What does it mean for you?
On June 30, 2015, compliance with the latest Payment Card Industry Data Security Standard (PCI DSS) is mandatory. This is the first update to the standard since 2011 and was originally set to occur in January of this year, but was pushed back for six months to give companies sufficient time to implement the changes and routines necessary for compliance.
PCI DSS, commonly referred to as simply PCI, was implemented to enhance cardholder data security and establish a consistent data security standard throughout the globe. There are twelve requirements for PCI compliance, ranging from protecting and restricting access to stored cardholder data to maintaining information security policies. PCI also applies to everyone involved in transaction processing, including merchants, processors, issuers, service providers, acquirers, and anyone who handles sensitive cardholder or authentication data.
The goal of PCI, as outlined in the Payment Card Industry Data Security Standard V3.1, is to implement these security practices into business-as-usual (BAU) activities as part of an overall security strategy. In addition to monitoring ongoing security practices, responding to security failures as quickly and appropriately as possible is crucial to remaining PCI compliant.
The latest version of PCI — technically PCI 3.1 as per the PCI Security Standards Council — puts more emphasis on merchants securing their POS devices, likely a response to the massive surge of data breaches in 2014. New requirements include training employees to forbid any unauthorized individuals from tampering with POS machines, regularly inspecting terminals for changes, and immediately reporting any inconsistencies or irregularities.
Simple Steps to Improve Security in accordance with PCI 3.0
There are a number of things a merchant can do to ensure they’re compliant by the end of the month. The official guide to PCI 3.0 lists the necessary requirements in much greater detail, but here are a few things you can do to improve your security today.
Do not use vendor-supplied defaults for system passwords and other security parameters
The majority of default passwords, including “password”, “12345”, and “qwerty”, are set up during the installation or download phase of hardware or software. They are not intended for ongoing use, and the first thing any merchant should do is create their own secure password. When it comes to password strength, length is more important than complexity. A sixteen-character password that’s easy to remember will trump a more complex six-character one. If you are restricted by password length to eight or twelve characters, then it’s important to choose complexity. A password manager can also generate secure passwords for you and store them in an encrypted container or in the cloud.
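As an added illustration of the length-versus-complexity rule above (example code written for this page, not from the original post), the following Python estimates the brute-force search space of a password and applies the article's guidance: reject vendor defaults, prefer sixteen or more characters, and demand complexity only when the system caps password length. The default-password list is a small constructed sample, not an authoritative source.

```python
import math
import string
from typing import Optional, Tuple

# Constructed sample of installer/vendor defaults and common passwords (illustrative only).
COMMON_DEFAULTS = {"password", "12345", "123456", "qwerty", "admin", "default"}


def search_space_bits(password: str) -> float:
    """Rough brute-force search space in bits, from length and the character
    classes actually present. Ignores dictionary structure, so it is an upper bound."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        pool += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)       # 32
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def evaluate_password(password: str, max_length: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the article's rules. max_length is the system's cap, if any (e.g. 8 or 12)."""
    if password.lower() in COMMON_DEFAULTS:
        return False, "vendor default or common password; change it before use"
    if max_length is None or max_length >= 16:
        # Uncapped system: length wins, a memorable 16+ character passphrase is enough.
        if len(password) >= 16:
            return True, "long passphrase accepted"
        return False, "shorter than 16 characters; use a longer passphrase"
    # Length-capped system: use the full allowance and at least 3 of 4 character classes.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if len(password) >= max_length and classes >= 3:
        return True, "complex password at the system's maximum length"
    return False, f"length-capped system: use all {max_length} characters and 3 of 4 character classes"
```

Running `search_space_bits` on a 16-letter lowercase passphrase versus a 6-character mixed password shows the former's search space is roughly 35 bits larger, which is the article's point in numbers.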
Protect all systems against malware and regularly update anti-virus programs
This is an important step that can be implemented in an afternoon. Protect every system that holds sensitive information by keeping your antivirus up to date, running an anti-malware scan, and educating your employees on safe internet usage. You may need to restrict administrative privileges on employee workstations so that staff cannot download or install software, or you may simply need to whitelist just the sites that are relevant to work, blocking social media and other personal websites. A variety of free security tools can be found online with a simple search.
Restrict access to cardholder information
Restricting access to sensitive information physically and electronically is important. This doesn’t just mean allowing certain employees to access a computer network or enter a data room; it also means ensuring that you, yourself, do not allow sensitive cardholder information to be stored out in the open. If you accept credit card orders over the phone, train employees to shred any information written down once the transaction is complete. If you need to store it, keep it in a locked room, or better yet, in a locked safe or security container.
Maintain a security policy
This last step is critical and perhaps the most important. You may have the most secure system in place, but if employees are not trained on proper security protocols, you could be vulnerable to a very costly data breach. Regularly educating both yourself and your employees on the latest security policies will ensure that you are as prepared as possible against the ever-evolving threat of data theft. Following security blogs or subscribing to data security newsletters are great ways to stay informed.
While this overview and security guide are not intended to serve as a comprehensive examination of PCI, implementing the steps above and familiarizing yourself with the rules and regulations of the industry will bring you one step closer to being fully compliant with the standard.
The best method, in addition to reading the guide linked below, is to get in touch with your merchant services provider or independent sales office (ISO) and inquire about PCI compliance. If you are a client of Advanced Merchant Group or would like to learn how AMG helps merchants become PCI compliant, you may call us at 877.997.9473 or contact us through our support page.
For further reading:
Stay up-to-date with the latest PCI news and information.
This PDF guide is available directly from PCI Security Standards Council, LLC, and is a very comprehensive overview of what PCI DSS requires.