Can you count how many times your credit card has been scanned by a small business in the last ten days? The seven square inches of plastic filling up our wallets are 21st century keys to not just our finances, but also a bevy of sensitive personal information. And yet, it’s not uncommon to see consumers handing their credit cards to businesses that consist of little more than an iPad and a card scanner purchased from Best Buy. Whether you’re just worried about the security of your financial information or considering hosting this data at your small- or medium-sized business, understanding how it’s stored and regulated is crucial.
Although Payment Card Industry (PCI) compliance is mandated by law in only two states (Nevada and Washington), credit card companies have the authority to impose on violating entities fines ranging from $5,000 to $100,000 per month. These fines are often brought to the card issuer and eventually passed along to the merchant, who could face increased transaction fees or even a termination of their processing services altogether.
There may be a few more zeros on those penalties than you might expect for a small- to medium-sized business, but it’s important to note that merchants are divided into levels based on the number of transactions they process during a one-year period. A Level 1 merchant processes over six million transactions per year; Level 2, between one and six million; Level 3, between twenty thousand and one million; and Level 4, fewer than twenty thousand. Regardless of the vendor level, there are six “control objectives” everyone must follow when handling cardholder data. Let’s take a look.
Creation and maintenance of a secure network
It may seem like a no-brainer, but PCI standards mandate certain network security minimums for vendors with access to credit information. Firstly, compliant companies must implement a firewall with customized settings. A business cannot simply buy off-the-shelf protection and expect to achieve adequate data security. Protocols must be configured specifically to the organization, and after they’ve been completed they need to be adequately tested, one connection at a time.
As an extension of the first tenet, all default settings and passwords relating to network security must be changed before being introduced ‘into the wild.’ This includes everything from router firmware passwords to eliminating workstation ‘Guest’ accounts. Starting from the moment all these are updated, firewall and router settings and passwords must be updated every six months in order to quell compliance concerns.
Cardholder data protection
Any data leaving your secure network and moving through open, public traffic obviously needs added protection. PCI compliance requires that this information be encrypted with proprietary cryptographic methods, so that you alone hold the key to deciphering the sensitive information. However, this only applies to certain types of information: cardholder authentication data such as PINs, CVVs, and security codes should never be stored at all -- encrypted or otherwise.
Implementation of strong access control measures
If the added security burden of storing cardholder data locally is unavoidable, increased levels of storage security must be met. Protocols will need to be created to specify exactly who has access to PCI information and under what circumstances. Once those decisions have been finalized, both physical and digital protection measures must be implemented to cover every single person in the organization. Passwords pertaining to data access for those who have been granted it should follow strict requirements and must be updated every 30 days. Physical protection measures such as server room keys and hands-on access to card scanners must be closely monitored by high-level staff to avoid tampering.
Vulnerability management program
In any industry, threats from cyberattacks evolve as quickly as the measures created to prevent them. As a PCI compliant organization, you will need to prove that your antivirus and data storage applications are regularly patched and updated. Whether it’s your managed services provider or a capable in-house staff, someone needs to keep a record of all previous updates and future check-ins.
Regularly monitored and tested networks
A prevention-only framework isn’t just overly optimistic, it’s dangerous. Users with access to sensitive information must have all their network actions tracked and logged in case of future security breaches. Even if someone accidentally violated protocol, these logs could clarify what went wrong and how to amend policies to avoid future problems. Logs of these actions need to be reviewed daily for any abnormalities. And although penetration and vulnerability tests are generally offered by IT service providers during the network setup process, PCI-compliant business owners will need to run these diagnostics at least four times a year to ensure the ongoing security of their hosted data.
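The two rules above, never persisting cardholder authentication data and reviewing logs daily for abnormalities, as an added example that is not part of the original post: a small checker that flags Luhn-valid card numbers leaked into log lines, masks them for the reviewer, and strips forbidden fields from a record before it is stored. The log lines, field names and test PAN are constructed for the example.

```python
from __future__ import annotations
import re

# Sensitive authentication data that must never be persisted after
# authorization, encrypted or not (field names assumed for this example).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in a line, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for display or review."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def check_record(record: dict) -> tuple[dict, list[str]]:
    """Drop forbidden fields before storage and report which were present."""
    bad = [k for k in record if k.lower() in FORBIDDEN_FIELDS]
    cleaned = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(cleaned["pan"])
    return cleaned, bad

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_LOGS = [
    "2024-01-05 10:02:11 order=1234 amount=19.99 status=approved",
    "2024-01-05 10:02:12 DEBUG raw request: pan=4111 1111 1111 1111 cvv=123",
    "2024-01-05 10:02:13 customer phone=5551234567",
]

def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, masked PANs) for every line that leaks a card number."""
    return [(n, [mask_pan(p) for p in find_pans(l)])
            for n, l in enumerate(lines, 1) if find_pans(l)]
```

A hit from scan_logs is exactly the kind of abnormality the daily log review is meant to catch: a debug statement writing raw card data where it must never be retained.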
Maintenance of an information security policy
Information security policies (ISP) are vital because they cover every type of stored information and access point. An effective ISP includes scenarios for every acceptable interaction between your business infrastructure and physical, as well as digital, copies of regulated data. More thorough and inclusive than access control measures, ISPs should outline what happens when a staff member or technology that is not usually part of secure data workflows interacts with PCI data, and what the procedure is for those requests. As dictated by PCI compliance standards, your company’s ISP must be reviewed at least once a year to make sure it is still viable.
Take note that there is a certain level of ambiguity within these standards. What we’ve provided here is guidance on what you should be achieving rather than a prescription of how you should get there. After consulting with a Managed Services Provider on the minutiae of day-to-day PCI compliance and the rest of the six “control objectives,” a Qualified Security Assessor will perform an audit to grade your individual compliance measures. From then on, merchants must complete an annual Self-Assessment Questionnaire to maintain compliance.
To describe PCI compliance as complex is a colossal understatement. Unlike typical data security procedures, these six control measures put you under the thumb of not one, but two powerful players: cyberattackers and credit card companies. At Onsite Computing, we bear that burden for you. We take a holistic approach to your security measures and go far beyond just PCI compliance to provide total protection. Call us today to learn more.