This webinar, presented by BHI SecureConnect, discussed key steps in successfully implementing a PCI compliance initiative that meets PCI DSS requirements and ensures strong network security throughout an organization. In addition, proper procedures were identified for incorporating ongoing education and training on PCI compliance on a regular basis.
Listen to this valuable webinar on PCI compliance if you're interested in learning more about security best practices and the importance of applying them to your organization.
I don't have any devices on my network that hold or store credit card information, so I don't see any risk for my business.
Your organization processes and transmits payment cards, so you are responsible for ensuring security measures as required in the DSS. The risk for an organization using a standalone terminal is less, but not nonexistent. Just because it’s a terminal doesn’t mean it is impossible to hack. What you need to do is much less but there are still areas of the DSS that should be addressed (these include physical security requirements).
In determining what level my organization is, do we look at individual restaurant transactions or the company's total transactions from all locations?
Ultimately, your acquiring bank will determine what merchant level you are. There are often different caveats that an acquirer will look at depending on your organization’s structure. If you operate more than one concept and have several merchant IDs with an acquirer, they will most likely look at the overall company to determine a merchant level. Speak to your acquirer to find out which level’s requirements your organization must follow.
Are there any requirements for anti-virus coverage on systems?
Anti-virus has become somewhat outdated. The DSS defines anti-malware as protection against any spyware, Trojan, virus or worm that can infect your system. An estimated million new pieces of malware are produced a year. It is important to put in place a level of protection such as application whitelisting. This needs to be in every part of the payment environment that is commonly attacked (Linux, OSX, Windows). From a security standpoint, anti-malware should be on every workstation and server that you have. Look to a vendor to manage the process, or find a software base that allows centralized control to ensure ongoing protection. What the DSS requires is really the bare minimum when you look at how complex malware has become. What you should do for your organization is a couple of steps above those DSS requirements.
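As an added illustration of what application whitelisting catches (this is example code written for this page, not code from the webinar or from BHI SecureConnect), the script below audits a directory of executables against a SHA-256 allowlist. Commercial whitelisting products enforce the list at execution time; this script only performs the check an administrator might run by hand on a POS host. The file names, contents and the "attacker" modifications are all constructed in a temporary directory.

```python
"""Hash-based application allowlist audit (added example, not from the webinar).

Real allowlisting products enforce at execution time; this script only
checks a directory against an allowlist of approved SHA-256 digests, the way
an administrator might verify a POS host. All sample files are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_directory(directory: str, allowlist: dict) -> dict:
    """Classify every file in directory as 'allowed', 'modified' or 'unknown'.

    allowlist maps file name -> expected SHA-256 hex digest.
    'modified' means the name is approved but the content differs, which is
    how a trojaned binary written over the real one shows up; 'unknown' is a
    file with no allowlist entry at all (a dropped tool).
    """
    report = {"allowed": [], "modified": [], "unknown": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        if name not in allowlist:
            report["unknown"].append(name)
        elif allowlist[name] != digest:
            report["modified"].append(name)
        else:
            report["allowed"].append(name)
    return report


def demo() -> dict:
    """Build a constructed POS directory, tamper with it, and audit it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed "approved" binaries (hypothetical names and contents).
        approved = {"pos.exe": b"fake POS binary v1", "printer.dll": b"fake driver"}
        for name, content in approved.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        # The allowlist is taken from the known-good state.
        allowlist = {name: sha256_file(os.path.join(d, name)) for name in approved}
        # Simulate an attacker replacing pos.exe and dropping a new tool.
        with open(os.path.join(d, "pos.exe"), "wb") as f:
            f.write(b"fake POS binary with RAM scraper")
        with open(os.path.join(d, "svchost.exe"), "wb") as f:
            f.write(b"dropped tool")
        return audit_directory(d, allowlist)


if __name__ == "__main__":
    print(demo())
```

The point of keying the allowlist on content hash rather than file name is visible in the result: the replaced pos.exe keeps its approved name but is reported as modified, and the dropped svchost.exe is reported as unknown even though a real Windows host has a legitimate binary of that name elsewhere.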
What should we do with credit cards or debit cards that customers leave or forget at a store?
The key is having a clear policy/process in place. There should be an organizational standard that addresses exactly what the procedure is for any employee who finds a payment card (e.g., give it to the manager on duty or put it in a specified, protected location). The Information Security Policy should address this so all employees and managers are clear on the procedure. A customer’s trust is important to your business, so taking the proper steps to secure their information is vital.
In follow up to the last question, should we destroy the card?
It is probably not best to destroy the card immediately, but it is a good idea to call the issuing bank to determine the best course of action. As an executive in your organization, you need to have a clearly written policy and be consistent with that policy. Follow-through must be achieved every time. In addition, you should definitely have a designated location to secure the card. Take the best possible precautions.
How do I know if my system will accept SecureConnect?
SecureConnect is a suite of services that starts with a managed firewall, private VPN and additional offerings. All of the services can be implemented within one store location or 10,000 store locations. SecureConnect is agnostic to vendors and implementations of technology which allows us to meet the needs of any merchant. We have not yet found a situation that we haven’t been able to work with. Every implementation has a project manager that oversees the process and leads discovery. Everything is done in a customized approach to ensure the best integration into your retail environment.
If we are using a company (e.g., WAND, RDS) for our Point of Sale (POS) system, what is the process from there?
The merchant is responsible for every aspect of compliance. You need to have documentation in place that describes which vendors you use and what you use them for. In the case of a breach of something outsourced, you are still responsible. Just like anything else that happens in your organization (e.g., an employee falls, bad food), you as the owner are responsible.
What are the requirements for paper receipt handling and storage?
There are still paper and documentation requirements in different cities, states, etc. It is important to understand what the law dictates. From a compliance standpoint you can print card numbers/account numbers on receipts although it is not recommended. There are local laws in areas of the country that dictate whether that information can be printed. It is important to understand you must not only consider compliance standards, but also local laws. There are certain states that enforce the DSS as law (Nevada, Minnesota, etc.). Following receipt laws is just as important as following PCI requirements.
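The DSS masking requirement allows at most the first six and last four digits of a card number to be shown wherever a PAN is displayed, and a receipt is a display. The script below, an added example written for this page rather than code from the webinar or from BHI SecureConnect, masks a PAN to that form, and scans receipt text for unmasked card numbers using a Luhn check so that order numbers and other long digit runs are not flagged. The receipt lines are constructed, and the card numbers are standard test numbers that pass the Luhn check but belong to no account.

```python
"""Mask PANs for receipts and find unmasked PANs in receipt text.

Added example, not from the webinar. RECEIPT is constructed; the card
numbers are Luhn-valid test numbers, not real accounts.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed receipt. Line 2 is an order number that looks like a PAN but
# fails the Luhn check; lines 3 and 4 carry unmasked test PANs.
RECEIPT = """\
Store #042  Register 3  2019-06-14 12:31
Order 1234 5678 9012 3456
VISA 4111 1111 1111 1111  APPROVED
MC   5555-5555-5555-4444  APPROVED
Total $42.17
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display; never reveals more than first six / last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Return (line_no, matched_text) for every Luhn-valid PAN in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((line_no, m.group()))
    return hits


def redact_receipt(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Separators inside the PAN are dropped; non-PAN digit runs are untouched.
    """
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for line_no, pan in find_unmasked_pans(RECEIPT):
        print(f"line {line_no}: unmasked PAN {pan}")
    print(redact_receipt(RECEIPT))
```

The same find_unmasked_pans routine is useful for the question earlier on this page about devices that "don't hold card data": run it over receipt spool files, POS logs and support tickets and it will show whether full PANs are being written somewhere you did not expect.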
What is the process for dial-up versus high speed?
Standalone terminals have entirely separate standards. Dial-up is not a major attack vector, but that’s not to say it couldn’t be breached. What you need to do for a dial-up terminal is much less, but there are still requirements that need to be addressed. Physical standards (left cards, visitors, retention policies, paper receipts) are all considerations for those that use dial-up. Those using high-speed Internet will also have a network to be concerned with. It is not only about what you are doing operationally, but what you are doing to make sure the policies stay in place.
How often are vulnerability scans run for a level 4 merchant using SecureConnect? Are they scheduled automatically?
SecureConnect provides quarterly scanning. Once we have the targets, we schedule them in an automated system. Although they are automatic, all scans are evaluated and certified by a member of the Information Security team at BHI and then archived on the mySecureConnect portal. This is different from most Approved Scanning Vendors (ASVs), which submit them to you automatically without being reviewed. If you use our validation services, you can submit the quarterly scans and the Self-Assessment Questionnaire (SAQ) to your acquirer in the mySecureConnect portal.
These guys work with you. Every time I’ve talked with anybody from SecureConnect, even if I don’t know what I’m talking about, they work with me and are very user friendly. I’ve had nothing but compliments and good things to say. It is the above and beyond that really makes a business.