In the previous article, A Brief History of PCI Compliance, we discussed why you need to be PCI compliant and how the compliance requirement came about in the first place.
In this article, we will offer a few tips on PCI basics. A quick word before we begin, however. This article is not intended to make you PCI compliant, only to offer a road map for getting started. The only person who can make your business PCI compliant is you (or your security partners or IT personnel). There are technologies we will recommend, but this is no replacement for diligence on your part in complying with all of the tenets of the PCI DSS format, which you can find right here.
Step 1 – Software
The first step in being compliant is the software you’re using, and not just for your point-of-sale system. Sure, the software that’s collecting payment is critical, and here at DCR we are very aware of the need for secure software. All the software we presently install may be found on the list of “Validated Payment Applications.” We have also taken steps to inform customers of ours who are using older versions of software that they need to upgrade or purchase new equipment to promote compliance. Again, the use of appropriate software alone does not make you compliant, but it’s certainly key. But the point-of-sale software isn’t the only thing that needs to be secure. Every application installed on a computer where credit card information is stored (or just passes through!) must be on the list linked above. Whether it’s the operating system, like Windows XP or Windows 7, or the program you use to stream radio, it must be validated. And these validations change all the time. For example, Windows XP will be abandoned by Microsoft for future security updates, and, as of April 8, 2014, will no longer be a PCI-certified operating system. Compliance with PCI DSS is an ongoing process, not just a one-and-done proposition. Your software will need to be monitored for compliance in an ongoing fashion. Convenient? Of course not. Important? Absolutely.
Step 2 – Network
Next is the computer network. A lot of businesses these days offer wireless internet to their customers. While that is certainly convenient, it is essential that you do not share the network on which your credit card transactions are processed with any wireless access points. The technology to steal data transmitted wirelessly is too prevalent. Moreover, anyone who connects to your wireless network may be capable of getting information from any computer connected to that network. We always place a firewall between the point-of-sale network and the modem, but it’s best to run two entirely different networks – one wireless for customers, one secured for payment processing.
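To make the segmentation point concrete, here is an added example (our own illustration, not DCR's code or part of the original article) that models a small first-match firewall policy and checks whether a guest wireless subnet can reach the point-of-sale network. The subnets, the payment gateway address and the rule sets are constructed placeholders; the "flat" rule set stands for the shared-network setup the article warns against, and the "segmented" set for the two-network design it recommends.

```python
"""Added example: verify network segmentation between guest wifi and POS.

Subnets, ports and rules are constructed for illustration (assumed, not from the
article). The evaluator is a simplified first-match, default-deny model of the
kind of filtering a firewall between the POS network and the modem performs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dst_port: Optional[int] # None matches any destination port


# Constructed addressing plan (assumed):
GUEST_WIFI = "192.168.50.0/24"       # customer wireless network
POS_LAN = "10.10.0.0/24"             # registers and back-office PC handling card data
PAYMENT_GATEWAY = "203.0.113.10/32"  # documentation address standing in for the processor

# Weak setup: one flat network, everything permitted.
FLAT_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# Segmented setup: POS may reach the processor over HTTPS only; guest wifi may reach
# the internet but never the POS subnet; everything else falls through to default deny.
# Rule order matters because the first match decides.
SEGMENTED_RULES = [
    Rule("deny", GUEST_WIFI, POS_LAN, None),
    Rule("allow", POS_LAN, PAYMENT_GATEWAY, 443),
    Rule("deny", "0.0.0.0/0", POS_LAN, None),
    Rule("allow", GUEST_WIFI, "0.0.0.0/0", None),
]


def _matches(rule: Rule, src_ip, dst_ip, dst_port: int) -> bool:
    return (src_ip in ipaddress.ip_network(rule.src)
            and dst_ip in ipaddress.ip_network(rule.dst)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def is_allowed(rules: List[Rule], src: str, dst: str, dst_port: int) -> bool:
    """First matching rule decides; no match means the flow is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, dst_port):
            return rule.action == "allow"
    return False


def segmentation_violations(rules: List[Rule]) -> List[str]:
    """Probe the flows a reviewer would check and report any with the wrong outcome."""
    expectations = [
        # (description, src, dst, dst_port, should_be_allowed)
        ("guest laptop to register file sharing", "192.168.50.23", "10.10.0.5", 445, False),
        ("guest laptop to register web UI", "192.168.50.23", "10.10.0.5", 80, False),
        ("register to payment gateway", "10.10.0.5", "203.0.113.10", 443, True),
        ("internet host to register remote desktop", "198.51.100.7", "10.10.0.5", 3389, False),
        ("guest laptop to internet", "192.168.50.23", "198.51.100.7", 443, True),
    ]
    findings = []
    for desc, src, dst, port, expected in expectations:
        actual = is_allowed(rules, src, dst, port)
        if actual != expected:
            findings.append(
                f"{desc}: {'allowed' if actual else 'blocked'}, "
                f"expected {'allowed' if expected else 'blocked'}"
            )
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        problems = segmentation_violations(rules)
        print(f"{name} network: {'OK' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

Running it reports three failures for the flat network (every guest or internet path into the registers is open) and none for the segmented one. The same probe list is useful after any change to the firewall or wireless setup, since the article's point is that compliance is ongoing rather than a one-time configuration.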
Step 3 – Physical Security
Along with network security, there is a component of physical security. What it comes down to is this: who has access to the computers that store or process credit cards, and how do you account for it? Whether it’s a surveillance camera used to monitor the traffic in and out of your office or rotating passwords on that computer, you must be able to say who had access to your computer and when in the event of a security breach. PCI DSS has a number of requirements that address this, but the big takeaway is that you will need to place any sensitive data on a computer that is monitored and secure. Every user of that computer should have his or her own password, and the office should be kept locked. There are myriad other requirements, but it bears repeating that you must be able to account for any and all access to any workstation that has credit card data transmitted through it. For most, this is the biggest change to their operation, as it requires that those who normally don’t get into the nuts and bolts of their computer’s operation must learn some PC security basics.
Step 4 – Rethink
As we’ve stated before, none of this makes the job of running a business any easier and, in fact, complicates daily duties quite a bit. Being PCI compliant means that business processes and habits that may have been in place for years must be reevaluated and altered to fit a more secure framework. Unlike years past, the security of your payment data must be considered a priority, in the same way you ensure your doors are locked at night and your cash is kept in a safe. If you begin to think about your credit card data in the same way you think of your physical deposit, you’re on the way to the mindset PCI compliance requires. In many ways, it’s more important, as gaining a reputation for being a place where consumer data is not safe can be far more costly than mishandling a day’s cash deposit.
PCI compliance is a drain on labor and time, but it is a fact of life in the digital age. There is an entire cottage industry made up of companies who promise to make you compliant, but only you, the owner or manager, can truly create a compliant atmosphere. The first step is understanding why this data should be kept safe and, with that understanding, how much the processes by which data is stored and transmitted matter.
We at DCR are happy to answer basic questions about your business’s compliance, but we cannot make your business secure. Only you can do that.