The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants protect cardholder data. Failure to provide proof of compliance could result in payment of extra fees or more serious penalties, especially in the case of a data breech.
If your organization collects, stores, or transmits credit card data, you are hopefully aware of this requirement and have become PCI compliant. If not, then starting the process as soon as possible is strongly recommended due to the risks involved.
The requirements are commonly triggered when an organization has a website form with credit card payment fields. The computer systems where the forms are located are subject to significant extra security requirements. Surprisingly, most website hosting providers do not provide PCI compliant configurations by default. And if the servers are located within the local data center, the organization is completely responsible for completing the extra security configuration work.
Not all of the security requirements are related to the computer network. "Social engineering" of staff members, where hackers gain access through phone conversations and other offline methods, is a growing threat that is also addressed by the PCI guidelines.
Outsourcing all credit card processing to a third party is one solution for minimizing the burden of PCI compliance. Another option is to call for assistance! Terminal's PCI compliance experts can help you understand and complete the compliance process.
How to Achieve PCI Compliance
The first step in achieving PCI compliance is to determine your organization's level. There are 4 levels based on the number of transactions processed. The second step is determining what must be submitted for validation. Usually, that involves one of several Self-Assessment Questionnaires (SAQ) - selected based on the systems and methods used to process transactions - and possibly an external scan of the network.
The Self-Assessment Questionnaire asks organizations to confirm they have the following in place:
- Network firewall
- Secure, patched network with anti-virus protection
- Encryption of data sent over public networks
- Restriction of data to employees based on their need to know
- Tracking of all network access to cardholder data
- Retention policies, including locked physical access and paper shredding
- Maintaining of information security policies
- Training of staff in PCI compliance
Automated scans of the network may also be necessary, and include the following requirements:
- Scanning done externally by an approved vendor, and internally
- Testing each quarter, and after significant network changes
- Submitting additional information as requested
- Fixing network vulnerabilities, and retesting
Recent PCI Changes
In December 2015, there was a new mandate to migrate web hosting systems away from SSL and Early TLS. That work must be completed by June 2018.
Also, just last month PCI DSS released version 3.2. This includes additional requirements including two factor authentication for system administrators, even when logging in locally on a trusted network. Also, requirements for testing processes and submitting evidence of controls have been strengthened.
For those who have achieved PCI compliance, Terminal's experts are available to ensure continuing compliance with ongoing changes to the PCI landscape. Terminal is also ready to assist merchants who have not yet begun the compliance process. Please contact us for more information.