Bar none, securing consumer credit card data is essential to doing business in 2017. And the information security industry is meeting the demand. But as security solutions evolve in scope and scale, it’s important to understand the various components so you’re confident (and educated) in properly securing your customer data.
One of the elements of it compliance and security is an SSL (secure sockets layer) certificate, which provides data protection via a secured connection for credit card data as it travels across an open or public network. SSL technology secures credit card transactions, data transfers and logins over the Internet by establishing an encrypted link between web servers and browsers. And business owners should certainly obtain an SSL certificate – but that is only one piece of the information security pie.
The PCI (Payment Card Industry) Data Security Standards includes 12 requirements – one of which is transmission encryption through an SSL certificate.
Let’s be clear. SSL is part of compliance. It is not compliance.
A business is not PCI compliant unless it meets all 12 requirements. Those requirements are made up of over 300 system-specific system requirement tests covering a broader range of security goals beyond just information transmission across the Internet. The 12 requirement sections are divided into the following 6 compliance objectives:
- Building and maintaining a secure network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protecting cardholder data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintaining a vulnerability management program
- Requirement 5: Use and regularly update anti-virus software programs
- Requirement 6: Develop and maintain secure systems and applications
- Implementing strong access control measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Regularly monitoring and testing networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Maintaining an information security policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
An SSL certificate is one of the mandates for having a PCI compliant site, but just having an SSL certificate does not make a business’ website PCI compliant (it was worth repeating).
A third-party vendor, such as ZZ Servers, can help your business navigate industry security standards and ensure your business is meeting all the standards. ZZ Servers offers fully PCI-enabled hosting environments and can help your business achieve PCI compliance through log monitoring and archiving, firewall maintenance, intrusion detection, vulnerability testing, and internal and external penetration testing.
Securing customer data is essential for any business today. No matter your business’ size, information security solutions are within reach. We can help.