PCI DSS or Payment Card Industry Data Security Standard is a set of security controls that are used for measuring security of businesses involved directly or indirectly in the Payment Card Industry. All businesses that store, process and transmit cardholder data come under this category and it is obligatory upon them to comply with the standard. Organizations compliant with PCI DSS have lesser risk of suffering security breaches that can result in information theft of valuable customers. PCI SSC or PCI Security Standards Council was originally formed by American Express, Discover, Master Card, Visa and JCB and develops programs and standards for maintaining the security issues of payment card systems.
1. Check your Merchant Level
As a first step, you need to verify and check your merchant level by consulting the clearing house or bank handling your credit card transactions. Merchants are categorized into four types based upon their VISA card transaction over past 12 months. VISA is only used as a benchmark here and the same rule applies to companies accepting other credit cards such as MasterCard, American Express, etc.
Level 1 merchant processes over 6 million VISA transactions per year or is designated Level 1 by the VISA company.
Level 2 merchant accepts between 1 and 6 million VISA transactions annually. This includes in-person and online.
Level 3 merchant will process between 20,000 and 1 million VISA transactions per year.
Level 4 merchant, considered a small merchant, takes in fewer than 20,000 VISA payments per year.
2. Understand Penalties Resulting in Violation of PCI DSS
Noncompliance to PCI DSS will result in sanctions, fines and lesser privileges from credit card processors and banks. If there is an actual loss of cardholder data as a result of noncompliance, businesses can face heavy fine, high fees and increased sanctions. Such businesses can also face lawsuits and government trial for failure in protection cardholder data of customers.
3.Learn About Best Security Practices
As a business, it is important to familiarize yourself in detail about the 12 requirements of PCI DSS. These requirements fall under 5 basic security controls i.e. network security, data protection, vulnerability management, access control, monitoring and control, and information security policy. PCI DSS v 3.0 and v 3.1 have been released while v. 3.2 is expected to be released soon this year.
4.Build and Maintain a Secure Network
Unless you are a business operating in an IT industry, you should never install your network yourself if it has to store, process or transmit cardholder data. Rather, you should hire services of a trusted and experienced vendor that can help you install and update the system free of vulnerabilities. For maintenance purpose, you need to develop long term relationship with your network security provider.
Always keep your firewalls operational and updated. Immediately change vendor-provided passwords and never allow any employee to disable firewalls. Develop a password policy for your organization with clear instructions to employees on how to keep a strong password and how often to change it, according to vendor instructions.
5.Protect Cardholder Information
If your company processes credit cards manually, all receipts must be secured in locked files with limited access. If you store cardholder information in your network, keep it encrypted and protected behind company firewall.
6.Create a Vulnerability Management Program
Develop a program that does not allow employees to add new software to the system without prior permission as it could compromise your system information. Protect your network and systems with company approved anti-virus software.
7.Implement Access Control
Every employee should be given access to only information that is needed to perform their job duties. Limited password access should be practiced throughout the organization on this principle. This will help narrow down the loopholes in case a data breach occurs and will make investigation easier. Every network user and terminal should be given unique ID so that entry point in case of data breach can be identified.
8.Monitor and Test your Network
A good security program always requires regular monitoring and maintenance. Regular scans must be conducted for monitoring cardholder data flow through your network. Tests can be conducted either by your IT staff or your vendor in times of lesser usage such as late night or in real time when system usage is at the fullest. Maintain test results log.
9.Develop an Information Security Policy
This policy document should cover in detail all the security measures your organization needs to take to secure its customer data and to comply with PCI DSS. A PCI-compliant security policy requires to be developed by someone with years of experience in infosec or by trained staff dedicated to write and maintain such a policy. Once it is developed, it needs to be revised only when your network is updated or expanded.
10.Assess, Remediate and Report PCI DSS Compliance
Now that all requirement of PCI DSS are implemented, you need to assess your network and business processes periodically to look for any variations or noncompliance. In case of any changes, update your security program and vulnerability management plan. Remediate the vulnerabilities either by acquiring new equiment, software or by training and conduction employee infosec awareness sessions. Submit periodic reports of your ongoing compliance to credit card companies and your bank.