The growth of the internet and, in particular, online shopping and online banking, means that there are millions of data records generated every minute. Maintaining consumer privacy and ensuring that data is safe and can’t be accessed by criminals is crucial. Data breaches can be incredibly damaging for organisations as well as individuals.
The Payment Card Industry Data Security Standard (PCI DSS) is one of many protocols developed to tackle the issue. PCI DSS helps to protect financial data (payment cards) by identifying and fixing any vulnerabilities in payment processing software. Virtually all major merchants are now PCI DSS compliant.
PCI compliance is not a legal requirement but is often a prerequisite for being allowed to accept card payments. Fines for any data breaches are handed out by the Security Standards Council, which consists of American Express, JCB International, Discover Financial Services, MasterCard, and Visa Inc.
To become PCI compliant, there are a number of steps to complete, covering six different goals.
1. Build and maintain a secure network
The emphasis of the first goal is on ensuring that access to your systems is protected. You should have a firewall policy in place to protect any data you hold, and this should be tested frequently. The SSC also recommends that any vendor-supplied passwords be changed to unique, hard-to-guess passwords, because the default passwords supplied with software/hardware are often publicly known or easy to guess. In addition, it is suggested that passwords are updated at least once every 90 days.
2. Protect cardholder data
This second goal applies if your business chooses to store any cardholder data, either in a database or physically (paper receipts etc.). It is, however, recommended that no card data be kept unless absolutely necessary. If you do store card data, you must never keep PIN or CVC data.
To protect any cardholder data held on computers, passwords and authentication procedures should be used. If paper records are kept, filing cabinets/safes should be locked and secure.
Any transmission of data should also be encrypted in case it is intercepted. Encryption means that the decryption key is required in order to read the data, so an intercepted copy is useless to hackers/cybercriminals who do not hold that key.
3. Maintain a Vulnerability Management Program (VMP)
For this you will need to have an effective anti-virus system. You will need to continually scan software for malware and continually update your anti-virus software so that it is able to spot and prevent newer threats.
In terms of card payments, you need to ensure that your card payment provider is committed to continually updating their systems to prevent any security breaches.
Being proactive rather than reactive is a crucial part of prevention.
4. Implement strong access control measures
This essentially means ensuring that only those who really need it have access to any sensitive data. The fewer people who can access data, the lower the risk of it being compromised.
Any staff that require access should be given unique IDs and should follow strict guidelines with regard to authorisation and passwords.
If data is held off-site, your third-party provider must ensure sufficient security and access controls are in place.
5. Regularly monitor and test networks
You should always keep track of who accesses data and when. This helps in finding the root cause of any security breach that does happen and enables it to be fixed as soon as possible.
Regular testing also helps to ensure that the network and the data held on it is fully secure.
6. Maintain an information security policy
This should be a comprehensive document covering all of your data security procedures. It should include what your data security procedures are, who is responsible for executing them, guidelines on how to remain compliant and a fully developed plan as to what to do if you suffer a breach/malicious attack of any sort.
How software can help meet PCI DSS compliance requirements
To be PCI DSS compliant, a business needs to better handle and manage all the data it holds, especially sensitive data. It is crucial to invest in software that can monitor, detect and report on vulnerabilities, and do so in real time. Specialist software can reduce the need for manual intervention and can automatically notify business owners and IT teams of any vulnerabilities that it finds, so that they can be treated with urgency and remedied.
Common security issues that this software can identify include:
- Injection vulnerabilities
- Weak encryption
- Insecure communication
- Cross-site request forgery
- Broken authentication or authorisation
- Error handling
- Improper access controls
It can also detect instances where any application:
- Saves data without encryption
- Leaks data in a log file
- Saves the data in the browser cache
- Sends data in a URL
- Uses insecure authentication mechanisms
- Uses an unsafe database connection
In addition to tracking/scanning on an ongoing basis, data can be tagged as sensitive and any incorrect handling will be identified and reported instantly.
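As an added illustration of the "leaks data in a log file" and "sends data in a URL" checks above (example code written for this post, not Paytia's product), the scanner below finds card-number-shaped digit runs, confirms them with the Luhn check so that order numbers and timestamps are not flagged, and reports each hit masked to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log lines and URL are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlparse

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; never write the full PAN into a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked PANs found in a piece of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_log(lines: list) -> list:
    """Return (line_number, masked PANs) for every log line that leaks a card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings

def scan_url(url: str) -> dict:
    """Return {query_parameter: masked PANs} for parameters carrying a card number."""
    hits = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            pans = find_pans(v)
            if pans:
                hits.setdefault(key, []).extend(pans)
    return hits

# Constructed sample data: 4111... and 5500... are well-known test card numbers.
SAMPLE_LOG = [
    "2024-01-15T10:01:02Z INFO order=100345 status=ok",
    "2024-01-15T10:01:03Z DEBUG charge pan=4111 1111 1111 1111 amount=19.99",
    "2024-01-15T10:01:04Z DEBUG retry ref=4111111111111112",
]
SAMPLE_URL = "https://shop.example/pay?card=5500000000000004&amt=10"
```

Line 3 of the sample log is not reported because its digit run fails the Luhn check, which is what keeps this kind of scanner from drowning teams in false alarms.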
Learn more about how Paytia can help your business fulfil its PCI and GDPR obligations by scheduling a demo below.