If you accept credit card payments, you must comply with the Payment Card Industry Data Security Standard, often called simply "PCI." Complying with these standards maintains your status as a compliant company that accepts credit cards. PCI compliance is not a legal standard, but it is an industry standard that will be necessary to protect your business from expensive litigation in the increasingly compromised age of major data breaches. Here are five solutions that will help you with PCI compliance:
Your company needs to have a policy regarding firewall configuration. This policy should include the methods and processes for testing firewalls.
In addition to firewalls, you should put access control lists in place on all of your devices. Add a DMZ (demilitarized zone, otherwise known as a perimeter network) for all your services that interact with the Internet. Put access controls in place in the DMZ to make sure all of your connections are from approved entities.
If your software came with passwords, change all of them. Use only internally-generated passwords.
Treat every security threat the way you would an auto accident: find out who is at fault and move quickly to initiate repairs.
According to Powerhouse Call Center Consultants, you must use very high-level encryption of credit card data. In addition, you will need a rigorous decryption method. Use a decryption key that only an identifiable and recognized party has access to for receiving data. Never store PINs or card validation numbers, even in encrypted form. Frequently the best solution for your encryption needs is a third-party software solution.
Make sure to limit access to any physical location that contains servers or any other storage devices that contain credit card data. Use a badge system to allow access, and consider a manned security checkpoint. Also, use closed-circuit television.
You must have anti-virus software in place on your network. This should include not only detection and quarantine functions, but also malware removal. Create a policy regarding anti-virus updates. A staff member should regularly check to see if updates have been installed, and this person should stay abreast of notices about new types of threats. Create a protocol for testing your anti-virus protection. Don't rely on the anti-virus software vendor for all of your testing and updates. Be proactive.
Each person who has access to any part of your network must have an ID that is unique. Restrict all IDs based on a need-to-know clearance. Monitor all access and record the IDs that access your systems.
PCI compliance is not merely a matter of adhering to the Payment Card Industry Data Security Standard requirements. Compliance requires internal vigilance and a proactive effort to push security to the level of redundancy. Insist on multiple security measures that overlap, and monitor your network constantly to identify problems and vulnerabilities.