10 PCI Compliance Best Practices to Protect Your Business and Customers

In 2014, Home Depot suffered a data breach of historic proportions. Hackers gained access to the retailer’s payment systems, compromising credit card information for 56 million customers. That breach cost Home Depot $179 million. While no organization can claim immunity from cyber-attacks, following PCI compliance best practices can mitigate the extent of the damage.

Every organization that stores, processes or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance can bring fines from the card brands and acquiring banks, higher transaction fees and, ultimately, loss of the ability to accept cards. More importantly, PCI compliance is a baseline for effective cyber security, not a ceiling. Following these best practices keeps you compliant and protects both your business and your customers.

1. Use Firewalls

Firewalls and network security controls form the first line of defense for your network and every device connected to it. Configure them to deny by default and permit only traffic with a documented business justification into the cardholder data environment (CDE), and segment the CDE from the rest of the network so that a compromised guest Wi-Fi client or back-office machine cannot reach payment systems. Maintain those firewalls: review the rule sets at least every six months (a PCI DSS requirement) and apply firmware and software updates as soon as they become available.

2. Change Default Passwords

Many devices critical to your environment, including routers, wireless access points and point of sale (POS) systems, ship with default passwords and default accounts. Always replace the defaults with strong, unique passwords before putting a device into service, and change or disable other vendor defaults, such as SNMP community strings and pre-set wireless keys, as well. Attackers know the defaults, lists of them are freely available, and default credentials have been used successfully over and over again to gain access.

3. Encrypt All Transmitted Data

Credit card and customer information must be encrypted at every stage of the process. In transit, that means strong cryptography: TLS 1.2 or later on every connection that carries cardholder data, with certificate verification switched on. SSL and early TLS no longer meet the standard, so check for them in any legacy POS or payment gateway integration rather than assuming the vendor handled it. Make sure that you properly configure and enable encryption on your wireless network as well: WPA2 or better, never WEP, and keep cardholder systems off any open or guest wireless network.
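The check behind that advice, as an added example rather than code from the article or from any particular gateway: a client context the way many legacy integrations configure it (verification off, no protocol floor) beside a hardened one, and an audit that refuses to send cardholder data over the weak one. The gateway host and the payload format are placeholders; only the TLS settings matter here.

```python
import socket
import ssl
from typing import Optional

# Findings are plain strings so an audit result can be compared and reported.
NO_CERT_CHECK = "certificate verification disabled"
NO_HOSTNAME_CHECK = "hostname verification disabled"
EARLY_TLS = "SSL/early TLS (below 1.2) permitted"


def weak_context() -> ssl.SSLContext:
    """The pattern found in many legacy gateway integrations: verification
    switched off to make a certificate error go away, and the protocol floor
    removed entirely, leaving it to the library which may still accept TLS 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the peer against the system store (or a pinned cafile),
    require TLS 1.2 or later, and keep hostname checking on."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the PCI-relevant weaknesses of a client context (empty means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_CHECK)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:   # TLSVersion is an IntEnum
        findings.append(EARLY_TLS)
    return findings


def post_to_gateway(host: str, port: int, payload: bytes, ctx: ssl.SSLContext) -> bytes:
    """Send an authorisation request (hypothetical gateway, hypothetical format)
    only over a context that passes the audit; fail closed instead of downgrading."""
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("refusing to transmit cardholder data: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.recv(4096)


if __name__ == "__main__":
    print("weak context:", audit_context(weak_context()))
    print("hardened context:", audit_context(hardened_context()))
```

The audit runs before any socket is opened, so a misconfigured integration fails loudly in testing rather than quietly sending card data over an unverified or early-TLS connection in production.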

4. Keep Software Up to Date

Make it a point to apply security patches in a timely fashion; PCI DSS expects critical security patches to be installed within one month of release. This applies to your operating system, anti-virus and anti-malware tools, and all other software you use, including POS applications and the firmware on payment terminals. Pay special attention to every device that interacts with credit card data, and keep an inventory of those devices so that nothing in scope is forgotten.

5. Restrict Access to Cardholder Data

No one should have access to cardholder data unless their work duties require it; grant access by role, deny it by default, and review it periodically. Ideally, avoid storing cardholder data on your own servers or workstations at all. Most modern payment gateways offer tokenization or a vault, so that your systems hold only a token that cannot be turned back into a card number. If you must keep the primary account number (PAN), render it unreadable wherever it is stored (truncation, tokenization or strong encryption with properly managed keys) and display at most the first six and last four digits. Sensitive authentication data (full magnetic stripe or chip data, the CVV/CVC security code, PIN blocks) must never be stored after authorization, even encrypted.
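Two tools a practitioner uses to enforce this, as an added example that is not part of the article: a scanner that finds card numbers that should not be sitting in an export, log or database dump (a 13 to 19 digit run that passes the Luhn check), and a masking function that renders a PAN the way PCI DSS allows it to be displayed. The sample export is constructed, using the well-known Visa and Mastercard test numbers, and the order number in it shows why a regex alone is not enough.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: two Luhn-valid test numbers that should never have been
# written to disk, and an order number that merely looks like a PAN.
SAMPLE_EXPORT = """\
order=1234567890123456 customer=acme status=paid
note: customer paid with 4111 1111 1111 1111 exp 12/26
refund to 5555-5555-5555-4444 approved
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return the PANs (digits only) present in text, in order of appearance."""
    return [
        _digits(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Render a PAN the way PCI DSS permits it to be displayed: at most the
    first six and last four digits, everything in between replaced."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Mask every Luhn-valid PAN in text; leave other digit runs untouched."""
    def repl(m):
        raw = m.group(0)
        return mask_pan(raw) if luhn_ok(_digits(raw)) else raw
    return _PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_EXPORT):
        print("stored PAN found:", mask_pan(pan))
    print(scrub(SAMPLE_EXPORT))
```

Run the scanner over backups, log directories and database exports when scoping a PCI assessment; anything it finds is cardholder data you are storing, whether you meant to or not. The scrub function belongs in the logging pipeline so a full PAN never reaches a log file in the first place.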

6. Monitor and Log All Activity

In the event of an incident, you need to be able to trace the problem to its source. First, make sure that every user has a unique identifier: never allow multiple employees to share generic credentials for a device or an application, because a shared "admin" or "pos" login makes the audit trail worthless.

Second, log all access to cardholder data and all administrative actions on in-scope systems, recording a synchronised timestamp, the user, the action, the resource and the outcome, and protect those logs from alteration. Finally, review system security and audit logs regularly, daily for the cardholder data environment, to search for compliance issues and anomalies, and retain them for at least a year with the most recent three months immediately available for analysis.
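What that daily review looks like in code, as an added example that is not from the article: a few constructed audit-trail lines run through checks for the problems this section describes, namely a generic account in use, access to cardholder data by someone outside the authorised group, access out of hours, and repeated failures from one source. The log format, the authorised-user list, the generic account names and the business hours are all assumptions standing in for your own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed audit-trail format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Assumed policy inputs: who may touch each cardholder-data object, which
# account names are generic rather than individual, and the review window.
AUTHORISED = {"cardholder_db": {"jdoe", "ysmith"}}
GENERIC_ACCOUNTS = {"admin", "root", "pos", "manager"}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 UTC
FAILURE_THRESHOLD = 3

# Constructed sample events (not real logs).
SAMPLE_LOG = [
    "2024-03-04T09:13:55Z user=jdoe action=read object=cardholder_db result=success src=10.1.5.20",
    "2024-03-04T09:20:01Z user=admin action=read object=cardholder_db result=success src=10.1.5.9",
    "2024-03-04T02:41:10Z user=ysmith action=export object=cardholder_db result=success src=10.1.5.31",
    "2024-03-04T10:00:03Z user=mlee action=read object=cardholder_db result=failure src=203.0.113.7",
    "2024-03-04T10:00:09Z user=mlee action=read object=cardholder_db result=failure src=203.0.113.7",
    "2024-03-04T10:00:15Z user=mlee action=read object=cardholder_db result=failure src=203.0.113.7",
    "2024-03-04T10:05:00Z user=jdoe read cardholder_db",
]


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def review(lines) -> list:
    """Return (line_number, reason) findings a daily log review should raise."""
    findings = []
    failures = Counter()
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if ev is None:
            # A line that does not parse is itself a finding: logging may be
            # broken, or someone may have edited the file.
            findings.append((n, "unparseable entry; logging may be broken or tampered"))
            continue
        if ev["user"] in GENERIC_ACCOUNTS:
            findings.append((n, f"shared account '{ev['user']}' used; no individual accountability"))
        allowed = AUTHORISED.get(ev["obj"])
        if allowed is not None:
            if ev["result"] == "success" and ev["user"] not in allowed:
                findings.append((n, f"'{ev['user']}' is not authorised for {ev['obj']}"))
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append((n, f"{ev['obj']} accessed out of hours by '{ev['user']}'"))
        if ev["result"] == "failure":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                findings.append((n, f"{FAILURE_THRESHOLD} failed attempts by '{ev['user']}' from {ev['src']}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The point of the unique-identifier rule shows up directly in the second line: once the account is "admin", the review can say that someone unauthorised read the database, but not who, which is exactly the gap an investigation cannot close afterwards.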

7. Run Regular Security Tests

PCI DSS requires quarterly vulnerability scans, internal and external, with the external scans performed by an Approved Scanning Vendor (ASV), plus an annual Self-Assessment Questionnaire (or a Report on Compliance for larger merchants) and, for many merchants, annual penetration testing. But demonstrating PCI compliance on a schedule will hardly ensure cyber security. Run smaller audits in between to test systems and procedures, re-scan after any significant change to the network or the applications, and track each vulnerability through to remediation rather than just to the report.

8. Choose Your Payment Processor Wisely

Payment processors offer a variety of features. Every provider will provide a measure of PCI compliance service, and will charge you accordingly. But some vendors provide more comprehensive services than others. Do your homework and thoroughly review your contract before signing on.

A good payment processor will provide regular security scans and give you access to the logs. They will ensure that their own processing systems are PCI compliant, and many include point-to-point encryption or tokenization so that full card numbers never reach your systems. Be clear about where their responsibility ends and yours begins: a compliant processor reduces the scope of your obligations, but you still complete the SAQ that matches how you accept cards and remain responsible for the systems in that scope.

9. Monitor for Card Skimmers

Train employees to monitor POS systems for credit card skimmers. Thieves can install them in seconds, so while self-service lanes pose the greatest risk, any POS can be compromised. EMV technology reduces the risk, although criminals have even begun to target chip cards, as well.

10. Train Employees

No matter how effective your network security and anti-virus are, the human factor remains the weakest link in the security chain. Therefore, communicate policies clearly and provide regular, role-specific training for employees that covers phishing, social engineering, the handling of card data and what to report. Approach cyber-security training on multiple levels, from in-person seminars to posters and workflow reminders.

Expert PCI Compliance Management Services

eMazzanti provides proven retail IT services, with staff trained at the highest levels in retail data security. As an active member of the PCI Security Standards Council, we are working to advance world-wide PCI security standards. Our QIR certified PCI experts work hard to implement and monitor your POS system, build robust network security and ensure PCI compliance.
