What Every Business Should Know About PCI Compliance

Transcription

1 What Every Business Should Know About PCI Compliance

2 As technology advances, identity thieves are also finding easier ways to steal vital information such as credit card data. Businesses that accept credit card payments are especially prime targets. Becoming PCI compliant is the most important thing you can do to protect your customers and your company s reputation. What is PCI Compliance? To become PCI (Payment Card Industry) compliant, your business must adhere to a set of specific security standards created by the PCI Security Standards Council. These standards are designed to protect credit card information during and after a financial transaction. As the world grew more interconnected through technology, there was a growing need to create a compliance system that would make the global implementation of data security measures fast and easy. A Quick History of PCI DSS For many years, five of the world s biggest credit card brands (Visa, MasterCard, American Express, Discover and Japanese Credit Bureau) had their own respective compliance programs. As the world grew more interconnected through technology, there was a growing need to create a compliance system that would make the global implementation of data security measures fast and easy. Thus, these five major credit card brands joined forces to form the PCI Security Standards Council. This council created a body of security standards known as the PCI Data Security Standards (PCI DSS). The first version of the standard was released in The latest version of the standard (version 2.0) was released in October 2010 and became effective January 1, 2011.

3 What Types Of Businesses Need To Be PCI Compliant? Any business that accepts, transmits or stores cardholder data must comply with PCI standards. Aside from merchants, service providers that facilitate credit card transactions must also comply. The PCI Security Standards Council categorizes merchants into different groups. Visa, for instance, assigns merchants to a specific level according to the number of transactions they process every year. Level 1. More than 6 million transactions annually. Level 2. Between 1 million and 6 million transactions annually. Level 3. Between 20,000 and 1 million transactions annually. Level 4. Fewer than 1 million total transactions and fewer than 20,000 e-commerce transactions annually. As one would expect, the higher the level, the more stringent the data requirements will be. A small, local shop processing 10,000 orders a year will find compliance to be an easier task compared to a Fortune 500 company that processes 10,000 orders a day. As one would expect, the higher the level, the more stringent the data requirements will be. A small, local shop processing 10,000 orders a year will find compliance to be an easier task compared to a Fortune 500 company that processes 10,000 orders a day.

4 Understanding the PCI DSS To completely grasp the full breadth of the PCI standards, one will need to read all 75 pages of the PCI DSS document. Fortunately, the objectives of PCI compliance are succinctly explained by the 12 specific requirements known as the Digital Dozen. These 12 requirements are further grouped into six categories. CATEGORIES Build and maintain a secure network PCI DSS REQUIREMENTS 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Protect stored cardholder data. Protect cardholder data 4. Encrypt transmission of cardholder data across open, public networks. Maintain a vulnerability management program Implement strong access control measures 5. Use and regularly update anti-virus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need-toknow. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.

5 Common Myths Being PCI compliant means our system is completely hack-proof While being PCI compliant tremendously enhances your data security, it does not make your network invincible against hackers. Successfully completing a system scan or a PCI assessment is not a guarantee that your system will be impermeable to threats. PCI compliance should be a continuous effort. It s your organization s responsibility to remain vigilant and dutiful in observing data security measures. PCI compliance is for the IT staff to figure out Yes, your IT department handles the technical and operational aspects of your system, but PCI compliance is everyone s job. Noncompliance will affect not only your IT team, but your entire organization. There should be a clear set of information security policies that everyone in your company must learn and follow. My business is too small to bother with PCI compliance It doesn t matter if you process only five credit card transactions in a year or even fewer than that. Any merchant that accepts credit card payments, no matter how small, is required to be PCI compliant. Becoming PCI compliant is such a long and complicated process The steps toward PCI compliance are already the best practices in data security. The PCI DSS is very detailed and designed to help businesses achieve compliance in the most efficient manner. PCI compliance is only for e-commerce businesses The PCI DSS clearly states that compliance is required from every organization that stores, transmits, or processes credit card information. This includes retail point-of-sale services and even mail/phone orders. We don t need to be PCI compliant since we don t store credit card information Your system may not store credit card information, but if it processes or transmits credit card data over a network (Internet, telephone, fax, etc.), you still need to be PCI compliant. The only way to avoid PCI compliance is if credit card information never passes through your own servers. Successfully completing a system scan or a PCI assessment is not a guarantee that your system will be impermeable to threats. PCI compliance should be a continuous effort. It s your organization s responsibility to remain vigilant and dutiful in observing data security measures.

6 My hosting provider and the payment gateways I use are PCI compliant. This automatically makes my business PCI compliant. Using PCI compliant hosting providers and payment gateways are only a small part of adhering to PCI standards. One must remember that there are other PCI requirements that need to be met outside of the Web environment. After all, PCI guidelines don t just cover network security, but the physical security of data as well (e.g. encrypting card holder data, controlling access to data, employee training programs, etc.). Making Your PCI DSS Compliance Successful Don t procrastinate Some merchants wait until their business grows bigger or until their bank advises them to become PCI compliant before they start taking action. The best time to start planning your PCI compliance is now. Start as early as possible. The moment your business decides to accept payment cards is the moment you should begin planning your PCI compliance project. One must remember that there are other PCI requirements that need to be met outside of the Web environment. After all, PCI guidelines don t just cover network security, but the physical security of data as well. Create a clear-cut plan PCI compliance is a company-wide effort. The roles of each department should be clearly defined. Create a core team and ensure that this team receives adequate support from senior management. Develop a project plan that clearly outlines objectives, success parameters, budget limitations, risks, milestones and target dates. Limit your scope Identify what constitutes the cardholder data environment and set specific boundaries. If you fail to segregate your system components adequately, your entire network will be subject to PCI assessment. Defining your scope prevents you from going beyond project estimates. If you don t need it, don t store it It is absolutely important to identify all your assets and data flow for business operations. It s difficult to protect information that you don t even know exists. Knowing all assets helps you recognize what type of information should be stored and what type should be discarded.

7 Your organization should have a clear idea of what qualifies as cardholder data and accordingly, which part of that data should be protected and which part could be disposed of. Dutiful documentation is vital This simple yet important requirement is often overlooked. Religiously documenting all implemented controls provides repeatability and reproducibility of intent. Documents also serve as evidence of implementation effectiveness. Business Benefits of PCI Compliance Increased security Protection from costly penalties Boost in customer confidence Enhanced credibility and reputation Religiously documenting all implemented controls provides repeatability and reproducibility of intent. Documents also serve as evidence of implementation effectiveness. What Are The Penalties For Non-Compliance? Non-complying organizations can be hit with hefty penalties that could run up to thousands of dollars. Consistent violators may have their transaction fees increased. A credit card company could even go as far as revoking a merchant s ability to accept their credit cards. Can PCI Compliance Be As Easy As 1-2-3? If you ask BullsEye Telecom, the answer is yes. Our company is a recognized world leader in PCI DSS enablement. In fact, we have a strong partnership with Mako Networks the first network management company in the world to be PCI DSS certified. Together with Mako Networks, Bullseye Telecom will fully manage your PCI compliance and ensure that implementing the required standards is quick and easy.

8 Why Choose BullsEye Telecom? For more than a decade, BullsEye Telecom has consistently been the leading provider of voice, data and wireless solutions. In 2005, Inc. Magazine recognized us as one of the fastest-growing privately held companies in the country. Our strong commitment to excellence has helped us achieve continued success over the years. PCI Enablement with BullsEye Telecom: A simple and cost-effective solution BullsEye Telecom has a strong partnership with Mako Networks the world s first PCI DSS certified network management company. Together with Mako, we offer world-class security technologies to protect your data and keep threats at bay. By utilizing a cloud-based Centralized Management System, we can: In 2005, Inc. Magazine recognized us as one of the fastestgrowing privately held companies in the country. Our strong commitment to excellence has helped us achieve continued success over the years. Help you implement the same architecture across large numbers of geographically distributed retail locations. Provide you with more security and PCI compliance than MPLS (Multiprotocol Label Switching) alone. Give you a complete, fully managed security solution Allow you to quickly and easily lock down computer and payment networks A cloud-based system is easy to deploy and it offers the convenience of centralized logging and reporting PCI compliance doesn t have to be expensive or difficult. Talk to BullsEye Telecom and discover a cost-effective solution today. Talk to us!