When it comes to payment solutions, your company has many options for accepting payment, but some are much riskier than others. Whatever you choose, it should adhere to the PCI DSS requirements. According to Verizon’s 2015 PCI Compliance Report, 80% of all businesses could not pass a PCI compliance checklist.
Keeping Customer Payment Data Safe
The report also stated that 69% of customers would not conduct business with a company that has been subject to a data breach. Does your business store, process, or transmit cardholder data? Then your company needs to keep that information from falling into the wrong hands. Following the 12 practices of the PCI compliance checklist can help to keep customers’ data safe.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
A firewall acts as a filter between a business’s network and the rest of the Internet. It should also separate the systems that hold cardholder data from the rest of your network. PCI DSS requires that firewall and router configurations be tested at least every six months.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Finding a default password is easy: it is just a matter of looking up the brand name of the device online. To keep unauthorized parties away from data, PCI DSS requires that default passwords and other vendor-supplied settings be changed immediately.
Protect Cardholder Data
Requirement 3: Stored cardholder data must be protected.
PCI DSS requires stored cardholder data to be protected at every level. This covers how stored cardholder data is documented and protected, and how it is rendered unreadable: encryption, masking, hashing, and truncation.
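The four techniques named above, shown side by side as an added example (not from the original article or from any PCI SSC code): masking for display, truncation for storage, a keyed one-way hash of the full PAN, and redaction of any card number that has leaked into free text such as a log line. The card numbers and the hash key are constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed placeholder key; a real deployment keeps this in an HSM or key vault.
HASH_KEY = b"replace-with-a-securely-managed-secret"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check card numbers use."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: show first six and last four, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash of the full PAN, for matching without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# A run of 13 to 19 digits not adjacent to other digits.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid card number found in free text such as a log line."""
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number
    print(mask_pan(pan), truncate_pan(pan), hash_pan(pan)[:16])
    print(redact_pans("constructed log: order 42 paid with 4111111111111111 ok"))
```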
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Public networks are not secure and traffic on them can be intercepted. Only systems that implement strong cryptography and security protocols should transmit cardholder data. Wireless networks that carry cardholder data must likewise protect it with strong encryption.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs.
This requires the deployment of anti-virus software on computers that access the network. The software must be capable of protecting computers from viruses and malware, as well as detecting and removing all known types of malicious software.
Requirement 6: Develop and maintain secure systems and applications.
Keep all software, including anti-virus software, regularly updated. This prevents malicious individuals or software from compromising data.
Implement Strong Access Control Measures
Requirement 7: Limit access to system components and cardholder data to only those individuals whose job requires such access.
The fewer people who have access to card data, the easier it is to meet PCI DSS standards. Put another way, cardholder data is a valuable asset, so PCI DSS works to prevent unauthorized access to it.
Requirement 8: Assign a unique ID to each user.
Before any network user can access the system, they must log in with their assigned unique ID. This makes it possible to record which user accessed cardholder information and when.
Requirement 9: Restrict physical access to cardholder data.
To protect stored cardholder data, unauthorized personnel and visitors should not be able to reach the systems or media where it is stored. Upon termination, all keys and access cards should be returned or disabled.
Regularly Monitor and Test Network
Requirement 10: Track and monitor all access to network resources and cardholder data.
When an authorized user accesses the system, log and track all of their actions. This creates a record of who accessed what and when. Review these logs daily and retain the audit trail for at least a year.
Requirement 11: Regularly test security systems and processes.
Test the system regularly to ensure PCI DSS compliant security controls are in place. Run network vulnerability scans on a quarterly basis. Machines that have been upgraded or modified must also be re-tested.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Establish a security policy that adheres to PCI compliance and communicate it to all staff, regardless of whether they are authorized to access cardholder information. Review and update this policy on a regular basis.
Firewalls and access cards are an excellent investment for your company, yet they are only as good as your security team. Educate and test employees on proper procedure. Regular software updates will also help keep data safe.
Ready To Get Secure?
IVR Technology built our phone payment solution, Compass Pay, with data security in mind. In fact, we recently achieved PCI Level 1 Compliance. This is the highest level of security compliance that a service provider can receive. You can check out the official checklist on the PCI Security Standards website.