In today’s business world, convenience is a valuable commodity. About 75% of Americans shop online, getting their wants and needs delivered right to their doorstep without ever stepping outside their homes. And some businesses have taken convenience a step further, offering to store customers’ card information to make future purchases faster.
Any business that stores customers’ payment data, regardless of the company size or number of transactions, must comply with the Payment Card Industry Data Security Standard (PCI DSS). This set of regulations seeks to keep your customers’ data safe and secure — but what exactly do these standards mean?
If you want to keep your customers’ data secure (and avoid a fine of up to $100,000 PER MONTH of noncompliance), here are the 12 key requirements you need to follow to be PCI DSS compliant.
- Install a Firewall
Most companies that store card information do so in a cloud storage system. For the business, this can be very effective; cloud storage doesn’t take up physical space and can be very affordable. However, cloud storage isn’t always secure, which is why the PCI DSS requires companies to install a firewall to restrict traffic into their cloud.
- Set Secure Passwords
If your company’s servers, firewalls, wifi, or network-connected devices are still using the default password you got from the vendor, you’re in big trouble! Vendor default passwords are widely known and easily guessed, which means they’re nowhere near secure enough to meet security standards. Reset the passwords to something stronger as soon as you can.
- Protect Stored Customer Data
If you’re planning to store customer card information, you need to make sure that all data is encrypted and protected. Use industry-accepted algorithms like AES-256 or RSA-2048 to encrypt your data, and make sure you know what data is being stored (so you can make sure it’s all protected).
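The second half of that requirement, knowing what card data is actually sitting in your files and logs, is usually handled with a discovery scan. The example below is added here and is not the author’s own code: it finds Luhn-valid 13 to 19 digit card numbers in constructed sample records (the card numbers are industry test numbers, not real cards) and reports which record holds cleartext PANs.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit-only form of every Luhn-valid PAN found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: dict) -> dict:
    """Map each record name to the PANs stored in it as cleartext (empty if none)."""
    return {name: find_pans(body) for name, body in records.items()}


# Constructed sample data (assumption): an order export, an application log line
# that leaked a PAN, and a support note with a phone number and ticket id only.
SAMPLE_RECORDS = {
    "orders.csv": "1001,2023-03-01,4111 1111 1111 1111,USD,49.99\n",
    "app.log": "2023-03-01 10:02:11 checkout ok pan=5555555555554444 amt=12.00\n",
    "support_notes.txt": "Customer called from 555-867-5309; ticket 1234567890123\n",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {len(pans)} cleartext PAN(s)")
```

The ticket number in the support note has the right length but fails the Luhn check, so it is not reported; the log line is flagged, which is the common case of card data ending up somewhere it was never meant to be stored.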
- Encrypt Transactions
In addition to encrypting your customers’ stored data, you must also protect their data during the payment process. Transmitting card data over an open network like Bluetooth or the internet can leave data vulnerable to hackers. As a merchant, it is your responsibility to find a reliable payment processor and give your customers a secure system through which they can make their purchases.
- Update Your Antivirus
We all know someone who clicks “remind me later” every time their antivirus software pops up asking for an update. But if you’re this cavalier with your business network, you’re putting yourself at risk for a variety of malware and intrusions that can compromise your customer data and ruin your business’s reputation. Make sure your antivirus software is always up to date and scanning your system for potential threats.
- Keep Your Systems Secure
Keeping your data storage and transactions encrypted is essential to protecting card data, but storage and payment channels are not the only systems you need to be concerned about. Make sure you regularly check your firewalls, application software, databases, and points of sale to ensure they have no weaknesses leaving them vulnerable to threats.
- Customer Data is “Need To Know”
Storing card information doesn’t mean it has to be readily accessible. In fact, PCI DSS dictates that consumers’ data should only be accessible on a “need to know” basis. Implement a management strategy that limits access to this information to a short list of individuals within your organization. This will further protect the data from potential bad actors.
- Don’t Let Employees Share Logins
While a “need to know” policy will limit the number of people accessing your customers’ data, it’s not quite enough to completely protect the information. If you use a shared login, for example, anyone holding that username and password could pass it on, and there would be no telling who actually accessed the system! Avoid this by giving each employee their own unique login.
- Restrict Access to Physical Data
While most data is stored digitally, you will still need physical security to protect your office (and the computers on which your data is stored). Physical security measures like cameras and access logs — which you keep on file for at least 90 days — will deter people from tampering with or stealing the devices that hold your customers’ information.
- Monitor Your Networks
Unfortunately, the internet exposes you to an endless range of risks and vulnerabilities. Cybercriminals can easily hack wireless networks and steal card data — which is why you need to have system monitoring tools constantly checking your networks for suspicious behavior.
- Test Your Systems
PCI DSS requires several periodic activities that will test your security system. These include scanning wireless access points quarterly, scanning external IP addresses and domains (through a PCI-approved scanning vendor) quarterly, conducting an internal vulnerability scan quarterly, and conducting both application penetration tests and network penetration tests once a year.
- Implement a Security Policy
Finally, PCI DSS requires that organizations design a thorough security policy to address all things related to data storage. This policy must include user awareness training, a protocol for employee background checks, and incident management plans — and most importantly, this policy must be reassessed every year to adjust for new threats.
Security looks different online but is still just as important, which is why PCI DSS compliance spans all industries and business types. Some of these requirements are more technical than business owners may be used to and may require outside help from experts. It is all worth it, though, to keep your shoppers safe and confident in you as a merchant. Plus, you don’t want to end up in a news article about how hackers stole valuable data and card information, right? The best practices laid out in the PCI DSS exist for exactly that—to help detect and prevent data breaches.
About the Author
Aaron Smith is a tech writer and LA-based content strategist. He covers industry developments and in his free time, Aaron enjoys swimming, swing dancing, and sci-fi novels.