Payment Card Industry (PCI) compliance requires a lot of dedication from a business to ensure the security of its cardholder data is top-notch. Having your site scanned quarterly and answering the PCI self-assessment questionnaires are just the beginning of meeting the regulations known as the Payment Card Industry Data Security Standard (PCI DSS) set forth by the PCI Security Standards Council.
Simply put, failure to comply can cost your business time, money, and undue hassle. There are several reasons your company can fail, and in this post we’re sharing how to fix PCI compliance issues so you can keep running your business without worry.
PCI compliance requirements are about protecting your cardholder information. Anything that can impact the security of that cardholder information falls within the scope of PCI regulations. At a minimum, it’s wise to assume everything in the IT department falls within the PCI-DSS scope. As new PCI standards are released and/or updated, reassess what is and what isn’t within the scope of compliance, and make adjustments to maintain security where necessary.
Every payment channel matters, as does the process by which you take credit card data and what you do with it at every step of a transaction. If you neglect securing data during any element along the way, you risk that information being exposed, thereby violating the PCI-DSS rules. Not tracking what happens during the transaction and making assumptions about your business's processes can put your customers' data at risk. Documenting all environments where credit card data is collected and stored brings you a step closer to PCI compliance. A single unsecured process can make you non-compliant.
Asset inventory is either generated from an asset management system or by manually tracking them. Regardless of the method you use, organizations face a common challenge in tracking inventory. Accurately monitoring and accounting for all PCI information can prove difficult, but is critical for compliance.
Your organization's inventory should include your hardware and software components, a description of their functions, and IP addresses if necessary. It’s also smart to include documentation of all your network and data flow diagrams in case you ever face a PCI compliance audit.
Using the wrong self-assessment questionnaire (SAQ) can cause you to risk non-compliance. For example, one SAQ is geared towards “Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing,” and another is for “Merchants with Web-Based Virtual Payment Terminals – No Electronic Cardholder Data Storage.” This is why you must understand how specific systems and technologies are interpreted by the PCI Security Standards Council for your business. In other words, ensure you meet the eligibility criteria when architecting and securing the PCI environment for your company. If you’re looking for support with your PCI compliance, Rivial offers expert guidance and PCI assessments.
Is all the cardholder data your company is storing necessary? Furthermore, do you need to hold onto it after the transaction is completed? Are you tracking and monitoring all of the data you’re storing, and keeping it secure from unauthorized users? Finally, are you granting too much access to this data? Each of these questions can help you to better determine whether or not your company is compliant with PCI standards.
The PCI Security Standards Council allows organizations to determine what is considered a significant change in their company. Most companies fall short on documenting these changes, however. Major changes can include:
If your company does initiate a significant change, it must be documented. This makes it easier to determine if the change maintains or prevents your compliance.
Your PCI compliance record may be affected by changes in management or personnel such as financial institution mergers and acquisitions. If there is a change in your company structure, it’s important to ensure you update and upgrade security measures protecting cardholder data across all new assets. Any new payment channels or business processes implemented as a result of the new business structure must be documented. Measures should be put in place to continue securing cardholder data at every step of all business processes resulting from the new business structuring as well.
Furthermore, if personnel leave the company, their access to any data must be immediately revoked. The same holds true if your company is turning over vendors, shareholders, employees, security employees, or any other third party. Only authorized users should have access to the specific data they need at any given time.
If there are new systems in place, or new business processes added to your business for any reason, they must be added to your periodic vulnerability scans. Whether you are doing your scans quarterly, semi-annually, or annually, it’s critical to scan all assets in existence at the time of the scan. Otherwise, missing an area could put your company at risk. For example, if you bring on a new third-party payment processor and aren’t scanning them for vulnerabilities, you are risking non-compliance. Get a vulnerability assessment from Rivial for added confidence.
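The inventory requirements above (hardware and software components, their function, IP addresses) and the rule that every in-scope asset must be covered by the periodic scan can be checked mechanically. The following is an added example, not code from this post or from Rivial: it reconciles a hypothetical asset inventory against the target list of the last scan and reports in-scope assets the scan missed, assets added since the scan ran, and scan targets that appear in no inventory record. The inventory format, hostnames, IP addresses and dates are constructed sample data.

```python
"""Reconcile a PCI asset inventory against the most recent scan's target list.

Added example with a hypothetical inventory schema; all rows, IPs and dates
below are constructed sample data, not taken from any real environment.
"""
from datetime import date
from ipaddress import ip_network

# Constructed sample inventory: one row per component, its function,
# whether it touches cardholder data (PCI scope), and when it was added.
INVENTORY = [
    {"name": "web-01", "ip": "10.0.1.10", "function": "checkout web server",
     "in_scope": True, "added": date(2023, 1, 5)},
    {"name": "web-02", "ip": "10.0.1.11", "function": "checkout web server",
     "in_scope": True, "added": date(2023, 9, 20)},
    {"name": "db-01", "ip": "10.0.2.5", "function": "tokenized card DB",
     "in_scope": True, "added": date(2023, 1, 5)},
    {"name": "wiki-01", "ip": "10.0.5.40", "function": "internal wiki",
     "in_scope": False, "added": date(2022, 6, 1)},
    {"name": "psp-gw", "ip": "203.0.113.7",
     "function": "third-party payment gateway (new this quarter)",
     "in_scope": True, "added": date(2023, 9, 1)},
]

# Constructed sample scan record: the date it ran and the targets it covered.
LAST_SCAN = {
    "date": date(2023, 8, 15),
    "targets": ["10.0.1.10", "10.0.2.0/24", "10.0.7.99"],
}


def expand_targets(targets):
    """Return the set of individual IP strings a target list covers.

    Single hosts and CIDR ranges are both accepted; every address in a range
    counts as covered, since a range scan probes all of them.
    """
    covered = set()
    for target in targets:
        net = ip_network(target, strict=False)
        covered.update(str(addr) for addr in net)
    return covered


def single_host_targets(targets):
    """Targets written as one host (no range), used to spot undocumented hosts."""
    return {t for t in targets if ip_network(t, strict=False).num_addresses == 1}


def reconcile(inventory, scan):
    """Compare inventory with the scan and return the three gap lists.

    unscanned:   in-scope assets whose IP the scan did not cover
    added_since: in-scope assets recorded after the scan date (never scanned)
    unknown:     single-host scan targets that no inventory row documents
    """
    covered = expand_targets(scan["targets"])
    known_ips = {asset["ip"] for asset in inventory}

    unscanned = sorted(a["name"] for a in inventory
                       if a["in_scope"] and a["ip"] not in covered)
    added_since = sorted(a["name"] for a in inventory
                         if a["in_scope"] and a["added"] > scan["date"])
    unknown = sorted(t for t in single_host_targets(scan["targets"])
                     if t not in known_ips)
    return {"unscanned": unscanned, "added_since": added_since, "unknown": unknown}


if __name__ == "__main__":
    report = reconcile(INVENTORY, LAST_SCAN)
    for label, names in report.items():
        print(f"{label:12s}: {', '.join(names) if names else 'none'}")
```

Run as a script it lists the gaps from the sample data: the second web server and the new payment gateway were never scanned (both were also added after the scan date), and one explicitly listed scan target has no inventory record, which usually means either the inventory or the scan scope is stale. Because the post advises assuming everything in IT is in scope until proven otherwise, a stricter run would set `in_scope` to `True` on every row and review what the out-of-scope list then shows.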
After reading this post, if you’re struggling with these mistakes, we can help. Rivial Security can assist you in determining how to fix your PCI compliance issues. Contact us to schedule a strategy session or get a PCI assessment today.