PCI Compliance. Security information you need to know.

PCI Compliance

All credit card processing companies require small businesses to be PCI compliant (Payment Card Industry compliance). These industry-standard guidelines address the security of the payment system as a whole and set out data security protocols.

For most small businesses that process only a handful of credit card payments, whether daily or weekly, certain technical and operational controls must be implemented to make the organization compliant. Nowadays, many small businesses accept credit cards as a form of payment, and unlike many retailers that have a credit card machine, the majority of service-oriented small businesses run the card through an online portal only.

Below, you will find that many of the required provisions fall under the regular IT security measures that are implemented to protect your data against cybercriminals. These measures and controls are also necessary for safe computing even if you do not process any credit cards in your office.

These PCI Compliance requirements are based on the following processes:

  • Securing your network:
    • Controlling internet traffic. This includes using a reputable firewall to inspect data packets entering or leaving your network.
    • Closing open ports on your firewall that are not needed, and keeping your network and workstations secure.
    • Having commercial-grade anti-virus and anti-malware software installed on your network and workstations.
  • Protecting cardholder data:
    • Not storing clients’ information on your device or network unless it is encrypted.
    • Allowing only authorized people to access clients’ information.
    • Transmitting data securely. This includes securing your wireless network and keeping the number of devices that transmit customer data, and access to them, to a minimum.
  • Vulnerability management:
    • Maintaining patch management: regularly updating the operating system and all third-party applications on every node in your network.
    • Having only appropriate applications on the device that performs credit card transactions.
    • Using the latest antivirus software, updated regularly. This also applies to the credit card processing program, which should use appropriate Secure Sockets Layer (SSL/TLS) encryption.
  • Access control:
    • Implementing a password policy.
    • Enabling multi-factor authentication for email and online applications.
    • Keeping the devices that handle credit card processing in a safe and secure environment. This could mean locks and limiting physical access for non-authorized staff.
    • Not allowing any removable media, such as USB drives, to be brought onto the premises.
  • Testing your network:
    • Collecting and monitoring logs. Logs need to be examined for any alerts and warnings.
    • Performing regular vulnerability scanning, intrusion detection, and prevention. These tests must be performed at least once a year to meet the PCI requirements.
  • Information security policy:
    • Maintaining an information security policy. This requires policy and procedure documentation as well as a risk assessment.
    • Implementing employee awareness training, so that employees know how to avoid becoming cybercrime victims, keep client information safe, and stay in compliance with the PCI requirements.
    • Employing an incident response plan that states what to do and whom to inform in case of a breach.

Additional tips:

Refer to the PCI Security Standards Council for further information. Their website is: www.pcisecuritystandards.org

You can also use alternative payment options, such as PayPal, to accept credit cards. This way, the client is given a link to the payment site and pays directly, so you never need to handle their credit card information.

CEO Computers can assist you with all the above steps. We are here to help and can be reached at 818-501-2281.
