We get asked a lot about PCI-DSS compliance and credit-card security in general. Here are the answers to the most frequent questions:
What risks are involved with handling credit-card data electronically?
You can be fined up to $500,000 per data breach, and costs range from $90 to $304 per individual customer record compromised. Due to California reporting requirements, it is very possible your company will end up on the nightly news, and you can be sued by customers.
What are the 12 mandated security requirements?
1. Configure and maintain a perimeter firewall to isolate network traffic to credit-card processing equipment
2. Use strong passwords (not equipment defaults) for all systems and other security parameters
3. Secure data at rest on hard drives and in memory
4. Encrypt cardholder data and customer information in transit across unsecured networks
5. Maintain up-to-date anti-virus software
6. Develop, maintain and update systems and applications
7. Restrict permissions to sensitive data to employees who require access
8. Maintain separate authentication credentials for each employee with access rights
9. Physically secure data and systems
10. Keep and review access logs for resources and data
11. Perform regular testing of procedures and systems
12. Develop, implement and train staff on your security policy
What are the benefits of being PCI-DSS compliant?
1. Credit card companies will absolve you of financial responsibility for some kinds of data breaches if you maintain PCI compliance.
What are the different requirements for various businesses?
There are four levels, determined by the number of transactions you process per year of a single card type. For example, if you process 5,000,000 Visa and 3,000,000 MasterCard transactions annually, you are only required to complete level 2, even though together you process more than the 6,000,000 transaction limit for level 3.
How to Get Started
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area.
2. Determine your merchant level (1-4).
3. Determine which SAQ your organization will need to complete.
4. Evaluate whether your organization will try to achieve compliance internally or engage with a Qualified Security Assessor (QSA).
5. Engage with an Approved Scanning Vendor (ASV) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced.
7. Immediately address any significant deficiencies discovered during the assessment or scan.
8. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.
What should you do if breached?
In the event of a security incident, merchants must take immediate action to:
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise.
2. Alert all necessary parties. Be sure to notify:
   * Merchant Account Provider
   * Visa Fraud Control Group at (650) 432-2978
   * Local FBI Office
   * U.S. Secret Service (if Visa payment data is compromised)
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report.
Header Image Courtesy JungleCrow Creative Commons 3.0