PCI Compliance: what is it?


PCI Compliance is often ignored by small businesses, mainly because it’s a fairly technical concept with a lot of moving pieces and parts. Much of the information that was available was written for people with a technical background in networking. Recently, the PCI Security Standards Council came out with information tailored to small business people who are not network engineers. Here is what they have to say on PCI Compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants protect the customer data held on payment cards. As a small business, you are a prime target for data thieves. Your customers’ card data is a gold mine for criminals. There are three main ways you sell your goods or services:

1. A customer walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. Someone calls your shop and provides card details over the phone, or sends the details in the mail or via fax.

If you accept credit card payments in any of these ways, you need to make sure you are protecting your customers’ card data. Here are 12 basic security measures to take:

1. Use strong passwords and change default ones

Your passwords are vital for computer and card data security. Just like a lock on your door protects physical property, a password helps protect your business data. Also be aware that computer equipment and software out of the box (including your payment terminal) often come with default (preset) passwords such as “password” or “admin”. These are commonly known by hackers and are a frequent source of small merchant breaches.

2. Protect card data and only store what you need

IF YOU DON’T NEED CARD DATA, DON’T STORE IT. Securely destroy or shred card data you don’t need. If you need to keep paper with sensitive card data, mark through the data with a thick, black marker until it is unreadable and secure the paper in a locked drawer or safe that only a few people have access to. You need to do this for PCI compliance!

3. Inspect payment terminals for tampering

You might have heard of “skimming devices”, especially on gas pumps. They sweep up your customers’ card data as it enters a payment terminal, thereby capturing customer information. It’s vital that you and your staff know how to spot a skimming device, what your payment terminals should look like, and how many you have. You need to regularly check your payment terminals to make sure they have not been tampered with. If there is any suspicion that a terminal has been tampered with, DO NOT USE it, and report this immediately to your merchant bank and/or terminal vendor.

4. Use trusted business partners and know how to contact them

You probably use outside providers for payment-related services, devices and applications, thereby sharing card data with them. They may be called processors, vendors, third parties, or service providers. All of these impact your ability to protect your card data, so it’s critical you know who they are and what security questions to ask them.

5. Install patches from your vendors

Software can have flaws that are discovered after release, caused by mistakes made by programmers when they wrote the code. These flaws are also called security holes, bugs or vulnerabilities. Hackers exploit these mistakes to break into your computer and steal account data. Protect your systems by applying vendor-supplied “patches” to fix coding errors. Timely installation of security patches is crucial! It is important that you know how your software is being regularly updated with patches and who is responsible (it could be you!). Some patches install automatically when they become available. If you’re not sure how patches get added or who is responsible, make it a point to ask your vendor or supplier. This is part of PCI compliance.

6. Protect in-house access to your data

ACCESS CONTROL IS ALL IMPORTANT. Set up your system to grant access only based on a “business need-to-know.” As the owner, you have access to everything. But most employees can do their job with access only to a subset of data, applications, and functions.

7. Don’t give hackers easy access to your systems

ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely at any time. This also means that hackers can access your systems too, since many vendors use commonly-known passwords for remote access. Reduce your risk by disabling remote access when it’s not needed, and enabling it only when it is.

8. Use anti-virus software

Hackers write viruses and other malicious code to exploit software features and coding mistakes, so they can break into your systems and steal card data. Using up-to-date anti-virus (also called anti-malware) software helps to protect your systems.

9. Scan for vulnerabilities and fix issues

There is daily discovery of new vulnerabilities, security holes, and bugs. It’s vital to have your Internet-facing systems tested regularly to identify these new risks and address them as soon as possible. Your Internet-facing systems (like many payment systems) are the most vulnerable because they can be easily exploited by criminals, allowing them to sneak into your systems.

10. Use secure payment terminals and solutions

A sure way to better protect your business is to use secure payment solutions and trained professionals to help you. Choose safe hardware, software and professionals, and make sure they are set up securely.

11. Protect your business from the Internet

The Internet is the main highway used by data thieves to attack and steal your customers’ card data. For this reason, if your business is on the Internet, anything you use for card payments needs extra protection. A firewall is equipment or software that sits between your payment system and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize. Firewalls are configured (in hardware, software, or both) with specific criteria to block or prevent unauthorized access to a network. Firewalls are often included in the router “box” provided by your Internet provider.

12. For the best protection, make your data useless to criminals

Your data is vulnerable when it travels to your merchant bank, and when it’s kept or stored on your computers and devices. The best way to keep it safe is to make it useless even if it’s stolen by encrypting it whenever you store it or send it, and removing it altogether when it’s not needed. While this can be more complex to put in place, in the long run, it can make security much easier to manage.

What can I do to be PCI Compliant?

If all of this information is overwhelming, we can help! Compliance is the best way to protect your business and your customers’ card data. We can do an assessment to see where you are and where you need to go to be in compliance, and can also help with your Self-Assessment Questionnaire (SAQ) if you would like us to. As a Qualified Integrator Reseller (QIR) we would love to help protect you. Look here for more information on Network Security. Just give us a call at 952-544-6463, or email at: info@retailitc.com.

For more information on PCI-DSS Compliance: https://www.pcisecuritystandards.org/.
