Compliance with the PCI DSS (Payment Card Industry Data Security Standard) is mandatory for all businesses accepting cards for payment. The Standard ensures appropriate security protocols are applied to your payment acceptance environment to protect against fraud.
In its simplest form, the process of achieving compliance involves a scoping (or profiling) stage, which determines the level of risk the business is exposed to. This determined risk profile will then dictate the actions the business needs to take in order to achieve compliance with the Standard.
Once the actions (e.g. scanning, changes to processes etc.) are completed to meet the requirements of the relevant questionnaire(s), a “compliant” status is awarded to the business. The validation of these requirements must then be renewed annually.
The mistake many small businesses then make is to believe that their security and compliance responsibilities are finished and do not need to be revisited until the revalidation date, 12 months later. It’s important to understand that the PCI DSS is not simply a box-ticking exercise to be done once a year.
A business’s “compliant” status is something that must be maintained throughout the year, consistently reviewed and improved to ensure it remains compliant. Not doing so can result in increased risk of fraud, non-compliance penalties, fines and severe reputational damage in the event of a data breach, to name but a few.
In this blog, we examine some elements of your compliance and security safeguards that need consistent maintenance in order to remain compliant and secure – all year round.
Information security policy
Implementing and maintaining an information security policy is a mandatory part of your PCI compliance. It’s important that your policy is written or adapted to suit your business’ needs, signed by senior management and by staff members who regularly handle sensitive data, and kept on your business’ premises at all times.
Many acquiring banks or Qualified Security Assessor (QSA) companies (if you use one) will provide you with a boilerplate policy as part of your assessment. However, it’s imperative that your policy reflects your business. It’s important to edit and adapt this policy so that it accurately describes how your staff handle the payment card data of your customers. One size does not fit all.
What’s more, staff members need to be responsible for maintaining and updating the policy. If your processes and procedures change throughout the year, so too should the policy to reflect those changes.
The importance of an information security policy cannot be overstated. If you are found not to be following the policy, you could be creating needless liability for your business in the event of a data breach.
Ensure your policy is reviewed regularly and is relevant to your business’ daily operations.
Scanning
Depending on your SAQ type or level of risk, you may be required to maintain a certain amount of scanning to ensure your payment processing environment remains secure throughout the year. Monthly or quarterly scanning requirements are common, and it’s important that you keep to them.
If your bank does not offer a managed service, or you elect to take control of your own compliance, set a reminder and run your scans when specified.
In many cases this is a mandatory part of maintaining your compliance with the PCI DSS and failure to execute the scans may result in your business being held liable for a data breach were one to occur. Failure to conduct these scans at the specified times may also result in your business losing its “compliant” status, bringing a host of issues for your business.
The loss of this status can open your business to liability in the event of a data breach. It can also potentially lead your acquiring bank to impose non-compliance charges on your account and impose fines in some cases.
There are different types of scans you should be conducting regularly – some are mandatory, some are not. All are advised.
- ASV Scanning (SAQ requirement 11.2.1/2)
This is a security assessment of your externally facing environment. All of the IP addresses you employ that face the internet are checked for security vulnerabilities. The results are then assessed by an approved scanning vendor (ASV), a company approved by the PCI Security Standards Council.
For example, if your payment card device is connected via the internet, the PCI DSS will require an ASV scan to be conducted on your IP address to ensure no security vulnerabilities exist.
In many cases, your acquiring bank can assist with arranging these scans. In some cases, you may need to engage a specialist ASV company to conduct these scans and assess the results.
The important point to note here is that doing this once a year is rarely sufficient to remain secure and compliant; the scanning must be maintained and performed periodically, at a frequency depending on your level of risk.
- Cardholder data scan
This scan checks your network drives and devices for unencrypted cardholder data. It will check your systems and alert you to files that it suspects may contain the full 16-digit number on the front of a payment card. You then need to review the results and take action.
As part of the PCI DSS, you are required to refrain from storing unencrypted cardholder data on your systems to help protect against the risk of fraud. The best way to protect your customers’ cardholder data and your business is not to store this data at all.
If such data has been found and you don’t need to store it, you should securely delete it. If it is necessary to retain this data, ask a solution provider about available technologies you can employ to store this data securely.
In order to maintain your compliance and security levels, it is recommended to run this scan regularly to ensure staff members are not opening up your business to a fraud risk by storing credit card numbers, whether knowingly or unknowingly.
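As an added illustration (not code from this post or from any scanning product), the following Python script performs the core of the cardholder data scan described above: it finds candidate card numbers in file contents, discards those that fail the Luhn check every genuine card number passes, and reports hits with the number masked to the first six and last four digits. It goes slightly beyond the text by accepting 13 to 19 digit numbers with spaces or hyphens, not only the 16-digit form; the sample files are constructed and use publicly known test numbers, not real cardholder data.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers in text: regex candidates that also pass Luhn."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):  # Luhn cuts most random 16-digit strings, but not all
            found.append(mask_pan(digits))
    return found


def scan_files(files: dict) -> dict:
    """Scan {filename: content} and return {filename: [masked hits]} for files with hits."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report


# Constructed sample files standing in for a network share. The card numbers are the
# publicly known brand test numbers, so nothing here is real cardholder data.
SAMPLE_FILES = {
    "orders_2019.csv": "id,name,card\n1,Jane,4111111111111111\n2,Bob,5555-5555-5555-4444\n",
    "invoice.txt": "Ref 1234567890123456 order total 42.00",   # 16 digits but fails Luhn
    "notes.txt": "Customer phoned: 4111 1111 1111 1111 exp 12/25",
    "readme.md": "No card data here.",
}
```

To run it over a real share, read each file under the mount point (e.g. with os.walk) into the dictionary passed to scan_files; every reported file should then be reviewed and the data securely deleted or moved to an approved secure store.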
- Security scanning
In addition to your mandatory compliance-led scanning, it’s also advisable to conduct regular security scanning to ensure your devices are kept virus-free. This is a vital step in ensuring your systems remain secure, further reducing the risk of a breach. Security scanning can help by checking your systems for viruses and malware. Read more about the risks of malware to a small business here.
The PCI DSS also requires that companies install adequate firewall and antivirus software to systems that are commonly affected by malware and viruses (Requirements 1.4, 5.1). If these requirements are applicable to you, you will need to impose them in order to achieve compliance.
However, it’s important as a small business not simply to invest in these defences and then leave them unused for the rest of their service life.
As outlined above, it’s prudent to conduct regular antivirus scans across all your devices in use, not just your desktops. Ensure your antivirus software is kept up to date – this is vital to its being effective. Avoid free versions of antivirus software; they often lack the array of tools necessary to protect a functioning business.
Patching & updates
Depending on your systems and level of risk, requirement 6.2 of the PCI DSS requires a business to ensure all vendor-supplied security patches are applied.
So, what does this mean? When a security vulnerability is found in a piece of software or application, the developers of that software will typically release an update to the software that fixes or “patches” the vulnerability. It is generally distributed via the internet in the form of a software update. When the user installs the update, this vulnerability is fixed in the application’s code.
As a small business, it’s important you monitor and install all available patches as they become available. This way you can ensure all applications and software in use are protected against all known vulnerabilities.
Card reading device inspection
Requirement 9.9 of the Standard requires you to periodically inspect your card reading devices for tampering and substitution. It directs you to maintain a list of your devices, to train your staff to be aware of attempted tampering and suspicious behaviour, and to report any suspected tampering or substitution.
This is an ongoing requirement and must be adhered to on a regular basis; simply looking at your terminal once a year will not suffice. As with your scanning and patching above, make this a regular habit and ensure all staff are vigilant to the risk of tampering.
The Standard recommends that you perform regular inspections. We recommend you keep a log of photos showing how each device should look, so that you can compare against them and notice tampering more easily. The Standard also suggests the use of a UV marker to help detect advanced tampering.
Ask your card reading device provider for more guidance on how to prevent and detect tampering of your payment devices. More information can also be found in our blog Protecting Card Reading Devices.
Staff education
The lead in maintaining your compliance requirements on an ongoing basis needs to come from the top. This is best implemented through staff education on your business’s compliance and security responsibilities.
In addition to keeping your information security policy up to date, ensure your staff members are periodically refreshed on security and compliance basics.
Remind your employees regularly of important issues. Some examples include (but are not limited to):
- The handling of sensitive data – not communicating credit card numbers in an insecure manner
- Being mindful of sensitive information displayed on their computer screens within customer view
- Password strength and complexity
- Never sharing login details
- Physical security and access to restricted areas
As described in this blog, your compliance and payment security responsibilities do not end when your SAQ is submitted. Maintaining your compliant status is an ongoing process that needs to be monitored at all times. Ultimately, your business reduces its risks and protects its customers at the same time.
If you are confused about any of the technical terms used in this blog, see our glossary of terms in our Small Business A-Z of Cybersecurity.
Our paper It’s time for small businesses to take cybersecurity seriously covers the subject of data loss and the threats posed to small businesses by cybersecurity in more detail.