PCI DSS Credit card information

PCI DSS is confusing stuff.    The fact is that as a business that processes, stores or transmits credit card data, you are required to validate your compliance with the PCI-DSS standards.

Note that I said you have to validate.  That does not mean that your data is safe!    Most stores are responsible for completing an annual Self Assessment Questionnaire (SAQ) and a quarterly report from an Authorized Security Vendor (ASV) that you have passed a network scan.

Note that the PCI SAQ C-2 is the document that most of our customers are required to fill out.  It’s 26 pages long and considered the “shortened version”.

So, what does it say?  In short, use common sense.    There are 11 sections to the document and each has its own particular bit of verification.   NOTE, don’t take any of the following as legal advice or as the final word on how to fill out your PCI documents!

1)   Installed a firewall and have it configured properly.  Hopefully you have secured your WiFi and separated it from your POS system.

2)  Don’t use default passwords .  We won’t let you  do this in version 7.60 and above but you still need to do it with your  other passwords in Windows, your router etc.

3)  Protect cardholder data.  Make sure that your POS does not store data and insure that the credit card numbers are masked etc.  Don’t write credit card numbers down and use an integrated solution.

4)  Encrypt transmission of the card data on networks.   We encrypt the data per standards between the local nodes on the network.

5)  Use an anti-virus.  We like Microsoft Security Essentials.

6)  Develop & maintain secure systems.   Make sure you maintain your  POS with the most updated version .  Also your  Windows critical updates need to be kept up to date.

7)  Restrict access to cardholder data to people that need it. Since the cards are not stored in SP-1, this is handled.  If you write numbers down and save them, then you are opening a whole other can of worms.

8)  Assign unique ID’s to each person  with POS access.  You do have unique employee ID’s right?

9)  Restrict physical access to cardholder data.  Since we don’t store cardholder data this should be a no brainier.  If you write numbers down for some reason you need to have polices and procedures in place to insure that the data is not taken off site.   Also, they need to be destroyed and secured in store (i.e. locked) until they are destroyed.

11) Test your processes and security systems.  Make sure that you have a way to see if the network has been comprimised (hacked).   Even just USB drives plugged in, software downloaded that is not approved or a wireless devices installed can through this question.  Make sure you don’t let your POS become a home computer.    Also, you have to have an qualified internal or external party perform a quarterly scan.

12) Maintain a policy that addresses information security.    This concerns a lot of security  issues in your store.  One of the things most stores have never thought about is that you must have policies and procedures in place as far as employee electronic devices.  Yes you are supposed to have a list of which employees are allowed to have what type of electronic devices in your store!

January 12th, 2012 by