
Unpacking the Payment Card Industry's Latest Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to every business that stores, processes or transmits payment card data, whether the card is accepted online, in a store or over the phone. First released in 2004 and now maintained by the PCI Security Standards Council, which the card brands (Visa, Mastercard, Discover, American Express and JCB) founded in 2006, the standard has evolved over the years so that merchants have the controls and processes in place to prevent cardholder data breaches.

PCI DSS version 4.0 officially became the only active version of the standard on April 1, 2024, when version 3.2.1 was retired. Some 4.0 requirements were initially designated "best practice" and became mandatory on March 31, 2025, and the council has since published a 4.0.1 revision that corrects and clarifies 4.0 without adding new requirements. Coming at a time when cyber threats are increasingly sophisticated, this update emphasizes the need for stronger safeguards to protect sensitive cardholder data.


PCI DSS 4.0 introduces several key changes and enhancements aimed at improving the overall security posture of companies that handle payment card data. One of the most notable updates is the increased focus on authentication: multifactor authentication is required for all access into the cardholder data environment, not just for remote or administrative access, and passwords used as an authentication factor must be at least 12 characters long (8 where a system cannot support 12) and contain both letters and numbers.

Additionally, the new standard places greater emphasis on monitoring and logging. Audit logs must be reviewed using automated mechanisms rather than by hand, and failures of critical security controls must be detected and responded to promptly, so businesses need the tooling and processes in place to spot and respond to security incidents as they happen.

PCI compliance can seem overwhelming to the average business owner, since achieving it means learning a range of security controls and processes. With a structured approach, and help from your acquirer or a qualified assessor where needed, it is achievable.

Businesses can use various tools to achieve PCI compliance, but a well-structured compliance checklist is critical and makes the process much easier. The eight areas below map onto the standard's 12 requirements and are what every merchant should be familiar with.

Firewall: Protect cardholder data with a firewall or equivalent network security control between the cardholder data environment and untrusted networks, and restrict traffic to what the business actually needs. A firewall reduces exposure to network attacks; it does not by itself make transactions safe. Buy and use only PCI PTS-approved PIN entry devices at your POS, and only validated payment software (listed on the PCI SSC website) for your POS or website shopping cart.

Passwords: Immediately change default passwords on hardware and software as soon as you receive them from vendors. That includes your wireless router. Where passwords are used, PCI DSS 4.0 requires at least 12 characters with both letters and numbers. Use password management software to generate a random password or use the “three random words” method, and never reuse a password across systems.

Data Protection: Both physical and digital cardholder information must be strictly guarded. Store the primary account number (PAN) only where there is a documented business need, render it unreadable wherever it is stored (truncation, tokenization, strong cryptography or keyed hashing), and never store sensitive authentication data such as the CVV, full track data or PIN after authorization. Physical access to cardholder information should be restricted and monitored. Remember to log out when leaving a terminal, and configure sessions to time out after 15 minutes of inactivity.
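The hard part of this item is finding out where PAN has actually ended up: logs, exports, support tickets and backups routinely hold card numbers nobody meant to keep. The script below is an added example, not code from the article or from MobiusPay, showing the two checks a PAN discovery tool relies on (a Luhn check plus a brand prefix and length check, because Luhn alone passes roughly one in ten random digit strings) and the masking PCI DSS 4.0 allows, which is at most the first six and last four digits. The brand ranges are deliberately simplified public IIN ranges and the log lines are constructed for the example.

```python
import re
from typing import List, Optional

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit validation over a digits-only string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Simplified public IIN ranges for the major brands.

    Assumption: good enough for discovery work; production tooling uses
    full BIN tables from the acquirer or card brands.
    """
    two, four, n = int(digits[:2]), int(digits[:4]), len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if two in (34, 37) and n == 15:
        return "amex"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if (four == 6011 or two == 65) and n in (16, 19):
        return "discover"
    return None


def is_pan(digits: str) -> bool:
    """Require both Luhn and a known brand: Luhn alone accepts ~10% of random numbers."""
    return luhn_valid(digits) and card_brand(digits) is not None


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 4.0 Req. 3.4.1)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every PAN found in text (digits only), in order of appearance."""
    return [
        d
        for d in (_digits_only(m.group(0)) for m in PAN_CANDIDATE.finditer(text))
        if is_pan(d)
    ]


def redact(text: str) -> str:
    """Replace each PAN in text with its masked form; leave other numbers untouched."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if is_pan(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: an order number that fails Luhn, a reference number that
# passes Luhn but matches no brand, and Visa, Amex and Mastercard test numbers
# written in three different formats.
SAMPLE_LOG = (
    "2024-04-01T12:30:45Z order=1234567890123456 card=4111111111111111 amount=19.99\n"
    "2024-04-01T12:31:02Z card=3782 822463 10005 status=approved\n"
    "2024-04-01T12:31:09Z ref=20240401123045 card=5555-5555-5555-4444\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG), end="")
```

Run against the sample, it reports only the three card numbers and leaves the order and reference numbers alone; the reference number is the instructive case, since it passes Luhn and would be a false positive without the brand check. Point the same functions at exported logs or a database dump to find PAN that should not be there before an assessor does.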

Encryption: PCI-compliant encryption is essential. Cardholder data must be protected with strong cryptography whenever it crosses open, public networks, which for a merchant means the path from your POS or shopping cart to your payment processor or acquirer, not the link between the issuing and acquiring banks. Use current TLS (1.2 or later; SSL and early TLS are not permitted) and confirm that your POS encrypts card data before it leaves the device. A validated point-to-point encryption (P2PE) solution encrypts the card data inside the PIN entry device so it never appears in the clear on your systems, which can shrink your compliance scope considerably. Make sure your wireless network uses WPA2 or WPA3 with a strong passphrase; WEP is prohibited.

Anti-malware Software: Install anti-malware software on all systems commonly affected by malware, keep it updated with the latest versions and run scans regularly. Set up a monthly checklist/process for downloading and applying vendor patches, since PCI DSS requires critical security patches to be installed within one month of release. Otherwise, known vulnerabilities stay open on your systems.

Secure Systems: Implement a security checklist that employees must follow to protect data and ensure the security of systems and applications. This checklist should address known vulnerabilities and keep all your software up to date, including firewalls, apps and POS. Test security processes and systems frequently to make sure they are still working and improve where needed: PCI DSS calls for internal and external vulnerability scans at least quarterly (external scans by an Approved Scanning Vendor) and penetration testing at least annually. Keep an inventory of your PIN entry devices and inspect them and your PCs regularly for tampering or substitution, such as “skimming” devices or rogue software.

Cardholder Data Access: To reduce the chance of a breach, minimize the number of employees who have access to cardholder data. Grant access on a need-to-know basis, only to those who need it to perform their jobs, deny it by default, and review who still has access at least every six months so that access does not outlive the job that justified it.

Unique IDs: Assign a unique ID to each employee or user with access to cardholder data or network resources, and do not use shared or generic accounts. This lets you tie every action in your logs to a specific person and see precisely who logged in and when. Review those logs for anomalies such as logins by generic accounts, logins outside working hours and repeated failed attempts.
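The monitoring and logging emphasis described earlier and the unique-ID item above come together in the log review itself. The script below is an added example written for this article, not code from the author or from MobiusPay. It runs two checks over constructed authentication log lines: successful logins by generic or shared account names, which PCI DSS 4.0 Requirement 8.2.2 limits to documented exceptions, and a user reaching ten failed attempts within 30 minutes, the lockout limits in Requirement 8.3.4, which in a log means either a password-guessing attempt or a lockout that is not being enforced. The log format, the host and user names and the list of shared account names are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example; adapt LINE to your POS or OS auth log.
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=login result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Hypothetical generic/shared account names that should never log in interactively.
SHARED_ACCOUNTS = {"admin", "root", "cashier", "pos", "manager"}

# PCI DSS 4.0 Req. 8.3.4: lock out after no more than 10 invalid attempts,
# for at least 30 minutes; we look for that many failures inside that window.
LOCKOUT_THRESHOLD = 10
WINDOW = timedelta(minutes=30)


def parse_events(lines: List[str]) -> List[Dict[str, object]]:
    """Parse matching lines into dicts; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unrelated line; a real review would also count these
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples in chronological order."""
    findings = []
    recent_failures = defaultdict(list)  # user -> failure timestamps within WINDOW
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if ev["result"] == "success" and ev["user"] in SHARED_ACCOUNTS:
            findings.append(("shared-account-login", ev["user"], ev["host"]))
        elif ev["result"] == "failure":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:
                window.pop(0)  # slide the window forward
            if len(window) == LOCKOUT_THRESHOLD:
                findings.append(("lockout-threshold", ev["user"], ev["src"]))
    return findings


# Constructed sample: one legitimate login, a generic 'admin' login, three
# failures that stay under the threshold, and ten rapid failures against jsmith.
SAMPLE_LOG = [
    "2024-04-01T08:00:01Z host=pos-01 user=jsmith action=login result=success src=10.0.5.21",
    "2024-04-01T08:00:05Z host=pos-01 user=admin action=login result=success src=10.0.5.22",
] + [
    f"2024-04-01T08:05:{s:02d}Z host=pos-02 user=mlee action=login result=failure src=10.0.5.30"
    for s in (0, 20, 40)
] + [
    f"2024-04-01T08:{10 + i // 6:02d}:{(i % 6) * 10:02d}Z host=pos-01 user=jsmith "
    f"action=login result=failure src=10.0.9.99"
    for i in range(10)
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the sample this reports the admin login and the tenth failure against jsmith, and nothing for mlee's three failures. The point of the sliding window is that the count resets naturally: ten failures spread over a working day are ordinary typos, ten in ninety seconds from one source address are not.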

Develop clear information security policies in order to implement the above guidelines and to prove and track compliance. Policies and procedures should document how each control is maintained so that auditors can verify your compliance, and they should be reviewed at least annually. Train your employees on security and on your policies.

PCI DSS 4.0 represents a significant step forward in the fight against cybercrime, giving your business a comprehensive framework to protect payment card data and maintain the trust of new and existing customers. Whatever the size of your business, PCI compliance is a must.

Jonathan Corona has two decades of experience in the electronic payments processing industry. As chief operating officer of MobiusPay, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards mandated by the card associations, including, but not limited to, maintaining a working knowledge of BRAM guidelines and chargeback compliance rules defined in both Visa and Mastercard operating regulations.

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.
