How Does it Feel to be a PCI Bodyguard?
What does PCI Mean?
In security terms, it means that your business adheres to the Payment Card Industry (PCI) Data Security Standard (DSS) requirements for security management, policies, procedures, network architecture, software design and confidentiality.
In operational terms, it means that you are protecting your customers’ payment card data during every transaction and that you are protecting yourself as the merchant. As a merchant, you are trusted by consumers to keep their sensitive data safe. Not fulfilling your duty could result in a significant loss in sales and relationships. In addition, you could incur fees or lose your ability to accept payment cards.
Restricting Access is Critical
Restrict access to cardholder data environments using access controls such as role-based access control (RBAC).
Limit availability to only those individuals whose job requires such access.
Formalize an access control policy that includes a list of who gets access to specific cardholder data.
Deny all access to anyone who is not specifically allowed to access cardholder data.
Implement Strong Access Control Measures
Access control allows merchants to permit or deny the use of physical or technical means to access PAN (Primary Account Number) and other cardholder data. Access must be granted on a business need-to-know basis.
Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware.
Logical access control permits or denies use of PIN entry devices, a wireless network, PCs, and other devices. It also controls access to digital files containing cardholder data.
What Should You Secure?
In a word, everything. As a merchant, you are responsible for the protection of cardholder data from the point of sale/contact throughout the payment system you use.
Best practices for maintaining data safety are as follows:
- Do not store any credit/debit cardholder data
- Comply with PCI standards by protecting card readers (including PCs, laptops, mobile devices) from unauthorized use or removal
- Never post your username or password where others could find the information
- Choose a unique password with a combination of special characters, numbers, and letters
- Protect merchant networks and wireless access routers
- Use appropriate firewalls for all computers and networks
- Use a secure username/password for access to the network(s)
- Destroy paper records containing card data
- Paper data should be destroyed immediately if it contains the cardholder’s name/number, card expiration date, or dollar amount
- Receipts that show truncated data (first/last four of cardholder number) should be stored in a secure environment and destroyed after an appropriate length of time (typically one to three years)
What are Data Thieves After?
They want cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Sensitive cardholder data can be stolen from many places, including the following:
- Compromised card readers
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden camera recording entry of data
- Secret tap into a wireless or wired network
[Figure: the card data elements that count as sensitive cardholder data]
Anything on the back side of the card and the CID must never be stored. Everything else may be stored only for a legitimate business reason, and that stored data must be protected. PCI DSS explains this in further detail.
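The storage rules above (never keep CID/CVV, track or PIN data; keep the PAN only truncated to the first/last four as on receipts) can be enforced with a small check before anything is written to disk or a log. This is an added example, not code from the original article; the record field names and the sample log line are constructed for illustration, and the card number is a well-known test value.

```python
import re

# Assumed field names for a hypothetical merchant payment record (not a real schema).
# Per the article: anything from the back of the card (track data, CVV/CID) and PINs
# must never be stored; the PAN may be kept only in truncated form.
PROHIBITED_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to separate real PANs from other long numbers in text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 4, keep_last: int = 4) -> str:
    """Truncate a PAN as the article describes for receipts: first and last four visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to truncate safely")
    return digits[:keep_first] + "*" * (len(digits) - keep_first - keep_last) + digits[-keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Scan text (a log, export or receipt template) for full PANs that should not be there."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def storage_violations(record: dict) -> list:
    """List the reasons a record must not be written to a database or file."""
    problems = [f"prohibited field stored: {k}" for k in record if k.lower() in PROHIBITED_FIELDS]
    if find_unmasked_pans(str(record.get("pan", ""))):
        problems.append("unmasked PAN stored")
    return problems


# Constructed sample log line; the card number is a well-known test value, the ref is not a PAN.
SAMPLE_LOG = "2024-01-05 12:00:01 POS-3 auth card=4111111111111111 ref=1234567890123456 approved"
```

Running `find_unmasked_pans(SAMPLE_LOG)` flags only the real card number, since the reference number fails the Luhn check.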
Quick Tips to Remember
- Don’t store any sensitive cardholder data in computers or on paper
- Use a firewall on your network and PCs
- Protect wireless router(s) with passwords and encryption
- Keep all usernames/passwords strictly confidential
- Regularly check PCs to make sure rogue software or ‘skimming’ devices have not been installed
- Teach your employees about data security