PCI compliance for merchants is a must, yet many business owners do not take PCI DSS seriously. Because the Payment Card Industry Data Security Standard is not law, people mistakenly believe they do not need to follow it. However, PCI compliance applies to any type of business that stores, processes, or transmits card data, irrespective of how frequently it does so. If you do not comply with PCI DSS, you can find yourself facing monumental fines. It is believed these fines range from around £3,000 to £65,000, and that’s just the fine from the bank; it doesn’t take into account the likes of fraud losses and compensation costs.
PCI compliance for retailers is split into 12 different requirements. These requirements are as follows: to protect stored cardholder information, to ensure access to card data and network resources is monitored and tracked, to maintain a security policy, to protect all cardholder data with a firewall, to regularly test all security systems and processes, to protect all systems against malware, to restrict physical access to cardholder data, to identify and authenticate access to system components, to restrict cardholder data access on a business need-to-know basis, to avoid vendor-supplied defaults when it comes to security parameters, and to use encryption. Needless to say, it is a long list, and achieving PCI compliance is not always easy. Under each of the 12 requirements, there is plenty of detail about what is required from you. This is something that can be very difficult to manage alone, which is why a lot of business owners end up turning to cyber security companies. But first, we are going to take a look at some of the different sections of PCI compliance for merchants so you can get a good idea of what is required of you.
This relates to PCI compliance requirement two, which states that you should not use vendor-supplied defaults for system passwords or any other security parameters. This includes all types of default passwords, from operating systems to Point-of-Sale (PoS) terminals. Why is this important for cyber security? Default settings are commonly published, so such passwords are well known in hacker communities, and this would make it easy for a cyber criminal to get into your network. Changing defaults just scratches the surface of what you need to do to achieve this requirement. You must also develop configuration standards for all system components, so that the known vulnerabilities associated with databases, enterprise applications, and operating systems are combatted. To achieve this, you must ensure each server has only one primary function, and that only the services and protocols that are vital for system functionality are enabled. You also need to implement extra security features for any insecure services or protocols that remain, and it is important to remove any unnecessary functions, such as file systems, web servers, scripts, and drivers that you do not need.
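The configuration-standard part of requirement two lends itself to an automated check. As an added example (not from the original article and not Retail Secure’s product), the Python below compares a constructed host inventory against a per-role baseline of permitted services: it reports servers that carry more than one primary function, services that the standard for that role does not allow, and insecure protocols that have no documented compensating control. The role baseline, the list of insecure services and the inventory records are all assumptions made up for this example.

```python
from __future__ import annotations

# Constructed configuration standard (an assumption of this example, not a
# PCI DSS or vendor baseline): the services each server role may run.
ROLE_BASELINE = {
    "web": {"nginx", "sshd", "ntpd", "rsyslog"},
    "db": {"postgresql", "sshd", "ntpd", "rsyslog"},
}

# Protocols that must not run without extra protection (also constructed).
INSECURE_SERVICES = {"telnetd", "ftpd", "rsh"}

# Constructed inventory records: one compliant web server and one host that
# mixes roles, runs unneeded services and exposes an insecure protocol.
SAMPLE_INVENTORY = [
    {
        "name": "web01",
        "roles": ["web"],
        "services": {"nginx", "sshd", "ntpd", "rsyslog"},
        "compensating_controls": {},
    },
    {
        "name": "app02",
        "roles": ["web", "db"],
        "services": {"nginx", "postgresql", "sshd", "ntpd", "rsyslog", "ftpd", "cupsd"},
        "compensating_controls": {},
    },
]


def check_server(host: dict) -> list[str]:
    """Return the findings for one host record against the configuration standard."""
    findings = []
    roles = host["roles"]
    name = host["name"]

    # One primary function per server.
    if len(roles) != 1:
        findings.append(f"{name}: has {len(roles)} roles; each server should have one primary function")

    # Only services the standard permits for the host's role(s) may be enabled.
    allowed = set().union(*(ROLE_BASELINE.get(r, set()) for r in roles))
    for svc in sorted(host["services"] - allowed):
        findings.append(f"{name}: service '{svc}' is not in the configuration standard for roles {roles}")

    # Insecure protocols that remain need a documented compensating control.
    for svc in sorted(host["services"] & INSECURE_SERVICES):
        if svc not in host.get("compensating_controls", {}):
            findings.append(f"{name}: insecure service '{svc}' has no documented compensating control")
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, int]:
    """Number of findings per host, for a quick compliance dashboard."""
    return {host["name"]: len(check_server(host)) for host in inventory}


if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        for finding in check_server(host):
            print(finding)
```

Running it prints four findings for app02 (two roles, cupsd and ftpd outside the standard, ftpd without a compensating control) and none for web01. Feeding the check real data is a matter of exporting the list of enabled services from each host into the same record shape.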
Encryption is another important part of PCI compliance for merchants. This is part of the fourth requirement, which states that whenever cardholder data is transmitted, strong encryption controls must be in place. Encryption makes the data virtually impossible to read, so a cyber criminal who intercepts or diverts it in transit cannot make use of it. To achieve this requirement, you need to use strong cryptography and security protocols whenever data is in transit over open, public networks, such as the Internet and satellite communications. This is vital because data is highly vulnerable while in transmission on such a network. Aside from this, you also need to make sure you never utilise end-user messaging technologies, such as e-mail and instant messaging, to send unprotected PANs. Again, end-user messaging technologies can be intercepted with ease, which is why this requirement is so important. As is the case with most parts of PCI DSS, documentation plays a key role. You must document your security policy and all operational policies that relate to the encryption of cardholder data transmissions.
The paragraphs above only scratch the surface of two of the 12 requirements that are needed to achieve PCI compliance, and thus you can see that the scope really is huge. Let’s take a brief overview of some of the other requirements. Requirement eight states that you need to identify and authenticate access to system components, which includes many steps, such as using two-factor authentication, restricting access to any database that has cardholder data, assigning additional authentication mechanisms to an individual account, avoiding passwords that are shared or generic, and much more. Requirement ten is also comprehensive, and this involves tracking and monitoring access to network resources and cardholder data. Some of the steps you need to take to achieve this include implementing and securing audit trails, recording all system component audit trail entries, reviewing security logs and events for all system components, and retaining audit trail history for at least a year. As you can see, there is a lot to consider when it comes to PCI compliance for merchants, and this is why it is a good idea to hire an expert security firm, such as Retail Secure.
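Requirement ten’s review steps can be illustrated with a small log review. The Python below is an added example, not from the original article or from Retail Secure: it parses a constructed audit trail, flags users with repeated failed logins inside a short window, lists every access to cardholder data for review, and checks that the retained history reaches back at least a year. The log format (a timestamp followed by key=value fields), the event names and the five-failures-in-ten-minutes threshold are assumptions made up for this example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-trail entries (the format is an assumption of this example,
# not a PCI DSS or vendor log format). "chd_read" marks a read of cardholder data.
SAMPLE_AUDIT_LOG = """\
2023-01-10T08:00:00Z user=alice event=login outcome=success src=10.0.1.5
2023-11-02T09:15:00Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-02T09:15:20Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-02T09:15:45Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-02T09:16:10Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-02T09:16:30Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-02T09:16:50Z user=bob event=login outcome=failure src=10.0.1.9
2023-11-03T14:00:00Z user=carol event=login outcome=success src=10.0.1.7
2023-11-03T14:02:00Z user=carol event=chd_read outcome=success src=10.0.1.7
"""

# Date on which the review is run (fixed so the example is reproducible).
REVIEW_DATE = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_entries(text: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a 'ts' datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entry = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def repeated_login_failures(entries: list[dict], threshold: int = 5,
                            window: timedelta = timedelta(minutes=10)) -> list[str]:
    """Users with at least `threshold` failed logins inside any `window`."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in entries:
        if e.get("event") == "login" and e.get("outcome") == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # Count failures in the window that opens at this failure.
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def cardholder_data_access(entries: list[dict]) -> list[tuple[str, str]]:
    """(user, timestamp) for every read of cardholder data, for manual review."""
    return [(e["user"], e["ts"].isoformat()) for e in entries if e.get("event") == "chd_read"]


def retention_covers(entries: list[dict], now: datetime, min_days: int = 365) -> bool:
    """True when the oldest retained entry is at least `min_days` old."""
    oldest = min(e["ts"] for e in entries)
    return now - oldest >= timedelta(days=min_days)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_AUDIT_LOG)
    print("Repeated login failures:", repeated_login_failures(entries))
    print("Cardholder data reads:", cardholder_data_access(entries))
    print("History covers a year:", retention_covers(entries, REVIEW_DATE))
```

On the sample data the review flags `bob` (six failures in under two minutes), lists carol’s single read of cardholder data, and confirms that the oldest entry is more than a year old on the review date.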
Retail Secure guarantees PCI compliance for merchants. Our network security solution is an affordable, effective, and simple solution that is suited to all businesses, big or small. It offers easy output to the PCI Self Assessment Questionnaire, and it presents many excellent features for unbeatable cyber security. This includes the likes of LAN segregation, a sophisticated firewall for end-to-end protection, 24/7 monitoring, and a support line. To discover more, all you need to do is head to our website, www.retailsecure.co.uk. If you are ready to get started with our solution, or you have a query, simply call us on +44 (0) 333 320 8848.