For a business that accepts, and occasionally stores, the sensitive information gathered during a transaction, few things are as important as maintaining its security measures. To help with this, the Payment Card Industry (PCI) Security Standards Council maintains a set of controls that organizations and businesses can use to determine whether or not they are compliant.
Whether you’re new to understanding PCI compliance or you’re looking to correct certain systems within your organization, we’ve put together a guide for your reference. By following the six points detailed below, you’ll have the tools you need to better address the risks that come with the data you’ve collected as a result of your cardholder environment.
Before you do anything else in your system, the first step you should always take is to limit the amount of data you retain and to remove any sensitive information entirely where you can. This covers everything from PII (Personally Identifiable Information) to PCI (Payment Card Information). If a breach does somehow occur, your environment then won’t contain the sensitive information that would put you or your customers at risk. In general, your best course of action is to never store data that your environment doesn’t need in order to operate properly and effectively.
In a house, the more points of entry you have, the less secure your home is, because you cannot watch every access point at once. Applying the same idea to your system: the fewer access points you have, the fewer opportunities there are for a breach. However, it’s best practice to assume a breach can still happen and to have a plan, and all the necessary tools, in place to respond to it quickly.
The applications you use to accept card information and payments are often the first point of contact between you and your customers. They can also be among the first access points exploited in a breach. No matter which applications you use or how many distinct payment elements those apps contain, there is always an associated risk. Because these applications are frequently targeted and are often among the first things compromised in a breach, you should focus your efforts on securing every element and access point within them.
In any environment that collects and stores cardholder information, regardless of how long that information is kept, you should never have too many cooks in the kitchen with access to it. Tracking which individuals and teams can access your network and systems keeps you informed about who is doing what, and when. If you aren’t monitoring who accesses your system, it becomes difficult to pinpoint when someone, or something, has connected to your environment that shouldn’t have. Limit who can access your data and you minimize the opportunity for potential threats.
We understand that, in some cases, it is necessary and required to store account numbers and other sensitive payment information. Primary Account Numbers (PANs) are regularly targeted in a breach, so when you must keep them in your system, store them strategically. A good tip for this step is to isolate this type of information in a single area of your network. Keeping this data in just one segment of your system reduces the chance of it being accessed unnecessarily or discovered in a breach.
As with every other aspect of business, going back and checking your work, through routine maintenance and thorough documentation of your controls and breach responses, keeps you accountable. Once your plans and strategies are in place, you’ll have an easier time confirming that everything is operating as it should. You’ll also have what you need to regularly train new and existing employees on your internal SOPs and to run through possible breach scenarios, so everyone stays up to date on your current security controls and response procedures.
Now that you have the steps you need to keep your data safe and maintain PCI compliance, take the time to see how your organization currently stands. Instead of waiting months for a third-party audit, take our quick self-assessment to see where you’re compliant and where you need to improve. You can also contact our team to learn more about compliance and how our solutions can help you keep your data safe as you grow.