credit card

Something we find on a regular basis are small businesses who take credit cards, but are unaware of the IT security requirements required by the merchant service industry. The merchant service industry (Payment Card Industry) has been successful in creating industry standards and enforcement mechanisms to ensure compliance.

Payment Card Industry (PCI) security is about protecting customers, and the banking system, when processing and storing information on transactions carried out using credit or debit cards.

There are no Federal laws concerning PCI compliance. There are some state laws, so be sure you understand what those are.

The distinction between “processing and storing” is important. If you use a third party like Square or Intuit, then processing compliance is largely done by these companies. However; if you store any credit card info in your office, either on paper or digitally, you do need to be careful to reduce your risk of being out of compliance, and in some states (like Oregon), running afoul of the law.

(PCI) compliance generally centers around how your business operates within the standards set by the industry’s governing body, the PCI Security Standards Council (PCI SSC).

The major weakness we find in security planning is considering it a ‘point in time’ project rather than an ongoing process. PCI DSS best practices recommend a comprehensive security management system that monitors and improves security over time.

Here’s a brief Synopsis for PCI DSS requirements and how you can start building and maintaining a secure network:

PCI DSS Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goals: Protect Cardholder Data

PCI DSS Requirements:
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goals: Maintain a Vulnerability Management Program

PCI DSS Requirements:
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Goals: Implement Strong Access Control Measures

PCI DSS Requirements:
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Goals: Regularly Monitor and Test Networks

PCI DSS Requirements:
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goals: Maintain an Information Security Policy

PCI DSS Requirements:
12. Maintain a policy that addresses information security for employees and contractors

As you can see, this is a lot to wade through in terms of requirements and building best practices. It certainly can look overwhelming for someone who has dealt with these systems before. Upward Technology is a Managed Service Provider who can help you through this process. We care about protecting consumer information and we want to help build better businesses when it comes to security. Need help? Contact Upward today!