It doesn’t matter if your business is a restaurant chain, marketing consultancy, or event-planning group. It makes no difference if you’re a small-sized firm or a large organization. If your company has a merchant account and takes payments by credit card, then PCI compliance is a matter that deserves your attention.
Millions of businesses are required to be PCI compliant. Frequently, those very same companies rely on insufficient IT infrastructure.
Given the potential consequences of ignoring PCI compliance, it’s critical to understand what PCI compliance is—and what it means for your business.
In this blog, we’re going to help you do just that by addressing questions, such as…
- What is PCI compliance?
- What does PCI compliance involve?
- Is my business accountable?
Let’s get started.
What Is PCI Compliance?
The PCI Security Standards Council explains that it has several security standards that govern everything from PIN entry devices to the software people use to make online payments.
More than likely, that’s not the kind of compliance you had in mind.
You’re probably thinking about something called the Payment Card Industry Data Security Standard (PCI DSS).
According to the PCI Security Standards Council, this governs “merchants and other entities that store, process, and/or transmit cardholder data.”
At first glance, the PCI DSS may sound like a piece of legislation upheld by the US government. But this is not the case.
The PCI Security Standards Council’s website explains that “enforcement of compliance with the PCI DSS” actually belongs to…
- American Express.
- JCB International.
Let me translate this for you.
If you violate the PCI DSS, you might be accountable to MasterCard or Visa for your noncompliance.
In other words, a PCI DSS violation is a big deal.
Which leads us to our next consideration…
What Businesses Are Accountable to the PCI DSS?
As you can already see, it’s not enough to answer the question, “What is PCI compliance?”
Given the implications of breaking the PCI DSS, it’s important to know if your business is accountable.
Here’s a simple rule of thumb:
You need to be concerned about PCI compliance if your business does any type of credit card processing—at all.
The PCI DSS doesn’t play favorites with industries. This regulation can affect…
- Restaurant locations.
- Entertainment companies.
- Grocery stores.
- CPA firms.
- Attorney practices.
- Other service-based organizations.
Unless you’re a business that only accepts cash and checks—it’s in your best interest to take PCI compliance seriously.
What Does PCI DSS Compliance Require?
To understand what PCI compliance involves let’s take a brief look at the 12 requirements the PCI Security Standards Council lays out in its PCI DSS Quick Reference Guide. It’s an excellent introduction to PCI compliance if you’re new to the subject, and I highly recommend that you check it out. (You can download it here.)
Below I’m sharing direct quotes and some important points from the Guide…
- “Install and maintain a firewall configuration to protect cardholder data.” While this instruction might sound simple, the Guide actually lists five key activities that are required, which include “[reviewing] configuration rule sets at least every six months,” locking down your network from the public, and more.
- “Do not use vendor-supplied defaults for system passwords and other security parameters.” This is pretty straightforward, so let’s move on to the next point…
- “Protect stored cardholder data.” If you look at the Guide, you’ll find the PCI Security Standards Council comes as close as it can to banning storage altogether. The Guide does say companies can store “data…necessary to meet the needs of the business.” But, for some data (such as customers’ PINs), the Guide doesn’t allow for any exceptions.
- “Encrypt transmission of cardholder data across open, public networks.” Encryption of data in transit is a common demand across compliance requirements, and the PCI DSS is no different.
- “Protect all systems against malware and regularly update anti-virus software or programs.” Given this instruction, simply installing your antivirus software and ignoring it thereafter isn’t going to cut it. The Guide also explains you should ensure “anti-virus mechanisms are actively running” and are safe from tampering. Your antivirus protection is a key point which we’ll circle back to later.
- “Develop and maintain secure systems and applications.” There’s much more information in this section of the Guide than we’ll cover. However, one thing to note is that the Guide actually gives a deadline for how quickly your company should address certain software patches. This is key if your business regularly neglects software updates.
- “Restrict access to cardholder data by business need to know.” An important takeaway from this section of the Guide is this: Just because someone works at your company, it doesn’t mean he or she can view the entirety of your customers’ credit card information.
- “Identify and authenticate access to system components.” This portion of the Guide reveals why simply employing usernames and passwords doesn’t equal security.
- “Restrict physical access to cardholder data.” At Proactive IT, we believe that if you’re storing data locally…you face a much bigger business risk. Many businesses don’t engage in this practice, but you definitely need to check out the PCI Security Standards Council’s rules if you do.
- “Track and monitor all access to network resources and cardholder data.” This might sound like complicated language. But here’s a quick summary of this section of the Guide: Your company needs the ability to go back in history and determine who did what.
- “Regularly test security systems and processes.” The Guide stipulates “network vulnerability scans at least quarterly” among other measures. At Proactive IT, we work with clients who are deliberately scammed to make sure their network is compliant with the PCI DSS.
12. “Maintain a policy that addresses information security for all personnel.” Hold on before you think that this is an easy requirement to meet. In the Guide, you’ll see this actually involves eleven sub-requirements that cover everything from “annual risk assessments” to determining the trustworthiness of job applicants.
Keep in mind that this list is by no means exhaustive. There’s a lot more to the PCI DSS than what’s mentioned above.
But this should provide a good glimpse into the far-reaching implications of this regulation.
Is My Business At Risk for PCI Noncompliance?
Without investigating your IT infrastructure, I can’t say for sure.
However, if your IT infrastructure is not closely managed by a partner who “sweats the details,” there’s a very good chance your business is not compliant with the PCI DSS.
Here are a few common IT mishaps we find companies make…which can also impact PCI DSS compliance:
- Unsecured firewalls. As you read above, firewalls are an important part of PCI compliance. But here’s the reality: having a firewall is only half the battle. At Proactive IT, we frequently meet companies that have a firewall that is obsolete. Or the security subscription is expired or out of date. And each is a big no-no for PCI DSS compliance.
- Defaults. Yes, there’s a reason the PCI Security Standards Council says you shouldn’t use vendor defaults. We often find default usernames and passwords in place on critical hardware. And believe me, it only takes a quick Google search to discover the default credentials.
- Stored information. Despite the risks that come with this practice, we have found businesses storing information that they should not.
- Defunct antivirus software. We see companies who have unmanaged antivirus software—that isn’t monitored for functionality and updates. We even find antivirus protection that’s been disabled by a virus. Neglect is a big issue.
How Can I Improve My PCI Compliance?
Staying PCI compliant is a complex, multifaceted task. It involves everything from the passwords you use to the people you hire.
And even when you know PCI compliance is necessary, you might experience a gap between the PCI DSS’s demands…and having the resources to implement PCI-compliant best practices.
When it comes to PCI DSS requirements that involve technology solutions, we’re here to support your business. (In fact, we can even help you meet the Guide’s stipulation of “[maintaining] a policy that addresses information security.”)
If you need help staying PCI DSS compliant, we’d encourage you to give us a call at 704-464-3075 or contact us.
You can also learn more about our IT compliance services here.