What it means to be PCI compliant
Understanding what it means to be PCI compliant is the first step towards becoming compliant. Merchants need to understand which protocols are necessary and why they should consider becoming PCI compliant. It is quite likely that a merchant is required to become compliant: if the company receives, stores, or processes the Primary Account Number (PAN), the principal credit card number of a customer, then PCI compliance is a necessity. These numbers are no longer than 19 and no less than 16 numerals in length. The PAN is not the only piece of information that is protected. Should a merchant obtain other information, such as the CVV or CVC number of a credit card, that information also falls under PCI compliance protection.
Each merchant level has different PCI compliance requirements, and the merchant must evaluate which PCI guidelines apply to it. Individual credit card companies have their own PCI guidelines in addition to the DSS standard. These guidelines must be adhered to, or the merchant risks being in violation of compliance altogether. Some credit card companies follow the standard practices for PCI compliance but also have their own policies, which often favor the customer. Complying with the DSS standard but not with a card company's standard could cause problems in the future: should such issues arise, the merchant will also be subject to an audit by that credit card company. This is why it is imperative that the merchant evaluates and assesses its PCI compliance against the card companies' requirements as well as the regulated standards.
Among the most common PCI compliance components is the infrastructure of the system that maintains and operates the personal information. As in the case of Chase Manhattan this past holiday season, PCI security is not just the problem of those who maintain and collect this information. Following the incident in which the Target retail chain was hacked and the information of thousands of customers was accessed, Chase issued warnings to merchants. The warning stated that businesses would have to become fully PCI compliant to Chase's standards if they wanted to continue accepting Chase credit and debit cards.
Accordingly, merchants and service providers are expected to operate an infrastructure that complies with the standards set by the Payment Card Industry Data Security Standard (PCI DSS). This standard documents in writing the procedures and requirements to be met when taking, storing, or accessing payment card information. Among the areas it covers are firewalls, access control, data encryption, and other security measures to be taken.
All PCI compliant merchants must install and maintain an enterprise firewall system to protect cardholder data. This firewall is the first line of defense against hackers and anyone else who wishes to steal privileged information from the system. It should protect not only stored information but also information in transit.
Most merchant systems for card payments are supplied by a vendor that provides everything from the point-of-sale system to the scanners used for payment. These systems usually ship with a default configuration designed to streamline installation and maintenance. Those defaults are shared across all similar installations, which makes a system left at its defaults an easy target for intrusion. Merchants should set passwords and security parameters that are unique to their system, and only authorized personnel should be allowed to access these systems to make changes.
The protection of cardholder data should go without saying. While many companies and merchants do their best to protect this data, it is often overlooked. Hackers and identity thieves are constantly looking for ways to infiltrate a system, and maintaining compliance means staying one step ahead of those who want to perform malicious acts. Stored data such as credit card numbers and purchase data should be retained only as long as it is needed to provide customer service, meaning a possible credit back to the card or verification of the purchase. Beyond this, the information should never be stored.
With networked technology now the norm, the importance of protecting information in transit is at an all-time high. The reality is that this information can be intercepted at any point once the data has left the internal network. In short, if a customer uses a debit card to buy something as small as a snack item from a convenience store, that data leaves the merchant's internal infrastructure to reach the secure network of the issuing bank. This data must be encrypted so that only the sending and receiving parties can read it.
Proficient Security Suite
Aside from the firewall, having an adequate security suite installed not only on network server components but also on end-user workstations provides greater protection for the data transferred across the system. Many of the tools used to carry out security breaches take the form of malware and programs that hide themselves within the system. These malicious programs resemble legitimate software and can go undetected; an up-to-date anti-virus and security software suite helps detect them.
Maintenance and Security
Having a dedicated team of system engineers ready to continually maintain and operate the system is an ideal way to ensure that the system stays compliant. It is the job of these professionals to make certain that the systems in place are secure and properly maintained, and many are specifically trained and experienced in the methods of PCI compliance. Keeping the system maintained and up to date keeps the intrusion rate low and the protection of the system intact. Part of this maintenance is the administration of accounts: administrators should grant limited access only to those who are trusted, which could include managers and executives. All employees with access to the system should be aware of the network policies that apply not only to them but to the company and to PCI compliance as a whole. These policies should be monitored and violations strictly enforced.
Keeping Data Restricted
Merchants need to keep cardholder data on a need-to-know basis. This includes payment options and checkout services. In most cases, the cardholder details are not necessary when simply swiping a card or registering it for payment. The full card number does not need to be displayed; only the acceptance result is necessary. From the merchant's point of view, the card is either accepted for payment or it is not. Should a card be declined, it is up to the customer to find out why.
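As an added illustration that is not part of the original article, the following Python shows one way a merchant could enforce the masking described above and check its own logs for full card numbers that should never have been written. The card numbers and log lines are constructed test data, and the 16-to-19-digit pattern follows the PAN length stated earlier on this page.

```python
import re

# Constructed sample log lines (not real transactions): one leaks a full PAN,
# one is already masked, one is a 16-digit order id that merely looks like a PAN.
SAMPLE_LOG = """\
2024-01-05 12:00:01 checkout ok pan=4111111111111111 amount=3.49
2024-01-05 12:00:02 checkout ok pan=411111******1111 amount=3.49
2024-01-05 12:00:03 order=4111111111111112 shipped
2024-01-05 12:00:04 ticket ref 1234567890123 opened
"""

# Page states PANs are 16 to 19 digits; assumption: they appear as one contiguous run.
PAN_RE = re.compile(r"(?<!\d)\d{16,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out look-alike ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is masked."""
    if not 16 <= len(pan) <= 19 or not pan.isdigit():
        raise ValueError("not a PAN of the length this page describes")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Digit runs of PAN length that also pass Luhn: likely leaked card numbers."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def redact_log(text: str) -> str:
    """Replace likely PANs with their masked form; leave non-Luhn ids untouched."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        text,
    )


if __name__ == "__main__":
    print("leaked:", find_unmasked_pans(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
```

Running the detector over existing logs is a quick check that the "display only the acceptance result" rule is actually being followed by every component that writes to them.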
Use Only Approved Scanning Vendors
Once the technical specifications have been put into place, any equipment and additional software should be provided only by an approved vendor. Approved Scanning Vendors (ASVs) assess the network by conducting security scans. The purpose of the scanning assessment is to identify potential security weaknesses and vulnerabilities.
One of the most common problems with PCI compliance is that many companies remain compliant only long enough to pass a review or a system audit. This practice is a hindrance and could jeopardize the system as a whole. Maintaining compliance is a job that should be conducted regularly and reviewed continually. This may seem costly, but rest assured that it is far more costly should a class-action lawsuit or federal investigation find its way to a merchant's doorstep because proper compliance protocols were not being exercised.