In 2014, Home Depot suffered a data breach of historic proportions. Hackers gained access to the retailer’s payment systems, compromising credit card information for 56 million customers. That breach cost Home Depot $179 million. While no organization can claim immunity from cyber-attacks, following PCI compliance best practices can mitigate the extent of the damage.
All organizations that process credit cards must adhere to the Payment Card Industry Data Security Standard (PCI DSS) or face stiff fines. More importantly, PCI compliance represents a starting point for effective cyber security. Following best practices not only keeps you compliant but protects both your business and your customers.
Firewalls form the first line of defense for your network and all devices connected to the network. Make sure to maintain those firewalls, applying software updates as soon as they become available.
Many devices critical to your system, including routers and point of sale (POS) systems, come installed with default passwords. Always replace the defaults with strong passwords. Hackers know the defaults and have used them successfully over and over again to gain access.
Credit card and customer information must be encrypted at every stage of the process. Make sure that you properly configure and enable encryption features on your wireless router and payment gateways.
Make it a point to apply security patches in a timely fashion. This applies to your operating system, anti-virus and anti-malware, and all other software you use. Pay special attention to updating software on all devices that interact with credit card data.
No one should have access to cardholder data unless their work duties require that access. Deny access for anyone else. Ideally, you should avoid storing sensitive cardholder data on your server or hard drive at all. Most modern payment gateways will provide a vault feature for you to store cardholder information away from your website.
In the event of an issue, you need to be able to trace the problem to its source. First, make sure that every user has a unique identifier. That is, you should never have multiple employees sharing generic credentials for a device.
Second, create access logs to document all activity relating to cardholder data. Finally, review system security and audit logs regularly to search for compliance issues and anomalies.
PCI DSS requires an annual network vulnerability scan and Self-Assessment Questionnaire. But demonstrating PCI compliance once a year will hardly ensure cyber security. Run mini audits regularly to test systems and procedures and highlight vulnerabilities.
Payment processors offer a variety of features. Every provider will provide a measure of PCI compliance service, and will charge you accordingly. But some vendors provide more comprehensive services than others. Do your homework and thoroughly review your contract before signing on.
A good payment processor will provide regular security scans and give you access to the logs. They will ensure that processing systems are PCI compliant. Many will also include encryption.
Train employees to monitor POS systems for credit card skimmers. Thieves can install them in seconds, so while self-service lanes pose the greatest risk, any POS can be compromised. EMV technology reduces the risk, although criminals have even begun to target chip cards, as well.
No matter how effective your network security and anti-virus, the human factor remains the weakest link in the security chain. Therefore, communicate policies clearly and provide regular, industry-specific training for employees. Approach cyber-security training on multiple levels, from in-person seminars to posters and workflow reminders.
eMazzanti provides proven retail IT services, with staff trained at the highest levels in retail data security. As an active member of the PCI Security Standards Council, we are working to advance world-wide PCI security standards. Our QIR certified PCI experts work hard to implement and monitor your POS system, build robust network security and ensure PCI compliance.
Cyber threats never take a day off, never clock out and go home at the…
Building, deploying, and managing applications via Microsoft's global network of data centers is easier with…
Microsoft Copilot is a tool, powered by AI, that aims to boost your productivity within…
Making things happen is the art and science of project management. The process involves managing…
In today's fast digital life, website performance is important, as it holds visitors and ensures…
The FBI reported that cyber attacks against government facilities saw an increase of almost 36…