Understanding PCI Compliance

Date: July 15, 2009
Duration: 60 minutes

Listen to this valuable webinar on PCI compliance to learn more about what makes your business data so valuable, best practices, and most importantly, how to protect your business and your customers from becoming victims of a security breach. Topics covered include:

  • Security Breach Overview
  • Terms to know
  • What is PCI DSS and how it affects your business
  • Risks of non-compliance
  • Secuirty vs. Compliance
  • What to do for compliance

Webinar Recording

View the Webinar from July 15, 2009 on PCI Compliance. Please note the webinar recording is in a Windows Media Video (.wmv) file.

View PCI Compliance Webinar


Q & A (Question and Answer)

  1. What is the difference between a router and a firewall?
  2. What types of data can’t be stored?
  3. What is logging?
  4. I’m a small merchant, so I don’t have to worry about PCI compliance, right?
  5. What is multi-factor remote access?

What is the difference between a router and a firewall?

A firewall is a physical device that sits between your network (including your back office computer, POS terminals, etc.) and the Internet. This can often be confused with a router of a modem.

  • Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network.

    • Deny traffic from un-trusted networks
    • Restrict connections
    • Prohibit public access

  • Routers are hardware or software that conencts two or more networks.

What types of data can’t be stored?

According to PCI DSS Requirement 3, if there is a legitimate reason to store cardholder data, a merchant can do so, however only certain items may be stored (and must be stored in a secure manner). Here are the “don’ts” of data storage:

  • Never store any track data (referred to as full track, track, track 1, track 2, or magnetic stripe data)
  • Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).
  • Never store the personal identification number (PIN) or PIN Block

If required for business purposes, the cardholder’s name, Primary Account Number (PAN), expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.

What is logging?

Logging data is the process of capturing, assembling, retaining and reviewing critical system events. The ability to track user activities is critical for effective forensics and vulnerability management in the instance that something goes wrong. Determining the cause of a security breach is very difficult without system activity logs.

Within the restaurant environment, systems like your back office computer and POS terminals should include logging if they are part of the payment environment.

As laid out by the PCI DSS, at minimum the system logs must contain records of the following items:

  • User Identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component or resource

I’m a small merchant, so I don’t have to worry about PCI compliance, right?

Regardless of the size of your business, as the risk owner, you have a fiduciary and legal obligation to protect cardholder data at your business, and to ensure, or validate, that the measures you have taken are effective. While required validation varies based on the size of the business, all merchants are required to comply with the PCI Data Security Standard.

What is multi-factor remote access?

PCI requires that in order to gain remote access into any environment that processes credit card transactions utilizes “two-factor” authentication.

Two-factor authentication is a security process in which the user provides two means of identification, one of which is a username and password, and the other of which is a PIN number that is valid only for a small period of time and only sent to the users contact information (e-mail, phone, or SMS text message) on file. Our remote access solution uses these alternative methods ensuring your network is PCI compliant.

Learn More
Case Studies
Packages
PCI Compliance
PCI Questions
SecureConnect Blog
Webinars
Why SecureConnect
SecureConnect Scoop
About Us
Approved Scanning Vendor
Careers
Press Releases
Privacy Policy
Site Map
Terms of Use
Next Steps
Call Direct: 888.949.7328
Email Us
mySecureConnect Login
Receive Communications from us
Request a Free PCI Consultation
Send Informational Packet
Sign Up
Follow SecureConnect
Follow us with RSS feed RSS feed
Follow us on Twitter Follow Us
Follow us on Facebook Like us
Follow us on Facebook Company Photos
Visit our profile on Linkedin Follow us on LinkedIn