The Basics of PCI Compliance
By John Robinson, of Cocard Synergy

Before I get to the meat of the matter, let me finish what I began last week. It bugged me that I only knew what TJ Maxx was supposed to be fined, so I went and found out what they were fined. Rather than the roughly $100 per stolen card that was guessed at, TJX settled with Visa for about $1 per card. Rather than $45 Billion, they paid $45 Million. Still, though, that’s a lotta’ dough. Visa then went on to charge TJX’s acquiring bank $880,000 for not making sure their merchants were PCI compliant.
So there you are. Now, if you’re a big merchant and do 6 million card transactions a year, Visa will charge you $25,000 a month for each month they discover you aren’t compliant. And they have similar fines for all the not-that-big merchants.
Anyway, on to PCI DSS standards. (PCI DSS stands for Payment Card Industry Data Security Standard.) The key, easy concept is: Protect your customers’ data.
You first need to think about where your customers’ info is taken, what happens to it during the transactions, and then where does it go afterward. Here are some key questions for you to consider:
- Are your terminals PCI compliant?
- Do the receipts truncate the account numbers?
- Is customer information winding up on your computers?
- How are your firewalls?
- Is data encrypted?
Now I have you thinking, don’t I? Don’t freak out just yet! Below is the actual list of 12 requirements for your business to be considered PCI compliant (you can find them here on the PCI Security Website):
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Obviously these two are common sense.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
AHA! That’s vague. Well, having account numbers truncated on receipts and blocked out in general on your system are two examples. Also, don’t store customer identity information in a generic Excel file. Just because some database program works well for tracking your expenses doesn’t mean it’s secure enough to withstand a hacker assault. Use programs specifically created for that purpose that are listed as compliant.
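As an added example (not part of the original post), here is a small Python routine covering the two pieces of Requirement 3 just mentioned: truncating an account number so only the last four digits survive on a receipt, and scanning an exported file or log for card numbers that have wound up on your computers, using the Luhn check to tell real account numbers from order IDs and tracking numbers. The sample export line is constructed for the example.

```python
import re

# Candidate account number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample of a spreadsheet export that should never contain a full card number.
SAMPLE_EXPORT = "order 20230117, card 4111-1111-1111-1111, exp 12/27, tracking 1234567890123456"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a card number the way a compliant receipt should: only the last four digits remain."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        raise ValueError("not a valid primary account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card number found in free text; returns (redacted text, count)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            count += 1
            return mask_pan(candidate)
        return candidate        # digit run that fails Luhn: leave it, it is not a card number

    return PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    redacted, found = redact_text(SAMPLE_EXPORT)
    print(f"{found} card number(s) found -> {redacted}")
```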
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Back to common sense on that one.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Yup. Common sense again.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Aha again! Do you keep hard copy FILES on your customers? Or if electronic, can any old Tom, Dick, and Employee use the computers cardholder data is stored on?
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Here’s an easy extra for 9 and 10: If you can, have two servers that aren’t networked together. One can be for accessing the Web by the rank and file, doing business and whatnot. The other can be for cardholder information use only. That way, if a hacker breaks into the former system, your customers are still safe!
Requirement 11: Regularly test security systems and processes
There are many companies that will provide security audits for you. One great place is Security Metrics.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
That’s more than enough information for one post. I’ll be back in a few days with a much shorter post providing a couple of tools to immediately get on the ball with this. Meanwhile, you can check out the following links:
This is good information, I’m glad that someone is doing something to fine those that do not take the proper steps to ensure their customers’ information is protected.