PCI Compliance: What You Need to Know About Accepting Credit Cards
This article about PCI compliance should be read by any merchant who accepts credit cards. It is particularly relevant if your POS system stores credit card data. Some POS systems may retain credit card data without you being aware of it. Should the computer with the POS system be stolen, or hacked, your company could be liable if those stolen credit cards are used. Read on for more details and tips on keeping data secure.
All merchants, no matter how small, who accept credit cards or debit cards are required to comply with a security standard called the Payment Card Industry Data Security Standard (‘PCI DSS”, or just “PCI”). Failure to do so can result in significant fines, legal risks, or even loss of card-processing privileges. Here are some key things you should know about PCI:
1. Know your real goal (security, not compliance)At the end of the day, PCI compliance is all about helping merchants protect their customers, so you shouldn’t be looking to do the bare minimum to ‘pass’ PCI (just like you should aim to ‘just pass’ a doctor’s examination when all that really counts is the underlying reality: your health). Merchants who concentrate on their customers’ safety will have a better business, less risk, and will find that PCI compliance comes almost as a painless symptom of doing the right thing.
2. Know your obligationsPCI compliance covers a broad-range set of security requirements, many of which are highly technical (for example, it covers everything from how you configure and manage your computers and data, to how you train and manage your staff). You can learn a lot more about PCI compliance at http://www.panopticsecurity.com/faq.html, or look at the official Self-Assessment Questionnaires created by the PCI council (https://www.pcisecuritystandards.org/saq/index.shtml). These don’t cover everything you need to know, but do give you a quick sense of what you need to do, and what to worry about most.
3. Take ActionIt is critical that you don’t wait until something goes wrong and then try to react. Doing so never works with security issues, and often leads to expensive disasters. The only approach that works is to think about these problems in advance, and fix them before disaster strikes. Doing the PCI compliance self-assessment is not only required of you, it gives you a good sense of what things you need to improve.
4. SimplifyOne of the good things about security (and PCI compliance) is that you can often avoid problems, rather than confront and conquer them. This is not a ‘cheat’, but the best possible approach, as well as the cheapest and most efficient. The next few tips explain this in more detail.
5. Limit the scopePCI compliance is only concerned about those things (computers, people, paperwork, etc) that might deal with cardholder data such as credit card numbers. If you separate your world into an “affected by PCI” zone and a “not affected by PCI” zone, you can simplify your life dramatically by keeping the PCI zone small and simple. Every computer or piece of software you add to the PCI zone means more paperwork, more danger, and more expense. For example, if you have a computer that is used as a Point Of Sale, don’t use it for surfing the web as well: get a separate computer for surfing and ‘everything else’ and keep it completely separate from the PCI zone.
6. Don’t store cardholder data unless you absolutely have toThe biggest and messiest area of PCI has to do with any cardholder information that you store electronically. The best and cheapest answer is to simply NOT keep any such records: doing so makes your business is significantly safer, and makes PCI compliance a much simpler, easier process to worry about.
7. Don’t use unnecessary technologyEvery new piece of technology that you introduce into the ‘PCI zone’ makes your life more complicated and risky. For example, wireless computer networking might be convenient, but if you use it in a way that overlaps with PCI, you have to worry about a number of highly technical questions (about device configuration, encryption, key management, and so on). If you possibly can, keep ‘messy’ technologies like wireless completely separated from anything to do with cardholder data.
8. No silver bulletsThere are lots of companies out there promising that their product will make all your PCI compliance worries go away, and these companies are all twisting the truth. There are many products that can help you, but don’t get fooled into believing that there’s a “silver bullet” that will kill all your problems. PCI compliance is complicated and demanding, so don’t get fooled by snake-oil salesmen.
9. Keep at it!Security is like physical fitness: you have to keep working on it all the time, rather than just making a big effort once a year or so. The right approach is to make it a small, but steady, part of your everyday life.
About the author - Tim Cranny, PhD - CEO
Tim is a global leader in the information security space, having played key strategic and technical roles in a variety of high-tech startups. He has worked extensively and directly on cutting-edge technology (ranging from cryptographic networks to SaaS solutions built around artificial intelligence engines), but has long experience in embedding technology in its strategic and business context, and positioning his companies to exploit emerging trends in business and technology. Tim has worked extensively as a communicator and evangelist of security issues, having spoken at dozens of international conferences and written dozens of whitepapers and journal articles.
Education: Bachelor's Degree with First Class Honors (mathematics and physics), a University Medal, and a PhD in pure mathematics (obtained at age 24). CISSP
Panoptic Security is a technology security company that specializes in PCI compliance programs for small and mid-size merchants, ISOs, Acquiring Banks and credit card processors. Our executive team includes some of the security industry's leading technologists and PCI compliance experts.
Other resources:
{jcomments on}