PCI compliance, or Payment Card Industry compliance, means meeting the Payment Card Industry Data Security Standard (PCI DSS): a set of requirements created to ensure that businesses that accept credit card payments, online or in store, handle card data securely and minimize the risk of card data theft. The PCI Security Standards Council maintains the standard, which is organized into 12 high-level requirements broken down into several hundred detailed sub-requirements, covering everything from firewall configuration to the protection of every device and system used to store, process, or transmit cardholder data.
The onus is on you, the business, to ensure you meet the requirements and to validate your compliance periodically (at least annually). Depending on your transaction volume (your merchant level), that means completing the appropriate Self-Assessment Questionnaire (SAQ) or undergoing an on-site assessment by a Qualified Security Assessor (QSA), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where your SAQ type requires them. Failure to comply can result in fines passed down through your acquiring bank and, ultimately, in losing the ability to accept card payments at all.
Some of the best practices recommended by PCI include:
- Do not store sensitive authentication data (full magnetic-stripe or chip data, the CVV2/CVC2 security code, PINs) after authorization, whether on computers or on paper. If you must retain the primary account number (PAN), keep only what you need, render it unreadable (truncation, tokenization, or strong encryption with managed keys), and mask it wherever it is displayed.
- Use a firewall on your network and PCs.
- Make sure your wireless network requires authentication and uses strong encryption (WPA2 or WPA3); WEP is prohibited by PCI DSS and is trivially broken.
- Use strong passwords, and change vendor default passwords and settings on all hardware and software before deployment; defaults are published and are among the first things attackers try.
- Follow the PCI Data Security Standard.
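The first of these practices is only verifiable if you can tell whether card numbers have crept into places they should never be, such as application logs, database exports, or support tickets. The following is an added example, not code from the original article or from any PCI-provided tool: a small Python scanner that finds candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), confirms them with the Luhn check so that order IDs and timestamps are not flagged, and masks any hit to the first six and last four digits, the maximum PCI DSS has traditionally allowed for display. The log lines it runs over are constructed for the example; the card numbers in them are publicly known test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Lookarounds stop us from matching a 13-19 digit slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest (PCI DSS display masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in the line; return (masked line, number of PANs masked)."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # a long number that is not a card number: leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


# Constructed sample log lines for the example. The order number on the first line
# is 16 digits but fails the Luhn check; the last line is a test PAN with a bad check digit.
SAMPLE_LOG = [
    "2024-03-02 10:14:05 INFO order=1234567890123456 status=paid",
    "2024-03-02 10:14:06 DEBUG gateway request card=4111 1111 1111 1111 exp=1226",
    "2024-03-02 10:14:07 DEBUG retry card=5555-5555-5555-4444",
    "2024-03-02 10:14:08 INFO txn ref=4111111111111112",
]


def scan_log(lines: List[str]) -> List[Tuple[int, str, int]]:
    """Return (1-based line number, masked line, PAN count) for every line that leaked a PAN."""
    report = []
    for n, line in enumerate(lines, start=1):
        masked, count = scrub_line(line)
        if count:
            report.append((n, masked, count))
    return report


if __name__ == "__main__":
    for n, masked, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) found -> {masked}")
```

Run against a real log directory, a scanner like this is a cheap pre-audit check for Requirement 3 violations; a hit means cardholder data is being written somewhere it must not be, and the fix is to stop logging the field at the source, not merely to scrub the files afterwards.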
If your organization stores, processes, or transmits credit card data, in any channel, you must be PCI compliant. Your business must ensure the security of the following:
- Card readers
- Point of sale systems
- Store networks and wireless access points
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
Even if you rely on a third-party service provider to process all your credit card payments, you remain accountable: the provider may be contractually responsible for the controls it operates, but if a breach is traced back to your business, you bear the consequences with your acquirer and the card brands. Keep a list of your providers, obtain each one's current Attestation of Compliance (AOC), and agree in writing which PCI DSS requirements each party owns; this is exactly what PCI DSS Requirement 12.8 expects.
So, what should a business like yours do to achieve PCI compliance? Taking a risk-based approach to cyber security is a solid path. One of the best ways to do this is to adopt the NIST Cybersecurity Framework and map its core functions (Identify, Protect, Detect, Respond, Recover) to the PCI DSS requirements. When you put security first, PCI compliance will follow. Focusing on compliance alone may earn you the coveted checkmark to process card payments, but it may not be enough to prevent a breach in the long run.
Have questions about mapping the NIST Cybersecurity Framework to your PCI compliance goals? Contact the experts at QuickProtect to ensure your cyber security and compliance goals are achieved.