If you accept credit card payments, you must comply with PCI standards. Brien Posey explains what all the data security requirements actually mean for you.
Any organization that accepts credit card payments is required to be PCI (payment card industry) compliant. Since this requirement applies regardless of the size or scope of the organization, it's worth talking about a few of the things you should do to become PCI compliant.
1: Familiarize yourself with the requirements
The first step is to familiarize yourself with the requirements. The PCI Security Standards Council (SSC) provides the official requirements and supporting documents. You can also download a handy quick reference guide, which tends to be easier to understand than the unabridged documentation.
2: Don't stop at generic compliance
One of the most important things you need to know about PCI compliance is that adhering to the PCI DSS (data security standard) might not be enough. The PCI SSC is responsible for establishing and maintaining the PCI DSS, but every card provider (Visa, MasterCard, American Express, etc.) has its own compliance program. So each credit card provider is free to augment the PCI standard as it sees fit. To be truly PCI compliant, your organization must adhere to the data security requirements for each type of card it accepts.
3: Create good documentation
Several of the PCI DSS requirements revolve around documentation. In some cases, the requirements focus on the documentation of procedures. In other cases, they center on the use of audit logs. Each organization is responsible for determining the documentation requirements and adhering to them. The documentation requirements include:3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. 9.4 Use a visitor log to maintain a physical audit trail of visitor information and activity. Retain the log for at least three months unless otherwise restricted by law. 10.2 Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of identification and authentication mechanisms; initialization of the audit logs; creation and deletion of system-level objects. 10.3 Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource. 10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis. 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
4: Don't forget about paper
Although most of the PSI DSS requirements focus on information systems, PCI compliance is not just concerned with cyber security. Because the purpose of PCI compliance is to safeguard cardholder data, it's as much about protecting paper as it is about protecting electronic data. For example, requirement 9 contains several guidelines that pertain to data that's stored on paper:9.6 Physically secure all paper and electronic media that contain cardholder data. 9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. 9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data. 9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons.
5: Be aware of wireless network complications
Many of the PCI standards focus on the isolation of cardholder data. Understandably, several of these requirements center around the proper configuration and vulnerability testing of wireless networks. Although not always practical, some organizations may find it easier to achieve compliance if they use a wired network rather than relying on wireless hardware.
Organizations that continue to use wireless hardware are required to test for the presence of unauthorized wireless access points at least quarterly. It is also worth noting that PCI standards prohibit the use of WEP encryption.
6: Protect your administrative accounts
PCI-compliant organizations are not allowed to use generic, built-in administrative accounts. Instead, each employee must have his or her own account when performing administrative tasks. That way, the audit logs will specify who performed each action rather than simply indicating that an action was performed by "administrator."
7: Be careful about outsourcing
Although the PCI standards focus primarily on merchants who accept credit cards, the requirements for an organization to be PCI compliant can also extend to partners and service providers if those organizations are exposed to cardholder data. According to requirement 12.8, if cardholder data is shared with service providers, those service providers are required to be PCI compliant.
8: Have an incident response plan
Requirement 12.9 of the PCI standards requires organizations to have a formalized plan for dealing with security breaches. The plan must be something that can be put into effect immediately if a security breach is detected, and it should allow for a forensic analysis of the breach.
9: Look for loopholes
If an organization is unable to comply with a specific PCI mandate due to a legitimate technical or business-related limitation, it may be granted an exemption so long as it has taken measures to mitigate the risks that the requirement was designed to prevent. In most cases, however, the workaround must be reviewed by a qualified security assessor (QSA) to be accepted.
10: Don't panic if you're a small business
Adhering to all the PCI requirements can be a major challenge, especially for smaller businesses. Although PCI generally requires merchants to submit an onsite data security assessment report, obtaining the report might be cost prohibitive for smaller organizations. Likewise, such a security assessment is likely overkill for merchants who rely solely on a point-of-sale or imprint device.
Because of this, PCI outlines a number of situations in which merchants can avoid the requirement for an onsite data security assessment and instead submit a self-assessment questionnaire. PCI has created a number of questionnaires that are designed for various scenarios. To find out more about the self-assessment questionnaires, check out these instructions and guidelines. You can download the actual questionnaires from the PCI SSC documents library.