PCI compliance refers to the 12 security standards that businesses must follow in order to process card transactions securely, without exposing cardholder data. It is an important part of any business that takes payments, whether a small retailer or a large enterprise corporation.
Do You Need to be PCI Compliant?
The short answer is yes. If you legally operate a business in the United States and store any form of personal data, such as names, emails or credit card numbers, you must be PCI compliant. Fortunately, if you already operate with a merchant services partner, you should have gone through a PCI compliance test with their help to become compliant.
If you aren’t partnered with a merchant services provider or you haven’t undergone a PCI compliance test, reach out to PayHawk today to learn how we can help process your payments while remaining PCI compliant.
12 Security Standards to PCI Compliance
There are 12 individual security standards that make up PCI compliance and those are:
- A securely configured firewall
- No default passwords
- Protection of cardholder data
- Encryption of transactions through open networks
- Systems are protected from viruses or malware
- Applications are all secured with encryption
- Cardholder data is restricted to specific user levels
- Access to system access logs
- Physical access is restricted to cardholder data
- Tracked & monitored access to all network resources
- Ability to regularly test security systems
- Maintaining a policy that addresses all information security for all employees
Let’s go into each of the security standards that make up PCI compliance.
A securely configured firewall
The first standard in PCI compliance is to have a securely configured firewall that restricts access to cardholder data and general information. A firewall acts as an access manager; it is often a physical device at the location of your network or server. It adjusts the level of access to specific data according to its configured rule types, and it is usually deployed together with additional security and encryption technology. In terms of network layout, the firewall sits just in front of the receiving server and passes traffic on, with restricted access, to its next stop, which is often the server or a secure database.
No default passwords
Default passwords can be a dangerous thing to have on your network. The second security standard is that no device on your public or open network may keep a vendor-provided default password. For example, a router may ship with the username admin and the password admin. These passwords must be changed, and a device's password cannot be the same as that of any other device on the network.
Protection of cardholder data
The third component of PCI compliance is protection of cardholder data. This is closely related to using a firewall, but it does not end there. Businesses that keep physical records or handwritten/typed information about the customer, such as credit card numbers or addresses, must lock them away securely and hold them to your state's standards. The cardholder data protection requirements in PCI compliance also call for limited storage times, purge dates, and complete encryption if the information is digital.
Encryption of transactions through open networks
Encryption of transactions through open networks means that any transaction, whether it happens online or locally, must be encrypted from start to finish. SSL (Secure Sockets Layer) is typically the most commonly used encryption method for transactions. This component functions as an end-to-end funnel: from the moment a transaction is started you are connected to a unique security layer all the way to the end.
Systems are protected from viruses or malware
The fifth component of PCI compliance is that all of your devices on the network are protected against malware or viruses. It is very helpful to have anti-virus software installed on each machine, as well as a form of virus protection on your server and firewall.
Applications are all secured with encryption
The next requirement of PCI compliance is ensuring that all applications are secured with encryption. This means that any application you use on your network must use a form of secure encryption; as mentioned before, SSL is a very popular choice for application encryption and security.
Cardholder data is restricted to specific user levels
The seventh component of PCI compliance is that all cardholder data is restricted to specific user levels. This means that any data pertaining to the cardholder is restricted to specific roles on your network, such as financial admins or merchant service partners.
Access to system access logs
Another important part of PCI compliance is having access to all system access logs on your network. System access logs are logs that show when data was accessed and which user or device accessed it.
Physical access is restricted to cardholder data
The ninth part of PCI compliance is that all physical access to cardholder data is restricted. This means that cardholder data cannot be accessed locally from a server, from a file storage box, or from a Word file. If an employee goes to your server, they should not be able to access cardholder data simply because they are in front of it. Cardholder data should be accessible only behind user access roles, rather than through public logins to systems that may contain the cardholder data.
Tracked & monitored access to all network resources
One of the most critical parts of PCI compliance is tracking and monitoring every resource accessed across your public or open network. This matters for more than internal security: if an outside entity penetrates your firewall and gains unauthorized access to your systems, you should immediately be able to consult the logged resource accesses, troubleshoot the cause, and put preventive measures in place.
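The three requirements above (cardholder data restricted to specific roles, access logs showing who accessed what, and monitoring of resource access) fit together naturally as one detection check. The following is an added example, not code from the original article or from PayHawk: it runs over a constructed access log and flags any access to a cardholder-data resource by a role outside the permitted list, or from a device that is not in the inventory. The log format, role names, resource paths and device names are all assumptions.

```python
"""Flag cardholder-data access outside the permitted roles or known devices.

Added example; the log format, role names, resource paths and sample lines
are constructed assumptions, not PayHawk's or any PCI standard's format.
"""
import re
from datetime import datetime

# Roles the article says cardholder data should be restricted to (assumed names).
ALLOWED_ROLES = {"financial_admin", "merchant_partner"}
# Resources that hold cardholder data (assumed naming convention).
CARDHOLDER_RESOURCES = {"/db/cardholders", "/files/card_records"}

# One key=value line per access; timestamp first (assumed format).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"device=(?P<device>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)

# Constructed sample access log (not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:04Z user=alice role=financial_admin device=ws-01 action=read resource=/db/cardholders
2024-03-01T09:15:22Z user=bob role=support device=ws-07 action=read resource=/db/cardholders
2024-03-01T09:20:10Z user=carol role=merchant_partner device=ws-03 action=read resource=/files/card_records
2024-03-01T09:31:45Z user=dave role=support device=ws-09 action=read resource=/wiki/faq
2024-03-01T10:02:13Z user=erin role=financial_admin device=unknown action=export resource=/db/cardholders
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text, known_devices):
    """Return findings as (timestamp, user, reason) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append((None, None, f"unparseable line: {line!r}"))
            continue
        if rec["resource"] not in CARDHOLDER_RESOURCES:
            continue  # not cardholder data; no role restriction to enforce
        if rec["role"] not in ALLOWED_ROLES:
            findings.append((rec["ts"], rec["user"], f"role {rec['role']} accessed {rec['resource']}"))
        if rec["device"] not in known_devices:
            findings.append((rec["ts"], rec["user"], f"unregistered device {rec['device']}"))
    return findings
```

Running `audit(SAMPLE_LOG, {"ws-01", "ws-03", "ws-07"})` reports bob (support role) and erin (unregistered device); the support user reading the FAQ is ignored because that resource holds no cardholder data.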
Ability to regularly test security systems
The eleventh requirement of PCI compliance is having the internal resources to regularly test the security systems. This means that you should have a dedicated resource that routinely tests your security systems, such as your firewall, PCI, DNS and even user access standards.
Maintaining a policy that addresses all information security for all employees
The last component of PCI compliance is maintaining a policy that addresses all information security for all employees. This is your written policy on general information security for all employees; it will often explain how to create passwords, what access they have, how to stay safe online, how to connect securely, and much more.