Tips for Optimizing PCI Compliance

Sparked by the increase in credit card fraud, PCI DSS compliance went into effect in 2004 to help protect cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data, and to those entities that can affect the security of that data. The only exception is telecommunications companies that supply only the communications lines and no other services to the business. It covers technical, physical, and operational practices for systems and components included in, or connected to, environments that hold cardholder data.

In a nutshell, if your business accepts or processes payment cards, PCI DSS applies to you. The number of cards you handle has no bearing on which requirements apply: whether you process 10 credit cards a year or one billion credit cards a year, the same requirements apply.

With all that effort, attention and certification, you'd think there would be no security breaches exposing consumer credit card information. Unfortunately, that's not the case.

"PCI is an everyday, all day activity. It's not just an annual event to gain your company a PCI compliant report," said Howard Glavin, senior vice president at K3DES, a technology consulting firm providing computer and network security assessments, including PCI Assessments.

The PCI standards are continually evolving to address changes in the market and industry. In fact, the latest version, PCI DSS 3.2, contains several updates that are audit-enforceable now, and some significant updates going into effect on June 30.

"The majority of the January 31, 2018 and June 30, 2018 updates found in 3.2 add additional oversight and security practices for Service Providers," said Glavin.

"PCI DSS 3.2 January 2018 changes add requirements around multi-factor authentication for all system, network, and database administrators. It also adds requirements that will make PCI compliance more of an ongoing practice, vs. a point-in-time activity, especially for service providers who have new notification, documentation and review requirements," Glavin added.

The June 30, 2018 deadline requires that organizations move from SSL (Secure Sockets Layer) or early TLS (Transport Layer Security) cryptographic communications protocols to TLS 1.1 or higher.

Advice: Operate on a 'Need to Know' Basis

PCI compliance, while not the panacea we all want for security, is an important process for businesses and consumers alike. Consumers gain a level of confidence doing business with a vendor or company by understanding that it is doing its due diligence to protect cardholder data. Businesses have an obligation and responsibility to protect consumer information, and PCI DSS helps them implement best practices for protecting that data.

Other Personally Identifiable Information (PII) may also be captured, but this is not part of PCI. The company must address it as well, to ensure all PII is protected in accordance with the laws and regulations of the country, state, and community in which it does business.

"The biggest item that most companies discover when they self-assess for PCI compliance – and are surprised to find – is their lack of knowledge of all the places they store card holder data, in both physical and electronic form," Glavin said. "As businesses grow, data tends to migrate and occasionally the cardholder data moves from the PCI controlled environments to areas that are viewed as out of scope for PCI and this data is then in non-controlled areas of the business.

"Organizations should limit the amount and type of card holder data they store. If you only need the first six and last four digits in a card number do not keep anything more than that for 'just in case' issues," Glavin said.

Companies need to figure out exactly the minimum information they need to conduct business, and reduce the data stored, processed and transmitted to just that amount of data. Then keep that data access on a "need to know, right to know, and time to know" basis.
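As an added example (not from the article or from ZZ Servers), a small Python scan that looks through stored records for Luhn-valid card numbers and reports each hit only in the first-six/last-four truncated form that Glavin recommends, so the report itself never becomes another place where full cardholder data is stored. The sample records are constructed and use publicly known test card numbers, not real cards.

```python
import re

# Constructed sample records at rest (fake data; the card numbers are
# standard Luhn-valid test numbers, not real cards).
SAMPLE_RECORDS = [
    "order=1001 customer=alice pan=4111111111111111 exp=12/25",
    "order=1002 customer=bob note=call back at 5551234567",
    "invoice 1003 card 5500 0000 0000 0004 paid",
    "order=1004 pan_truncated=411111******1111",
]

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, masking the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(lines):
    """Return (line_number, truncated_pan) for each Luhn-valid PAN in `lines`.

    Digit runs that fail the Luhn check (phone numbers, order ids) are
    skipped, and already-truncated values never match because the masked
    middle breaks the digit run."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, truncate_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_RECORDS):
        print(f"line {lineno}: full PAN stored, truncated form {masked}")
```

Run the same scan over exported database tables, log directories, and shared folders to build the inventory of "all the places" cardholder data lives, then truncate or delete what is found outside the controlled environment.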

"The company must constantly question who really needs to see, use or review that cardholder data and limit access to just those individuals," Glavin said. "Additionally, all access to this data should be audited, logged and reviewed for potential abuse and misuse on a very frequent basis."

PCI compliance is not something you want to leave up to chance or inexperience. To see how ZZ Servers can give you real PCI peace of mind, contact us today.