The 12 steps to PCI Compliance
In June’s LinksConnect we introduced the importance of PCI Compliance for all Facility Managers.
Being PCI compliant ‘is a means of building customers’ trust and protecting your business against damaging leaks of confidential customer information’ (CIO.com.au article). If your business collects credit card details, then you need to be PCI compliant.
Although the process of becoming PCI compliant is a complex and lengthy one, it is a necessary one. Uploading payment files to the bank on a USB stick is no longer compliant, as the financial details are NOT encrypted. If that file were ever to get into the wrong hands, your organisation would face serious consequences.
PCI Consulting Australia have summed the situation up well: ‘Without it (compliance), you may not have the protection you need to prevent your customers’ data being accessed without authorisation. A single breach could do massive damage to your business reputation as well as loss of sales and loss in profits.’
The Payment Card Industry Data Security Standard (PCI DSS) is the global standard mandated by the leading card schemes, including MasterCard and Visa. While it is not yet a legislative requirement in Australia, with the rest of the world moving this way it’s only a matter of time.
The aim of the DSS is to protect the integrity of sensitive cardholder data, including 15- or 16-digit credit card (C/C) numbers, 3- or 4-digit security codes and other related card data. ALL businesses that accept credit and debit card payments should comply with the industry Standard.
So what are the 12 steps to achieve compliance?
The TechTarget Network has used these 12 steps as the basic requirements for achieving the Standard.
- Install and maintain a firewall configuration to protect data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt the transmission of cardholder data and sensitive information across public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
For those organisations with IT departments, this is obviously a project to be led by the CIO. For those organisations with outsourced IT, or only junior IT personnel, I suggest that you look for a project manager who is able to navigate your organisation through the 12 steps listed.
Regardless, ALL organisations should be talking to their bank to discuss their organisation’s particular requirements to become PCI compliant.
For those who are going to go through the project internally, there is helpful information here from the PCI Security Standards Council, which includes Self-Assessment Questionnaires.
Or, if you’re ready to begin the process, here is the place we recommend you Get Started.
Even if you’re not ready to begin this journey this month, plans need to be drawn up to start soon. As we wrote in the last article, this is NOT a task that can just be forgotten about.
We look forward to hearing your stories once you’ve achieved PCI Compliance.
Get the project planned today!
References:
http://www.cio.com.au/article/400300/what_pci_compliance_/
http://pciconsultingaustralia.com.au/about-the-pci-dss/
https://www.pcisecuritystandards.org/security_standards/index.php
Compiled by Peter Kamper for Links Marketing