
What does it take to be PCI compliant?

The 12 basic PCI standards every business must follow

PCI-DSS (Payment Card Industry Data Security Standard) is a security standard developed by the major card brands (Visa®, MasterCard®, Discover®, American Express® and others) to help merchants protect credit cardholder data. If you accept credit cards, you are required to be PCI compliant to protect your customers’ data and to safeguard against the threat of a data compromise, also known as a breach.

There are 12 standards in the PCI-DSS.  Each standard is further developed into a series of action steps that merchants who take credit cards must achieve.  For the purposes of this article we are going over the 12 standards at a high level, and have broken the standards down into their six subgroups.  Each requirement has sub-requirements that must also be followed.

1. Build and Maintain a Secure Network

  • Standard 1:  Install a firewall.
    • This will better enable you to protect card data. This helps to protect your network from intruders.  All other standards build on this initial step.
  • Standard 2:  Schedule password changes.
    • Passwords should be changed every 90 days.  Once established, keep to that schedule.  When you update the passwords, use complex passwords with numbers, letters, and even special symbols like “!@&.”  Never use factory default passwords like “Password1,” which a hacker can guess easily.  Hackers use specific strategies to guess your passwords, don’t make it easy on them!

2. Protect Cardholder Data

  • Standard 3:  Protect any stored data. 
    • Ensure that your POS software protects stored card numbers and data, and is otherwise encrypting data and storing it in a compliant manner.
  • Standard 4:  Encrypt data.
    • Ensure that your software is encrypting data during processing of the transaction.

*Helpful tip:  Using a POS system that has been certified for the safe handling of data can help you meet these two requirements.  Check with your POS dealer.
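One check a practitioner would run against Standard 3 is to confirm that stored records and exports contain no full card numbers. The following Python script is an added example, not code from this page or from Vantiv: it scans constructed sample records for 13-19 digit runs, confirms them with the Luhn check used for card numbers, and reports only the masked form, never the full number.

```python
import re

# Constructed sample records, as a POS export or log might contain them.
# The card numbers are well-known industry test numbers, not real accounts.
SAMPLE_RECORDS = [
    "2024-03-01 sale #1041 card=4111111111111111 amount=42.10",   # full PAN
    "2024-03-01 sale #1042 card=************1111 amount=19.99",   # masked, fine
    "2024-03-01 sale #1043 card=5555 5555 5555 4444 amount=7.50", # full PAN, spaced
    "2024-03-01 sale #1044 invoice=1234567890123456 amount=3.00", # digits, not a PAN
]

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; every payment card number passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the usual masked display format."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(line):
    """Return the full card numbers found in one line (caller must not log them)."""
    found = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan(records):
    """Report (record number, masked PAN) for every unprotected card number."""
    findings = []
    for n, line in enumerate(records, 1):
        for pan in find_unmasked_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings
```

Run `scan(SAMPLE_RECORDS)` to see that records 1 and 3 are flagged while the masked number and the invoice number are not.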

3. Maintain a Vulnerability Management Program

  • Standard 5:  Use anti-virus software.
    • Use the anti-virus software that is likely included with your internet subscription or was included with your POS or desktop computer.  Keep your anti-virus up to date and always on.  This is a simple step to help maximize the cyber security at your business.
  • Standard 6:  Update your software.
    • Keep your systems secure by regularly running vendor-supplied software updates. Most, if not all, software updates are provided directly to your system and do not require any additional purchase. Simply allow your computer to update when restarting, and ensure that your systems are in top shape. When in doubt, ask your POS reseller if there are any missing patches or software updates.

4. Implement Strong Access Control Measures

  • Standard 7: Restrict access to your POS.
    • Only allow access to customer data by those who have a legitimate business need for it. The customer data that you use when processing transactions or maintaining a customer database is viewed like gold by hackers and data thieves. You wouldn’t let just anyone have the code to your safe or a key to the business; don’t allow just anyone at your business to access sensitive customer data either.
  • Standard 8:  Provide unique IDs.
    • Everyone who accesses your POS system should have their own unique login credentials. Do not allow your employees to share these credentials. If you allow employees to share logins, a hacker need only gain access to one login to have access to the entire system. Having unique logins for every employee also allows you to pinpoint problematic users.
  • Standard 9:  Secure your physical computers.
    • Keep physical access to your POS system and any other computing device that holds cardholder data and information restricted.

5. Regularly Monitor and Test Networks

  • Standard 10:  Monitor networks.
    • Monitor your networks to ensure that the steps you have taken in standards 1-9 are reflected by the data that your computer has logged.  Are the appropriate IDs logged in on the appropriate dates? Is there any program running on the POS system that is not authorized? Are the firewalls still configured properly and antivirus running correctly? And so on.
  • Standard 11:  Test your security.
    • Perform standards 1-10 and then go back and make sure that each step is working: open the anti-virus icon and make sure that it has recently updated, make sure that the computers that run your business have been allowed to restart and receive the updates.
    • Additionally, vulnerability scans from an Approved Scanning Vendor should be run at minimum once per quarter. These scans are automated, non-intrusive scans that assess your network and web applications from the external facing IP address. The scan identifies vulnerabilities that a hacker could use to gain access into your network.

6. Maintain an information security policy

  • Standard 12:  Maintain an information security policy.
    • While you may have a physical security policy mandating that the last person at your business locks the door and sets the alarm, it is just as important to create an information security policy.  Then, train your employees to follow it.  When processing credit cards, data security can be just as important and impactful to your business as physical security.
    • A company’s information security policy ensures that there is a process to protect sensitive data for all personnel. A company’s security policy should identify the process for how, and how often, a risk assessment is performed. You should also identify a process for training all staff on the security policy, administering user accounts and authentication management, and making sure that all employees have read and understood the security policy. You should also create a process for engaging third party service providers, and an incident response plan. What do you do in the event of a breach? You can document this process so that employees can refer to it in the unfortunate event of a breach.

Ready to get started?

If you aren’t sure how to execute any of these steps, you are not alone.  Many services have been developed since the dawn of PCI-DSS to assist merchants with the steps.  Additionally, since many merchants are required to document the steps that their business is taking via the “Self-Assessment Questionnaire” (SAQ) many merchants experience analysis paralysis and don’t even start. 

We recommend that you get started and take advantage of a PCI compliance assistance service. Compared with the do-it-yourself method, which cannot check off all of these standards on its own if you are required to perform vulnerability scans from an Approved Scanning Vendor, the services designed by experts to help merchants comply with PCI-DSS are actually quite affordable. How much is your time worth? Are you the only one at your business who can do what you do? Then allow an expert in PCI to assist you with PCI-DSS security and compliance.

Vantiv Integrated Payments offers a solution to help you with PCI compliance and it is built on the award winning POS integrations, service and support that Vantiv Integrated Payments is already known for.  Contact us to learn more.

Visa, MasterCard, American Express, and Discover are registered marks belonging to one or more unaffiliated third parties that do not endorse or sponsor Vantiv Integrated Payments, LLC. 

The foregoing is provided for information purposes only, and is not legal advice. You should review your compliance obligations with your own legal or other advisors.
