Accepting Online Payments This Season? Here’s What You Need to Know.

‘Tis the season for online shopping! For online and eCommerce businesses, the holiday season is when activity really ramps up. During the hustle and bustle it is easy to let cybersecurity fall by the wayside, and with so much cardholder data changing hands, being lax about protecting it can be a costly mistake. In this post, we’ll walk you through what PCI DSS compliance requires and how each requirement protects your customers’ data, saving your business from fines, losses, and major headaches.

PCI DSS Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements that every business accepting card payments must meet, regardless of size. It is not a law: it is imposed contractually by the card brands through your acquiring bank and payment processor, and compliance must be validated annually (with a Self-Assessment Questionnaire or a Report on Compliance, depending on your transaction volume) alongside quarterly external vulnerability scans. There are twelve basic requirements:

1 | Install and Maintain a Firewall 

First, your organization must install and maintain a firewall as the first line of defense for its network, and by extension its cardholder data environment (CDE). Firewalls restrict inbound and outbound traffic according to rules you configure; those rules should deny everything by default and permit only the traffic the CDE actually needs, with each permitted rule documented and justified. Review the firewall and router rule sets at least every six months, and keep router configurations under the same change control as the firewall, since a misconfigured router can route traffic around the firewall entirely.

2 | Don’t Use Supplier Defaults

When setting up usernames, passwords, and other security parameters, it is tempting to leave vendor-supplied defaults in place: less to remember (or forget and have to reset later). But default credentials are easy to guess, and most are published online, so attackers try them first. To stay PCI DSS compliant you must change every vendor default (including default accounts, SNMP community strings, and wireless keys) before a system is connected to the network, disable services and accounts the system does not need, and keep an inventory of all in-scope systems along with written configuration and hardening standards that you follow every time you introduce a new system into your IT infrastructure.

3 | Protect Stored Cardholder Data

Requirement #3 may be the most important of the twelve: it covers tracking and protecting the cardholder data you keep. First, know what data you will store, where, and for how long, and keep retention to the minimum your business and legal obligations require, purging anything older on a schedule. Sensitive authentication data (the full magnetic stripe or chip contents, the CVV2/CVC2 code, and PIN blocks) must never be stored after authorization, even encrypted. Any stored primary account number (PAN) must be rendered unreadable using an industry-accepted method: strong encryption with a documented key-management process, truncation, tokenization (index tokens), or a keyed one-way hash. This requirement also governs how PANs are displayed: mask them so that at most the first six and last four digits are visible, unless a specific business need for the full number has been documented.


It’s not uncommon for businesses to store unencrypted card data without knowing it: card numbers end up in application logs, database backups, support tickets, and spreadsheets. If you suspect this might be you, card data discovery software that scans file shares and databases for card-number-shaped digit strings is a worthy investment.
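The following is an added example, not iSAFE code or a product, showing the core of what discovery software does and the three ways requirement 3 allows a PAN to be rendered: it finds card-number-shaped digit runs, uses the Luhn check digit to discard order numbers and phone numbers, and then masks, truncates, or keyed-hashes the result. The log line and the HMAC key are constructed for the example; the card number is the standard Visa test number.

```python
"""PAN discovery and rendering helpers (added example, not iSAFE code)."""
import hashlib
import hmac
import re

# 13 to 19 digits, each optionally followed by a space or dash, not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if an all-digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Luhn-valid PANs (digits only) found in text, in order of appearance."""
    return [_digits_of(m.group(0)) for m in _CANDIDATE.finditer(text)
            if luhn_valid(_digits_of(m.group(0)))]


def mask_pan(pan):
    """Display form permitted by requirement 3: first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan):
    """Storage form when only the last four digits are needed (the rest is discarded,
    not hidden). Do not keep a truncated and a hashed copy of the same PAN side by
    side: together they make the hash trivial to brute-force."""
    return pan[-4:]


def hash_pan(pan, key):
    """Keyed one-way hash (HMAC-SHA-256). An unkeyed hash is not enough: once the
    six-digit BIN is known, a 16-digit PAN has only about 10**9 Luhn-valid
    candidates, which a laptop enumerates in minutes. The key must live outside
    the database that holds the hashes."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def _sub(m):
        digits = _digits_of(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: an application log line that leaked a (test) card number.
# The 13-digit reference number is a false positive that the Luhn check rejects.
SAMPLE_LOG = "2023-12-01 10:15:22 order=8841 card=4111 1111 1111 1111 amount=59.99 ref=1234567890123"

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
    print(hash_pan(find_pans(SAMPLE_LOG)[0], key=b"example-key-kept-in-an-hsm-or-kms"))
```

Run `redact()` over log files and database dumps as a first pass; anything it changes is a place where unencrypted PAN is being written and needs to be fixed at the source, not just cleaned up.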

4 | Encrypt Public Data Transmissions

Just as you must encrypt stored cardholder data under requirement 3, you must encrypt cardholder data whenever it travels across an open, public network: the internet, wireless links such as Wi-Fi and Bluetooth, and cellular or satellite connections. Transmission is unavoidable when processing transactions, and it is a prime opportunity for criminals to intercept the data. That is why it must be protected with strong cryptography using a secure protocol version such as TLS 1.2 or later, SSH, or IPsec; SSL and early TLS (1.0) are no longer considered strong and must not be used. Never send PANs through end-user messaging such as e-mail, chat, or SMS unless they are encrypted first. And before any transmission, know exactly where you are sending the data or from whom you are receiving it, and verify the other end’s certificate rather than trusting whatever it presents.
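As an added example (not iSAFE code), here is what that looks like in a Python client that talks to a payment gateway: the weak configuration that many older integrations still carry, the hardened one, and a small audit function you can point at any `ssl.SSLContext` in your own code base to catch the settings requirement 4 forbids. The function and variable names are ours; `ca_bundle` is an optional path to a pinned CA file.

```python
"""TLS client settings: weak beside hardened (added example, not iSAFE code)."""
import ssl


def legacy_context():
    """The weak setting: trusts any certificate and accepts TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE              # any certificate accepted: trivial man-in-the-middle
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # early TLS: not strong cryptography
    return ctx


def hardened_context(ca_bundle=None):
    """Verified peer, hostname checked, TLS 1.2 or later only."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True and
    # loads the system CA store (or the pinned bundle if ca_bundle is given).
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION         # TLS compression leaks data (CRIME)
    return ctx


def audit_context(ctx):
    """Return the findings for a context; an empty list means it meets the bar."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

Use the hardened context everywhere cardholder data leaves the process, for example `urllib.request.urlopen(url, context=hardened_context())` or `ctx.wrap_socket(sock, server_hostname=host)`. The `server_hostname` argument is what makes `check_hostname` meaningful; omitting it is the same mistake as disabling the check.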

5 | Use & Update Antivirus

Another key requirement is protecting the systems that handle cardholder data from malware. You must deploy anti-virus or anti-malware software on all systems commonly affected by malware, including the workstations, laptops, and mobile devices that employees use to access your systems locally or remotely. The software must be kept current, actively running, and configured so that users cannot disable or alter it, and it must generate logs that are retained under requirement 10 so that detections can be reviewed. If you haven’t found an antivirus solution yet, be sure to check out our iSAFE Enhance Antivirus.

6 | Maintain Secure Systems & Apps

Having defined processes in place is key to keeping your systems and applications secure, which is why it is the sixth requirement. To be PCI DSS compliant, you must establish a process that identifies security vulnerabilities from reputable outside sources (vendor advisories, CVE feeds) and ranks them by risk. Once a vulnerability is found in your card environment, including operating systems, firewalls, routers, switches, application software, databases, and POS terminals, apply the vendor patch according to that process: critical patches within one month of release, the rest within the timeframe your policy defines. Software you develop yourself must follow secure coding guidelines and be reviewed for common flaws such as injection before release, and every change to the CDE must go through documented change control. Fixing issues early keeps them from snowballing out of control.

7 | Restrict Cardholder Data Access

Chances are, not everyone in your organization needs access to your customers’ cardholder data, and letting anyone and everyone in invites a breach. To comply with requirement 7, grant access on a need-to-know basis using role-based access control (RBAC): define roles, assign each user the least privilege their job requires, and set the access-control system to deny by default so that anything not explicitly granted is refused. Keep a documented list of every user with access, their role and its definition, the access level they currently hold and should hold, and the data resources each role operates on, and have a manager approve each grant.

8 | Assign Unique IDs to Internal Users

Shared or group usernames and passwords aren’t just a security no-no; they make you PCI DSS non-compliant. Per requirement 8, every user (employees, contractors, and vendors alike) who accesses your systems must have a unique identifier and strong authentication: a password of at least seven characters containing both letters and numbers, changed at least every 90 days, with the account locked after repeated failed attempts and idle sessions timed out. Multi-factor authentication is required for all remote network access from outside your network and for all non-console administrative access to the cardholder data environment. Remove accounts promptly when people leave and review inactive accounts regularly. That way, every action on cardholder data can be traced to one accountable person.

9 | Restrict Physical Access to Data

Beyond protecting your data virtually, you need to protect the physical locations where cardholder data lives: the server room, backup storage, and any removable or portable media. Control who can enter those areas with badges or keys, distinguish employees from visitors, and keep a visitor log recording who entered and left and when; retain it for at least three months. Use video cameras and/or access-control mechanisms to monitor sensitive areas and retain those recordings for at least three months as well. Keep an inventory of media and secure it during transport, and destroy media your business no longer needs (shred, incinerate, or pulp paper; wipe or physically destroy electronic media) so that it cannot fall into the wrong hands.

10 | Track & Monitor All Access

Under requirement 10, every in-scope system must have an audit policy that records who did what and when: individual access to cardholder data, all administrative actions, access to the audit logs themselves, failed logins, changes to accounts, and the starting or stopping of logging. Each record must capture the user, event type, date and time, success or failure, origin, and the affected resource. Forward the logs to a centralized log server where they cannot be altered by the people whose actions they record, and protect them from unauthorized viewing. Synchronize all clocks from a trusted time source so that events from different systems can be correlated, review the logs daily (with automated tooling where volume makes manual review impractical), and retain them for at least one year, with at least the most recent three months immediately available for analysis.
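The following is an added example, not iSAFE code, of the kind of daily review logic requirement 10 calls for, run over a handful of constructed lines in the shape a central collector might write them (ISO-8601 timestamp, host, process, message). The host names, addresses, the trusted jump-host subnet `10.10.5.0/24`, and the privileged-user set are all assumptions for the example. It raises three findings a reviewer should act on: a burst of failed logins against one account, a privileged login from outside the trusted subnet, and an event whose timestamp does not fit the review window, which usually means an unsynchronized clock or a stalled log forwarder.

```python
"""Daily review of centralized authentication logs (added example, not iSAFE code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed for this example: the only network administrators may log in from,
# and the accounts whose logins always deserve a look.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]
PRIVILEGED_USERS = {"root", "dbadmin"}

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
                  r"(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+)")

# Constructed sample lines; not from a real system.
SAMPLE_LOGS = """\
2023-12-02T03:14:07Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51022 ssh2
2023-12-02T03:14:09Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51023 ssh2
2023-12-02T03:14:12Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51024 ssh2
2023-12-02T03:14:15Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51025 ssh2
2023-12-02T03:14:18Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51026 ssh2
2023-12-02T03:14:21Z cde-db01 sshd[812]: Failed password for dbadmin from 203.0.113.40 port 51027 ssh2
2023-12-02T03:20:44Z cde-db01 sshd[901]: Accepted publickey for dbadmin from 10.10.5.12 port 40112 ssh2
2023-12-02T09:02:10Z cde-web02 sshd[233]: Accepted password for root from 198.51.100.7 port 60001 ssh2
2023-11-20T09:02:10Z cde-web03 sshd[120]: Accepted publickey for ops from 10.10.5.13 port 40113 ssh2
"""
REVIEW_TIME = datetime(2023, 12, 2, 10, 0, tzinfo=timezone.utc)   # when the review is run


def parse(line):
    """Split one collector line into fields; add auth fields when the message is an sshd auth event."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    a = AUTH.match(ev["msg"])
    if a:
        ev.update(a.groupdict())
    return ev


def review(log_text, now, fail_threshold=5, window=timedelta(minutes=10), max_age=timedelta(hours=25)):
    """Return (kind, host, detail) findings for a day's worth of lines."""
    findings = []
    failures = defaultdict(list)   # (host, user, source) -> timestamps of failed logins
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            findings.append(("unparseable line", "-", line))
            continue
        # A record from the future, or older than the review window, points at a clock
        # that is not synchronized or a forwarder that delivered late: both break correlation.
        if ev["ts"] > now or now - ev["ts"] > max_age:
            findings.append(("timestamp outside review window", ev["host"], ev["ts"].isoformat()))
        if "result" not in ev:
            continue
        if ev["result"] == "Failed":
            key = (ev["host"], ev["user"], ev["src"])
            failures[key].append(ev["ts"])
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) == fail_threshold:   # report once, when the threshold is first crossed
                findings.append(("repeated auth failures", ev["host"],
                                 f"{ev['user']} from {ev['src']} ({len(recent)} failures)"))
        elif ev["user"] in PRIVILEGED_USERS:
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in TRUSTED_ADMIN_NETS):
                findings.append(("privileged login from untrusted source", ev["host"],
                                 f"{ev['user']} from {ev['src']}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in review(SAMPLE_LOGS, REVIEW_TIME):
        print(f"{kind:40} {host:10} {detail}")
```

Note that the sixth failed attempt is not reported again and the successful key-based login from the jump host is not reported at all; a review that floods the analyst with duplicates and expected events gets ignored, which is the same as no review. In production the same logic runs inside the SIEM, but the thresholds and the trusted-source list still have to be decided and documented by you.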

11 | Test Regularly

A key part of any IT plan is regular testing to confirm everything is running as intended and no vulnerabilities have crept in. PCI DSS compliance is no exception. The following activities are required:

  • Scan for wireless access points at least quarterly to detect and identify all authorized and unauthorized access points, and keep an inventory of the authorized ones.
  • Have all external IPs and domains of the CDE scanned at least quarterly, and after any significant change, by a PCI Approved Scanning Vendor (ASV); a passing scan has no vulnerability rated CVSS 4.0 or higher.
  • Run internal vulnerability scans at least quarterly and after significant changes, and rescan until high-risk findings are resolved.
  • Conduct application and network penetration testing, from both outside and inside the network, at least yearly and after any significant change, and retest to confirm that the fixes hold.
  • Run intrusion detection or prevention at the perimeter of and critical points within the CDE, and a change-detection (file-integrity monitoring) solution that compares critical system files at least weekly and alerts on unauthorized changes.

12 | Maintain an Info Security Policy

Finally, your organization must maintain an information security policy that addresses all of the requirements above, is reviewed at least annually and updated when the environment changes, and is distributed to all employees, vendors, and contractors, who must read and acknowledge it. The policy program also includes a formal annual risk assessment (repeated after any significant change), security awareness training on hire and at least yearly, background checks on candidates before hire, management of service providers who handle cardholder data on your behalf (including their written acknowledgement of that responsibility), and an incident response plan that is tested at least annually.

What if we don’t comply?

Unfortunately, PCI DSS compliance isn’t something your business can afford to ignore. Non-compliance is costly: the card brands fine your acquiring bank or payment processor for working with non-compliant merchants, and the bank passes those fines on to you. They are commonly reported to start around $5,000 per month and climb to $100,000 per month, depending on the extent of the negligence and how long it persists, and a breach while non-compliant adds forensic investigation costs, card reissuance costs, and liability for the resulting fraud. Banks and card companies also don’t want to work with non-compliant businesses, so you may lose your merchant account; even if you keep it, your transaction fees may rise to reflect the risk you pose.

Get Help from Professionals

Keeping cardholder data safe, and your business PCI DSS compliant, can come with a lot of moving parts. There are many potential pitfalls that could result in a costly data breach, both for your company and your customers. If it all seems a bit overwhelming, don’t worry– iSAFE is here to help. Ask how our managed services package can help you protect your data and keep your systems secure.

About iSAFE

Most business owners, entrepreneurs and IT managers are anxious and frustrated with computer technology because they don’t know how to make their systems secure while keeping their employees productive. Managing computer technology yourself or in-house leads to lower productivity, greater expense, cyber attacks, and ultimately, data loss. At iSAFE, we manage computer technology for our customers so you can focus on running your business and accomplishing your goals. If you’re ready for someone to completely manage your IT infrastructure, secure your data and networks, and support your staff, then iSAFE Complete Managed Services is for you. Learn more about our services or sign up today
