Every business, whether it takes one card payment a year or a billion, faces the daunting prospect of PCI-DSS compliance. Everyone from the local butcher to Boots is held to the same set of requirements, despite the wildly different IT infrastructures the two will have; what changes with transaction volume is only how you have to prove it, from a self-assessment questionnaire at the small end to an annual on-site assessment at the large one.
What does the complexity of your IT infrastructure have to do with PCI-DSS compliance, though? Well, in today’s online world, the answer is: a lot! Here we’ll have a quick look at how you can be sure your IT infrastructure isn’t leaving your business open to security breaches or unwelcome fines, whatever the size of your network.
What is PCI-DSS compliance and what does it mean?
The Payment Card Industry Data Security Standard (PCI-DSS) was first published in 2004 by the major card brands and is now maintained by the PCI Security Standards Council. It sets a baseline of security controls for anyone who stores, processes or transmits cardholder data. The motivation is straightforward: when card data leaks, fraudulent transactions follow, and the losses from those land on the issuing banks, the acquiring banks and ultimately the merchants, so a lapse anywhere in the chain costs every member of it.
Responsibility for meeting the PCI-DSS standards falls on merchants, who can be fined substantial amounts by their acquirer if they fail to meet them. Ultimately, PCI-DSS is all about protecting the sensitive cardholder information that gets processed when a cardholder makes a transaction with your business. If you process any payments over the internet, keep any record of customer payments on a computer, or even take card payments over the phone, then every system that stores, processes or transmits that data, and every system connected to those, is in scope for PCI DSS. Keeping that scope small, for example by never letting card data touch your general office network, is the single most effective way to make compliance manageable.
Do I have to be PCI-DSS compliant?
Yes: if your business accepts card payments at all, you must comply, and your acquiring bank will ask you to demonstrate it. Thankfully, the standard is organised into 12 requirements that spell out what is expected. In this article we'll take a closer look at six areas drawn from them to help you make sure your business network is secure.
As always with PCI DSS, it is important to remember that, even if you use a third-party security company, PCI DSS is ultimately your responsibility. It’s always a good idea to have a practical understanding of what constitutes PCI DSS security, and what myths have formed around it, so you don’t receive any unwelcome surprises.
1. Install and maintain a firewall configuration to protect data
Firewalls let you see and restrict how your private network talks to the outside world. However well run your own network is, every connection to an outside one, whether that is visiting a website or receiving a file, exposes you to whatever is on the other end. Internet-facing systems in scope must also pass quarterly external vulnerability scans by an Approved Scanning Vendor; a failed scan means you are not compliant, and your acquirer can fine you for that.
PCI DSS requires you to restrict traffic between untrusted networks and any system that handles cardholder data to what is strictly necessary, inbound and outbound, with everything else denied by default. Setting up a firewall with a default-deny policy, documenting the business reason for every rule that opens a port, and reviewing those rules at least every six months is how you demonstrate this.
2. Do not use vendor-supplied defaults for passwords or other security parameters
Poor password hygiene is an easy way to expose your business to security threats and break PCI DSS compliance, as the government recently found out. The requirement has two parts. First, change every vendor-supplied default before a device or system goes live: the factory admin password on routers, switches, point-of-sale terminals and wireless access points, default SNMP community strings, and any default accounts you do not need, which should be removed. Second, set a company-wide password policy and enforce it everywhere. Length matters more than forced symbol-swapping: 'h4pPy_b1RTHd4y' is just 'happy birthday' with a few substitutions that cracking tools try first, so prefer long passphrases or random passwords generated and stored by a password manager such as 1Password, and require multi-factor authentication for any administrative access to the systems that handle card data.
Remember: PCI compliance is not a one-off certification. Passing an assessment does not make you secure for the next 365 days, so the policy has to be enforced continuously, not just on the day the assessor visits.
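As an added example (not code from the original article), here is a small audit script for the two halves of this requirement: it flags devices whose credentials are still on a known factory default list, and applies a password policy that undoes leet-speak substitutions before looking for dictionary words, so that the 'h4pPy_b1RTHd4y' style of password is caught. The default-credential list, the weak-word list, the hostnames and the passwords in the sample inventory are all constructed for the illustration.

```python
"""Flag vendor-default credentials and weak passwords in a device inventory.

Added example for this article, not code from the original page. The default
credential list, the weak-word list and the sample inventory are constructed
for the illustration and are not a real device database.
"""
import re

# Constructed, illustrative list of factory defaults; a real check uses a far longer one.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("cisco", "cisco"), ("ubnt", "ubnt"),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Leet substitutions, so that "h4pPy_b1RTHd4y" is judged as "happy birthday".
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})
# Constructed short list standing in for a breached-password / dictionary check.
WEAK_WORDS = ("password", "happy", "birthday", "welcome", "letmein", "qwerty", "abcd")
SEQUENCES = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)")


def password_problems(password: str, min_length: int = 12) -> list[str]:
    """Return the policy violations for one password (an empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Lower-case, undo leet substitutions, drop punctuation, then look for dictionary words.
    normalised = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for word in WEAK_WORDS:
        if word in normalised:
            problems.append(f"contains dictionary word '{word}' after leet normalisation")
    if SEQUENCES.search(password.lower()):
        problems.append("contains a keyboard or numeric sequence")
    return problems


def audit_inventory(inventory: list[dict]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for every credential that breaks requirement 2."""
    findings = []
    for item in inventory:
        host = item["host"]
        if (item["user"], item["password"]) in KNOWN_DEFAULTS:
            findings.append((host, "vendor default credentials still in use"))
        else:
            for problem in password_problems(item["password"]):
                findings.append((host, problem))
        if item.get("snmp_community") in DEFAULT_SNMP_COMMUNITIES:
            findings.append((host, f"default SNMP community '{item['snmp_community']}'"))
    return findings


# Constructed sample inventory: hostnames and credentials are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "pos-switch-1", "user": "admin", "password": "admin", "snmp_community": "public"},
    {"host": "office-router", "user": "ops", "password": "h4pPy_b1RTHd4y"},
    {"host": "cde-firewall", "user": "ops", "password": "Vn7#kq2Lp9!wRz4e", "snmp_community": "r0-mon-4e9c"},
]

if __name__ == "__main__":
    for host, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run as-is it reports the switch for both its default login and its default SNMP community, and the router for the two dictionary words hiding inside the leet-speak password; the firewall, with a random 16-character password and a non-default community string, produces no findings.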
3. Protect stored data
It is important to remember that some card data can be stored without breaking PCI DSS compliance, so long as it is protected, while some absolutely cannot. Sensitive authentication data, meaning the full contents of the magnetic stripe or chip (track data), the card verification code printed on the card (CVV2/CVC2/CID), and the PIN or PIN block, can never be stored after a transaction has been authorised, not even encrypted. This means no email should ever mention a customer's authentication data: an email sits in mailboxes, backups and mail server logs, all of which count as storage. To ease repeat transactions and record keeping, cardholder data including the account number (PAN), cardholder name, expiry date and service code can be stored if protected.
So what counts as protection? The PAN must be rendered unreadable anywhere it is stored, by truncating it, replacing it with a token, hashing it with a strong keyed hash, or encrypting it with a properly managed key, and it must be masked wherever it is displayed, showing at most the first six and last four digits. The other precautions in this post then protect the systems that hold it. It is good practice to store cardholder data only when it is legally or commercially required, and to purge it on a fixed retention schedule, so there is less to protect and less scope for oversights.
If your business takes payment details over the phone, the safest design is one where those details never reach your agents, their desktops or your call recordings: the call is handed to a dedicated telephone payment platform, or the customer keys the card number on the phone keypad while the tones are masked from the agent, and the platform passes the details straight to the payment processor. You never receive the vulnerable data, so those desks and recordings stay out of scope, and the customer is assured that the card details are going only to the payment provider.
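As an added example for the two paragraphs on stored data above (not code from the original article), the script below does the three things a practitioner actually needs: it finds card data that has crept into records such as logs, tickets or exported emails, distinguishing real PANs from order numbers with the Luhn check; it deletes sensitive authentication data (track data and verification codes) outright; and it masks the PANs that may remain to the first six and last four digits, with a keyed hash shown as the way to keep a lookup key without storing the number. The sample records are constructed, the card numbers in them are the public test numbers, and the lookup key is a placeholder.

```python
"""Find, delete or mask the card data that requirement 3 is about.

Added example, not code from the original page. The sample records, the
lookup key and the patterns are constructed for the illustration; a real
deployment would tune the patterns to its own record formats.
"""
import hashlib
import hmac
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track data: sensitive authentication data, never storable after authorisation.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]*\^[^?]*\??")   # %B<PAN>^<NAME>^<expiry+discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=[^?]*\??")              # ;<PAN>=<expiry+discretionary>?
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates real PANs from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by the standard: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash for finding a card again without storing the PAN. An unkeyed hash is
    not enough: with the six-digit BIN known, the remaining digits are cheap to brute-force."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scan_record(text: str) -> dict:
    """Report what must be deleted (sensitive authentication data) and what must be masked (PANs)."""
    sad = [m.group(0) for pattern in (TRACK1_RE, TRACK2_RE, CVV_RE) for m in pattern.finditer(text)]
    pans = [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    return {"sensitive_auth_data": sad, "pans": pans}


def redact(text: str) -> str:
    """Remove sensitive authentication data outright, then mask any remaining PANs."""
    text = TRACK1_RE.sub("[TRACK1 REMOVED]", text)
    text = TRACK2_RE.sub("[TRACK2 REMOVED]", text)
    text = CVV_RE.sub("[CVV REMOVED]", text)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0),
        text,
    )


# Constructed sample records: the card numbers are the public test PANs, everything else is made up.
SAMPLE_RECORDS = [
    "2024-05-03 order 1234567890123456 paid with 4111 1111 1111 1111 exp 12/25",
    "agent note: customer read CVV2: 123 and card 5555555555554444",
    "swipe dump: %B378282246310005^DOE/JANE^2512101...?;378282246310005=2512101...?",
]
LOOKUP_KEY = b"constructed-demo-key-keep-real-keys-in-an-hsm"   # placeholder, not a real key

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(scan_record(record))
        print(redact(record))
    print(pan_token("4111 1111 1111 1111", LOOKUP_KEY))
```

Note the order in `redact`: track data and verification codes are deleted before PANs are masked, because a masked track record would still be a stored track record. The 16-digit order number in the first record is left alone because it fails the Luhn check, which is what keeps a scanner like this from drowning you in false positives on timestamps and invoice numbers.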
4. Encrypt cardholder data when it is sent across public networks
If your customers pay for any services via your website, any sensitive data they send you must be encrypted in transit. That means a TLS certificate from a trusted certificate authority, TLS 1.2 or later only (SSL of any version and early TLS are no longer accepted by the standard), and the same discipline for every other path card data takes across a public network, whether that is IPsec between sites or SSH to a server. Third-party payment processors, and in particular hosted payment pages that keep the card number off your servers altogether, are the easiest way to meet this requirement.
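As an added example (not code from the original article), here is the client-side TLS configuration that meets this requirement put beside the one that does not, plus a small probe that reports what a live endpoint actually negotiates. Python's `ssl` module is used because its defaults make the contrast easy to see; the hostname in the probe is a placeholder, not a real payment gateway.

```python
"""Client TLS settings for sending cardholder data across a public network.

Added example, not code from the original page. It puts the configuration
that meets the requirement beside the one that does not, and includes a
probe for a live endpoint; the default hostname it connects to is a placeholder.
"""
import socket
import ssl
import sys

# SSL (all versions) and "early TLS" (1.0 and 1.1) are no longer accepted by PCI DSS.
ACCEPTABLE_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()              # system CA bundle, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # explicit, so older interpreters cannot fall back
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common mistake: certificate checking switched off 'to make it work'. Any machine
    on the path can now impersonate the payment gateway and read the card data in clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """The three settings an assessor will ask about, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def version_acceptable(negotiated: str) -> bool:
    """Classify the protocol string that ssl.SSLSocket.version() returns."""
    return negotiated in ACCEPTABLE_VERSIONS


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str, bool]:
    """Connect with the hardened context and report (protocol, cipher suite, acceptable)."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher = tls.cipher()[0]
    return version, cipher, version_acceptable(version)


if __name__ == "__main__":
    # "payments.example.com" is a placeholder; pass your own gateway hostname on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "payments.example.com"
    print(describe_context(hardened_client_context()))
    print(describe_context(weak_client_context()))
    print(probe(host))
```

Because the probe uses the hardened context, it fails outright against a gateway that only offers TLS 1.0 or presents an untrusted certificate, which is exactly the behaviour you want from the code that sends card data, rather than a warning you can ignore.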
5. Make sure data can only be accessed on a strictly need-to-know basis
It is important that data can only be accessed by those in your organisation who absolutely need access to it for their job. On top of that, your network needs to track and log who accessed which data, when, and from where. There are some simple ways your IT infrastructure can help you demonstrate this for PCI DSS compliance:
- Assign a unique ID to each person with computer access.
- Track and monitor all access to network resources and cardholder data.
- Restrict physical access to cardholder data.
All these are the responsibility of your IT infrastructure, including restricting physical access: any servers that process cardholder information, encrypted or not, need to be securely located and accessible only by those who require access.
6. Don't forget about the cloud!
As cloud services become increasingly commonplace, the PCI Security Standards Council's cloud guidance stresses that you need to understand how the cloud can put cardholder data at risk. Put simply, companies are often unaware of who controls the data stored in the cloud and how to restrict what ends up there: a stray Word document on one computer that includes cardholder information can be synced automatically and shared with everyone inside your network.
To ensure PCI-DSS compliance, you, your cloud service provider and your PCI-DSS assessor all need to be able to state exactly how your cloud storage is arranged and which party is responsible for each requirement. The guidance describes three service models, each with a different split of control between you and the provider:
- Software-as-a-Service (SaaS) which gives your IT network very limited control over the specific configuration of the cloud.
- Platform-as-a-Service (PaaS) which gives your company some control over the configuration of the cloud.
- Infrastructure-as-a-Service (IaaS) which gives your company full control over operating systems, storage, applications, and components like firewalls operating across your cloud storage.
While SaaS saves your company from spending resources maintaining the platform, it also means you cannot verify its configuration yourself: you are relying on the provider's own PCI-DSS attestation of compliance and on a written responsibility matrix that says which requirements they cover and which remain yours. If you are dealing with cardholder data and a provider cannot give you both of those, aim for PaaS, or IaaS if the extra effort is affordable, so that you can show assessors and customers exactly what is happening with their information.
Immervox can help you maintain all aspects of your IT infrastructure, making sure you know you are PCI DSS compliant. If you want to learn more about how to simply take control of your IT infrastructure, and be sure what’s being kept in your company’s cloud storage, get in touch.