How To Be PCI DSS Compliant and Protect your Business from Cyber Threats
And now the rest of the story……
How can you make sure all the Cyber attack bad guys take the target OFF your back?
The key is to make sure your business is PCI DSS compliant. Why? First, PCI compliant businesses rarely, if ever, have been successfully hacked. Second, if your business is successfully hacked, you are not liable for any fines or charges (except possibly audit fees).
Here’s how to make your business PCI DSS compliant.
Know the Requirements for PCI DSS Compliance
You need to know what you have signed up for and what is required for your business to be compliant. If you don’t, you won’t know what steps you need to take in order to secure your business.
There are two main types of PCI compliance, environment (network) and transactional.
Many businesses purchase a PCI DSS compliant POS and think that they are compliant. In reality, this kind of compliance relates only to credit card transactions and not to your business environment/network, which must also be PCI compliant.
The network environment in which your POS equipment resides is just as important an aspect of PCI compliance as your transaction system.
A detailed list of all compliance areas can be found at PCI’s Quick Reference Guide.
PCI’s quick and dirty list is as follows:
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers, receipt printers, or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords (a mix of upper and lower-case letters, numbers and special characters). Be sure to change default passwords on hardware and software – most are unsafe!
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI standard.
- Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
- Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.
There are two main ways to make your business more secure and PCI DSS compliant
- Hire a PCI DSS Qualified Security Assessor (QSA)
The big downside to hiring a QSA, is cost. You have to pay the QSA fees, which are generally quite expensive.
One quote I checked on, charged a base $5,000 fee plus $200 for every hour. On top of that, you have to pay for the equipment/software to fix whatever problems the QSA finds, which is also costly.
Figuring out PCI DSS compliance for yourself can seem a daunting task. However, just because you’re not hiring a QSA does not mean it cannot be done or that you have to do it without help.
Here is how to do it
- Educate Yourself
- Secure your Payment Network
- Use a Security Software that Tests for Vulnerabilities
- Fill out and turn in your PCI DSS Self-Assessment Questionnaire
This has already been generally addressed above. Here is the link again for the quick reference PCI DSS compliance guide. Although it is a bit rough to get through, it is only 33 pages and is important to read if you plan on monitoring PCI DSS compliance for yourself.
Secure your Payment Network
I recommend 3 main action steps every small business can take to make their network more secure and compliant.
1. Install a Proper Firewall
A proper firewall protects hackers from stealing information from your business.
2. Have a separate network for payment services
Separating your payment network from your other business networks means hackers cannot access sensitive card data from anywhere in your general business network. Instead, they have to hack your payment network specifically, which with the proper firewall in place will make their task much more difficult.
3. Change Usernames and Passwords every 90 days or so on all access points
Make sure you change default usernames and passwords as soon as you can, because they are rarely secure. Then, change usernames and passwords every 90 days. Most network providers have their own how-to document available detailing how to do this.
Use a Security Software that Tests for Vulnerabilities
There are various software options available that test your network and payment terminals for breach vulnerability and PCI security compliance. Check with your payment processor first, some offer free PCI DSS testing software as part of their package.
At Ignite Payments, powered by First Data, my recommended merchant services provider, we partner with TrustWave, giving our clients access to PCI compliant testing at no additional charge.
Fill Out Your PCI DSS Self-Assessment
Here at First Data we use our own online assisted questionnaire to make your experience efficient and as simple as possible at http://www.pcirapidcomply.com.
We also include TransArmor to every merchant, which turns every card number into a token, a series of blips and bleeps that mean nothing to a hacker.
All this along with Triple DES encryption and $100,000.00 Liability coverage if you are ever compromised. First Data offers the most secure system in the industry.
If A Breach Happens To You
If you suspect a breach, contact your payment processor or merchant bank and let them know that a possible security breach has been detected. They will then go over protocol and determine what should be done.
Check your state’s regulations to see who you are supposed to inform. In most cases, you must let customers know that there has been a possible security breach, usually in writing.
Generally, you also should alert your local law enforcement agency. Check with your legal advisor and/or your payment processor to be sure the cyber security and PCI DSS compliance status of your small business is an important issue.
If you follow this guide and take the necessary steps, your business will be more secure than many other small businesses out there and will be prepared should a cyber attack actually take place.
More Later…………… !