PCI Made Easy
Any company processing, storing, or transmitting payment card data must now adhere to the Payment Card Industry Data Security Standard (PCI DSS). Merchants found not to be compliant risk losing their ability to process credit card payments and will likely be fined by their acquiring bank/processor.
The PCI DSS was created by the major credit card companies (Visa, MasterCard, AMEX, Discover, and JCB International) as a guideline to help organizations that process card payments minimize their risk of a security breach. As a result, business owners now need to be as concerned with information security as they are with market security. In fact, a recent study conducted by Verizon Communications indicated that 87% of breaches that occur can be EASILY PREVENTED with simple and common security measures and safeguards. The structure of the PCI DSS is a list of 12 requirements that are intended to help guide business owners, banks, and anyone else who handles payment card data to minimize the very real risk of a security breach.
Action Steps for Compliance
1. Know your risk
Ignorance is not bliss in the case of PCI compliance. Credit card hackers depend on naive business owners to keep their crime organizations running strong. Understanding the risk involved in accepting payment cards is necessary to the continued health of your business.
2. Look at the big picture
Becoming PCI compliant is not only about protecting your business, but also the corporate brand. More important still is protecting your customers and their card data. Fully understanding your business environment is a good place to start when implementing a successful PCI compliance plan to secure your information.
Assess your business environment – where is the information?
The primary goal of assessment is to identify all technology and process vulnerabilities posing a risk to the security of cardholder data that is transmitted, processed or stored by your business. Study the PCI DSS (http://www.pcisecuritystandards.org/) for detailed requirements. It describes IT infrastructure and processes that access the payment card infrastructure.
Determine how payment card data flows from beginning to end of the transaction process – including PCs and laptops which access critical systems, storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.
It is important to note that your liability for PCI compliance also extends to third parties involved with your process flow, so you must also confirm that they are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploits and where to direct remediation.
3. Implement necessary security measures to protect the information
Although PCI compliance is a mandatory standard set forth by the major credit card brands, it is best to approach it as a means of strengthening security, instead of simply meeting compliance standards. Being compliant does not by itself make an organization more secure, but being more secure is likely to make an organization compliant.
Key Steps include:
- Install and maintain a Firewall with PROPER configurations
- Use personal firewalls on mobile computers (know the data, encrypt the data)
- Use a compliant Payment Application
- Do NOT store prohibited data
- Check the PCI SSC website
- Ensure regular system updates are installed
- Use Anti-Virus on every computer
- Change passwords often
- Use unique user IDs for all employees
- If you NEED wireless, it needs to be PROPERLY configured
- If you NEED remote access, use two-factor authentication
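As an added example (not part of this page or any SecureConnect tool), a small scanner that supports the assessment step above ("where is the information?") and the key step "Do NOT store prohibited data": it finds Luhn-valid PAN-like numbers and track-2 (magnetic stripe) data in text such as POS logs or exports, and reports them masked to the first six and last four digits. The log lines are constructed; long numeric fields that happen to pass the Luhn check will still produce false positives, so treat hits as leads to investigate.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally space/dash separated, not inside a longer digit run.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Track-2 data ";PAN=YYMM<service code><discretionary>?" is sensitive authentication data and must never be stored.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4,}[^?]*\?")

@dataclass
class Finding:
    line_no: int
    kind: str      # "PAN" or "TRACK2"
    masked: str

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; the report must never carry the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str) -> list[Finding]:
    """Report PAN-like values and track-2 data per line, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(line_no, "TRACK2", mask_pan(m.group(1))))
        rest = TRACK2_RE.sub("", line)  # avoid reporting the track's PAN twice
        for m in PAN_RE.finditer(rest):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
    return findings

# Constructed sample POS log; lines 1 and 3 are the kind of data that must not sit on disk in clear.
SAMPLE_LOG = """\
2024-03-02 10:15:01 order=10042 card=4111-1111-1111-1111 amount=19.99
2024-03-02 10:15:02 order=10043 ref=1234567890123456 amount=5.00
2024-03-02 10:15:03 swipe=;5500000000000004=2512101123456789?
2024-03-02 10:15:04 order=10044 phone=555-0100 amount=3.50
"""
```

Calling `scan_text(SAMPLE_LOG)` reports the masked PAN on line 1 and the track-2 data on line 3; the 16-digit reference on line 2 fails the Luhn check and is ignored.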
4. Regularly monitor and test your systems
Continually monitoring and updating your security approach is essential. Being security centric means that the organization is interested in its own security, and takes appropriate steps to identify and remediate threats and vulnerabilities.
5. Stay educated and aware
Much of the Data Security Standard (DSS) consists of creating policies that protect your environment. Just as you have policies that pertain to food handling, you also need to create a policy that protects your customers' information. The first step in executing a proactive information security strategy is to create a solid, enforceable Information Security Policy (ISP). The main goal of an Information Security Policy is to protect data by defining procedures, guidelines and practices for handling and using information within your organization. The policy can only be successful through proper enforcement by your organization. It is a compliance tool meant to aid in the discovery and elimination of threats and vulnerabilities. With appropriate implementation, a security policy will be vital to the long-term health of your organization.
Keep in mind, an Information Security Policy should enable the company to do what it does best, not hinder it. There are a few things to remember:
- The business owner/operator needs to own the process of creating an ISP for their organization
- Security is about protecting your organization and your customers
- Anytime you make decisions about your organization you must think about how it impacts security
- If security isn’t a primary concern, you need to rethink the priorities and goals of your organization
6. Validate your compliance
Once you have completed the steps detailed above you need to validate your compliance. For most merchants there are a couple of things to do in order to accomplish this. Typically, merchants that fall into Levels 2, 3, or 4 validate compliance by furnishing their acquirer/processor with the following:
Quarterly Vulnerability Scans - This means running quarterly vulnerability scans of your network through an Approved Scanning Vendor (ASV). The scan checks for possible vulnerabilities, and any that are detected may require remediation.
Self-Assessment Questionnaire (SAQ) – The SAQ was developed by the PCI Security Standards Council as a tool to help merchants review and ultimately validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). To ensure compliance with these requirements, merchants that are not required to undergo an on-site audit must validate compliance by completing an annual SAQ.
There are multiple versions of the SAQ to meet various payment processing scenarios, so confirm which validation type applies to you. After implementing the required action steps to achieve compliance, complete the SAQ and submit it together with the Attestation of Compliance (AOC) to your acquiring bank/processor. It is important to note that you must be able to answer “yes” to all questions in order to be compliant.
Contact SecureConnect