Whether you are a large or small business, if you are a merchant who accepts credit card payments or a service provider to merchants, your organization is responsible for protecting payment cardholder data.
With security breaches and cybercrime now commonplace, adhering to the PCI Data Security Standard (DSS) is critical to keeping your customers’ personally identifiable information (PII) safe and secure.
Payment card data can be compromised through various methods, including malware that exploits vulnerabilities in your enterprise systems, websites or point-of-sale terminals, or the use of illegal skimming devices. Becoming PCI DSS compliant significantly reduces the risk of a cardholder data breach at your organization.
Organizations know that this is an ongoing process and not just a once-a-year event. RSI Security can help you get through this process so that you have the peace of mind that your data is secure and, more importantly, that your customers' data is secure.
By identifying the security vulnerabilities and creating an effective card data security environment you can significantly reduce the risks of a payment cardholder data breach at your organization.
PCI compliance helps you demonstrate an ongoing commitment to enhancing the shopping experience for your customers, and a genuine desire to protect their data by preventing payment card data security breaches.
PCI compliance helps protect against loss of customers, brand erosion, litigation and large monetary losses.
The PCI Security Standards Council (PCI SSC), made up of the payment card brands MasterCard Worldwide, Visa Inc., American Express, Discover Financial Services and JCB International, has defined the following goals and requirements that a merchant or service provider organization must meet in order to be PCI compliant.
Each of the following goals is critical to protecting the cardholder data at your organization. Each goal involves securing the payment card data, payment card processing applications and host systems within your environment by developing and implementing administrative policies, standards, procedures and awareness to physically and electronically protect the card data environment. Achieving these goals improves the card data security posture and significantly reduces the risk of exploitation by internal and external threat actors.
Network perimeter and systems security is critical to protecting cardholder data.
In the past, theft of financial records required a criminal to physically enter an organization’s business site. Now, many payment card transactions (such as debit in the U.S. and “chip and pin” in Europe) use PIN entry devices and computers connected by networks. By using network security controls, entities can prevent criminals from virtually accessing payment system networks and stealing cardholder data.
A secure network provides the required layer in an organization’s defence-in-depth model for information security at the perimeter and systems layer of a card data environment. A secure network deters intruders and keeps unauthorized users away from your card data environment.
Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.
PCI Standards help you achieve this goal by rendering card data unreadable by unauthorized users.
Security vulnerabilities in systems and applications may allow criminals to access the primary account number (PAN) and other cardholder data. Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure. This includes weaknesses in security procedures, system design, implementation, or internal controls that could be exploited to violate the system security policy.
Many vulnerabilities and malicious viruses enter the network via users’ e-mail and other online activities. Anti-virus software must be used on all systems commonly affected by malware to protect them from current and evolving malicious software threats.
All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches based on a risk-based vulnerability management program. Secure coding practices for developing applications, change control procedures and other secure software development practices should always be followed.
Access control allows merchants to permit or deny the use of physical or technical means to access the PAN and other cardholder data. Access must be granted on a business need-to-know basis.
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.
Physical and wireless networks are the glue connecting all endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems present opportunities for criminals to gain unauthorized access to payment card applications and cardholder data. To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities.
Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.
Vulnerabilities are continually discovered by malicious individuals and researchers, and new ones are introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important after any environmental change, such as deploying new software or changing system configurations.
A strong security policy sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.