You’ve opened your doors for business and things are trekking along nicely. Its taken months or even years of hard work to get to this point. Yet, there’s a looming cloud overhead that carries an intimidating amount of power and mystery that threatens the work you’ve poured your heart into and that cloud is PCI compliance.
PCI Data Security Standards (DSS) were created as an accountability measure for businesses that store, process, or transmit cardholder data in order to eliminate fraud and protect consumers’ information. Every business that handles cardholder information is required to abide by this set of rules, regardless of your field. Business owners have to pass the test but are hardly given an adequate education or equipped to understand the system. It would take you hours on end just to read all of the requirements for handling card data, let alone taking the time to evaluate them against your business practices to ensure you’re following them correctly. That’s why we put together a quick start manual on PCI compliance so you can better understand the topic without getting lost in the details. Here are a few simple steps to get you started on the road to full PCI compliance for your business.
Understand What Requirements Apply to Your Business.
There are dozens of guidelines that may or may not apply to your specific industry. In fact, the PCI council has published over 1,800 pages of information related to the guidelines that could apply to your business and it would take you days to read through it all. We suggest doing some basic research to find out which regulations apply in order to avoid overcomplicating the process. Here are the three areas that PCI compliance regulates to get you started:
- Safely managing customer credit card data to ensure that sensitive card details are securely collected and transmitted.
- Securely storing data via encryption, ongoing monitoring, and testing the data access points to maximize optimal security.
- Annually validating that the required PCI security measurements are in place, including forms, questionnaires, external vulnerability scanning services, and 3rd party audits.
Do You Directly Handle Sensitive Information?
An important question to ask is whether or not your business directly handles sensitive credit card data. Your answer determines the level of requirements you need to meet. If you do handle data directly, you’ll need to go to great lengths to set up the appropriate security controls to avoid data breaches. However, if your business does not need to manage sensitive data, meaning the data never crosses through your servers, you don’t have to go through the same intense process.
Determine the Scope of Your Cardholder Data Environment
PCI DSS has strict regulations when it comes to organizations that manage sensitive data, and the starting point for following their rules is to understand the scope of your cardholder data environment (CDE). This encompasses people, processes and technology that store, process, or transmit credit card information. Organizing all of these areas to define and contain where data is being handled will help eliminate areas that don’t need to be evaluated by PCI standards. An unorganized data environment means everything is up for debate and could be required to undergo the long PCI validation process.
Know Where Your Data Is Going
Not only do you need to know where data is being housed within your organization, but you need to know where it comes from and goes at all times. Tons of data flows in and out of your business on a daily basis, but do you know where to find it when you need it? Data mapping will help you retain tighter controls over the information entrusted into your care and prevent confusion or misplacement in the long haul. This might sound like an overwhelming task, but it is so important to know what information is within your sphere of influence and when it moves on to the next person or entity. Should PCI DSS require any information that passes through your gates, you need to know exactly where to find it. Avoid digging through layers of data to and set aside time to get organized ahead of time.
Did you know you must complete a PCI validation form every year? Just like your doctor’s appointment, treat PCI compliance like an annual check-up rather than a one and done occurrence. You should be prepared at all times to show that you’re operating within PCI’s security standards, regardless of the last time you checked it off your list. PCI DSS version 3.2.1 includes 12 main areas of requirements that outline security best practices.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open or public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
If you’re a new kid on the block, you can complete one of the nine different forms or Self-Assessment Questionnaires (SAQs) created by the PCI council to you get started. In the event that you find it difficult to narrow down which questionnaire is applicable, it might be worth the investment to hire a PCI council-approved auditor to aid you in the process. On top of the already complicated system, the PCI council revises their rules every three years and publishes incremental updates often, adding to the industry’s complexity.
Do Routine Security Checks
Just because you have security measures in place doesn’t mean you shouldn’t do a sweep through every once in a while, to ensure your processes are airtight. Data breaches can happen right under your nose if you aren’t prepared. Just as security guards walk the premises of their domain on a regular basis to check all vulnerable areas, you should have your hand on the pulse of your organization’s security to make sure you always know what’s going on. Schedule routine check-ups so nothing sneaks up on you unaware.
Stay On Top by Monitoring
Remaining PCI compliant is an ongoing ordeal, similar to maintaining personal health and wellness. As your business grows, your level of compliance requirements will change, and you should stay on our A-game with the latest security practices in place. Some companies go as far as creating an entire team of people dedicated to ensuring PCI compliance is upheld within all departments. If you go that route, make sure you have adequate representation from security, technology and payments, finance, and legal. All of these areas provide strategy and insight for creating a solid compliance structure across the entirety of your organization.
How To Become PCI DSS v3.2.1 Compliant
We’ve already emphasized the importance of understanding what requirements apply to your specific business, but you should also know there are 4 levels of PCI compliance, usually determined by the transaction volume your business handles during a 12-month period. Find out which category you fall into by downloading the simple PDF we created outlining each level in detail.
Your payments provider is the best resource for you in terms of all PCI related issues or questions. At Rev19, we partner with business owners to help them not only understand what’s required of them but to feel confident that they are on top of their checklist at all times. There’s a lot more on the topic than what we dove into here, so if you need a greater debrief on the subject, we’d love to chat. To continue the conversation about PCI compliance with us, please fill out the quick form below and one of our team members will be in touch!