opinion

Creating a PCI Compliance Checklist

The Payment Card Industry Data Security Standard refers to a set of guidelines and standards for businesses to ensure the security of their credit card transactions. Created by Visa, Mastercard, Discover, and American Express in 2004, this standard applies to companies of any size that accept credit card payments, and has evolved over the years to ensure that online sellers have the systems and processes in place to prevent data breaches.

Business owners know that ecommerce transactions have been significantly on the rise over the past few years, and there are no signs of that slowing down. What accompanies this trend is a rising concern about the security of customer data when it comes to online payment transactions. If you collect, transmit, process or store any credit card transactions, you are ultimately liable for any information you collect, and therefore are subject to consequences should that information be compromised. That’s where PCI compliance comes in.

PCI compliance can be overwhelming to the average business owner because the reality is that you must educate yourself on a variety of security protocols and processes. Fortunately, with a bit of help, you can successfully navigate these waters and achieve compliance in no time.

Companies can use various tools to achieve PCI compliance. However, having a well-structured compliance implementation checklist is critical and makes the process much easier. There are 12 mandates that every merchant should be familiar with:

FIREWALL

Protect cardholder data with a firewall. Every device interacting with cardholder data must have a firewall installed, guarding your network against outside attacks. This will ensure all transactions happen safely.

PASSWORDS

Change vendor-supplied passwords as soon as you receive them; never keep the ones provided. Make each password unique: use password management software to generate a random password, or use three random words for each.

DATA PROTECTION

Protect stored cardholder information, both physical and digital. Cardholder data written down on paper requires a strict handling process so that it is never left unprotected, while digital data must be protected using encryption and firewalls.

ENCRYPTION

PCI-compliant encryption is essential to preventing data and information from being stolen during the transfer between the issuing bank and acquiring bank. Encrypt cardholder data that passes through open, public networks and confirm this at the point of sale (POS).

ANTIVIRUS SOFTWARE

Install and update antivirus software. If you’re not frequently updating to the latest versions, potential vulnerabilities will not be patched. Regularly use the virus scan option and set up a repeatable checklist process that you carry out monthly to scan and download whatever is needed.

SECURE SYSTEMS

Implement a security checklist to ensure secure systems and applications. This process can be implemented to address any vulnerabilities and keep all your software up to date, such as firewalls, antivirus software, apps and POS.

CARDHOLDER DATA

Keep employees’ access to cardholder data minimal to reduce the chance of a breach. Only those with a legitimate “need to know” should access cardholder data.

ID PERMISSIONS

Grant ID permissions to users with access to cardholder details. Assign unique IDs to each employee who needs access, enabling a way to track precisely who logs in and when.

PHYSICAL ACCESS

Physical access to cardholder information should be restricted and monitored. Remember to log out when leaving a terminal, and add a timeout that triggers after a short period of inactivity.

PERMISSIONS

Track permissions to cardholder data and network resources. Track who is logged in at what times and consider surveillance for fraudulent activity.

SECURITY PROCESSES

Test security processes and systems frequently. Create a security process checklist that employees must follow to protect data, regularly test that this process is still working and improve where needed.

SECURITY POLICY

Develop an information security policy to determine the guidelines and a method for proving and tracking compliance. Policies and procedures should identify how standards are maintained for auditors to verify your compliance.

To make these mandates easier to implement, businesses can follow these tips for meeting compliance requirements:

  • Buy and use only approved PIN entry devices at your POS.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software; most are unsafe.
  • Regularly check PIN entry devices and PCs to ensure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI Data Security Standard.
  • Ensure peer-to-peer encryption.

Whatever the size of your business, PCI compliance is a must. It can save you the cost of a data breach and build customer confidence and loyalty. To learn more about PCI compliance, contact a trusted payment processor for assistance.

Jonathan Corona has over 15 years of experience in the electronic payments industry. As MobiusPay’s COO, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
