Written by Travis Wilson, One Step Blogger
The holidays are here, and shoppers are throwing their payment cards left and right to capture that elusive holiday gift for their loved ones. These last 2 months can make up 20% of a retailer’s year, but if PCI compliance is not on your shopping list, you could end up leaving your customers open to attack and being hit with huge fines.
While cyber attackers are getting smarter and their attacks more frequent, PCI compliance has declined in recent years. With the average total cost of a data breach at around 4 million dollars, it’s hard to justify not taking action on this issue as soon as possible.
To help you get a sense of what you need to do to become PCI compliant, we used PCI DSS version 3.2.1 and the PCI Security Standards Council’s Quick Reference Guide to outline the 6 goals you need to set.
THE 6 GOALS YOU NEED TO SET:
1. Build and Maintain a Secure Network and Systems
This goal seems simple enough, right? But for many, building a network that is up to PCI standards can be a challenge. Many retail companies don’t have a dedicated IT team and rely on the owner’s own limited knowledge or help from friends in the industry. This can lead to many issues as new threats emerge and your systems need updates. If you are not sure you are up to the task of building and maintaining your own network, an IT Managed Services provider might be your best option.
Two important factors play a part in the PCI compliance of your network. The first is that you need a firewall in place to protect your cardholder data; this device controls access to your network. The second is that you must not keep using the vendor-supplied default system passwords. These passwords are meant to be changed as soon as you can to provide the greatest security for your customers… also, please don’t use one of these
2. Protect Cardholder Data
Once you have your secure network in place, your main focus always needs to be protecting cardholder data. This may seem self-evident, but far too often retailers are not taking the proper care to secure cardholder data, which includes anything printed, processed, transmitted, or stored in any form.
Cardholder data should only be stored when absolutely necessary to perform your business. When you do have to store it, you must protect that data. Use encryption to render data unreadable by people who do not need it, and make sure that you never hold on to PAN unless it is totally unreadable except by those who “need to know.” Encryption doesn’t stop at storage. You must also encrypt cardholder data when it is transmitted. This ensures that your customers’ data is safe when traveling across open or public networks. Use strong cryptography and security protocols for maximum security.
3. Maintain a Vulnerability Management Program
Technology is ever-evolving, and as it advances, so do the attackers who want to use it to find weaknesses in your network. To protect yourself and your customers, you need to continually check and update your systems as needed.
One of the quickest but most often put-off ways to keep your systems secure is to have anti-virus software and keep it regularly updated. The anti-virus industry takes the time to find problems so you don’t have to, but that means your software needs updates to cover the new threats it finds. Don’t click the “update later” button when you see it.
All of your vendor-provided systems and applications also routinely need to be updated in order to maintain secure systems and applications. To do this, you must check for and install security patches for these systems in a timely manner. Failure to do so can leave holes in your security net.
4. Implement Strong Access Control Measures
Your customers’ personal account numbers, or PAN, are one of the items that need to remain “need-to-know.” To keep this information safe, you need to implement access control measures that permit or deny access. To remain secure, document all procedures and policies so that every authorized employee knows how to access it safely. These policies should also include the procedures that restrict physical access to cardholder data and to any other storage for physical data you may have on hand, including server access and the hard drives of computers that store data.
To support the access control measures you are putting in place, identify and authenticate access to system components. Do this by creating and assigning unique IDs that your employees enter when using any computer system that stores or transmits cardholder data. This lets you keep track of who is using your terminals at any given time and makes it easier to track down who caused an issue if one should arise.
5. Regularly Monitor and Test Networks
Testing and monitoring activity on your networks is extremely important in order to stomp out malicious individuals trying to access your customers’ information through new and improved attacks. Make sure you are able to track access to network resources. Use logging and keystroke software that tracks user activity and helps you quickly and easily find discrepancies in reports if anything seems out of sorts.
You also need to test all systems and processes on a regular basis. This is especially true after installing and implementing new software or technologies. Sometimes new systems can open vulnerabilities that were not there before. Test these new additions often after implementation and check for security patch updates from the vendor.
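Goals 4 and 5 work together: the unique IDs from goal 4 are what make the access tracking in goal 5 meaningful, because a log entry for a shared account tells you nothing about who was at the terminal. The block below is an added example (not code from the original post or from One Step Secure IT) of a small review pass over access logs. It assumes a constructed `timestamp key=value ...` log format and invented user IDs, action names and resource names; none of these come from the post or from any real system. It flags three things a reviewer would want to see: cardholder-data access by a user ID that is not on the need-to-know list, activity under an ID that is not in the directory of unique IDs (a shared or generic account), and a burst of failed logins against one account (six within a window, the number PCI DSS 3.2.1 uses as the lockout limit).

```python
"""Review pass over constructed access-log lines for a cardholder data environment.
Added example; not part of the original post. Log format, field names, user IDs,
actions and resources are all invented for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
CHD_ACTIONS = {"view_pan", "export_pan"}          # assumed names for actions that touch PAN

# Constructed sample: one authorised lookup, one lookup by an unauthorised clerk,
# activity under a shared 'admin' account, and a burst of failed logins.
SAMPLE_LOG = """\
2023-12-01T09:15:02 user=jsmith action=login result=ok
2023-12-01T09:15:40 user=jsmith action=view_pan resource=order/5521 result=ok
2023-12-01T09:16:05 user=tbrown action=view_pan resource=order/5522 result=ok
2023-12-01T09:20:01 user=admin action=login result=ok
2023-12-01T09:21:11 user=admin action=export_pan resource=report/daily result=ok
2023-12-01T10:02:00 user=mlee action=login result=fail
2023-12-01T10:02:04 user=mlee action=login result=fail
2023-12-01T10:02:09 user=mlee action=login result=fail
2023-12-01T10:02:13 user=mlee action=login result=fail
2023-12-01T10:02:18 user=mlee action=login result=fail
2023-12-01T10:02:22 user=mlee action=login result=fail
2023-12-01T10:02:30 user=mlee action=login result=ok
"""
KNOWN_USER_IDS = {"jsmith", "tbrown", "mlee"}     # directory of unique IDs (constructed)
AUTHORIZED_CHD_USERS = {"jsmith"}                 # need-to-know list for PAN (constructed)


def parse_line(line: str):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; return None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        event = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def analyze(lines, authorized_chd_users, known_user_ids,
            fail_threshold=6, window=timedelta(minutes=5)):
    """Return a list of (kind, user, detail) alerts in the order they are detected."""
    alerts = []
    flagged_unknown = set()        # report a shared/unknown account once per user
    burst_flagged = set()          # report a failed-login burst once per user
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.get("user", "?")
        action = ev.get("action", "")
        result = ev.get("result", "")
        if user not in known_user_ids and user not in flagged_unknown:
            flagged_unknown.add(user)
            alerts.append(("unknown_account", user, "user ID is not in the directory of unique IDs"))
        if action in CHD_ACTIONS and user not in authorized_chd_users:
            alerts.append(("unauthorized_chd_access", user, f"{action} on {ev.get('resource', '?')}"))
        if action == "login" and result == "fail":
            recent = failures[user] + [ev["ts"]]
            failures[user] = [t for t in recent if ev["ts"] - t <= window]   # keep only in-window failures
            if len(failures[user]) >= fail_threshold and user not in burst_flagged:
                burst_flagged.add(user)
                alerts.append(("failed_login_burst", user,
                               f"{len(failures[user])} failed logins within {window}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG.splitlines(), AUTHORIZED_CHD_USERS, KNOWN_USER_IDS):
        print(f"ALERT {kind}: user={user} {detail}")
```

On the sample log this produces four alerts: tbrown viewing a PAN without being on the need-to-know list, the shared `admin` account appearing at all, that same account exporting PAN data, and six failed logins against mlee in under a minute. The thresholds and the action names are parameters precisely because a real environment’s logs will name things differently; the shape of the review is what carries over.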
6. Maintain an Information Security Policy
Putting systems and procedures in place does no good if the people who have to follow them don’t know what to do. This is why you need to establish and maintain an information security policy that can be distributed to all employees. For best results, make the policy as easy to understand as possible, review it yearly, and update it after any major change to your systems. Create a team or put a person in charge of following up on the policy updates, and include a crisis management section that will help you manage breaches if or when they happen.
While getting up and running with PCI compliance is a huge undertaking, it is a necessary one. The cyber attacks that put your company in danger are only getting more complicated, more frequent, and more costly. Look at PCI compliance not as a one-time setup but as a continuous process of assessing, repairing, and reporting issues that can cause harm to your company. The attackers are not going to take it easy on you, so you should not make it easy for them. Contact One Step Secure IT to see how we can help.