What Is PCI Compliance?
Any company, large or small, that accepts credit cards needs to host that data in a PCI compliant environment. But what is PCI compliance? The PCI Security Standards Council defines several requirements for creating that secure environment. They are the following:
Create And Maintain A Secure Network
1. Install a firewall to protect cardholder information – Usually your hosting provider will have firewalls in place to protect cardholder data, but if your company hosts the data itself, you must create the firewall policy and test the configuration on your own.
2. Do not use vendor-supplied default passwords or other security settings – Create, change and maintain your own system passwords, using unique ones created by your company. Using passwords a vendor may have provided leaves you open to attack.
Protect Your Cardholder’s Data At All Costs
1. Protect your stored data – This requirement applies to companies that store their cardholders’ information. Companies that do not store cardholder data have much less to worry about, since they preemptively avoid this kind of breach.
For those who host stored data elsewhere: make sure that your PCI compliant hosting provider has multiple layers of defense, including virtual security and physically restricted access to the storage devices.
2. Encrypt cardholder data transmitted over public networks – Properly encrypted data is usually useless to a hacker who intercepts it. Encryption takes plain text and transforms it into ciphertext, letters and characters that are meaningless without the key.
Regardless of encryption, sensitive authentication data such as CVV codes and PINs should never be stored.
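As an added illustration of the two points above (protect stored data; never store CVV or PIN), the following Python example is not from the original page or the PCI Security Standards Council: it drops prohibited fields and truncates the card number before a record is stored, and scans free text such as application logs for full card numbers that should not be there. The field names it recognizes are assumptions about how a record might label them.

```python
import re

# Sensitive authentication data that may never be retained (the page names CVV
# and PIN; these field names are assumptions about how a record labels them).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track_data"}

# 13-19 digits, optionally separated by spaces or hyphens, as seen in log lines.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; everything else is replaced before storage."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("value does not look like a valid PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Drop prohibited fields and truncate the PAN before a record is stored."""
    out = {}
    for key, value in record.items():
        name = key.lower()
        if name in FORBIDDEN_FIELDS:
            continue            # CVV/PIN are never persisted, not even masked
        out[key] = truncate_pan(str(value)) if name == "pan" else value
    return out


def find_full_pans(text: str) -> list:
    """Return full card numbers found in free text such as application logs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # skips order ids and other digit runs
            hits.append(digits)
    return hits
```

Running find_full_pans over log output before it is written to disk is one practical way to catch accidental storage of full card numbers.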
Maintain PCI Vulnerability Program
1. Use anti-virus software and update it regularly – Anti-virus software is a strong defensive measure if you plan to host your data yourself. A regularly updated anti-virus program can block the latest malware threats and give you peace of mind.
2. Develop and maintain secure systems and applications – Again, if you host the data yourself, this requires regular updates and testing to identify flaws in your security. Otherwise your hosting provider will monitor and update according to its own procedures.
Create Strong Access Control Protocols
1. Restrict access to cardholder data on a need-to-know basis – The fewer people who can see the information, the lower the chance of a breach. Restrict the data to only those employees who need it as part of their everyday jobs.
2. Assign unique credentials to each employee with computer access – Accounts should have timestamped logs of when a user is logged in and accessing information, and passwords should be updated every 30 days.
3. Physically restrict access to cardholder information – Just as computer access to the data is restricted, physical access should be monitored as well. Data centers should be fully equipped with surveillance and authentication for entry, so that the servers hosting the data cannot be stolen without the perpetrator being seen and identified.
Create And Maintain A Data Security Policy
1. Create and implement a policy that protects information and cardholder data – This should cover acceptable use of computers and other technology, risk analysis, security reviews and security procedures.
In today’s fast-paced world, there is no doubt that our information needs to be kept safe from hackers and identity thieves. When people ask “what is PCI compliance?” they may not be aware of what the standards are or how to implement them. To learn more about PCI compliance and its procedures and policies, visit the PCI Security Standards Council website.