The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that the major payment card brands require of every business that stores, processes, or transmits cardholder data. Meeting its requirements is a condition of continuing to accept card payments.
PCI DSS sets a baseline for keeping payment card data safe from theft. Falling short of that baseline can have serious consequences for a business, especially when attackers exploit the resulting gaps to steal card data: fines passed down from the card brands and, ultimately, loss of the ability to accept cards.
To prevent a worst-case scenario, it’s important that you’re able to meet the basic requirements of the security standard.
Does your organization’s payment card system meet the following requirements?
- Has a strong firewall configuration that minimizes the points of entry an attacker could use, including personal firewall software on any mobile or employee-owned computers that connect directly to the cardholder data environment.
- Is free of vendor-supplied default passwords and other default security settings.
- Renders stored primary account numbers (PANs) unreadable wherever they are kept (by truncation, keyed one-way hashing, tokenization, or strong encryption).
- Does not store sensitive authentication data after authorization: full track data from the magnetic stripe or chip, card verification codes (CVV2/CVC2/CID), and PINs or PIN blocks.
- Encrypts cardholder data in transit over open, public networks using strong cryptography.
- Runs antivirus/antimalware software that is kept up to date on all commonly affected systems.
- Is up to date with all critical security patches.
- Restricts access to cardholder data to those with a business need to know.
- Assigns every authorized user a unique ID, backed by authentication, so that activity can be traced to a specific person.
- Is protected from physical access by unauthorized personnel.
- Logs and monitors all access to network resources and cardholder data.
- Is regularly subjected to vulnerability scans and penetration tests, including quarterly external scans by a PCI-Approved Scanning Vendor (ASV).
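The two storage requirements above (render stored PANs unreadable; never store sensitive authentication data) are the ones most often broken by accident, usually by a transaction record or a debug log that captured the raw card number. The following is an added example, not code from the original article: it truncates a PAN to first six/last four, replaces it with a keyed hash for correlation, strips CVV/track/PIN fields before a record is persisted, and scans log lines for Luhn-valid card numbers. The field names, the HMAC key and the sample record and log line are all constructed for the example; a real deployment would pull the key from an HSM or KMS and map the field names to its own schema.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorization.
# Field names are assumed for this example; map them to your own schema.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn check that card numbers satisfy."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a Luhn-valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) so records can be correlated without the PAN.
    An unkeyed hash would be brute-forceable: the PAN space is small and structured."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_record(record: dict, key: bytes) -> dict:
    """Prepare a transaction record for storage: drop sensitive authentication data,
    replace the PAN with its truncated form and keyed hash, keep everything else."""
    out = {}
    for name, value in record.items():
        field = name.lower()
        if field in SENSITIVE_AUTH_FIELDS:
            continue                      # never persisted
        if field == "pan":
            out["pan_truncated"] = truncate_pan(value)
            out["pan_hmac"] = hash_pan(value, key)
            continue
        out[name] = value
    return out


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in free text such as a log line."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its truncated form.
    Numbers that look like PANs but fail Luhn (timestamps, order IDs) are left alone."""
    def _repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return truncate_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_CANDIDATE.sub(_repl, line)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-use-an-hsm-or-kms"   # placeholder, not a real key
    # Constructed sample record using a well-known test card number.
    record = {"order_id": "A-1001", "pan": "4111 1111 1111 1111",
              "cvv": "123", "track2": "constructed-track-data", "amount": "19.99"}
    print(scrub_record(record, demo_key))
    # Constructed log line mixing a PAN with a 13-digit timestamp that fails Luhn.
    line = "2024-05-01T12:00:00Z ts=1700000000000 pan=4111 1111 1111 1111 user=alice"
    print(find_pans(line))
    print(redact_log_line(line))
```

The Luhn check is what keeps the log scanner from mangling timestamps and order numbers; the regex alone would flag any 13 to 19 digit run. Running `find_pans` over application logs, crash dumps and database exports is a cheap way to catch the "we didn't think that was stored" cases before an assessor does.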
Aside from these technology requirements, the organization must also maintain a set of information security policies that apply to all personnel.
That’s a lot of requirements to keep track of, which is why it can be all too easy for any organization to fall behind on PCI compliance.