Does your business process credit cards? Would you be able to continue operating if you lost the ability to process cards?
If your business relies on credit cards to conduct business, there are certain cybersecurity measures you must implement to comply with the Payment Card Industry Data Security Standard (PCI-DSS). A common misperception of PCI-DSS is that if you don’t store credit card information, you don’t have to be PCI compliant but that simply is not true. The PCI standards also apply to handling of data while it is processed or transmitted over the computer network, phone lines, and even fax. So unless you are using point-to-point encryption AND tokenization, you will need to comply with PCI-DSS.
Another misconception is that payment card processors do not fine small companies when they have a breach and while fines are typically levied with merchants that process more than a million transactions a year, if you suffer a breach of cardholder data you will be liable for chargeback amounts, credit monitoring costs, and could be on the hook for compliance auditing costs as well as lose your ability to process credit cards.
The PCI-DSS requirements mirror data security best practices and a few of key requirements are:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 1 requires that businesses that process or transmit credit card data to have a firewall to protect the cardholder data. It further dictates that the firewall configuration needs to be reviewed every six months and that you must block bogus IP addresses (Bogons) from accessing the network from outside.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 5 requires that the business implement anti-virus software on all computers that could be compromised (5.1) and also that the anti-virus is able to detect, block, and remove known malicious software (5.1.2). While there are free anti-virus options available, many are limited in their capabilities and also do not provide the same level of protection as paid anti-virus. Additionally, anti-virus programs are not expensive (as low as $2.50 per computer per month from Axiom) so why would you take the risk that your computers could be infected by credit card stealing malware or locked up by ransomware?
Requirement 5 also states that you must ensure that the anti-virus programs are kept up-to-date, perform regular scans, and that you maintain an audit log (5.2) And anti-virus programs also cannot be disabled by users (5.3) unless justified and approved by management.
Requirement 6: Develop and maintain secure systems and applications
Requirement 6 guides companies to establish a method of conducting security assessments (6.1) to identify vulnerabilities and assign a risk rating (low, medium, high, critical) to found vulnerabilities. The requirement also requires that companies install security patches for known vulnerabilities within one month of the patch being released (6.2).
How Axiom can help with PCI Compliance
Axiom is able to assist with fulfilling all of the PCI-DSS requirements listed above through our combination of hardware and software services. If any of the requirements give you pause, contact us today for a free consultation at (800) 519-5070 Ext. 7
For more information on PCI-DSS, you may find the official PCI DSS Quick Reference Guide helpful.