We are now well into the year and spring is almost here. The nagging PCI compliance pain is starting to reappear. So, retailers: Where would you begin?
Here’s a list of things that can help you check off some important milestones, but you need to get cracking now. It’s time to prepare, plan, and execute your yearly PCI assessment says the PCI calendar.
- Take an inventory of your hardware and software technologies. Make sure your vendors are meeting security mandates.
- Schedule penetration testing of your environment. Note if you are a Level 1 or Level 2 merchants, pen tests need to be done after any significant change in the environment and by a qualified security vendor.
- Continue with external and internal vulnerability scanning every quarter. Passing scans are required for the last 3 quarters prior to an audit.
- Review security logs of critical components per requirement 10.6.1.
- Verify and validate 8.2.4 to ensure user password parameters are set to require users to change passwords at least every 90 days.
- Pay attention to your anti-virus configuration. Ensure
- they are kept current with most recent software and signature files
- they perform automatic updates
- they perform automatic scans
- they generate logs
- Physically inspect devices for signs of tampering per requirement 9.9.
- Requirement 3.1 says identify and securely delete store cardholder data that exceeds defined retention periods.
- Follow requirement 9 and sub-controls related to inventory, storage and destruction of media. Make a note of when and by whom they were done.
- Keep the logs. These are the multiple factor authentication logs, event logs, syslogs, file integrity monitoring logs and more.
- Conduct security awareness training.
Merchants by now know that PCI compliance is not a point in time but an ongoing occurrence. Ask the experts at Omega, if you have doubts or questions on any of the when, what, and how of these PCI compliance requirements. Phone 636-557-7777.