Any company, of any size, that accepts credit card payments, for any type of transaction, whether B2C or B2B, must comply with the Payment Card Industry Data Security Standard (PCI DSS). The obligation is contractual: it flows from the card brands through the merchant's acquiring bank, and it extends to any third party, such as a hosting provider, that stores, processes or transmits cardholder data on the merchant's behalf. Such a provider must itself be PCI DSS compliant, and the merchant stays responsible for verifying that it is.
The goal of the PCI DSS is to let merchants accept card payments while storing, processing and transmitting cardholder data as securely as possible, and to keep the most sensitive elements of that data from being stored at all.
Breaches of cardholder data are very serious and cause significant financial damage. The PCI DSS is organized into 12 requirements that every merchant and service provider handling cardholder data must follow:
- Network Security: Firewalls are installed and maintained between untrusted networks and the cardholder data environment, with a documented configuration standard, a default-deny rule set, and a review of firewall and router rules at least every six months.
- Unique and Robust Passwords: Vendor-supplied defaults for passwords, SNMP community strings and other security parameters are changed before a system is connected to the network. Passwords must meet the minimum length and complexity the standard sets (at least seven characters with both letters and digits under v3.2.1, at least twelve under v4.0), must not repeat any of the last four passwords used, and are changed on the schedule the standard requires (at least every 90 days under v3.2.1).
- Stored Data Protection: Stored cardholder data is kept to the minimum the business needs, under a documented retention and disposal policy. Wherever the primary account number (PAN) is stored it must be rendered unreadable, by truncation, one-way keyed hashing, tokenization, or strong encryption with properly managed keys, and it is displayed masked (no more than the first six and last four digits) to anyone without a business need to see the full number. Sensitive authentication data, meaning full magnetic-stripe or chip track data, the card verification code (CVV2/CVC2/CID) and PINs or PIN blocks, must never be stored after authorization, even in encrypted form. A PCI compliant hosting provider supplies the layered defenses around this data: logical controls such as authentication, authorization and network traffic monitoring for intrusion detection, and physical controls such as alarm systems, video surveillance of data centers, restricted access to server rooms, and locked cabinets for equipment.
- Encryption in Transit: Cardholder data sent across open, public networks (the Internet, wireless and cellular networks) is protected with strong cryptography, which in practice means a current version of TLS with a safe configuration; SSL and early TLS are not acceptable. PANs must never be sent unprotected over end-user messaging such as e-mail, instant messaging or SMS.
- Anti-Virus and Anti-Malware Protection: Anti-malware software is deployed on all systems commonly affected by malware, is kept up to date, runs periodic scans, produces audit logs, and cannot be disabled or altered by ordinary users.
- Maintain Secure Operating Systems and Software Applications: Operating systems and applications are patched for known vulnerabilities, with critical security patches applied within one month of release. The organization tracks newly published vulnerabilities and ranks them by risk, follows secure coding practices for software it develops (including defenses against injection, cross-site scripting and similar classes of flaw), and puts every change through a documented change-control process.
- Restrict Access to Cardholder Data on a Need-To-Know Basis: Access is granted only to personnel whose job requires it, at the least privilege needed to do that job, through an access control system that defaults to deny. Fewer people with access means fewer ways for the data to leak.
- Issue and Track Unique User IDs: Every person with access to system components has a unique user ID that is never shared; group and generic accounts are prohibited. Accounts are disabled immediately when a person leaves or no longer needs access, and inactive accounts are removed after 90 days. Multi-factor authentication is required for all non-console administrative access to the cardholder data environment and for all remote access into the network.
- Restrict Physical Access to Computer and Network Equipment: Many breaches begin with unauthorized physical entry. Facilities that house cardholder data systems need entry controls such as badges and visitor logs, camera monitoring of sensitive areas with footage retained for at least three months, restrictions on physical access to network jacks and wireless access points, and secure handling and destruction of any media that holds cardholder data.
- Track and Monitor Network Access and Transactions: Audit logs tie every access to cardholder data, every administrative action and every authentication attempt to an individual user, recording who, what, when, where and the outcome, and the logs are protected from alteration. System clocks are synchronized so events can be correlated, logs are reviewed at least daily (typically with a SIEM), and they are retained for at least one year with the most recent three months immediately available for analysis.
- Test System Security and Processes on a Regular Basis: Internal and external vulnerability scans run at least quarterly and after any significant change, with the external scans performed by a PCI Approved Scanning Vendor (ASV). Penetration testing of the network and applications, including the controls that segment the cardholder data environment, is performed at least annually and after significant changes; many organizations hire outside firms to conduct these "white-hat" attacks on their behalf. Intrusion detection or prevention, file-integrity monitoring of critical files, and quarterly checks for rogue wireless access points are also required.
- Maintain and Update a Formal Information Security Policy: This formal policy, reviewed at least annually, ensures that all employees, independent contractors, and anyone with access to any of the company's data understand the security issues involved and the penalties for intentional unauthorized access. It is backed by an annual risk assessment, security awareness training on hire and at least once a year, an incident response plan, and documented oversight of third-party service providers that handle cardholder data.
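Requirement 3 is the one most often implemented in application code rather than in infrastructure. The following Python example is added here to show what "rendering the PAN unreadable" looks like in practice; it is not ClearPay's code and does not come from the original page. It validates a card number syntactically, masks it for display to the first six and last four digits, stores only a keyed hash (HMAC-SHA256) so the record can be matched without ever holding the full number, refuses any record that carries sensitive authentication data, and redacts PAN-like sequences from free text before it reaches a log. The key, the field names and the test card number are assumptions made for the example.

```python
"""Cardholder-data helpers illustrating PCI DSS Requirement 3.

Added example, not ClearPay's code. The key, field names and sample card
number below are assumptions for the demonstration only.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical keyed-hash secret. In production the key lives in an HSM or key
# management service and is never checked into source code.
PAN_HASH_KEY = bytes.fromhex("00" * 32)

# Field names that may never be stored after authorization (full track data,
# card verification codes, PINs). Names are assumptions for this example.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Syntactic check that a 13-19 digit string passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form for display: first six and last four digits, rest starred."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = PAN_HASH_KEY) -> str:
    """Keyed one-way hash: lets records be matched, but cannot be reversed or
    brute-forced from the 10^16 PAN space without the secret key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """The only representation of a card that is allowed at rest."""
    pan_hash: str
    masked_pan: str
    expiry: str  # MMYY


def prepare_for_storage(record: dict) -> StoredCard:
    """Convert a raw payment record to its storable form, or refuse."""
    sad = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if sad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(sad)}")
    pan = re.sub(r"[\s-]", "", record["pan"])
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return StoredCard(pan_hash=hash_pan(pan), masked_pan=mask_pan(pan), expiry=record["expiry"])


def redact_for_log(text: str) -> str:
    """Replace Luhn-valid 13-19 digit sequences in free text with the masked
    form so that log lines never carry a full PAN."""
    def _sub(m: re.Match) -> str:
        candidate = re.sub(r"[\s-]", "", m.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else m.group(0)
    return re.sub(r"\b(?:\d[ -]?){12,18}\d\b", _sub, text)


if __name__ == "__main__":
    # Constructed sample input using a well-known test card number.
    raw = {"pan": "4111 1111 1111 1111", "expiry": "1229"}
    card = prepare_for_storage(raw)
    print(card.masked_pan, card.pan_hash[:16] + "...")
    print(redact_for_log("auth ok for 4111 1111 1111 1111 amount 10.00"))
    try:
        prepare_for_storage({**raw, "cvv": "123"})
    except ValueError as e:
        print("rejected:", e)
```

The Luhn check is only a sanity filter, not proof that a number is a live card; its job in `redact_for_log` is to avoid mangling order numbers and other long digit strings that happen to appear in logs. Use a per-environment key for the hash and rotate it through your key-management process, since an unkeyed SHA-256 of a PAN is trivially brute-forced.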
Organizations that do not meet the standard face card-brand fines, higher processing fees, and, after a breach, liability for fraud losses and forensic investigation costs, up to and including losing the ability to accept cards at all. ClearPay meets or exceeds all the requirements of the Payment Card Industry Data Security Standard. Contact ClearPay today for a free assessment to find out whether your organization is in compliance with the PCI DSS.