How to Stay PCI Compliant
PCI compliance is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company meets credit card compliance standards can be daunting.
Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips for preparing for a PCI assessment and keeping your security controls at the required level at all times, not just at audit time:
Identify all business and client data. This includes any cardholder data, its sensitivity and its criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
Understand the boundaries of the cardholder data environment. Monitor all of the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people that store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, such as servers.
Establish operating controls. This measure is necessary to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. “Backups must also preserve the confidentiality and integrity of cardholder data,” VanSickel said. “Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.”
Have an incident response plan in place. When a security incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements, and contact strategies in the event data is compromised, including notification of the payment brands, legal counsel, and public relations. “Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary,” VanSickel said.
Explain and enforce security procedures. You cannot assume that employees understand which security practices and behaviors can put your business at risk. It is up to you to make sure everyone in the company, including IT specialists and upper management, is educated on PCI compliance procedures.
Key takeaway: PCI compliance involves properly tracking the right data and having an incident response plan in place, including security procedures to follow in the event of a breach.