PCI compliance should be a top priority for all businesses and institutions that collect and store customer credit/debit card information. PCI compliance, or payment card industry compliance, means that your business follows the necessary guidelines to keep cardholder information safe and secure from hacks or other misuses.
If you collect sensitive information like credit/debit card numbers, addresses, or social security numbers, you need to be PCI compliant to protect your business and your customers in case of attempted hacks. These regulations also help to prevent the misuse of customer information inside the company, which in turn guards against malpractice and lawsuits.
How can you make your website PCI compliant?
Let’s start by looking at the requirements for PCI compliance. There are 12 in total.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
In order to be compliant, all of these requirements need to be met and maintained. It’s also important to point out that this is not something you can do once and maintain in the same way forever. Technology is constantly changing and hackers continue to outsmart security systems. As hackers become more advanced in their tactics, security standards need to change to continue to protect consumers.
In terms of actionable steps to meet these requirements, here are some suggestions from cloudsmallbusinessservice:
Malware, or malicious software, includes viruses and spyware. Set up firewalls to protect yourself and your customers from malware. In addition to firewalls, train staff on handling emails that may contain malware: don’t open emails from an unknown source, and don’t download attachments you weren’t expecting to receive. Establish a protocol for handling spam so that your employees are informed and prepared to avoid malware.
Writing a Code of Conduct Policy
In the last point, I mentioned establishing a protocol for dealing with malware. On a similar note, you should develop policies for your employees regarding which websites they can access, which apps can be downloaded on their computers, and which devices can connect to the network. Also, clearly state what will happen if any of these rules are broken. This policy can also explicitly state that company computers are not for personal use. Educating your employees on this policy and enforcing it will increase security.
The PCI compliance requirements clearly state that no one should use passwords that were set by vendors at the time of installing or purchasing products or software. Unique and secure passwords need to be set for each login. To ensure that passwords are strong, encourage employees to use letters, numbers, symbols, lowercase, and uppercase characters in their passwords. Also, discourage the use of the same password for multiple portals, discourage the use of family or pet names, and encourage the use of password safes like LastPass.
According to CNBC, the biggest cybersecurity risk is employee negligence. Make sure that employees are educated on all best practices, including but not limited to the use of password-protected documents and emails, shredding sensitive documents after use, locking computers and other devices when not in use, and storing or locking away sensitive documents to prevent unauthorized people from obtaining them.
Create a designated position or set a regular meeting time to discuss changes in security requirements and potential updates. As stated above, PCI compliance changes with technological advances. In order to keep your business and customers safe, you need to make sure that you are enforcing the latest and most effective security standards. Creating a position for someone to constantly monitor this will allow you to be more hands-off. But if creating a new position is not within your budget, holding regular meetings to reevaluate is a must.
Lead by Example
Executive positions within a company need to set an example for other employees. If lower-level employees see executives ignoring policy or letting security standards slip, they will get the impression that it’s not as important as they were taught it was. Once high-level employees start to ignore standards, lower-level employees will follow suit.
Work Through a Self-Assessment Questionnaire
PCI Security Standards offers a self-assessment questionnaire that you can use to evaluate the effectiveness of your business’s current security standards. The assessment comes in several forms to meet your needs depending on the structure of your business. It will help you understand the changes that need to be made and where to start.
Work with a Hosting Company
Maintaining the security requirements for PCI compliance can be a lot of work. The risk of getting it wrong is significant and could ruin your company. If you do not have much experience with cybersecurity and you lack the talent in-house, it is in your best interest to look into PCI compliant hosting companies for your website. They can fully devote themselves to ensuring the security of your website, the storage of cardholder information, and ongoing maintenance.
PCI compliance should be a top priority for any business collecting and storing the credit/debit card information of its customers. Prioritizing security will not only protect your customers, but it will protect your business from damages like lawsuits and fees. Major breaches are also terrible for public image and reputation, costing a significant amount of money in marketing and public relations help to recover.
Protect your customers and your business from the devastation of a breach by taking these steps to become PCI compliant. Take the self-assessment and do further research on how you can make your business safer and more secure.