It’s complicated, but if your business (be it a sole trader, small business, national or global entity) is processing, storing and/or transmitting credit card information, I would recommend you continue reading.
But first off, I am going to make a promise to you.
I promise that this post will not contain any nerdy technical terms or go into detail on the standard’s requirements or any debates about the interpretation of said requirements. This post is for business owners seeking to understand if they need to be “PCI compliant” and if so, what to do next.
And before I continue, I need to mention that this post is for merchants only. If you believe your business is a “service provider” (for example, your customers are other merchants that you store, process, or transmit cardholder data for) then wait for my next post which will cover PCI DSS service providers.
So, What is PCI DSS?
So, let’s begin with first making sure that we are on the same page with the term “PCI”. The Payment Card Industry Security Standards Council (PCI SSC) is tasked with managing the Payment Card Industry Data Security Standard (PCI DSS) which is commonly referred to as “PCI”. There is, in fact, more than just the PCI DSS standard that the PCI SSC is required to manage, but at a guess, you would not be reading this post if you were looking for information on those standards.
The PCI DSS standard comprises 12 high-level requirements. Each requirement addresses one component of securing credit card data. For example, Requirement 1 addresses the need to have a firewall installed within certain parts of your computer network, Requirement 2 looks at ensuring any vendor defaults for accounts or configurations are changed, and Requirement 12 deals with policy and standards, among other things. Each of the 12 requirements is then broken down into sub-requirements which address specific items for compliance.
At the time of writing this post, there are over 240 requirements in total for PCI DSS 3.2! Don’t be worried yet. Depending on your business, not all requirements may apply to you.
The table below lists out the 12 high-level requirements.
| Requirement | Description |
|---|---|
| Requirement 1 | Install and maintain a firewall configuration to protect cardholder data |
| Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Requirement 3 | Protect stored cardholder data |
| Requirement 4 | Encrypt transmission of cardholder data across open, public networks |
| Requirement 5 | Use and regularly update anti-virus software on all systems commonly affected by malware |
| Requirement 6 | Develop and maintain secure systems and applications |
| Requirement 7 | Restrict access to cardholder data by business need-to-know |
| Requirement 8 | Assign a unique ID to each person with computer access |
| Requirement 9 | Restrict physical access to cardholder data |
| Requirement 10 | Track and monitor all access to network resources and cardholder data |
| Requirement 11 | Regularly test security systems and processes |
| Requirement 12 | Maintain a policy that addresses information security |
To reach PCI DSS compliance you must meet each of the requirement’s objectives that are applicable to your scope of compliance, which I will cover later in this post.
PCI DSS is an annual reporting process. Even though you only have to report on your compliance annually, you’re expected to stay compliant throughout the year.
Why Do I have to be “PCI DSS Compliant”?
In short, PCI DSS is here to help reduce the chances of credit card data being stolen, and that includes your credit cards!
PCI DSS is essential and much needed in helping businesses improve their IT security. Almost every day, there is a significant breach of personal information, including credit card data, reported in the news. I would not be surprised if many of you have had your personal information, including bank details and credit card data, stolen due to the failure of a business’s IT security. When your business becomes PCI DSS compliant you are helping reduce the chances of your customers’ data being stolen – that’s good for business, right?
Also, it’s important to note that if you do suffer a breach that results in credit card data being stolen, you could face several consequences, such as:
- Your acquiring bank may pass on any fines it receives from the credit card brands and other interested parties and/or
- Your acquiring bank may stop processing credit card transactions from you and/or
- Your acquiring bank may demand that you undertake a very costly forensic examination to determine how the breach occurred.
Often the cost imposed on your business if you suffer a breach without being PCI DSS compliant is far more than the cost to become PCI compliant in the first place.
Being PCI DSS compliant will not make your business 100% secure, but it will help reduce your risk of a breach.
Who or What is Enforcing PCI DSS Compliance?
The PCI SSC has no power to force a business to become PCI DSS compliant – that’s not their mandate. However, if you accept credit cards as payment, be it accepting a physical credit card at your shop, over the phone, via email, via snail-mail, online through your eCommerce site or via any other channel, the bank that processes the credit card transaction on your behalf (called an “acquiring bank”) will often include a contractual requirement for you to be PCI DSS compliant. If you refuse to become compliant, the acquiring bank will often show you the door.
Why does the acquiring bank care so much about my PCI DSS compliance?
The acquiring bank carries the risk of being fined by the credit card brands that formed the PCI SSC if your business suffers a breach of credit card data. So, more often than not, your acquiring bank will expect you to become PCI DSS compliant.
How do I know what PCI DSS requirements I need to meet?
As a QSA, my advice is to contact your acquiring bank and ask them. As mentioned above, it’s your acquiring bank that is fined by the payment card brands if your business suffers a breach resulting in credit card data being stolen, so they are accepting the risk.
I could cover the difference between a Report on Compliance “RoC” and the different Self-Assessment Questionnaires “SAQ”, but I do not want to lead you up the wrong path.
One thing I will say is that unless your business is considered a “Level 1” merchant (which means your business processes more than 6 million card transactions per annum, or you’re a global merchant, or, under Mastercard, a merchant that has suffered a hack/attack that resulted in account data compromise), your acquiring bank will more than likely ask you to complete one or more Self-Assessment Questionnaires.
Again, contact your acquiring bank and ask them.
10 Tips for Improving Your Chances at PCI DSS Compliance
I have provided below a few tips that should help your business on the road to PCI DSS compliance. These are general IT security tips, so wherever you are with your PCI DSS compliance, they will help improve your IT security regardless. NOTE! These tips do not guarantee PCI DSS compliance on their own!
- Respect credit card data. Have a long hard think about the reasons why you need to store credit card data after using it for a transaction. The key recommendation of PCI SSC is if you don’t need to keep credit card data, then don’t! Not storing credit card data after a transaction will reduce your PCI DSS compliance requirements by quite a bit.
- If you store credit card data electronically, make 100% sure that only people who need access to that data have it, and that the systems storing the credit card data are well protected from unauthorized access. There are strict requirements around storing credit card data, which include the use of encryption-at-rest. If this sounds too hard then consider having your payment gateway provider store the credit card data while your business uses a payment token instead. For more information on reducing your PCI DSS scope read this post -> How Can I Reduce My PCI DSS Scope?
- If credit card details are written down on paper and need to be stored for some time, ensure that the storage container can be locked and that the key to the container is only accessible to authorized users. Do not leave credit card details unprotected at any time, such as lying around on post-it notes.
- If any of your systems are transmitting credit card data, for example from your eCommerce site to your payment gateway, ensure the transmission is encrypted. For the eCommerce site that normally means using only the HTTPS protocol. Ensure that the “TLS 1.2” protocol is used, not “SSL”, “TLS 1.0” or “TLS 1.1”. Use this free and very helpful tool https://www.ssllabs.com to understand which protocols are currently used by your systems.
- Record all systems and users that process, store or transmit credit card data. Once all systems and users have been recorded, see where you can reduce how many users and systems need to “touch” the credit card data. The fewer systems and users that “touch” credit card data the better for you reaching PCI DSS compliance.
- Implement a patching schedule for your IT systems to ensure the latest patches are installed in a timely manner. For critical patches, ensure the patch is applied less than one month from the patch’s release. If you have any operating systems that are end-of-life, such as Windows XP or Windows 2003 Server, focus on upgrading or replacing them ASAP. No patches are available to the general public, which means these systems are at a much higher risk of being attacked.
- Only grant local admin access to operating systems to users who really need it.
- Ensure all computers have anti-virus installed and a local firewall. Ensure that the anti-virus signatures are kept up-to-date and that the anti-virus software and firewall cannot be turned off or configured without authorization.
- Ensure all users have strong passwords and that they don’t share their computer accounts with others. Stop any use of computer accounts that are used by more than one user (normally called a “shared account”). Every user should have their own computer account, which allows you to better track the actions of users within your environment.
- Change all vendor-supplied default accounts/passwords and any configurations that could make the device vulnerable to attack. Search Google for “default password for” followed by the device’s name. You will be surprised at the number of Internet-facing devices that still have the default username and password active!
- Look at placing a firewall at the perimeter of your business environment to control what traffic flows in and out of your business. Only allow traffic that you consider a business need to flow in and out. You may also need additional firewall(s) between the “perimeter” firewall and where card data is transmitted, processed and stored – you may need help with this from a network IT professional.
- Record all service providers that have access to your IT systems, including what level of permissions they have, what user accounts they use to access your environment, and why they have access to your environment. You must have awareness and control over all service providers who have access to your IT systems. The number of IT security breaches caused by service providers is staggering.
- Implement a basic IT security education program for your users, to be conducted when a person starts and annually thereafter. The program should cover IT security basics such as how to create strong passwords, how to identify phishing/social engineering, how to protect credit card data, thinking before clicking on an email attachment, watching out for tailgating, etc. Write an IT security policy that your users can refer to when required. The policy should cover all things IT security within your business, from the patching schedule, approved software and security configurations for computers (such as anti-virus/local firewall) to remote access, Internet usage, enforcement, etc.
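As an added example (not code from the original post) for the tips on not storing card data and recording every system that touches it: a small Python scanner that finds Luhn-valid card numbers in a log file and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed sample data, and the Luhn check only filters false positives; a hit still needs a human to confirm it.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so long IDs and timestamps are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log (not from the post); 4111111111111111 is a standard
# Luhn-valid test number, 4111111111111112 fails the Luhn check.
SAMPLE_LOG = """\
2021-03-04 10:15:02 order=1001 pan=4111111111111111 amount=49.90
2021-03-04 10:15:09 order=1002 pan=4111 1111 1111 1111 amount=12.00
2021-03-04 10:16:30 order=1003 ref=4111111111111112 amount=5.00
2021-03-04 10:17:01 order=1004 pan=411111******1111 amount=7.50
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit results back to a single digit (10 -> 1, 12 -> 3, ...).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _candidate_digits(match) -> str:
    # Strip the separators the regex tolerated so Luhn sees digits only.
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list:
    """Return (offset, digits) for each Luhn-valid PAN found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_digits(m)
        if luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN with its masked form; leave everything else as is."""
    def _sub(m):
        digits = _candidate_digits(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_sub, text)


def scan_log(text: str) -> list:
    """Report (line number, masked PAN) for every line holding an unmasked PAN."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for _, digits in find_pans(line):
            report.append((lineno, mask_pan(digits)))
    return report


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found, should read {masked}")
    print(redact(SAMPLE_LOG))
```

Run it over your own log or export files to find out which systems are keeping full card numbers you may not need at all.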
So let’s recap.
- PCI DSS is a standard that comprises 12 high-level requirements addressing the security of credit card data. Each of the 12 requirements is then broken down into sub-requirements addressing a particular security objective.
- If you’re a merchant that accepts credit cards as payment, be it physically accepting cards at your shop, over the phone, via email, via snail-mail, via eCommerce or any other channel, more than likely your acquiring bank will expect you to be PCI DSS compliant.
- Depending on how you accept credit cards and your level of credit card transactions, not all of the 240+ requirements will apply to your business to reach PCI DSS compliance.
- To become “PCI DSS” compliant you must meet the “testing procedures” for each requirement that is applicable to you. For example, if the requirement to have a firewall installed within your network is applicable to your business then to meet that requirement you need to install a firewall in the way required by PCI DSS.
- Reporting on PCI DSS compliance is an annual process. But compliance should be part of the way you run your business every day.
- Contact your acquiring bank and ask them what they require you to provide to demonstrate your compliance. They’ll likely be able to tell you what forms to submit and whether you can fill them in yourself or need to get a QSA to help.
- If you accept credit cards, do not ignore PCI DSS! If you do and your business suffers a breach resulting in credit card data being stolen, there is a very high likelihood that your acquiring bank will be knocking on your door and it won’t be an enjoyable experience!
PCI DSS Resources
PCI DSS Website -> https://www.pcisecuritystandards.org/
PCI DSS Official Document Library-> https://www.pcisecuritystandards.org/document_library
Marc is a PCI QSA at Confide and has been working with the company since May of 2016. Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.
Developing an eCommerce Website: 7 Must-Do Privacy Steps
Setting up a website is effortless these days. You buy your hosting, find a platform, pick a name, and voila – you’re a site owner. The real challenge comes when you need to develop every bit of it before it goes public. It continues when it goes live since your task is to keep it safe and secure.
With digital crime growing every day, keeping a website safe from fraud and hacking is challenging. During Covid-19 there were up to 30,000 cyber attacks every day. Any competent business person whose success depends on online sales knows that a significant breach or several small chargebacks can kill everything they’ve done since the start.
Privacy & Security On eCommerce Sites
Selling your products or services online has a huge earning potential. It offers you a more expansive and virtually unlimited reach. According to Statista research, around 270 million Americans make online purchases in a year. That brings a total of $548 billion into the eCommerce industry every year.
However, the money you’ll be receiving from your eCommerce store, i.e., the website, won’t change hands invisibly. You’ll need people’s information, a lot of which is personal, to process their payments and deliver the products and services. Unless you have a good privacy and safety strategy in place, this will be impossible to do.
Did you know that every month, there is an average of 249 fraud attempts? In 2018, only 182 fraud attempts were prevented, and in 2020 the FTC received over 2 million consumer fraud reports.
People are warier of the rising online crime than ever. They put extra caution into sharing their personal information, which means that people won’t trust you enough to buy from your website unless you put safety measures in place.
The online world is highly reliant on word-of-mouth. It means that, even if you suffer a smaller hack that doesn’t hurt your company badly, the word can spread pretty fast, instantly ruining your reputation and credibility.
Not to mention, failing to implement the necessary safety measures can equal breaking the law. You’ll be up for penalties and consequences. It’s why if you’ve decided to put your eCommerce business idea into action, you need to take all the precautions to keep privacy to an optimal level.
Critical Privacy & Security Tasks
Here are the critical privacy and security steps that every eCommerce website creator should take.
Get familiar with the applicable laws
As crime grows online, so does the number of security steps businesses need to take to keep their customers safe. Data is beneficial to companies these days. It allows them to sell products, track the market, analyze and create their marketing strategies, and communicate with customers. However, it is as much of a threat as it is an asset.
The call for strengthening the data privacy of consumers has been heard all around the globe. Every year, we hear new legislative changes that ensure consumers’ privacy and security who buy things online. There are currently 100 countries spanning six continents with privacy laws in place, attempting to protect internet users’ information.
If you want to build a trustworthy business and avoid legal issues, you need to operate within the confines of the laws applicable to you. For example, if you’re in California, you should constantly be up to date with the latest CCPA laws and regulations. These are carefully crafted to keep consumers safe.
The California Consumer Protection Act or CCPA is one of the latest additions to privacy laws worldwide. It was enacted on January 1 of 2020. At this point, eCommerce businesses had more than a year to understand and ensure that their companies are doing the necessary to protect consumers.
With that in mind, before you put your website online, you need to make privacy your priority—this is the best way to get started.
In addition to ensuring that your website complies with the CCPA regulations, ensure that you’re informed on other applicable laws and regulations. Why is this important?
GDPR, for example, (the European Union privacy law) requires all companies who sell to customers within the Union’s borders to be compliant with their rules and regulations. If you want to avoid harsh penalties, you should get familiar with their regulations also.
Trademark your logo and company name
Your business might be new for now, and therefore, there’ll probably be little interest in stealing it. However, as it grows, you might be a victim of identity theft – but for your company. The most essential tip an eCommerce business person can get these days is to trademark their company name and logo.
Before you choose a name, make sure that it is clear to use as a trademark. Finding an available domain name does not mean that the name is available as a trademark. To ensure that no one will try to take your company name and logo, you need to go through this process as soon as possible.
If you don’t know how to register a name as a trademark, seek a legal professional that will process your request through the Patent and Trademark Office. Registering your company’s and website’s name protects you against infringers, future copiers, as well as knockoffs.
Pick a secure eCommerce platform
There are many choices in terms of where you can open your eCommerce store. But, if you want to enrich consumers’ privacy, you should take this step very seriously. Building a store on Software-as-a-Service platforms like Shopify or BigCommerce is an excellent idea since these sites help you build, host, and keep your store safe.
In most cases, eCommerce platforms are chosen for their convenience of use, functionality, range of design, and security features. The goal here is to find solutions that provide SSL certificates, encrypted payment gateways, and suitable authentication protocols for buyers and sellers.
SSL, or Secure Sockets Layer, is a security technology that allows you to establish encrypted links between browsers and web servers. Using HTTP with SSL ensures that all data passing between the web server and the browser remains private and unaltered. It’s vital if you wish to ensure your customers’ privacy and keep eCommerce transactions secure.
Having HTTPS websites means higher Google rankings, improved security, increased customer confidence, and conversions.
Keep the website updated
Not only should you update your site to meet the latest changes in laws and regulations, but also to prevent fraud. Yes, website owners can also take measures to reduce the risk of being hacked. As of 2019, 56% of all the traffic online comes from automated sources like spammers, impersonators, hacking tools, and bots.
Unpatched extensions and applications make websites very easy targets. This is why you should always keep the site and its back-end software updated with new security patches.
Opt for strong passwords
Those bots and hacking tools rely on brute force. They try endless combinations of characters against a site’s login, attempting to get in. Unless you have a strong password, they might get lucky and crack it. Then it won’t matter what type of site you have or which laws you’ve tried to follow – they’ll be in.
So, use strong passwords to enter your site, but also require strong passwords from your team. Have your employees use strong passwords: a mix of upper- and lower-case letters, symbols and numbers. Also, remind people to change their passwords often, for example twice a year.
Even if your site has flawless security and many measures in place, many websites’ weakest links are their customers. People tend to have poor password hygiene. They’ll reuse the same passwords or pick something very simple that they’ll remember easily. That being said, have some rules for password creation for your consumers. This keeps their data safe, so you’re doing them a favor by asking this, too.
Also use MFA (multi-factor authentication) wherever you can. Your clients will thank you for it.
Learn to recognize the signs of fraud
Your job does not end when you take measures to create a safe website. To keep people’s private information secure, you need to remain alert at all times. Fraud prevention is only as successful as your vigilance, which is why you need to learn to recognize the signs of fraud and stop it before it is too late.
To do this, take a peek at the types of emails used to sign up, the customer order history, check for suspicious emails, etc. Keep in mind that fraudsters target higher value items and usually have their orders shipped to obscure addresses.
The eCommerce industry can be fruitful for those with a clear idea and quality products and services. However, if you want to succeed and survive in this market, you must put the customers’ privacy as one of your priorities. Remember – this is never a one-and-done deal. Threats change and evolve every day. At this time, the smartest move you can make to keep your reputation and business intact is to maintain a security-focused mindset.
Take These Steps And Protect Your Business From A Cybercrime
You might have read the news story surrounding the events that happened at Mar-a-Lago. The prestigious club favoured by the president was recently breached by a woman who claimed she was a member. She wasn’t. Once she was inside, she suggested she was there for a conference.
There was no conference taking place, and the woman entered the club with multiple pieces of tech, one of which contained malware. The president was in the club at the time, and it is not currently known what the woman’s intentions were. It is, however, clear that she almost succeeded.
This shouldn’t come as a massive shock. After all, recent reports have suggested that by 2021 there will be a cyber attack on a business every twenty seconds. That’s crazy and it won’t just be big businesses that are exposed either.
Indeed, experts suggest that smaller companies will be targeted because criminals won’t expect them to have the latest protection measures in place.
This leaves an important question: Is your business secure and prepared for the threat of a cyber attack?
Truthfully, the answer is probably no. But you can take steps and make changes to ensure that your business is protected.
Let’s look at some of the ways you can do this, plus here’s a quick recap on what you need to know about cyber crime and malware.
What is Malware?
You don’t need to know the history of malware, but it’s kind of interesting, so here’s a short summary. Its beginnings are thought to be in 1949, with computer scientist John von Neumann; however, the first documented viruses were in the 1970s.
Not all viruses are bad, but malware is, and it’s thought that a third of all computers worldwide have been infected at some time.
There have been some very hard hitting computer viruses over the years including:
- 2013 – CryptoLocker. This is one of the early ransomware programs. Ransomware in itself is interesting insofar as it denies the user access to their computer, with threats to publish the user’s data unless a ransom is paid.
- 2014 – Backoff. Known for hitting the Point of Sale (POS) machines to steal credit card data.
- 2016 – Cerber. One of the most infectious viruses according to Microsoft.
- 2017 – WannaCry Ransomware. Appropriately named as many companies attacked by it did ‘want to cry’.
What is Cybercrime?
Simply put, cybercrime is the term used to describe any criminal activity online, i.e. that uses the Internet. It’s far-reaching, insofar as it includes everything from ransomware and other viruses to hacking, phishing and spamming.
So, what can you do to make sure your business is protected?
Installed And Up To Date
It’s important to make sure that you are installing anti-virus software. Once it is installed, make sure that you are updating it regularly. Many people think that once you have installed anti-virus software on your tech, your issues are over. This just isn’t the case. It’s possible, and even likely, that you fall behind on updates and suddenly there’s basically no protection for your business.
This is usually because people are relying on free antivirus software. Free software is better than nothing, but it’s definitely not the ideal solution. If you want the highest level of protection, then you need to invest in the best software on the market. This isn’t free but it does provide fantastic value for your company.
Choose Strong Passwords
Passwords are incredibly dangerous if they are easy to guess or if they include information that people could quickly access. As such, there should be no personal information used to create your passwords. It should be a random string of numbers and letters. These are almost impossible to guess or hack and as such will keep your sensitive data secure.
The Latest Tech
Do make sure that you are investing in the latest technology and equipment. The latest tech will usually have preventive measures in place to ensure that software is protected, particularly if it is running the latest programs and systems.
You should also be careful of money-saving methods such as BYOD initiatives. While these can cut costs, you can’t guarantee that the devices employees use are as secure as they need to be. Investing in the latest technology yourself will always be the best option.
We hope this helps you understand how to secure your business from a potential cybercrime.
How Compliant is your Small Business?
Operating a small business doesn’t mean you can be complacent with how you’re protecting customer data and the prevention of the real threat of credit card theft.
Hacking gangs are alive and well, hence the tightening of data protection rules in the western world, including the European Union’s GDPR.
So there are two major compliance areas to work on immediately if you’ve not done so already. Doing the basics to ensure your business is in compliance with data protection laws, including the GDPR even if you’re not in Europe, is a must-do, and here’s how you can get started if you’ve not done it already.
Every website collecting email addresses and more needs to comply with the requirements for protecting customer data. There’s more that’s needed too; see Website policies further on in this article.
There is also a pressing concern for all businesses, eCommerce and particularly those in the retail sector to commit to PCI compliance. You might be wondering what it is and is your operation too small to be bothered with it right now.
A really good explanation of what PCI DSS is and why any business transactions using credit cards needs to comply can be found in this article on BusinessBlogs.
Smaller businesses can do a self assessment, and while you might sigh with relief, don’t get too comfortable: you’ll still need to know exactly how to do a PCI self assessment and how to get set up so that when your business grows it’s got everything in place for external assessments.
PCI and Networks
The real difficulty lies in understanding how sensitive data moves along your network, which is a must for assessment. Wireless LANs and other connectivity points like USB ports and Bluetooth can be penetrated, hence they need to be monitored and secured. This is where a PCI compliance specialist comes into their own, not only for your self assessment but also when using external PCI auditors for your compliance.
Earlier on we mentioned protection of customer data and laws like GDPR.
Any business with a website that collects customer data cannot avoid the basic website features that allow for transparency about how customer data is collected, used and shared: privacy and cookie policies.
This really is the norm now and it’s the entry level for all websites, so all website developers will implement it; it’s just the older sites and the do-it-yourself crowd who need to be aware of the requirements.
Website visitors expect to see the pop-up that asks them to accept your website’s cookie policy, and they’ll take the necessary action. Without it, your business is not perceived as being secure and visitors may take no further action, i.e. they’ll exit your site.
All websites should also be using SSL (HTTPS) and be mobile ready, plus have all the bells and whistles in place to manage customer data collection and management for the protection of customer data.
Ignorance is not bliss, and it will be hurting your business if your website is not on top of its compliance requirements. Get curious, find out what you need to know and when you need to take action to keep the hackers out and the visitors in.