What is PCI?
PCI DSS stands for Payment Card Industry Data Security Standard, a set of protective measures for cardholders enforced by the PCI Security Standards Council. It consists of 12 requirements organized into six groups: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy (Secure Works).
Who does PCI Compliance Apply to?
The PCI standards apply to any business or organization that accepts credit card payments. This includes non-profits, schools, religious organizations, and home businesses.
What does Compliance Entail? (Security Metrics)
1. Protect your system with firewalls – Firewalls serve as the first line of defense for your network. They filter incoming and outgoing traffic, enforce restrictions on what is allowed through, and protect against malware and other cyber threats.
2. Configure passwords and settings – Never leave default passwords in place on devices such as routers.
3. Protect stored cardholder data – Encrypt stored cardholder information and data with the proper algorithms.
4. Encrypt transmission of cardholder data across open, public networks – Know everywhere cardholder information is transmitted to, and always use encrypted communications when sending it.
5. Use and regularly update anti-virus software – Update your anti-virus software and run anti-virus scans weekly.
6. Regularly update and patch systems – All software and applications have flaws. Patches fix those flaws and help protect your network. Stay current on patches, as they tend to be time sensitive: attackers often share knowledge of exploitable holes with one another.
7. Restrict access to cardholder data by business need-to-know – Restrict access to information to only those employees who need it to do their job.
8. Assign a unique ID to each person with computer access – Give each user a unique account and password. Avoid easily guessed choices such as dates and the names of relatives or pets.
9. Restrict physical access to workplace and cardholder data – Although cyber attacks concern us the most, protecting access to physically stored data matters just as much. Keep information in secure locations like locked offices.
10. Implement logging and log management – Logging information about actions taken on systems helps detect any anomalies that might signify a security breach.
11. Conduct vulnerability scans and penetration tests – Vulnerability scans search your systems for weaknesses that attackers might exploit. Penetration testing is like a scrimmage for your network security: the testers attempt to penetrate the network through the identified vulnerabilities to test how strong its defenses really are.
12. Documentation and risk assessments – Keep legal documentation of your company’s security practices. From contracts to policies and procedures, make sure everything is documented and easily accessible.
PCI compliance sets regulations for protecting customers’ information, but it also sets the standard for organizations’ network security. Almost all organizations use online payment methods for the convenience of their users. Look at churches in the United States: they set up websites and mobile apps so members can tithe by card rather than dropping the classic check in the offering plate. Many churches fail to realize that, because they offer online payment or giving options, PCI DSS requires them to comply with its standards. Similarly, small business owners often lack the network security PCI DSS requires. Adherence to these regulations calls for a dedicated IT team that small business owners cannot afford, let alone find the staffing for.
Managed IT services reduce the cost of IT management and staffing while still providing expert work and secure networks. Origami Technology provides all the services necessary to keep your network up to PCI DSS standards. If you have questions about our services or are worried about the state of your network security, reach out to us at email@example.com.