Since the PCI Data Security Standard was introduced, more and more organizations that store, process or transmit cardholder data have worked towards compliance with it, because over time PCI DSS has matured into a widely accepted standard. At the same time, many organizations have yet to comply fully. Research published by Verizon in 2011 showed that most of the organizations that suffered a security breach were not compliant with the standard, and that some of them had been found compliant in their previous assessment. Compliance is therefore not a one-time exercise. It is an ongoing process, and organizations need to remain compliant throughout the year rather than validating compliance at a single point in time. Only then can they effectively protect their customers' card data from a breach.
An annual PCI DSS assessment only indicates how well an organization complies at the time the assessment is made; it says nothing about the period between two annual assessments. To comply consistently with the PCI DSS requirements, an organization needs a formal security programme that operates at all times and remains in place throughout the year.
The following are some of the best practices an organization needs to adopt, to effectively implement and maintain PCI DSS compliance:
Determine the Scope of PCI DSS Compliance
Before implementing PCI DSS in your organization, determine the scope. Identify every system component involved in storing, processing or transmitting cardholder data, every system connected to those components, and all payment channels, locations and data flows.
Conduct a Gap Analysis
For every system component within the scope of PCI DSS compliance, measure its current level of compliance against the requirements of the standard. The PCI Self-Assessment Questionnaire (SAQ) can be used for this; it will show which of your controls, tools and systems are in place and which still need work.
Develop Policies and Procedures
Develop a set of formal policies and procedures that cover the requirements of the standard, and maintain and enforce them within the organization.
Train the Personnel
Everyone involved in handling cardholder data must be aware of the PCI DSS requirements. Provide regular training, to new hires and existing staff alike.
Encrypt Sensitive Data
Payment card data must never be left unencrypted, whether it is stored or transmitted over any medium. Use strong, industry-accepted cryptography with sound key management rather than a home-grown or obsolete cipher. Note that sensitive authentication data (full track data, card verification codes and PINs) must not be stored at all after authorization, even in encrypted form.
Ensure Physical Security of Data
Physical security of cardholder data matters as much as its security on electronic systems. Restrict physical access to the media, terminals and systems holding the data to authorized personnel.
Scramble Track Data
The data encoded on the magnetic stripe on the back of a payment card is known as track data. Point-of-sale systems read it, but it is sensitive authentication data and must not be stored after authorization; some POS systems retain it without the merchant's knowledge, and attackers who compromise such a system can harvest it to produce counterfeit cards. POS vendors must therefore ensure that their applications never write track data to disk, databases or logs, and merchants should check their own POS systems for it.
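One way a merchant can check the point above is to scan POS logs, databases and files for stored track data and bare PANs. The following scanner is an added example, not code from the original page or from any PCI SSC document: it matches the ISO 7813 Track 1 and Track 2 layouts and bare 13-19 digit runs, confirms candidate PANs with the Luhn check to keep false positives down, also flags card verification codes, and reports every hit in masked form (first six and last four digits) so the report itself does not become a place where cardholder data is stored. The sample POS log is constructed for the example; the test PAN 4111111111111111 is a well-known Luhn-valid test number.

```python
import re

# ISO 7813 layouts (assumed from the standard, not from the page):
# Track 1:  %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:  ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\W{0,3}(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed PANs, false for most order and timestamp numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display allowed by PCI DSS 3.3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_card_data(text: str) -> list:
    """Return one finding per track record, bare PAN or CVV found in the text.

    Each finding is {"line": n, "kind": ..., "value": masked PAN or "***"}.
    Track matches are recorded first and their spans remembered, so the PAN
    inside a track record is not reported a second time as a bare PAN.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        covered = []  # (start, end) spans already attributed to a track record

        for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                if luhn_ok(m.group(1)):
                    covered.append(m.span())
                    findings.append({"line": lineno, "kind": kind, "value": mask_pan(m.group(1))})

        for m in PAN_RE.finditer(line):
            inside_track = any(a <= m.start() < b for a, b in covered)
            if not inside_track and luhn_ok(m.group(1)):
                findings.append({"line": lineno, "kind": "pan", "value": mask_pan(m.group(1))})

        for m in CVV_RE.finditer(line):
            # Never echo the code itself, even into a findings report.
            findings.append({"line": lineno, "kind": "cvv", "value": "***"})
    return findings


# Constructed sample POS log: one harmless order number, one Track 2 record,
# one Track 1 record, one correctly masked receipt line, one debug line that
# leaks a bare PAN together with a card verification code.
SAMPLE_POS_LOG = """\
2013-04-15 12:30:45 POS01 txn=1234567890123456 amount=42.10 status=APPROVED
2013-04-15 12:30:45 POS01 raw=;4111111111111111=2512101123456789?
2013-04-15 12:31:02 POS02 raw=%B4111111111111111^DOE/JANE^2512101000000000000?
2013-04-15 12:31:40 POS02 receipt pan=411111******1111 auth=056721
2013-04-15 12:32:07 POS03 debug pan=4111111111111111 cvv=123
"""

if __name__ == "__main__":
    for f in scan_for_card_data(SAMPLE_POS_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run it over exported POS databases and log directories as well as live files; a clean result on the application database says nothing about what a debug log or a crash dump on the same host retains.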
Use Secured Wireless Connections
Wireless networks that transmit cardholder data or are connected to the cardholder data environment must use strong encryption and authentication (WPA2 or better with a strong, non-default key) to keep outsiders off the network; WEP is not permitted under PCI DSS. Change the vendor default passwords and SNMP community strings on wireless equipment as well.
Review Logs Regularly
Review system audit and security logs regularly (PCI DSS requires daily review of security events and of the logs of critical systems) to identify anomalies and possible non-compliance issues.
Minimize the Scope
To make implementing PCI DSS easier, minimize the scope of compliance. This reduces both the cost and the effort required to achieve compliance. Scope is reduced by shrinking the cardholder data environment (CDE): anything that stores, processes or transmits cardholder data, together with the systems connected to it, forms part of the CDE. You can achieve this either through network segmentation (isolating the CDE from the rest of the network so that other systems are out of scope) or through tokenization (replacing the PAN with a surrogate value so that application systems never hold the PAN).
Regularly Update the Software
Regularly update all company software to maintain your defences against external threats. The cost of not upgrading is far higher than the combined cost of upgrading your operating system, database server, browser and payment application, such as the iMIS 15.1.2 and iMIS 20 PCI-approved payment applications.
Implement a Layered Security System
Layered security achieves a higher level of protection because if one defense mechanism fails, the attack can still be stopped by the next layer, and so on.
Follow the Mobile Payment Acceptance Guidelines
These guidelines from the PCI SSC are intended for organizations that have already implemented a PCI DSS compliant environment. They give merchants and application developers a set of best practices for accepting and processing payments on a mobile device, aimed at keeping account data from being exposed while it is entered into the device, stored or processed.
Adopt Best Practices for Skimming Prevention
Put simply, skimming is the capture of credit or debit card data by thieves, who then use it for fraud. It mostly occurs at retail outlets and ATMs, where criminals capture the data with purpose-built tools and technology. The PCI Security Standards Council has issued a set of best practices for preventing skimming; it describes the various situations and techniques of skimming and how they can be prevented.
To make implementation easier, the PCI Security Standards Council has released a number of best-practice and guideline documents that together help with implementing PCI DSS in your organization. These include, but are not limited to, the following:
- Skimming Prevention Best Practices
- Risk Assessment Guidelines
- Cloud Computing Guidelines
- PCI Compliance Maintenance Best Practices
- Tokenization Guidelines