What Is PCI DSS? PCI DSS Compliance Requirements and Checklist

Compliance is more than acronyms

Navigating regulatory and best-practice compliance can be a daunting task for even the most experienced person. GDPR, HIPAA, and PCI DSS are just some of the acronyms that demand the attention of staff. In this article, we will explore the last of these, PCI DSS, which stands for the Payment Card Industry Data Security Standard.

What is PCI DSS?

The PCI DSS standards were established by the Payment Card Industry Security Standards Council (PCI SSC) to protect both the cardholder and the business processing the card data. They do this by dictating how a business must actively protect consumer data and how credit card data should be processed, so that the data does not end up in the wrong hands and get used for fraudulent purposes.

The Internet is full of guides on how to reach and maintain compliance, and the framework itself is revised to keep pace with developments in technology. A few points about how card data is typically lost or stolen deserve attention. Common causes are incorrectly configured wireless routers and servers, databases that are not properly secured, and attackers compromising either the card reader or the website code that performs the same function. If the PCI DSS standards are met, the instances in which these weaknesses are exploited can be drastically reduced, which in turn protects the business.

Compliance easy mode

Sifting through the compliance documents can be tedious or downright confusing for anyone who is not technically minded. Luckily, several checklists are available to help ensure PCI DSS compliance. While many of these guides are written for specific regions, several of the requirements are near-universal, and working through such a checklist is an easy way to move toward compliance.

Checklists will often include the following:

  • Make use of a correctly configured firewall.
  • Refrain from using simple or default passwords that are easily cracked or guessed.
  • Encrypt cardholder data before it is sent over a public network.
  • Apply protections to any cardholder data that is stored for any period of time.
  • Restrict the number of staff who have privileged access to the network; this considerably reduces the avenues of attack.
  • Deploy anti-virus software as well as a log and network monitoring solution.
  • Ensure the business's security policy is set in stone and that actions contrary to the policy are dealt with quickly and efficiently.

Use a qualified assessor

The above measures can easily be taken by the company itself, but increasingly businesses will need to be assessed by a third party to confirm compliance, and this must be done by a qualified assessor. Different regions give these assessors different names and titles, so it is important to do your due diligence regarding the qualifications an assessor needs in order to be regarded as qualified for PCI DSS evaluations.

Staff Writer at CPO Magazine