Security Standards and Services

The 12 Mandated PCI Compliance Policies: Is Your Organization Doing All It Can?

If you work as a merchant in the payment card industry (PCI) pipeline, then you know that dealing with PCI compliance is a challenge. Sorting through the many rules and regulations is time-consuming and painstaking work; however, the time spent is worth it when you realize that PCI compliance helps provide shelter for you in case there is a breach. We studied the 12 mandated PCI compliance policies and have come up with a few tips for coping with this issue. Let’s start with the basics.

PCI DSS

Payment Card Industry Data Security Standards (PCI DSS) comprises the globally accepted policies and procedures of the payment card industry. The Payment Card Industry Security Standards Council developed and maintains these standards. The payment card industry and all merchants, retailers and other organizations of any size that accept payment by credit cards and process, store, or transmit cardholder financial information or authentication data must follow the accepted standards. The following make up the 12 best practices.

Use Only a Secure Network

Your network must include a robust firewall intended to protect cardholder data while stored in your care. This includes placing a firewall between wireless networks and the environment that holds cardholder sensitive data. Remember, a firewall and a secure network are only as strong as the password protections and security policies that you create and maintain. Never use default passwords or default security parameters. Multi-level authentication and a mandatory protocol that requires changing passwords on a prescribed schedule provide the best protection against network intrusion.

Protect Cardholder Data

There are two times that security standards require organizations to provide cardholder sensitive data protection. First, you must undertake best efforts to safeguard cardholder data while stored on your network. Second, you must encrypt cardholder sensitive data when transmitting it across open, public networks. Encryption makes the data unreadable and unusable by cyber intruders who do not have the appropriate encryption keys. In addition, organizations must not save sensitive card validation codes or pin numbers after validation even if encrypted.

Manage System Vulnerabilities

An organization cannot safeguard cardholder sensitive data if its own network is at risk. At a minimum, maintain and update anti-virus software on the network. Systems and applications residing on the network must also contain security measures intended to minimize intrusions and identify threats. IT staff must make applying security patches and/or software and operating system updates a priority. Ransomware and other malicious cyber threats continue to proliferate, so organizations must fortify networks with protections against more than just viruses.

If you outsource sensitive data to a third-party hosted provider, a managed service provider must take responsibility for maintaining a secure environment with respect to the data.

Strong Access Control Features

Restricting access to the network and to certain file storage areas goes a long way toward protecting sensitive data. Access to cardholder sensitive data should release only on a business’ need-to-know basis. Assign each person with access to network computers a unique identifier (login ID). This feature allows the organization to track individual computer usage and track unauthorized access to network files and programs.

Restrict to as few individuals as necessary the ability to physically access cardholder data. The fewer people who have authorized access to sensitive data the easier it is to control unwanted intrusions.

Monitor, Track, and Test Networks

Every organization with PCI DSS responsibilities must track user access, conduct threat assessments, and test potential unauthorized access to the networks and, specifically, to cardholder data.

Adopt and Maintain Information Security Administrative Policies

The administrative policy must address information security procedures with respect to each member of the organization’s staff. Each staff member must understand his or her responsibility with respect to maintaining information security. Each staff member must understand the steps required of him or her should a breach occur.

To learn more about PCI compliance, read the “PCI SSC Quick Reference Guide” (PDF)