It is easy enough these days to set up an online store and sell your products and services online. But before you do this, take time to ensure that you do everything right. Why? As soon as you charge your customers' credit cards or debit their bank accounts, you take on a variety of risks.
Of course, you have heard of hackers breaching the databases of large retailers and stealing customer information, credit card information, even social security numbers.
This is why, as a merchant, you have an obligation to take measures to secure data and limit your exposure to fraud. So, how do you meet your operational needs while protecting your payment data and satisfying your regulatory compliance obligations?
In short, if your organization processes, stores, or transmits cardholder data, then the people, processes, and technology within your organization that interact with or are exposed to payment card information are subject to the Payment Card Industry Data Security Standard (PCI DSS). This is where PCI compliance comes in. To comply, you’ll need to ensure your organization has the necessary security measures in place to sufficiently protect sensitive payment data.
The PCI DSS is an industry standard for securing cardholder data around the world. All organizations that process, store, or transmit cardholder data must adhere to the PCI DSS if they want to use cards from the major payment card brands that created and adopted the standard.
The PCI DSS consists of 12 requirements within 6 categories, each made up of several more specific, related controls for a grand total of more than 300 security checks.
1. Build and Maintain a Secure Network and Systems
This outlines requirements for network security. Specifically, it requires organizations to install and maintain firewalls and routers, and not to use vendor-supplied defaults. All of the controls in this category are about securing your network and implementing proper network security mechanisms. At WEEcommunicate we maintain a secure and PCI compliant web server network that will give you peace of mind as a merchant.
2. Protect Cardholder Data
This is a data security category. It’s concerned with the protection of the data elements themselves, regardless of their form: data in storage, in transit, in processing, or even in physical form, such as paper records like invoices or receipts. Whenever cardholder data is transmitted or stored, encryption is the appropriate measure for rendering it unreadable to anyone without the key.
WEEcommunicate encrypts all data transmissions with the required protocols, regularly reviewed and checked. We do not store any payment related information such as credit card numbers on any of our servers to protect our clients.
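The most reliable way to protect stored cardholder data is not to store it at all, and to make sure it never leaks into logs. The following Python snippet is an added illustration of that data-minimization idea; it is not WEEcommunicate's code, and the record fields (`pan`, `cvv`, `order_id`) and the constructed sample values are assumptions for the example. It masks a card number to first six and last four digits (a common PCI DSS display format), strips sensitive authentication data such as the CVV before a record is persisted, and redacts anything that looks like a card number from a log line.

```python
import re

# Field names (assumed for this example) that hold sensitive authentication data.
# PCI DSS forbids storing these after authorization, so they are dropped outright.
SENSITIVE_AUTH_DATA = ("cvv", "cvc", "pin", "track_data")

# Matches 13 to 19 digits, optionally separated by spaces or dashes, bounded by non-digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def normalize_pan(pan: str) -> str:
    """Strip the separators people type into card numbers and sanity-check the length."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything in between becomes '*'."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(order: dict) -> dict:
    """Return a copy of an order record that is safe to write to our own database.

    Sensitive authentication data is removed, and the full PAN is replaced by its
    masked form; the real PAN stays with the payment processor, never with us.
    """
    record = {k: v for k, v in order.items() if k not in SENSITIVE_AUTH_DATA}
    if "pan" in record:
        record["pan_masked"] = mask_pan(record.pop("pan"))
    return record


def redact_log_line(line: str) -> str:
    """Mask any card-number-shaped digit run before the line reaches a log file."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), line)


if __name__ == "__main__":
    # Constructed sample order; the card number is a well-known test number.
    sample = {"order_id": "A1", "pan": "4111 1111 1111 1111", "cvv": "123", "amount": 10.0}
    print(sanitize_for_storage(sample))
    print(redact_log_line("charged card 4111-1111-1111-1111 for 10.00"))
```

The log redaction is a safety net, not a substitute for never handing the PAN to your own application: if the checkout page posts card details straight to the payment gateway, the merchant's servers never see them and most of the card-data environment falls out of scope.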
3. Maintain a Vulnerability Management Program
This category is concerned with application security, so it details how an organization should protect its systems against malware, viruses, exploitation of coding flaws, and other items that affect application security. Potential solutions here could include antivirus software and security filters. WEEcommunicate maintains a solid security standard on the web servers. Of course, it is important for our clients to maintain their internal network to eliminate any potential weaknesses.
4. Implement Strong Access Control Measures
The first two requirements here address identity and access control measures. Identity refers to how to authenticate a user, and access control determines the user’s permission or access level to certain resources within your environment, specifically to cardholder data. The third aspect covers controls for physical access, such as requiring locks, cameras, etc., to prevent unauthorized physical access to a server room or data center. The WEEcommunicate security team recommends that our clients review the system access privileges of all users against their job descriptions, so that data is not exposed to unauthorized users.
5. Regularly Monitor and Test Networks
This requirement is not so much concerned with implementing new security mechanisms as it is maintaining your existing ones and ensuring they are sufficient. You need to be able to monitor your own network and detect security incidents if and when they occur. You also need to test your security systems and coding to ensure they are secure and functional, update and patch applications, and keep up with threat management for malware and viruses.
6. Maintain an Information Security Policy
This is essentially a policy that sets the tone for your entire organization’s information security strategy. It needs to address all your employees and reflect your attitude toward PCI compliance and overall data security. This includes training programs and continuing education to ensure proper practices.
Now that we’ve established the high-level control categories for PCI DSS compliance, let’s take a closer look at what each of the 12 requirements means in practice.
1. Do you have a firewall or similar security measure in place to safeguard the system(s) in which you store, process, or transmit cardholder data?
2. Is that firewall regularly updated and maintained?
3. Have you replaced default passwords and vendor-supplied security parameters with unique and sufficiently strong alternatives?
4. Are those passwords protected and safely stored to minimize their risk of exposure?
5. Do you have sufficient security controls in place to protect cardholder data stored within your internal systems?
6. Are you securing cardholder data when it is in transit?
7. Are you at least using an approved method of encryption to protect it?
8. Is it being protected when traveling across open networks?
9. Does your organization have antivirus software or other virus-prevention programs?
10. Is that software or program up to date?
11. Do you have regularly scheduled reviews of that software to ensure that you always have the most recent version?
12. Is your organization using the most recent version?
13. Does your organization have secure systems and applications?
14. Are those systems and applications being maintained?
15. If not, do you plan to develop secure systems and applications in compliance with the PCI DSS?
16. Is access to cardholder data restricted within your internal systems?
17. Is this restricted access based on an individual’s need to know or need to handle that data to complete everyday tasks?
18. Does the need to complete those tasks outweigh the risk of giving the individual(s) in question access to that data?
19. Does every person within your organization have a unique user ID for computer access?
20. Are those unique IDs enabled with permissions/access-control measures managed by a system administrator?
21. Are those permissions/access-controls consistent with business-need-to-know (e.g., marketing interns aren’t allowed to view the cardholder data of customers)?
22. Does your organization restrict physical access to computers, servers, or other systems where cardholder data can be processed, stored, or transmitted?
23. Do you have a system in place to log and monitor all visitors to facilities where cardholder data can be accessed?
24. Is all media physically secured, safely stored, and not inappropriately distributed or accessible?
25. Do you have a process for regularly reviewing your organization’s networks to prevent exploitation?
26. Are these processes logged?
27. Are these logs stored and secured to provide reliable audit trails?
28. Are your systems frequently tested to discover any vulnerabilities?
29. If vulnerabilities are discovered, are they being addressed and maintained over time?
30. Do these tests occur any time new software is introduced or configurations are changed?
31. Do these tests include internal and external network vulnerability scans and penetration testing at the required intervals?
32. Are you monitoring critical system files to ensure they’re not illicitly accessed or modified?
33. Does your company have an internal information security policy?
34. Does this policy cover the requirements of the PCI DSS?
35. Are those requirements being sufficiently addressed?
36. Is your policy reviewed annually and/or whenever changes to your internal systems occur?
37. Does this policy include measures for identifying and monitoring the PCI compliance responsibilities of service providers?
38. Do you have an incident response plan that can be executed immediately in the event of a breach?
39. Does your website show complete contact information of your organization in the footer?
40. Do you publish Terms and Conditions for the use of your website, and data privacy statements?
41. Do customers have the ability to contact your organization for any questions regarding data safety and privacy?
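Two of the questions above, keeping logs that provide reliable audit trails (27) and monitoring critical system files for unauthorized modification (32), are easy to state and easy to get wrong in practice. The Python below is an added example of the minimum mechanics behind both; it is not WEEcommunicate's tooling, and the directory contents and event fields are constructed for the demonstration. It records a SHA-256 baseline of a directory, reports files that were added, removed or modified since, and writes the findings into a hash-chained audit log in which any later edit to an earlier entry is detectable.

```python
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # previous-hash value for the first audit entry


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (by relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report what changed between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _entry_hash(prev: str, event: dict) -> str:
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_audit_entry(log: list, event: dict) -> dict:
    """Append an event whose hash covers the previous entry's hash (a hash chain)."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"prev": prev, "event": event, "entry_hash": _entry_hash(prev, event)}
    log.append(entry)
    return entry


def verify_audit_log(log: list) -> bool:
    """Recompute the chain; any edited, reordered or dropped entry breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != _entry_hash(prev, entry["event"]):
            return False
        prev = entry["entry_hash"]
    return True


def demo() -> dict:
    """Constructed scenario: baseline a directory, change it, detect and log the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout.conf").write_text("gateway=example\n")
        (root / "web.conf").write_text("tls=on\n")
        baseline = build_baseline(root)
        (root / "web.conf").write_text("tls=off\n")     # modified after baseline
        (root / "added.txt").write_text("unexpected\n")  # added after baseline
        (root / "checkout.conf").unlink()                # removed after baseline
        diff = compare_baseline(baseline, build_baseline(root))

    log = []
    append_audit_entry(log, {"type": "baseline", "files": len(baseline)})
    append_audit_entry(log, {"type": "fim_alert", **diff})
    intact_before = verify_audit_log(log)
    log[0]["event"]["files"] = 99  # simulate someone rewriting history in the log
    return {"diff": diff, "intact_before": intact_before, "intact_after": verify_audit_log(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline and the audit log would live on a separate, write-restricted host, since an attacker who can alter the monitored files can usually alter a baseline stored next to them; the hash chain makes tampering evident, but only the copy kept out of reach can prove which version is authentic.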
You surely have many more questions about this topic. Check out these helpful links for further information, or use your search engine to research the topic further: