How to Keep Customer Card Data Safe with PCI-DSS
If your business accepts any of the branded payment cards, you must comply with all 12 requirements of PCI-DSS, the Payment Card Industry Data Security Standard. PCI-DSS applies to any organisation that stores, processes or transmits payment card data, whether the cards are credit or debit cards. Note that failure to meet the PCI-DSS requirements can result in termination of your payment card processing privileges.
The 12 PCI-DSS Requirements for Protecting Cardholder Data
- Install and maintain a firewall configuration to protect cardholder data
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Use and regularly update antivirus software
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Encrypt cardholder data before transmitting it across open, public networks
- Protect stored cardholder data
- Regularly test security systems and processes
- Track and monitor all access to network resources and cardholder data
- Maintain an up-to-date information security policy
The practical way to meet these requirements, and so to secure your network, is a layered approach: combine strong tools that provide rich functionality with good reporting, so that you can demonstrate compliance as well as achieve it.
However, even with good tooling in place, there remain a few common areas where organisations find it difficult to meet the standard. They are listed below, each with a tip on how to fix it.
Penetration testing: the updated PCI-DSS penetration testing requirements call for both network-layer and application-layer testing.
Tip: perform this testing at least once a year and after any significant change to the environment, for example a new network segment, a major application release or an infrastructure upgrade. The testers, whether internal staff or an external firm, must be suitably qualified and organisationally independent of the systems they test.
Vulnerability scanning: PCI-DSS requires vulnerability scans at least quarterly and after any significant change, from both an internal and an external perspective. The quarterly external scans must be run by a PCI-approved scanning vendor (ASV).
Tip: after each scan, fix the vulnerabilities it reports and rescan until you get a passing result; a finding is not closed until the rescan shows it gone. Keep the report from every scan, including the failed ones and the rescans, because the assessor will want to see a record of four passing quarterly scans, not just the most recent one.
Patching: PCI-DSS requires critical security patches to be installed within one month of their release, so that known vulnerabilities are closed before they can be exploited.
Tip: automate this. Use system configuration management software to track which patches are installed on which hosts, compare the install dates against the one-month deadline, and report any host that is out of compliance.
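As an added example (not code from the article or from any PCI-DSS tooling), the following script shows what the "report non-compliance" step of that tip looks like in practice. It reads a patch inventory export, here a constructed CSV with one row per host and patch, and classifies every critical patch against the deadline. The CSV layout, the 30-day reading of "one month", the host and package names and the reference date are all assumptions made for the example.

```python
import csv
import io
from datetime import date, timedelta

# Assumed reading of PCI-DSS "within one month of release".
SLA = timedelta(days=30)

# Constructed sample export from a hypothetical configuration management
# system. An empty installed_on means the patch has not been applied yet.
SAMPLE_INVENTORY = """\
host,package,severity,released_on,installed_on
pos-01,openssl,critical,2024-03-01,2024-03-10
pos-01,libxml2,high,2024-03-01,
pos-02,openssl,critical,2024-03-01,
db-01,openssl,critical,2024-03-01,2024-04-15
db-01,kernel,critical,2024-04-20,
"""

# Reference date for the report (assumed).
TODAY = date(2024, 5, 1)


def parse_date(text):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def classify(row, today):
    """Status of one inventory row against the critical-patch deadline.

    'ok'      - not critical, or installed before the deadline
    'pending' - critical, not yet installed, deadline not reached
    'overdue' - critical, not installed, deadline passed
    'late'    - critical, installed but only after the deadline
    """
    if row["severity"].lower() != "critical":
        return "ok"  # only the critical-patch deadline is enforced here
    deadline = parse_date(row["released_on"]) + SLA
    installed = parse_date(row["installed_on"])
    if installed is None:
        return "overdue" if today > deadline else "pending"
    return "late" if installed > deadline else "ok"


def patch_report(inventory_csv, today):
    """Map (host, package) -> status for every row in the export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {(r["host"], r["package"]): classify(r, today) for r in reader}


def sla_violations(inventory_csv, today):
    """Sorted list of hosts with at least one overdue or late critical patch."""
    report = patch_report(inventory_csv, today)
    return sorted({host for (host, _), s in report.items()
                   if s in ("overdue", "late")})


if __name__ == "__main__":
    for (host, package), status in sorted(patch_report(SAMPLE_INVENTORY, TODAY).items()):
        print(f"{host:8s} {package:10s} {status}")
    print("hosts out of compliance:", sla_violations(SAMPLE_INVENTORY, TODAY))
```

With the sample data, pos-02 is reported as overdue (the openssl patch was never applied), db-01 shows one late install and one patch still inside its window, and pos-01 is clean. Feeding the same function a real export every night, and raising a ticket for every host in the violations list, turns the one-month rule from a policy statement into a check that fails loudly before the assessor finds it.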
Last word: compliance is a continuous process that must be maintained throughout the year, not a one-off exercise completed just before the annual assessment.
Image Courtesy: Flickr's Creative Commons