While the days and nights of August are hot, our IT team isn’t sweating it — at least not this month, as they’ve finished the annual Level 1 Payment Card Industry (PCI) Audit two months ahead of the deadline. The Level 1 Audit is the deepest dive that a group of outside security auditors will do on a payment system to be sure it’s secure, and it’s a very time-consuming process that occurs every August for us.
In fact, every time our team finishes one audit and we pass, I think they should get to take a break and relax. But the reality is, as soon as they finish one audit, the team already needs to look ahead to next year’s standards. As challenging as it is, the process is designed to help everyone. It’s all about the safety and security of merchants who rely on processors to have the tightest security measures in place to protect consumer data.
Having processes like end-to-end monitoring and analytics, along with metrics and logs across the full stack, are extremely helpful to get a bird’s-eye view of what’s going on in your company.
Depending on which card brands you accept, all merchants processing from one to six million payment card transactions per year and service providers processing, storing or transmitting more than 300,000 card transactions per year are required to be audited for PCI compliance. A Level 1 Audit is also required for licensing in both the U.S. and the EU.
It takes several team members to focus on an audit like this. Every year ours spends countless hours to get ready for the week-long, onsite audit, which is backed with a full stack of policies and procedures that our IT and entire organization follows. Each year, the PCI Security Standards Council establishes new objectives and standards. We’re currently following the PCI 3.2 Audit, but are already setting our sights on the upcoming 4.0 standard. This new standard is based on perceived threats and what processors need to do to avoid them.
As we began our focus on next year’s audit, we sat down with our IT Director to carve out the top three ways to stay ahead of the game for the 2021 PCI Audit, and hope it will help you narrow down what to focus on too.
Become a Cyber Security Champion
One of the most important things to work on is cyber security and protecting yourselves. You must be proactive and not reactive, especially when mitigating issues before they have an impact on a business. Think of it as a series of locked doors or barriers that you must go through to get into general systems. It takes many doors to get into our network, because like many processors, we use a content delivery network (CDN), which uses a geographically distributed group of servers working together to provide the fast delivery of internet content.
The CDN basically is a cloud application that adds a layer of protection on all transactions that pass through it, including our merchant portal or other loaded internet content like HTML pages, JavaScript files, stylesheets, images and videos. By implementing these security barriers as designated endpoints per web application, you’re providing a level of security that ensures a company’s web application firewall (WAF) rules are based on the web application’s needs.
Strengthen Standard Operating Procedures
You may have noticed that when logging into your bank account, there is a request for an additional code or password. It is now a requirement for all business line applications to implement a dual-factor authentication (DFA), which is a second layer of security requiring a user to go beyond presenting a username and password. It doesn’t have to be just for banking accounts either. We’re looking at implementing this to all our apps and other programs inside the office to increase security. It’s something that’s becoming very common in the industry as an added layer of strength and stability.
Knowledge is also a security strength and developers can stay on top of the latest secure coding practices through the Open Web Application Security Project (OWASP). This free and open security community offers products freely like articles, mythologies, documentation, tools and technologies in the field of web application security. It’s a great resource and tool to help make sure security is built in from the start.
Our company takes advantage of online security training yearly with some members of the team training on a monthly basis. Even the end user can help with security awareness by knowing there are security risks based on their actions. We send out regular reminders of current malicious cyber activity to our staff warning them about what they should look out for. You can access this type of information through the Cybersecurity and Infrastructure Security Agency website. They provide national cyber security system alerts highlighting incident reports, vulnerabilities and announcements. By keeping the line of communication transparent our staff can be aware of what to watch out for.
Make the Most of Monitoring and Controls
You want to make sure you see the full picture of your infrastructure’s health to stop security issues before they happen. Having processes like end-to-end monitoring and analytics, along with metrics and logs across the full stack, are extremely helpful to get a bird’s-eye view of what’s going on in your company. Our IT team forces updates instead of waiting for me to update them. This keeps us ahead of any potential issues and we’re able to solve them before the end user is impacted. Staying up to date on hardware and software provides an edge on the latest application and system services, such as Cyphers. Payment processing and cardholder data (CD) is any personally identifiable information associated with a person who has a credit or debit account. One of the main goals of PCI Data Security is to protect cardholder data that is processed, stored or transmitted by merchants. That data should always be on a separate domain and/or provider for maximum security.
While this process is very time consuming, it’s also very necessary to protect the health and safety of a merchant’s business. Failing to be PCI compliant can cost you in fines ranging between $5,000 and $500,000 and you could face serious consequences. If you’re not PCI compliant you could lose your merchant account- meaning you won’t be able to accept credit card payments at all. Every year the process seems overwhelming, but a skilled IT team can pull this together. I’m proud of ours for their dedication in getting this done year after year — and if you find yourself stuck, we’re here to help, just ask.
Cathy Beardsley is president and CEO of Segpay, a global leader in merchant services offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are always safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.