Skip to main content
Blog

12 Point Checklist for PCI Compliance

By November 8, 2018No Comments6 min read
PCI-DSS-compliance-credit-card

Payment card industry suffers massive loss each year due to credit card frauds. For decades, credit card companies are innovating their technology to counter frauds. Payment Card Industry Data Security Standard (PCI DSS) is a set of rules formed by major credit card companies. These rules protect a user’s credit card information from being misused. PCI DSS regulation mandates best security practices in these organizations.

If your business accepts credit card payments and either store, transmits or processes credit card information, then it is required to comply with PCI DSS. PCI DSS regulation prevents the company, the issuing bank, and other consumers from accessing and misusing your credit card information.

Who administers PCI DSS?

PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC). The compliance is verified annually. For companies that deal with a large number of transactions, an external Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) creates a report on compliance. And for companies that deal with a small number of transactions, a self-assessment questionnaire is sufficient to satisfy the regulations.

How to add a PCI compliance in your company?

PSI SSC mandates 12 requirements that outline security best practices in a company. To give you a clearer picture of each requirement, we have created a 12-point checklist. By applying them in your security practices, you can ensure your PCI DSS certificate.

  1. Use of firewall to protect cardholder data:

A firewall acts as a security gate for incoming and outgoing network traffic. It is implemented as a hardware, software or both. Generally, routers have firewall inbuilt in them. You must have a firewall that is properly installed and configured. It will scan all the network traffic and block any suspicious network connection from accessing the system.

  1. Vendor-supplied system passwords should be changed:

Often, you can scale up your network to meet the growing demand from users. You can request additional or upgraded equipment from your vendor. But, a vendor supplied hardware or software, will contain default passwords and other security parameters. If not changed, these security parameters can easily turn into vulnerabilities. An individual with a vendor-supplied password from public information can access and control your system. This becomes an open invitation for credit card theft. Thus, changing passwords is always desirable for enhanced security.

  1. Stored cardholder data is protected:

Make sure that the credit card information stored in your system is suitably protected. By this, we mean to say that the stored data should be encrypted, hashed and truncated. This will prevent exposure and access to card data by anyone inside the company.

  1. Cardholder data is encrypted when transmitted over public networks:

A transaction data will travel through several networks between the server and the end system. There should be a proper encryption mechanism to protect any malicious third-party data access. This includes using trusted keys and certificates to reduce security risks.

  1. Anti-virus software is regularly updated:

Your antivirus software should be up to date. Attackers devise new techniques to breach into the server. To prevent virus and malware from entering the system, you must update your antivirus regularly. Antivirus will reduce the risk of exploitation via malware.

  1. Usage of secured systems and applications :

Any application that you use on the server should be secured and monitored 24/7. Any data flaw or bug in the application can become a major vulnerability. Vulnerabilities in systems can be used to execute malicious code by attackers to gain privileged access.

  1. Access to cardholder data is restricted:

The security software and process of your organization must restrict the access to card information only to authorized personnel. Not every employee should be given login passwords to access cardholder data. Only the higher level, administrative authorities should have this access privilege.

  1. IDs are used for proper authentication:

Every employee in the company should have a unique identification number. This number should be in use to record all access to crucial data components.

  1. A demilitarized zone (DMZ) is created:

A DMZ is created to prevent physical access to sophisticated components.  Any piece of hardware that stores the cardholder data should not be accessible by an unauthorized person.

  1. Network resources are monitored continuously:

The system can fail at any instance of time. A surging demand of resources can crash the server. Therefore, you should monitor the entire network continuously. You should log each transaction and access to critical data to prevent any risk of data breach.

  1. Regular vulnerability assessment tests:

Any vulnerability can cause serious damage to the entire security infrastructure. You should perform security vulnerability assessments from time to time to test the integrity of your system. This will help you to prevent any security attack in advance.

  1. Established security policies:

Your organization should have security policies in practice that covers all the guidelines of PCI Compliance. This involves training the employees to adapt security practices to prevent critical assets of the company. Each employee should understand his responsibility to protect sensitive information.

If you are planning to deal with credit card data in your organization, then you must adhere to the above PCI guidelines. A compliance assistance service provider can minimize your efforts in this process. It will develop effective strategies to meet the standards and utilize it for your business profitability. You may end up into legal troubles unless you recognize the importance of PCI compliance.

Contact us today to learn about Bleuwire™  services and solutions in how we can help your business.