. In fact, since 2005, more than 900 million records have been breached. These information thefts can happen anywhere in the process of using a card – from PoS devices, to mobile devices and even wireless hotspots. Hackers are everywhere trying to gain access to this information.
To combat these nasty attacks, the Payment Card Industry (PCI) Security Standards Council developed the PCI Data Security Standard (PCI DSS). The standard was created to ensure businesses are doing their part in protecting cardholder data. The standards put in place apply to all businesses that process, store, and transmit cardholder data. In other words, if you’re a business who processes transactions with credit and debit cards, listen up!
To begin with, there are important steps that operate in an ongoing cycle that can help you stay compliant. You will need to:
- Assess – Analyze your processing methods and IT to see if there are any problems that could lead to a leak in data.
- Repair – If problems are found, you will need to take the necessary steps to fix them.
- Report – You will need to document any details about the repair process and what you have found, and submit compliance reports.
There are six main goals of the PCI DSS, which each have certain requirements within that act as a guide to make sure you are compliant. They are as follows.
- Build and Maintain a Secure Network and Systems – Because many payments and transactions are facilitated on devices and computers that are connected to different networks, there is a need for security. Network security systems can help prevent criminals from virtually accessing these records. Building a trusty firewall and staying away from default passwords can help keep criminals at bay.
- Protect Cardholder Data – Businesses who process card payments need to protect the data stored on the cards – after all, these are your customers and you care about them! Some ways to do this include limiting data storage time, encrypting data messages and never sending data across networks that are unprotected.
- Maintain a Vulnerability Management Program – When you maintain a vulnerability management program, you are regularly finding any issues in your payment card system. To do this, you should regularly update all anti-virus programs and develop and maintain secure systems and applications.
- Implement Strong Access Control Measures – Not everyone in your business needs to access data. This includes both physical data, as well as records stored on the network. Access should be restricted to only those who need to the information as it pertains to their job.
- Regularly Monitor and Test Networks – This one goes without saying – make sure everything is in tip top shape! Tracking and monitoring access to resources and data makes it easier to detect where something went wrong if something were to happen to your data. You should also continue to test all security systems to make sure there are no holes or changes that make it easier for hackers to get in.
- Maintain an Information Security Policy –Having a good security policy in place ensures all employees know and understand what is expected of them when it comes to cardholder data and keeping it secure.
The PCI Security Standards Council sets this general standard, but it is also important to remember that each card brand, such as Visa or MasterCard, have some of their own standards to follow as well.
Compliance with the PCI DSS is verified by reports which are usually completed by an outside assessor. The reports contain a summary of findings, information about your business, card payment structure and information about important external relationships.
Your customers are one of your best assets – without them, where would your business be? Keeping their payment card data safe is important for them, and the reputation of your business. Following and complying with the PCI DSS will keep your customers happy and safe, and your business looking great.
*The PCI Security Standards Council website was used in creating this blog. It contains even more in depth and specific information. Check it out here.