PCI Compliance Checklist: What to Include
Are you ready to complete your PCI compliance checklist? Here are a few things you may want to look over.
PCI Compliance Guidelines
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies intended to improve the security of credit, debit, and cash card transactions. Its purpose is to protect cardholders against the misuse of personal information that could lead to identity theft.
The PCI compliance guidelines help you achieve PCI DSS compliance as required by the four major credit card companies: American Express, Discover, MasterCard, and Visa.
PCI Compliance Check: Requirements
To meet the PCI compliance checklist requirements needed for PCI DSS certification, work through these six steps:
Build and Maintain a Secure Network
Building and maintaining a secure network is harder than it sounds, because there are many skilled attackers out there. You need to build a network without gaps and then test the firewall regularly. Keeping your network private is fairly easy, but you should also test how hard it actually is to penetrate. Make sure to anticipate any problems you may encounter if you change hosting, servers, or methods.
The next step is to make sure that every password, on every part of your system, has been changed from the vendor default (which is often shared by everyone who uses that vendor's products) to a stronger, unique password. Even more importantly, rotate those passwords regularly so that any intrusion you have not yet detected does not keep access to your (or your clients') data for long.
Protect Cardholder Data
The next step is protecting all stored data, if you store credit card data in the first place. Some companies and organizations don't, because they have no real need to, and storing it costs them time and money. For companies that do not regularly charge the same cards, not storing the data is the better decision because it avoids the possibility of a breach altogether. These companies are also less likely to be targeted by those who try to steal identities or credit card information.
If it is in your better business interests to store credit card and transaction data, a PCI compliance check requires several layers of protection and a secure and trusted data protection model – one that has both virtual and physical security in place, just in case. The physical protection will vary by business.
Another way to protect cardholder data, and to cross off everything on the PCI compliance checklist, is to encrypt cardholder data while it is transmitted across networks, including any open and public networks. Encryption makes the data unreadable to attackers and unusable to anyone who manages to intercept it. While this alone is not foolproof, as part of a well-designed system it works well.
Start a Vulnerability Management Program
While in some cases this is not necessarily part of the PCI compliance checklist before a PCI audit, it is one of the chief recommendations afterward. You must use and regularly update your anti-virus software. Regularly updating this software helps defend your data against new malware variants and other changes that can appear within your system; even the most minor change can cause a security problem somewhere else. Just as importantly, this helps your IT team and data supervisors keep track of PCI audits and of any changes to the PCI compliance checklist.
No matter what, keeping your security systems up to date and on task at all times will be the key toward PCI compliance and will always be one of the top items on any PCI compliance checklist.
Implement Strict Access Control Measures
Another important item on the PCI compliance checklist is to ensure you know who interacts with your data, why they interact with it, and how they interact with it. Every person with access to transaction information should have their own unique ID (with a unique password that does not follow any pattern) that you can instantly trace back to that individual. These accounts must follow all of the PCI best practices, which are the same best practices you will see in any password program: password encryption, authorization, authentication, password updates every 30 days, log-in time limits, and more.
Your company must track and monitor all access to any network resources and cardholder data, including incidental access and access rights that are granted but never exercised.
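As an added illustration (not code from the original article), the following script audits a constructed account inventory and a constructed access log against the two rules above: one named individual per ID with passwords rotated within 30 days, and every access to cardholder data traceable to a known, unique ID. The account list, log lines, resource names and the 30-day threshold are all assumptions for the example.

```python
from datetime import date, timedelta

# Constructed account inventory (hypothetical): user ID -> (named owner, date password last set).
ACCOUNTS = {
    "jdoe": ("Jane Doe", date(2024, 5, 20)),
    "rroe": ("Richard Roe", date(2024, 6, 10)),
    "posteam": ("POS team", date(2024, 2, 1)),  # one ID used by several people
}
SHARED_IDS = {"posteam"}  # IDs known to be shared by more than one individual
# Constructed access log, one event per line: "<timestamp> <user> <action> <resource>".
LOG = """\
2024-06-12T09:01:00 jdoe READ cardholder_db
2024-06-12T09:05:00 posteam READ cardholder_db
2024-06-12T09:07:00 ghost READ cardholder_db
2024-06-12T09:10:00 rroe READ inventory_db
"""
CARDHOLDER_RESOURCES = {"cardholder_db"}
MAX_PASSWORD_AGE = timedelta(days=30)  # the 30-day rotation interval from the text
AUDIT_DATE = date(2024, 6, 12)

def audit_accounts(accounts, shared_ids, today):
    """Flag IDs that break the one-person-per-ID or 30-day password rotation rules."""
    findings = []
    for uid, (_owner, last_set) in accounts.items():
        if uid in shared_ids:
            findings.append((uid, "shared ID cannot be traced to one individual"))
        if today - last_set > MAX_PASSWORD_AGE:
            findings.append((uid, f"password older than {MAX_PASSWORD_AGE.days} days"))
    return findings

def audit_access_log(log, accounts, shared_ids, sensitive):
    """Flag cardholder-data access events not traceable to a known, unique individual."""
    findings = []
    for line in log.splitlines():
        ts, uid, _action, resource = line.split()
        if resource not in sensitive:
            continue  # only cardholder-data resources are in scope for this check
        if uid not in accounts:
            findings.append((ts, uid, "unknown ID accessed cardholder data"))
        elif uid in shared_ids:
            findings.append((ts, uid, "shared ID accessed cardholder data"))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, SHARED_IDS, AUDIT_DATE):
        print("account:", *finding)
    for finding in audit_access_log(LOG, ACCOUNTS, SHARED_IDS, CARDHOLDER_RESOURCES):
        print("access:", *finding)
```

In a real environment the inventory would come from your directory and the events from your central log store; the checks stay the same.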
Maintain an Information Security Policy
Your information security policy should be extremely thorough and cover all of the bases, including all uses of technology, review procedures, and the processes for analysis, audits, and other administrative tasks.
PCI Compliance Solutions
Once you have worked through the checklist above and confirmed that your organization meets the requirements, you can move on to the next step, which is likely PCI DSS certification. This certification comes through the banks, but usually involves an auditor reviewing your system on a semi-regular basis. Work with Cast to audit your software and procedures and ensure you meet all of the requirements.
Just as importantly, this helps with network scans: checking your systems for existing vulnerabilities, running regular scans between audits, identifying new problems as they appear, and giving yourself more time to adjust to changes in the PCI compliance checklist.