PCI Compliance refers to the Payment Card Industry Data Security Standard. If your company accepts credit card payments, this concerns you.
If your company stores, processes, or transmits cardholder data – or it intends to – you must host all of that data in a secure manner, using a PCI compliant hosting provider. Cardholder data refers to personally identifiable information that is associated with a credit or debit card. This includes primary account numbers, the name on the card, and expiration dates.
The PCI Security Standards Council has established 12 PCI compliance requirements. Together, they create secure networks, protect data, and manage access to that data.
The PCI Compliance Checklist
1. Protect cardholder data by installing and maintaining a firewall
Every company storing, processing, or transmitting cardholder data must create its own firewall configuration policy. Your hosting provider should take care of this.
2. You must not use the default security parameters provided by vendors
Typically, vendor-supplied equipment comes with easy to remember usernames and passwords, such as ‘user’ or ‘admin’ and ‘password.’ Even if your vendor-supplied security parameters appear to be more complex, you must change them for your own unique and secure passwords.
3. If you store cardholder data, you must protect it
Many companies avoid this requirement altogether by ensuring that they never store cardholder data in the first place. Cardholder data is exactly what attackers are after, so where it is stored, protection needs to be stringent. The data should be physically protected by keeping it under restricted access, with locks preventing access to the servers, network and storage devices. Access to the data should also require logical authorization, i.e. passwords or other forms of authentication.
4. Encrypt transmitted cardholder data
If this data is transmitted across an open network, it must be encrypted so that it is unreadable and unusable by anyone who does not hold the required decryption key.
Additionally, PINs and card validation codes must not be stored at all.
5. Use and maintain anti-virus software
Malware is constantly being updated. Make sure that your protection is up to the task by performing regular maintenance.
6. Develop and maintain secure applications and systems
Even when systems and applications are considered to be secure, they should continue to be monitored and tested in order to identify new vulnerabilities. A PCI compliant hosting provider will monitor and update their system to discover and deal with vulnerabilities.
7. Restrict access
Users are a major cause of data breaches. This security risk can be mitigated by restricting access to the data. If only the people who need it have access, the chances of a breach are also reduced.
8. Use IDs
If each user has a unique ID, their activity on the network can be tracked and monitored. In the event of a data breach or accidental loss as a consequence of this individual’s actions, it should be possible to see how and when things went wrong. Accountability is a powerful tool.
These IDs need to be subject to best practices, such as encrypting stored passwords, 30-day limits on password age, and limits on how long a user can remain logged in.
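To show what the checks behind requirement 8 look like in practice, here is an added example (not part of the original page or of CFISA's course material) that audits a constructed set of accounts and login sessions for duplicate user IDs, passwords older than the 30-day limit stated above, and sessions that run past a maximum length; the 8-hour session limit and the record format are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Limits: the 30-day password age follows the checklist above; the
# session length limit is an assumed value for this example.
PASSWORD_MAX_AGE = timedelta(days=30)
SESSION_MAX_LENGTH = timedelta(hours=8)

# Constructed sample data (not from the page): accounts and login sessions.
ACCOUNTS = [
    {"user_id": "alice", "password_set": "2017-06-20"},
    {"user_id": "bob", "password_set": "2017-05-01"},         # password older than 30 days
    {"user_id": "shared-pos", "password_set": "2017-07-01"},
    {"user_id": "shared-pos", "password_set": "2017-07-01"},  # same ID issued twice
]
SESSIONS = [
    {"user_id": "alice", "login": "2017-07-10T08:00", "logout": "2017-07-10T11:30"},
    {"user_id": "bob", "login": "2017-07-09T07:00", "logout": "2017-07-09T18:45"},  # too long
    {"user_id": "shared-pos", "login": "2017-07-10T09:00", "logout": None},         # never logged out
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def duplicate_ids(accounts):
    """IDs assigned to more than one account: activity cannot be tied to one person."""
    counts = Counter(a["user_id"] for a in accounts)
    return sorted(uid for uid, n in counts.items() if n > 1)

def stale_passwords(accounts, as_of):
    """Accounts whose password is older than PASSWORD_MAX_AGE on the given date."""
    return sorted({a["user_id"] for a in accounts
                   if as_of - _parse(a["password_set"]) > PASSWORD_MAX_AGE})

def overlong_sessions(sessions, as_of):
    """Sessions longer than SESSION_MAX_LENGTH; open sessions are measured up to as_of."""
    flagged = []
    for s in sessions:
        end = _parse(s["logout"]) if s["logout"] else as_of
        if end - _parse(s["login"]) > SESSION_MAX_LENGTH:
            flagged.append(s["user_id"])
    return flagged

def audit(accounts=ACCOUNTS, sessions=SESSIONS, as_of=datetime(2017, 7, 11)):
    """Run all three checks and return the offending user IDs per finding."""
    return {
        "duplicate_ids": duplicate_ids(accounts),
        "stale_passwords": stale_passwords(accounts, as_of),
        "overlong_sessions": overlong_sessions(sessions, as_of),
    }

if __name__ == "__main__":
    for finding, ids in audit().items():
        print(f"{finding}: {ids or 'none'}")
```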
9. Restrict physical access to cardholder data
A secure PCI-compliant environment will not only restrict access to cardholder data with physical locks, but should also employ surveillance cameras and entry authentication.
10. Monitor all access to cardholder data and network resources
Monitoring and tracking this access helps to identify the source of a problem in the event of a data loss or breach.
11. Test security systems and processes on a regular basis
Those who seek cardholder data are constantly improving their systems and processes. That’s why it’s necessary to do the same if you are storing cardholder data.
12. Your policy addressing information security requires constant maintenance
Finally, PCI compliance requires that a business maintains a policy that includes all acceptable uses of technology, risk analysis processes, security procedures, and other admin tasks.
What is PCI Compliance Training by CFISA?
We provide our PCI course with our security awareness training. The two really go hand in hand.
In this case, you can expect 15 lessons, with two quiz questions to answer at the end of each lesson. We include one full lesson that explains what the Payment Card Industry Data Security Standard is all about. We encourage your employees to treat customer data as they would want their own data treated. Important PCI compliance guidelines are covered to enlist employee participation and buy-in.
Your employees will be motivated to go on by the attractive certificate available on completion. By the end of the PCI compliance certification, you and/or your workers will have all the information necessary to make sure that your workplace has complied with the PCI training requirements.
Our specialist team is on hand to deliver the training you need, in the way you need it. Many people ask, “What is PCI compliance?” and “Is PCI compliance important to me?” If PCI compliance is what you require, then ensuring that your workforce understands what it entails is essential. We have a flexible pricing system, so just tell us what you require and there will be a solution that suits your budget.
PCI training from CFISA aims to make thinking about security a part of your workers’ repertoire, so that maintaining security best practices becomes a natural response. We use our experience and training expertise to get everyone who takes part in our training to engage fully with the process. Staff must be invested in protecting the organization for which they work, and maintaining PCI compliance.
At the same time, while we are familiarizing people with thinking about security, our PCI training goal is to break negative habits. Where there is behavior that causes security risks, we work on changing the attitudes and perceptions behind it, and replacing them with better understanding.
To get your workforce up to speed with PCI compliance requirements and to receive PCI compliance certification, give us a call at (561) 325-6050 or fill in our online form and provide us with some information about your goals, so we can get back to you with a tailored quote.
If you need PCI training, be sure to check the box on the form and provide any other information that will give us an idea of your business culture and your values. With customized training, whether in-person or otherwise, CFISA can deliver training that’s ideal for your team.
All new and updated lessons as of July 2017
Request a quote for full access to all lessons