PCI DSS Guidance
Sometimes all it takes is a little understanding to get a feel for the PCI DSS. The details can be complex and time consuming, but a little guidance can help you understand why it is necessary.
The PCI DSS applies to any merchant who collects, stores, or transmits credit card information. This is a series of 12 requirements created by the five major credit card companies to ensure a certain level of standardized security measures.
The PCI DSS allows a certain amount of sensitive information storage on your site, but generally encourages merchants to keep such data storage to a minimum. There is also information that you are forbidden to store at all. But for everything that you do store you are required to add protection for it. The details of this can be complex and time consuming, and as such, many companies have chosen to delay PCI compliance.
A merchant can find a lot of PCI DSS guidance from different sources. This could include the PCI SSC (Payment Card Industry Security Standards Council) website. Here you can find some helpful documents like the Self Assessment Questionnaire (SAQ). This tool is an efficient means to find out where your compliance efforts are sufficient, and where you need to spend more time. On top of that, though, the SAQ is the perfect way to prove that you are taking the proper steps toward PCI DSS compliance.
Sometimes all it takes is a little understanding to get a feel for these requirements and realize that, complex though they may be, they are also in the best interest of your company. It only takes a little extra guidance to see that.
You begin by installing a firewall. All systems that contain sensitive information must be guarded against unauthorized users. Internet users can try to access your system through e-commerce, employee access points, or employee e-mail. Firewalls are necessary to protect your system against many otherwise unprotected avenues of access.
When you install a new security system you must be sure to change vendor-supplied passwords and other default security parameters. These passwords are practically public domain as far as the hacker community is concerned. Passwords must be strong and well guarded.
The third requirement of the PCI DSS seems, at first, to be fairly broad. It simply states that you must protect cardholder data. In fact, though, there are quite a few individual security controls in this requirement, including encrypting stored data, keeping stored data to a minimum, and other guidelines of what can and cannot be stored at all. There are even guidelines that deal with the storage and protection of encryption keys.
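As an added illustration of the storage controls in the third requirement (not code from the original article or from any PCI SSC publication), the following Python function prepares an authorization record for storage. The standard forbids keeping sensitive authentication data (card verification code, full track data, PIN) after authorization, and requires that a stored PAN be rendered unreadable, for example by truncation or a keyed one-way hash; the field names, the record contents and the demo key below are constructed for the example, and a real deployment would take the key from a key management system.

```python
import hashlib
import hmac
import os
from typing import Any, Dict

# Sensitive authentication data: never stored after authorization, so these
# fields are dropped unconditionally. The field names are constructed for
# this example; real records will use whatever your gateway emits.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# Hypothetical key source. The fallback value exists only so the example
# runs offline; it is a constructed placeholder, not a usable key.
_TOKEN_KEY = os.environ.get("PAN_HMAC_KEY", "constructed-demo-key-do-not-use").encode()


def _digits_only(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' agree."""
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Truncate a PAN for display: at most the first six and last four digits."""
    digits = _digits_only(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("value does not look like a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = _TOKEN_KEY) -> str:
    """Keyed one-way hash of the PAN, usable as a stable lookup reference.

    A keyed hash is one of the unreadable forms the standard accepts; an
    unkeyed hash of a 16-digit number would be trivially brute-forced.
    """
    return hmac.new(key, _digits_only(pan).encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return the subset of an authorization record that may be stored.

    Sensitive authentication data is removed, and the PAN is replaced by a
    masked display form plus a keyed-hash token. Everything else passes
    through unchanged (data minimization beyond this is a business decision).
    """
    stored: Dict[str, Any] = {}
    for field, value in record.items():
        name = field.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue
        if name == "pan":
            stored["pan_masked"] = mask_pan(value)
            stored["pan_token"] = pan_token(value)
            continue
        stored[field] = value
    return stored


if __name__ == "__main__":
    # Constructed sample record using a well-known test card number.
    raw = {
        "order_id": "8812",
        "pan": "4111 1111 1111 1111",
        "cvv": "123",
        "track2": "4111111111111111=25121010000000000000",
        "expiry": "12/25",
        "amount": "19.99",
    }
    for k, v in sanitize_for_storage(raw).items():
        print(f"{k}: {v}")
```

The masked form is what a receipt or back-office screen shows; the token lets you find every transaction for the same card without ever holding the clear PAN in that table. If the business needs the full PAN back (for refunds or recurring billing), that copy belongs in a separate store protected with strong cryptography and the key-management controls the requirement describes, not in this record.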
The next requirement is similar, and states that you must also guard information by encrypting it for transmission. Hackers will often attempt to intercept, modify, or divert data while it is in transit.
Anti-virus software is also necessary. Malicious attacks or accidental infections by viruses can cause severe damage to a system. You need to have a program that can defend against all types of malicious software, and you must keep it continually up to date.
You must also make sure that your systems and applications are up to date with the necessary security patches. Sometimes there are known exploits for a system which can lead to severe breaches. These must be sealed as quickly as possible.
Access to your systems must be limited as well, which includes digital and physical access. Only those with a business need-to-know should have any access. And on top of that, each person with access should be assigned a unique ID. This way you can more readily track and log actions taken on a system and discover the source of any problems.
Monitoring and tracking are necessary for a couple of reasons. One is to help you detect any problems and know how to react to them. Another is that this is a good way to show your compliance with the PCI DSS. You should also document your testing procedures for the same reason.
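One concrete monitoring check that ties the logging requirement back to the storage rules above is scanning application logs for card numbers that were written out in the clear, since a log file is storage too. The script below is an added example, not code from the original article; the log lines are constructed, and the Luhn check-digit test is used to separate real card numbers from other long digit strings such as session identifiers. Findings report the number already masked so the report itself does not leak what it found.

```python
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: true for every real PAN, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """First six and last four only, so a finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return the masked form of every Luhn-valid card number in one log line."""
    found = []
    for m in _CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan a log and return (line number, masked PANs) for each offending line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_pans(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log. Line 1 leaks a PAN, line 2 is correctly masked,
# line 3 carries a 13-digit session id that fails Luhn, line 4 leaks a PAN
# inside an error message (the usual place these turn up).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO order=8812 user=jsmith pan=4111 1111 1111 1111 amount=19.99",
    "2024-05-01T10:00:05Z INFO order=8813 user=jsmith pan=411111******1111 amount=5.00",
    "2024-05-01T10:00:09Z DEBUG session=1234567890123 ttl=3600",
    "2024-05-01T10:01:00Z ERROR gateway timeout card=5500-0000-0000-0004 user=svc_batch",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: unmasked PAN(s) {hits}")
```

Run against real logs, each finding is a defect to fix at the source (the code path that logged the value) and a record to purge, and the count over time is evidence for an assessor that the control is actually exercised rather than merely documented.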
Finally, all the PCI DSS guidance in the world isn't worth much if you're not providing the same guidance to the rest of your company. In order to ensure the right level of security for the PCI DSS one must make sure that everyone in the company understands their own responsibilities to protect consumer information, and, by extension, the entire company.
Andy Eliason is a writer for Main10, Inc. If you'd like to learn more about the PCI DSS, or becoming PCI compliant, visit Braintree Payment Solutions.