Leading the industry with its comprehensive PCI compliance initiative, BHI SecureConnect has developed action steps that can be applied to any franchise business that processes credit cards.
We specialize in implementing customized PCI compliance solutions that ensure strong network security throughout organizations. As security breaches continue to threaten businesses of all sizes, business owners should be as concerned with information security as they are with market security.
Listen to this valuable webinar on PCI compliance if you're interested in learning more about action steps for compliance, security best practices, and the importance of applying them to your organization.
Topics covered include:
Security Breach Overview
Terms to know
What is the PCI DSS and how it affects your business
What is the difference between a router and a firewall?
A firewall is a device (a hardware appliance, or software running on a host) that sits between your network (including your back office computer, POS terminals, etc.) and the Internet. It is often confused with a router or a modem.
Firewalls control which traffic is allowed into and out of an organization’s network, and into sensitive areas within its internal network. PCI DSS Requirement 1 expects the firewall configuration to, at a minimum:
Deny all traffic from untrusted networks and hosts, except for the protocols necessary for the cardholder data environment
Prohibit direct public access between the Internet and any system component in the cardholder data environment
Routers are hardware or software that connect two or more networks. A router forwards traffic between those networks; on its own it does not decide what traffic may pass, so it is not a substitute for a firewall unless it has been configured with filtering rules that enforce the two points above.
What types of data can’t be stored?
According to PCI DSS Requirement 3, if there is a legitimate reason to store cardholder data, a merchant can do so, however only certain items may be stored (and must be stored in a secure manner). Here are the “don’ts” of data storage:
Never store any track data (referred to as full track, track, track 1, track 2, or magnetic stripe data)
Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).
Never store the personal identification number (PIN) or PIN Block
If required for business purposes, the cardholder’s name, Primary Account Number (PAN), expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements. In particular, a stored PAN must be rendered unreadable (for example by truncation, strong one-way hashing, or strong encryption with managed keys, per Requirement 3.4), and when displayed it must be masked so that no more than the first six and last four digits are visible (Requirement 3.3). The three “don’ts” above apply even if the data would be encrypted: track data, card-validation codes and PINs may not be kept after authorization in any form.
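As an added example (not code from the original page or from BHI SecureConnect), the following Python script applies these storage rules to a constructed authorization record before it is written to back-office storage: it drops the forbidden fields, truncates the PAN to its last four digits, and scans every remaining free-text field for track data and Luhn-valid card numbers, so that a PAN typed into a notes field is masked rather than stored. The field names, the sample record and the `[PAN ****1111]` marker are assumptions made for the example; 4111 1111 1111 1111 is a well-known public test number, not a real card.

```python
from __future__ import annotations

import re
from typing import Any

# Field names (constructed for this example) that carry sensitive authentication data.
# PCI DSS Requirement 3.2: never store these after authorization, even encrypted.
FORBIDDEN_FIELDS = {
    "track1", "track2", "track_data", "magstripe",   # full track / magnetic stripe data
    "cvv", "cvv2", "cvc", "cvc2", "cid",             # card validation code or value
    "pin", "pin_block",                              # PIN or PIN block
}

# Track 1 ('%B<PAN>^NAME^...?') and track 2 (';<PAN>=...?') as produced by a magnetic-stripe read.
TRACK_RE = re.compile(r"%B\d{12,19}\^[^^?]*\^[^?]*\??|;\d{12,19}=\d+\??")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; keeps order numbers and timestamps out of the PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_if_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return f"[PAN ****{digits[-4:]}]"
    return match.group(0)          # digit run that is not a card number: leave it alone


def redact_sensitive(text: str) -> str:
    """Remove track data and mask any Luhn-valid PAN found in free text (notes, logs, receipts)."""
    text = TRACK_RE.sub("[TRACK DATA REMOVED]", text)
    return PAN_CANDIDATE_RE.sub(_mask_if_pan, text)


def scrub_for_storage(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (storable_record, dropped_field_names).

    Forbidden fields are dropped outright.  The PAN is truncated to its last four digits
    (one of the Requirement 3.4 methods); keeping the full PAN would instead need strong
    encryption with managed keys, which is outside this example.  Every remaining string
    is scanned so that a PAN pasted into a note field does not leak into storage.
    """
    stored: dict[str, Any] = {}
    dropped: list[str] = []
    for key, value in record.items():
        name = key.lower()
        if name in FORBIDDEN_FIELDS:
            dropped.append(key)
            continue
        if name == "pan":
            digits = re.sub(r"[ -]", "", str(value))
            if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                raise ValueError("pan field does not contain a valid PAN")
            stored["pan_last4"] = digits[-4:]
            continue
        stored[key] = redact_sensitive(value) if isinstance(value, str) else value
    return stored, sorted(dropped)


# Constructed authorization record as a POS might hand it to the back office;
# 4111 1111 1111 1111 is a public test PAN and every other value is made up.
SAMPLE_AUTH_RECORD = {
    "merchant_ref": "TXN-0001",
    "amount": "42.17",
    "cardholder_name": "JANE DOE",
    "pan": "4111 1111 1111 1111",
    "expiry": "2712",
    "service_code": "201",
    "cvv2": "123",
    "track2": ";4111111111111111=27122011000012345?",
    "pin_block": "1A2B3C4D5E6F7A8B",
    "notes": "Customer called back, card 4111-1111-1111-1111 declined first; retry ok",
}

if __name__ == "__main__":
    kept, removed = scrub_for_storage(SAMPLE_AUTH_RECORD)
    print("dropped:", removed)
    for k, v in kept.items():
        print(f"{k}: {v}")
```

The Luhn gate matters in practice: a 16-digit order number or timestamp in a notes field passes the regex but fails the check digit and is left untouched, while a real PAN with spaces or dashes is still caught. Run the scrubber on the record as close to the POS as possible, before anything is written to a database, a spreadsheet or a log file.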
How do we complete the required information the credit card processor requests to prove we are PCI compliant?
The Self-Assessment Questionnaire (SAQ) is a validation tool published by the PCI Security Standards Council (PCI SSC) to help merchants and service providers evaluate their own compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are several versions of the SAQ, each matching a different payment processing scenario (for example, whether card data is only ever entered on a third party’s hosted payment page or is handled by your own POS systems), so the first step is to pick the one that matches how you accept cards.
The SAQ is for merchants and service providers that are not required to undergo an on-site data security assessment; which SAQ applies, and whether you may self-assess at all, depends on your merchant level and on what your acquirer or payment brand requires. Your acquiring bank (credit card processor) can confirm, but typically level 2, 3, and 4 merchants complete a PCI Self-Assessment Questionnaire, along with its Attestation of Compliance, on an annual basis.
You can access the SAQ resources on our website in the PCI Compliance Resources section under the PCI DSS Self-Assessment Questionnaire Resources heading. Otherwise you can visit the PCI Security Standards Council website.
What is logging?
Logging is the process of capturing, assembling, retaining and reviewing critical system events. The ability to track user activities is critical for effective forensics and vulnerability management when something goes wrong; determining the cause of a security breach is very difficult without system activity logs. Within the restaurant environment, systems like your back office computer and POS terminals must produce logs if they are part of the payment environment. As laid out in PCI DSS Requirement 10.3, at a minimum each audit log entry must record the following items:
User identification
Type of event
Date and time
Success or failure indication
Origination of event
Identity or name of affected data, system component or resource
Requirement 10 also expects those logs to be reviewed at least daily (10.6), protected from tampering, and retained for at least one year with the most recent three months immediately available for analysis (10.7).
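The following Python check, added here as an example and not taken from the page or from any vendor product, reads a constructed JSON-lines audit log of the kind a back office PC or POS terminal might emit and reports every entry that lacks one of the Requirement 10.3 items, has an ambiguous timestamp, or is not a structured record at all; it also pulls out failed logins as the starting point for a daily review. The key names (`user`, `event`, `time`, `outcome`, `source`, `target`) and the sample lines are assumptions.

```python
from __future__ import annotations

import json
from datetime import datetime

# PCI DSS Requirement 10.3 audit-record contents, mapped to the key names used by this
# constructed JSON-lines log format (the key names are an assumption, not a PCI mandate).
REQUIRED_FIELDS = {
    "user identification": "user",
    "type of event": "event",
    "date and time": "time",
    "success or failure indication": "outcome",
    "origination of event": "source",
    "affected data, system component or resource": "target",
}


def _iso8601_ok(value: object) -> bool:
    """Accept only unambiguous timestamps: '2024-03-02T18:41:07Z' yes, 'yesterday' no."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def audit_log(raw: str) -> list[tuple[int, str]]:
    """Return (line_number, problem) for each entry that would fail a 10.3 review."""
    problems: list[tuple[int, str]] = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            problems.append((lineno, "not a structured entry"))
            continue
        missing = [label for label, key in REQUIRED_FIELDS.items() if not entry.get(key)]
        if missing:
            problems.append((lineno, "missing " + ", ".join(missing)))
            continue
        if not _iso8601_ok(entry["time"]):
            problems.append((lineno, "date and time is not ISO-8601"))
    return problems


def failed_logins(raw: str) -> list[tuple[str, str]]:
    """(source, user) for every failed login: where a daily log review should start."""
    hits: list[tuple[str, str]] = []
    for line in raw.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry.get("event") == "login" and entry.get("outcome") == "failure":
            hits.append((entry.get("source", "?"), entry.get("user", "?")))
    return hits


# Constructed sample: four entries from a back office PC and a POS terminal, plus one junk line.
SAMPLE_LOG = """\
{"time": "2024-03-02T18:41:07Z", "user": "manager1", "event": "login", "outcome": "success", "source": "10.10.2.15", "target": "backoffice-pc"}
{"time": "2024-03-02T18:42:30Z", "user": "pos-svc", "event": "file_read", "outcome": "success", "source": "pos-terminal-3", "target": "settlement.dat"}
{"time": "2024-03-02T18:45:12Z", "event": "login", "outcome": "failure", "source": "203.0.113.7", "target": "backoffice-pc"}
{"time": "yesterday evening", "user": "admin", "event": "config_change", "outcome": "success", "source": "10.10.2.15", "target": "firewall"}
pos3 rebooted
"""

if __name__ == "__main__":
    for lineno, problem in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {problem}")
    for source, user in failed_logins(SAMPLE_LOG):
        print(f"failed login from {source} as {user!r}")
```

Line 3 of the sample is the case that matters most: a failed login from an outside address with no user identification is exactly the record a forensic investigation would need and cannot use. Entries such as line 4, with a timestamp that cannot be ordered against other systems, are why Requirement 10 also expects synchronized clocks.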
What is multi-factor remote access?
PCI DSS Requirement 8.3 requires multi-factor authentication for all remote network access that originates from outside the network and reaches the environment that processes credit card transactions; two factors are the minimum, which is why this is still commonly called “two-factor” authentication. The user must present two independent means of identification: something they know, such as a username and password, plus a second factor such as a one-time code that is valid only for a short period, can be used only once, and is delivered out of band to the contact information on file (phone call, SMS text message, or e-mail) or generated by an authenticator app or hardware token. The factors must be independent, so that compromising the password alone does not also yield the code. Our remote access solution uses these methods to help keep your network PCI compliant.
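As an added illustration of the second factor described above (example code, not BHI SecureConnect’s remote access product), this Python module shows the server side of such a login: the password is checked first, then a short numeric code is issued for out-of-band delivery, and the code is accepted only if it is unexpired, has not already been used, and has not been guessed at more than a few times. The user record, the five-minute lifetime, the three-attempt limit and the delivery hook are assumptions; the transport (SMS or e-mail gateway) is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Callable

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after it is sent
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses invalidate the code

# Constructed user record: the first factor is a PBKDF2-hashed password.
_PBKDF2_ROUNDS = 200_000
_SALT = b"constructed-salt-per-user"
USERS = {
    "manager1": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _PBKDF2_ROUNDS),
        "sms": "+1-555-0100",   # delivery address on file (made up)
    }
}


def first_factor_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid usernames.
    expected = rec["pw_hash"] if rec else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(expected, candidate)


class OneTimeCodeStore:
    """Server-side record of codes sent out of band (SMS, e-mail, voice).

    Only a keyed hash of each code is kept, so reading the store does not reveal live codes;
    a code is valid for OTP_TTL_SECONDS, for MAX_ATTEMPTS guesses, and for exactly one success.
    """

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested without waiting
        self._pending: dict[str, tuple[bytes, float, int]] = {}   # user -> (digest, expires_at, attempts)

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` (replacing any earlier one) and return it for delivery."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = (self._digest(user, code), self._clock() + OTP_TTL_SECONDS, 0)
        return code

    def verify(self, user: str, code: str) -> bool:
        """Second-factor check; call only after first_factor_ok() has passed."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # expired or locked: user must request a new code
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]      # single use
            return True
        self._pending[user] = (digest, expires_at, attempts + 1)
        return False


def start_remote_login(store: OneTimeCodeStore, user: str, password: str) -> str | None:
    """Step 1: password check, then a code is issued for delivery to the contact on file.

    Returns the code so the caller can hand it to the SMS/e-mail gateway; a real deployment
    never returns it to the remote client.
    """
    if not first_factor_ok(user, password):
        return None
    code = store.issue(user)
    # send_sms(USERS[user]["sms"], code)   <- transport is outside this example
    return code


if __name__ == "__main__":
    store = OneTimeCodeStore(secrets.token_bytes(32))
    code = start_remote_login(store, "manager1", "correct horse battery")
    print("code sent to", USERS["manager1"]["sms"], "verified:", store.verify("manager1", code))
```

Two details carry most of the security: the store holds an HMAC of the code rather than the code itself, so a database read does not expose codes still in flight, and comparisons use `hmac.compare_digest` so timing does not reveal how many digits matched. A code sent to the same mailbox that the password protects is still two factors on paper but not independent ones, which is why SMS or a separate authenticator device is the usual choice.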
These guys work with you. Every time I’ve talked with anybody from SecureConnect, even if I don’t know what I’m talking about, they work with me and are very user friendly. I’ve had nothing but compliments and good things to say. It is the above and beyond that really makes a business.