PCI Compliance: Cardholder Data Security Requirements
There are enough aspects of business that you can’t control to remind you to focus on that which you can control: your data.
How to keep your data secure and prevent unauthorized access are just two of the primary goals of the Payment Card Industry Security Standards Council. In 2006, the major credit card companies agreed on the need for consistent data protection measures for all entities that accept, store, and transmit payment card transactions to protect cardholder information.
What Are the Data Security Requirements?
The Council outlined requirements for cardholder security measures in the Payment Card Industry Data Security Standard (PCI DSS), and compliance is required from businesses that process payment card transactions and cardholder information.
Compliance requirements are broken out into six key areas:
- Secure IT systems and networks
- Safeguard cardholder information
- Define specific processes to identify and address vulnerabilities
- Outline procedures for controlled access
- Monitor and test networks routinely
- Maintain and update information security policies
If you sense a pattern, you’d be right – these six areas represent your technology and how your business accepts, stores, processes, transmits, and secures cardholder data from payment card transactions.
What Does It Mean to Be PCI DSS Compliant?
In a nutshell, if you’re PCI DSS compliant, you’ve actively taken steps to protect cardholder data and minimize credit card fraud. You’ve undoubtedly heard reports about data breaches. Unauthorized access to cardholder information is the leading cause of data breaches, and the primary goal of a data breach is to obtain information to make available for profit – just not your profit.
By taking the steps outlined above to become PCI DSS compliant, you are making sure your business and your network are protected from becoming the next victim of a data breach.
What Systems Need to Be Compliant?
This is a challenging question because it depends entirely on your business, but the main concern here is your IT environment and your technology. The good news is, many businesses that accept payment card transactions rely on a similar technology ecosystem, including:
- Desktop or laptop computers
- Web-based applications
- Mobile devices
- Remote access connections
- Wireless networks
Each of these examples has a password or passcode for access, for single or multiple users, and connects to other endpoints and transmits data using a network. You can see how controlled access and security are critical with each.
Additional security measures you can take include:
- Use unique passwords for each device
- Change passwords often and don’t use default passwords for any device or connection
- Encrypt data to mask information
- Train users on security best practices
- Reinforce consistency among users
- Check and run security updates for software and applications
- Limit user access to sensitive information, including areas where cardholder data is stored
- Ensure users are assigned a unique ID, and track all network activity
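Cardholder data often leaks into places it was never meant to live, such as application logs, which is why the list above pairs masking with limiting where card data is stored. As an added example (not from the PCI Security Standards Council or any product), here is a small Python scanner that finds Luhn-valid card numbers in text and masks them to the first six and last four digits; the log lines are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Pattern is constructed for this example.
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits."""
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_pans(text: str) -> list:
    """Return (original, masked) pairs for every Luhn-valid card number in text.

    Order numbers and session ids that merely look numeric fail the Luhn check
    and are skipped, which keeps false positives down when scanning logs.
    """
    hits = []
    for m in _PAN_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)       # drop separators before validating
        if luhn_valid(digits):
            hits.append((raw, mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace each detected card number in text with its masked form."""
    for raw, masked in find_pans(text):
        text = text.replace(raw, masked)
    return text


# Constructed sample log lines; card numbers are well-known test values, not real cards.
SAMPLE_LOG = (
    "2024-05-01 12:00:00 order=1234567890123456 card=4111 1111 1111 1111 amount=19.99\n"
    "2024-05-01 12:00:05 order=1234567890123457 card=5555555555554444 amount=5.00\n"
    "2024-05-01 12:00:09 session=98765432109876543210 status=ok\n"
)
```

Run `find_pans` over real log output to learn whether cardholder data is being written where it should not be; the fix is to stop logging it, with masking as the fallback for fields that must be displayed.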
For more information on how you can protect your business and your data and maintain PCI DSS compliance, keep the Quick Reference Guide on hand, routinely test all security systems and processes for vulnerabilities, and maintain a formal policy that outlines security processes and protocols for all users.