If your business handles online sales and transactions made with credit and debit cards, complying with the legal requirements of eCommerce is essential. That means learning to respect, understand, and satisfy the demands of PCI-DSS.
We thought we’d put together a little summary of what you need to know about PCI-DSS… and what it means for your business.
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a set of regulations relating to online commercial transactions and, specifically, the protection of a consumer’s card details and personal information.
It is a global standard that enables businesses to process card payments securely. This covers the storage, transmission and processing of cardholder data.
While PCI-DSS is not a legal requirement in and of itself, most of the data it covers does fall under the umbrella of the Data Protection Act. So if you’re a business that handles card payments online, you’ll need to apply the standard.
The Payment Card Industry Security Standards Council, which developed and maintains PCI-DSS, states that the regulations should cover “all system components included in or connected to the cardholder data environment”. Failure to satisfy the requirements, at least in terms of the Data Protection Act, can lead to serious repercussions, including fines and revoked credit card processing capabilities.
The PCI-DSS standard is organized into 12 requirements split across six categories.
There are two requirements that fall under Category 1:
This ultimately incorporates the use of advanced firewalls to prevent unauthorized access. Firewalls control the traffic that passes between the company’s trusted internal networks and untrusted external networks.
Vendor-supplied defaults, such as default passwords and settings, are often commonly known and easy to exploit; changing those defaults immediately makes it harder for hackers and criminals to attack and compromise the data systems.
Two requirements fall under Category 2:
Only the minimum necessary data should be stored, and it should be protected by encryption, truncation, masking and hashing. Meanwhile, data from the chip or magnetic stripe, as well as CVN and PIN data, should never be stored by the company.
Security protocols like TLS, IPSec, and SSH are needed to protect sensitive data in transit, while the security policies governing the transmission of data over public networks should be clearly published and documented.
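The storage rule above, as an added example that is not part of the original post: a small Python routine that keeps only what may be retained from a card record, masks and keyed-hashes the PAN, and refuses to store CVN, PIN and track data. Field names, the sample record and the key are constructed; a real deployment would also keep the HMAC key in a separate key store.

```python
"""Added example (not from the original post): reduce a post-authorization card
record to what PCI-DSS allows to be stored. Field names and the sample record
are constructed for illustration; the key would come from a separate key store."""
import hashlib
import hmac
import re

# Sensitive authentication data that must never be stored (constructed field names).
FORBIDDEN_FIELDS = {"cvn", "cvv", "cvc", "pin", "pin_block", "track1", "track2", "chip_data"}

# Constructed sample: what a payment handler might hold right after authorization.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",   # well-known test PAN, not a real card
    "expiry": "12/29",
    "cardholder": "J. Doe",
    "cvn": "123",
    "track2": "constructed-track-data",
    "auth_code": "A1B2C3",
}

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject malformed PANs before they reach storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking for display: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, secret_key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN so records can be matched
    without keeping the PAN; the key must be stored apart from the hashed values."""
    return hmac.new(secret_key, pan.encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: dict, secret_key: bytes) -> dict:
    """Return only the fields that may be retained, with the PAN masked and hashed."""
    pan = re.sub(r"\D", "", record["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    stored = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_hash"] = hash_pan(pan, secret_key)
    return stored
```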
Category 3 covers two requirements:
This means using cybersecurity tools to detect and remove all malware… on a 24/7 basis. Disabling them should only occur when authorized for a specific process.
Vulnerabilities need to be identified and ranked by their risk factor, while any software updates and patches from the relevant vendors should be installed within 30 days of release. The maintenance aspects apply to both internally and externally developed applications.
Three requirements fall under category 4:
The abuse of user privileges is one of the most common forms of online attack and can be very difficult to identify. Limiting access rights to sensitive data should start with setting the access control default to deny; access can then be granted on a need-to-know basis.
Documented policies and procedures should be applied across all system components, with a special focus on non-consumer users and administrators. All users should have user IDs, while two-factor authentication should be implemented for access via remote networks.
This means restricting access to server rooms, data centers, and other locations that house sensitive data. Media must be secured, and its storage, access and distribution handled in a controlled environment. Once media is no longer needed, it should be disposed of.
Category 5 has two requirements:
Logging helps prevent, detect, and minimize the damage from a breach, which is why audit trails need to be implemented in a secure manner. Three months of logs should be available for immediate analysis when the security team requests them, while all log data should be retained for a minimum of one year.
This should cover both systems and processes. Checks for unauthorized wireless access points, along with internal and external network vulnerability scans, should be run on a quarterly basis. Weekly comparisons of critical files can also quickly alert staff to unauthorized system modifications.
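The weekly critical-file comparison mentioned above, as an added example that is not from the original post: a Python snapshot-and-compare routine that hashes the monitored files, diffs the result against a stored baseline, and reports added, removed and modified paths. The directory layout and file contents are constructed; in practice the baseline must be kept where the monitored host cannot alter it.

```python
"""Added example (not from the original post): a weekly critical-file comparison.
Hash the critical files, compare against a stored baseline, and report what
changed. Paths and file contents are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, patterns) -> dict:
    """Map each matching file (POSIX-style relative path) to its digest."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: new files, missing files, and files whose hash changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo(root: Path) -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    (root / "etc").mkdir(parents=True, exist_ok=True)
    (root / "etc" / "payment.conf").write_text("tls_min_version=1.2\n")
    (root / "etc" / "users.conf").write_text("admin=locked\n")
    baseline = build_baseline(root, ["*.conf"])
    # Simulated unauthorized changes between two weekly runs.
    (root / "etc" / "payment.conf").write_text("tls_min_version=1.0\n")
    (root / "etc" / "users.conf").unlink()
    (root / "etc" / "extra.conf").write_text("allow=*\n")
    return compare(baseline, build_baseline(root, ["*.conf"]))

def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))
```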
Category 6 contains just a single requirement:
The security policy should be established, published, maintained and disseminated for the best results. Risk assessments, usage policies, and incident response plans must also be established so that any attacks or breaches can be dealt with efficiently.
PCI-DSS is a collection of requirements that ultimately create the globally accepted standards regarding the handling of sensitive cardholder data, including personal details and payment information.
If you’re concerned about whether your e-commerce platform is compliant or secure, we’d love to have a short conversation. At BitLyft, we specialize in securing the data of both organizations and the customers who trust them. Reach out today and we can determine what steps, if any, are needed to keep you PCI-DSS compliant.