What are you doing to ensure PCI compliance (Payment Card Industry Data Security)? Keeping up with PCI standards is only a small part of that process and it’s the easy part. The other part is keeping up with what the hackers are doing and ensuring against breaches. Small to medium sized companies can run their own internal cyber security but sometimes it is more efficient and even cheaper to engage a great MSSP that can guarantee they have your back.
What is PCI Compliance?
PCI compliance applies to any size merchant that accepts credit cards, processes, stores, transmits credit card transactions and data. If that’s you, then knowing what is PCI compliant can save your company money, and probably, save yourself aggravation and time.
There are 12 compliance requirements as set forth by the PCI Security Standards Council to protect your cardholder data. Payment card brands enforce compliance, while the Council governs the standards. Your acquirer, or payment brand, can identify your precise compliance requirements.
Compliance is an ongoing process. It’s not a static one-time achievement. Rather, you must remain diligent in maintaining standards and compliance.
The 3 basic adherence steps:
- Assessment – review all possible points of vulnerability
- Repair – fix the vulnerabilities, ensuring there is no unneeded data stored
- Report – documenting details and reporting to compliance entities
This is a continuous loop that when practiced routinely using current techniques will minimize and quickly eliminate vulnerabilities.
12-Point PCI Data Security Standard
- Maintain firewall configuration – based on organization’s business and compliance requirements and reviewed in advance.
- System passwords cannot be vendor defaults – no blank SA passwords!
- Stored cardholder data must be protected – know where your credit card data is processed and if/where it is stored!
- Cardholder data that travels across open public networks must be encrypted.
- Protect systems from any malicious programs, updating anti-virus and malware software programs routinely – and prove it!
- Make certain all applications and systems are secured.
- Secure cardholder data by way of need to know only.
- All system component access must be authenticated.
- Physical access to cardholder data restricted.
- Access to network systems and cardholder data is monitored and tracked.
- Routinely test security systems and all processes.
- Maintain and update an organization-wide system security protocol for all personnel.
The aforementioned are the equivalent of security best practices. Maintaining all 12 can provide basic cyber-security internally and for all client cardholder data.
Correctly answering the question, “what is PCI compliance?” must include an approach to the more sophisticated malware that threatens particular merchant and cardholder data. There is no minimizing the impact that hacked credit card data can have on any organization’s bottom line. It is also no coincidence that several large well diversified companies are acquiring an MSSP to solidify their data security.
Advanced Persistent Threats (APT) know how to find a vulnerability, a way to enter into your so-called secured firewall. It can be through an email, a file, or an application; by inserting the malware into the network your system is compromised. A Managed Security Services Provider, MSSP, maintains a set of skills designed to uniquely address the evolving and more complex attacks by cyber-criminals. Small and medium sized companies can clearly understand what PCI compliance is, but achieving the next level of cyber-security is not as straightforward.
An MSSP can offer all their research and cyber solutions an organization may need. Some offer an a la carte approach where you need not select the whole ball of wax, but just the solutions particular to your needs. Once network access is obtained, client cardholder data can be captured, passwords and account names compromised and your system is breached. They may be able to return as needed, unless fully identified and detected and the average detection takes months to identify.