Below, we outline the 12 items the Payment Card Industry Security Standards Council (PCI SSC) recommends, in addition to our own best practices, to meet PCI DSS compliance. We recommend thoroughly reading through the official quick reference guide from the PCI Security Standards Council for even more details.
Some of these items may not apply to your business, depending on its breadth and size, but in a world where hackers are only getting smarter and technology is advancing daily, it's important to stay on top of safeguarding your business.
1. Install and maintain a firewall configuration to protect cardholder data.
A firewall is a customizable piece of software that allows you to control who can access your computer networks. Installing one allows you to deny traffic to and from outsiders, ultimately providing a layer of protection against malicious activity.
A potential pre-step would be confirming whether you already have a firewall in place (how to check this depends on the type of systems you’re using). If you’re running things relatively solo, you can learn how to set up a firewall or outsource the work to a trusted resource. If you’re a larger business, you’ll likely have an internal team or dedicated team member to perform this task.
2. Create your own, unique passwords.
If you’re still using the default passwords provided by the systems or vendors, you’re putting your business at serious risk, as those passwords are the easiest way for a hacker to access your systems. Why? Because the defaults are widely known. Think about it: if everyone using system X is initially set up with the same password, what is stopping a hacker from setting up system X themselves to learn that default password?
The PCI SSC provides typical default passwords that must be changed in the guide, such as 1234, admin, guest and more. Review them and make sure none of your passwords match these values, even if the defaults provided by your vendor were different.
3. Protect stored cardholder data.
Cardholder data is not limited to just credit card numbers. It also includes cardholder names, expiration dates and CVV numbers. The PCI SSC requires that sensitive data on the magnetic stripe or chip never be stored after authorization and that, if the card number is stored, it be rendered “unreadable,” with only the first six or last four digits of the number displayed. You can do this in a few ways, but we recommend tokenization, which Merchant Account Providers typically provide.
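To illustrate the display rule above, here is an added example (not from the PCI SSC guide or any provider) that finds card numbers written in full in log lines and masks them so only the last four or the first six digits remain. The function names, the log format and the sample lines are assumptions made for this sketch; the card numbers are well-known public test numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (hypothetical format; public test card numbers).
SAMPLE_LOG = [
    "2024-01-05 10:02:11 auth ok card=4111 1111 1111 1111 amount=19.99",
    "2024-01-05 10:02:15 refund order=1234567890123456 status=queued",
    "2024-01-05 10:03:40 auth ok card=5555-5555-5555-4444 amount=5.00",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str, keep: str = "last4") -> str:
    """Show only the last four (default) or the first six digits."""
    if keep == "first6":
        return digits[:6] + "*" * (len(digits) - 6)
    return "*" * (len(digits) - 4) + digits[-4:]

def scrub(text: str, keep: str = "last4"):
    """Return (text with full card numbers masked, number of cards found)."""
    found = 0
    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number: leave untouched
        found += 1
        return mask_pan(digits, keep)
    out = PAN_RE.sub(repl, text)
    return out, found

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Masking only controls what is displayed or logged; a stored card number still has to be rendered unreadable, for example through the tokenization recommended above.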
4. Encrypt the transmission of cardholder data across all open, public networks.
Hackers may be able to intercept cardholder data transmitted over open, public networks. Using encryption, like tokenization, prevents them from viewing that data. As we previously mentioned, your provider can provide encryption services. When assessing your options, make sure you’re only considering level-1 PCI compliant providers.
5. Protect all systems against malware and regularly update anti-virus software or programs.
Malware refers to malicious software that can expose vulnerabilities in your business’s system configuration. Hackers often get users to download malware via email phishing. Anti-virus software must be used on all systems commonly affected by malware to protect against current and developing threats.
If you come across a phishing email, a best practice is to delete it twice: once from your inbox and again from the trash in your email client. If the email is highly realistic and has specific information about you, other employees or customers, flag it to your security team by screenshotting the email. Never forward the email, as you risk having someone else click a potential virus link.
6. Develop and maintain secure systems and applications.
Your systems and applications can contain security vulnerabilities, allowing hackers access to cardholder data. Establishing processes to identify vulnerabilities, maintaining secure coding practices (if applicable to your internal staff) and managing change control will eliminate the susceptibility of your business to data breaches.
7. Restrict access to cardholder data on a need-to-know basis.
If an employee doesn’t need to have access to customer information, don’t grant it. An easy way to do this is by utilizing a system that offers control over employee access to data and vital functions, such as payments, at your business.
8. Identify and authenticate access to system components.
In addition to PCI prohibiting shared passwords, we believe unique passwords help your business maintain employee accountability, delegate responsibilities, and limit employee access and visibility, and that they make your password protocols more practical.
9. Restrict physical access to cardholder data.
If you have a lot of onsite visitors (customers, partners, etc.), you must restrict physical access to devices, systems, data and hard copies. Physical access for onsite employees should also be restricted on a need-to-know basis. Using a visitor log for non-traditional retail businesses is a good way to keep track of the foot traffic at your office. It’s also a good idea to periodically inspect key fobs and card readers to weed out tampering.
10. Track and monitor all access to network resources and cardholder data.
Without a tracking system that creates activity logs, determining the cause of a data compromise is difficult. Make sure all your systems have activity logs in place and that those logs have a time and date tracking feature. A Virtual Terminal with an activity log can track every user login, their types of activities and the times those activities occurred.
11. Regularly test security systems and processes.
New technology is constantly being created, so the malicious opportunities for hackers are ever evolving. You should put in place a process for regular testing to ensure your business’s systems remain solid and that any new vulnerabilities are brought to light.
12. Maintain a policy that addresses information security for all personnel.
A strong policy sets the standard for your business and all employees. This policy should be maintained and published for all team members to view, and you should hold training sessions at least annually to refresh your staff on the existing policies and educate them on new ones.
Failure to maintain PCI compliance could be costly to your business and even cause you to close your doors. Maintain compliance by following these steps and working with a level-1 PCI compliant Merchant Service Provider.