What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards.
When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA)
What is PCI Compliance?
Your passwords are vital for computer and card data security. Just like a lock on your door protects physical property, a password helps protect your business data. Also be aware that computer equipment and software out of the box (including your payment terminal) often come with default (preset) passwords such as "password" or "admin," which are commonly know by hackers and are a frequent source of small merchant breaches.
Change your passwords regularly. Treat your passwords like a toothbrush. Don't let anyone else use them and get new ones every three months.
Seek help. Ask your vendors or service providers about default passwords and how to change them. Then do it!
Make them hard to guess. The most common passwords are "password" and "123456." Hackers try easily-guessed passwords because they're used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password.
Don't share. Insist on each employee having their own login IDs and passwords - never share!
Ask an expert. Ask your payment terminal vendor or merchant bank where your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card's security code.
If you don't need card data, don't store it. Securely destroy/shred card data you don't need. If you need to keep paper with sensitive card data, mark through the data with a thick, black marker until it is unreadable and secure the paper in a locked drawer or safe that only a few people have access to.
Limit risk. Rather than accepting payment details via email, ask customers to provide it via phone, fax, or regular mail.
Tokenize or encrypt. Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen.
Keep a list of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like.
Look for obvious signs of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don't recognize.
Protect terminals. Keep them out of customers' reach when not in use and obscure their screens from public view. Make sure your payment terminals are secure before you close your shop for the day, including any devices the read your customers' payment cards or accept their personal identification numbers (PINs).
Control repairs. Only allow payment terminal repairs from authorized repair personnel, and only if you are expecting them. Tell your staff too.
Call your payment terminal vendor or merchant bank immediately if you suspect anything!
Often, software has flaws or mistakes made by programmers when they wrote the code, also called security holes, bugs or vulnerabilities. Hackers exploit these mistakes to break into your computer and steal account data. Protect your systems by applying vendor-supplied "patches" to fix coding errors. Timely installation of security patches is crucial!
Ask your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.
Which vendors send you patches? You may get patches from vendors of your payment terminal, payment applications, other payment systems (tills, cash registers, PCs, etc.), operating systems (Android, Windows, iOS, etc.), application software (including your web browser), and business software.
Make sure your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches. Ask them.
E-Commerce Merchants. Installing patches as soon as possible is very important for you too Also look out for patches from our payment service provider. Ask your e-commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/or web application so it can support the latest patches.
Follow your vendor's/service provider's instructions and install those patches as soon as possible.
You use outside providers for payment-related services, devices and applications. You may also have service providers that you share card data with, that support or manage your payment systems, or that you give access to card data. You may call them processors, vendors, third parties, or service providers. All of these impact your ability to protect card data, so it's critical you know who they are and what security questions to ask them.
Know who to call. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?
Keep a list. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
Confirm the security of your service providers. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too!
Privilege abuse means a person using someone else's access and privileges to gain access to systems or data that person is not authorized to have access to. Privilege abuse is the top action leading to breaches - about 55% of all incidents reported.
Access control is all important. Set up your system to grant access only based on a "business need-to-know." As the owner, you have access to everything. But most employees can do their job with access only to a subset of data, applications, and functions.
Limit access to payment systems and unencrypted card data to only those employees that need access, and only to the data, applications an functions they need to do their jobs.
Keep a log. Track all "behind the counter" visitors in your establishment. Include name, reason for visit, and name of employee that authorized visitor's access. Keep the log for at least a year.
Securely dispose of devices. Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices (so data cannot be recovered).
One of the easiest ways for hackers to get into your system is through people you trust. You need to know how your vendors are accessing your system to make sure it's not opening up any holes for hackers.
Ask how to limit use of remote access. Many remote access programs are always on by default. Reduce your risk - ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.
Disable it when done.
Use strong authentication. If you must allow remote access, require multi-factor authentication and strong cryptography.
Ensure service providers use unique credentials. Each one must use remote access credentials that are unique to your business and that are not the same ones used for other customers.
Systems and software are extremely flexible and offer a wide range of functions and features. Hackers write viruses and other malicious code to exploit those features and coding mistakes, so the can break into your systems and steal card data. Using up-to-date anti-virus software helps to protect your systems.
Install anti-virus software to protect your payment system. It is easy to install and can be obtained from your IT partner.
Set the software to "automatic update" so you always get the most recent protection available.
Run periodic scans. Regularly run full system scans, since your systems may have been infected by new malware that was released before your anti-virus software was able to detect it.
New vulnerabilities, security holes, and bugs are being discovered daily. It's vital to have your Internet-facing systems tested regularly to identify these new risks and address them as soon as possible. Your Internet-facing systems (like many payment systems) are the most vulnerable because they can be easily exploited by criminals, allowing them to sneak into your systems.
Talk to a PCI scanning vendor. These vendors can help you with tools that automatically search your network to find vulnerabilities and provide you with a report if, for example, you need to apply a patch.
A sure way to better protect your business is to use secure payment solutions and trained professionals to help you.
Use secure payment terminals and PIN entry devices. The PCI Council approves payment terminals that protect PIN data. Make sure your payment terminal or device is on the list of PCI-approved PTS devices for equipment that provides the best security, and supports "EMV chip."
Use secure software. Make sure your payment software is on the list of PCI-validated payment applications.
Use qualified professionals. Make sure the person installing your PA-DSS validated application does it correctly and securely.
The internet is the main highway used by data thieves to attack and steal your customers' card data. For this reason, if your business is on the internet, anything you use for card payments needs extra protection.
Isolate usage. Don't use the device you take payments with for anything else. For example, don't surf the web or check emails or social media from the same device or computer that you use for payment transactions.
Protect your "virtual terminal." If you enter customer payments via a virtual terminal (a web page you access with a computer or a tablet), minimize your risk - don't attach an external card reader to it.
Protect wi-fi. If your shop offers free Wi-Fi for your customers, make sure you use another network for your payment system (this is called "network segmentation").
Use a firewall. A properly configured firewall acts as a bugger to keep hackers and malicious software from getting access to your computers and information.
Your data is vulnerable when it travels to your merchant bank, and when it's kept or stored on your computers and devices. The best way to keep it safe is to make it useless even if it's stolen by hiding it, and removing it altogether when it's not needed. While this can be more complex to put in place, in the long run, it can make security much easier to manage.
Use PCI devices that encrypt card data. The PCI Council approves payment terminals that protect PIN data and payment terminals and "secure card readers" that additionally encrypt card data.
Use secure PCI encryption solutions. Ask whether your payment terminal encryption is done via a Point-to-Point Encryption solution.
Upgrade your solution. Reduce your risk - consider getting a new payment terminal that uses both encryption and tokenization technology to remove the value of card data for hackers.