All merchants need to be aware of and abide by best practices when storing cardholder data and sensitive authentication data alike. Consequences of failing to follow best practices can include civil lawsuits, financial loss, and an overall failure to uphold an important ethical responsibility. Various standards have been outlined by the Payment Card Industry Security Council, which is made up of the major credit card companies such as Visa and MasterCard.
Outlined below is a brief summary of the 12 requirements outlined by the PCI DSS Specification.
1st and 2nd PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
These requirements were put in place to make sure that initial preventative measures are in place so that cardholder data does not inadvertently fall into the hands of an unlawful third party. Some precautions include maintaining firewall protection on any computer that accesses or stores cardholder information.
3rd and 4th PCI DSS Requirements
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
All cardholder data must be encrypted when transmitted across public networks. Steps should be taken to ensure that sensitive information on private networks is protected as well. One very important aspect of storing and processing cardholder data is being aware of what data can be stored and what cannot.
With proper security measures in place it can be acceptable to store certain cardholder data such as the primary account number, expiration date, and cardholder name, but the cost of bringing your systems into compliance rises sharply with each additional piece of data that you store. Therefore a primary initial focus of achieving PCI compliance should always be to determine the fewest pieces of data that your business must store in order to conduct its daily operations.
We should mention here that it is never acceptable to store certain sensitive authentication data, including full magnetic stripe data, CVV codes, and PINs. In the event that a database with cardholder information is breached, the absence of stripe data, CVV codes, and PINs limits the damage that can be caused by fraudulent use of the stolen cardholder data.
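As an added illustration of the storage rule above (not part of the original article): a Python filter that reduces an authorization record to the minimum set of fields the article says may be kept, drops sensitive authentication data outright, and refuses any record in which magnetic stripe track data has leaked into another field. The sample record, the field names and the last-four-digits retention policy are constructed assumptions, not part of the PCI DSS text.

```python
import re

# Fields the article says may be stored with proper protection (PAN handled separately).
ALLOWED_FIELDS = {"expiry", "cardholder_name", "amount", "merchant_ref"}
# Sensitive authentication data that must never be persisted, even encrypted.
FORBIDDEN_SAD = {"track1", "track2", "cvv", "pin", "pin_block"}

# Magnetic stripe layouts (ISO 7813): track 1 "%B<PAN>^<NAME>^..." and
# track 2 ";<PAN>=<YYMM>...". Used to catch track data hiding in free-text fields.
TRACK_RE = re.compile(r"(%B\d{13,19}\^[^^]*\^|;\d{13,19}=\d{4})")

# Constructed sample authorization message using a well-known test PAN; not real card data.
SAMPLE_AUTH_MESSAGE = {
    "pan": "4111111111111111",
    "expiry": "1229",
    "cardholder_name": "J DOE",
    "cvv": "123",
    "track2": ";4111111111111111=12291011000012345678?",
    "amount": "19.99",
    "merchant_ref": "ORDER-1001",
}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: reject values that cannot be real account numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def prepare_for_storage(record: dict) -> tuple[dict, list]:
    """Return (record safe to write, list of SAD fields that were dropped).
    Raises ValueError if track data appears outside a known SAD field."""
    stored, dropped = {}, []
    for key, value in record.items():
        if key in FORBIDDEN_SAD:
            dropped.append(key)       # discarded before it can reach the database
            continue
        if isinstance(value, str) and TRACK_RE.search(value):
            raise ValueError(f"track data found in field {key!r}")
        if key in ALLOWED_FIELDS:
            stored[key] = value
    pan = record.get("pan", "")
    if not luhn_ok(pan):
        raise ValueError("pan failed Luhn check")
    # Assumed policy: keep only the last four digits; a full PAN, if the business
    # truly needs it, must go through the encryption layer (not shown here).
    stored["pan_last4"] = pan[-4:]
    return stored, dropped
```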
5th and 6th PCI DSS Requirements
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Attackers continually learn new ways to access information illicitly. As such, merchants must take the necessary precautions to protect cardholder data. Merchants need to use only securely developed and maintained computer interfaces and must regularly update all antivirus software.
Merchant systems will be submitted to scanning and penetration testing before they can be verified as PCI Compliant.
7th, 8th, and 9th PCI DSS Requirements
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Merchants must take measures to restrict access to cardholder information based upon who in the organization actually needs access to which data. Not every employee has the same need for access to data in your systems. Some reasonable and necessary precautions include assigning a unique ID and password to each person with access.
Other physical restrictions are "common sense precautions": for instance, never keep cardholder data in a notebook or in a simple spreadsheet file. These methods are wide open to anyone who can reach them and could leave your business financially hurting for many years to come.
10th and 11th PCI DSS Requirements
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
PCI compliance requires logging of all system activity. These logs must be centralized and regularly reviewed by an appropriate authority for the organization.
Regular security scans of existing systems are required, and a penetration test is required at least annually.
12th PCI DSS Requirement
12. Maintain a policy that addresses information security for all personnel
Merchants must create, maintain, and exercise a written security policy that addresses system security for all personnel and employees. Regular training procedures should be in place to ensure that all staff are aware of how to keep cardholder data safe and what to do in the event of a data breach. Having a knowledgeable staff can save you much time and money.
Importance of PCI DSS cardholder data policy
Being knowledgeable about these best practice guidelines protects everyone. Merchants who have inadvertently been the victim of a data breach end up paying tremendous fees of around $250 per lost record. If a business loses just 1,000 customer records, it would quickly be responsible for fees starting at $250,000 and more. And the loss of consumer confidence in your business can sting your profits for many years after the fact.