Payment Card Industry Data Security Standard, or PCI DSS, may not be something you’ve heard of. If you have, you’re probably aware of what a headache it can be for businesses to meet the stringent standards laid out by the card brands in order to be certified PCI compliant. Compliance is a complicated issue, but it boils down to a set of controls designed to protect cardholder data and reduce fraud. By ensuring that your company is PCI compliant, you reduce your liability in case of a security breach. In many large data breaches where cardholder data was compromised, the company was found not to have been PCI compliant at the time, which opens it up to fines from the card brands and to litigation from cardholders and card issuers.
There are twelve top-level requirements against which your company is judged, broken down into roughly 220 sub-requirements (the exact count varies with the version of the standard). The requirements mainly focus on securing your network, how cardholder data is stored, and how it is transmitted. They help prevent an attacker from getting inside your network in the first place, but they also limit what an attacker can do with cardholder data if they do get in. Finally, by ensuring that cardholder data is encrypted whenever it crosses an open, public network such as the Internet, it is protected from man-in-the-middle attacks, where data is intercepted in transit (provided the receiving end’s certificate is verified, so that the attacker cannot simply present their own). For most small to midsize companies, compliance is validated with a Self-Assessment Questionnaire (SAQ): the business attests that it meets the requirements that apply to it and submits the form to its acquiring bank. Larger merchants, however, must undergo an annual on-site assessment by a Qualified Security Assessor (QSA).
What matters most to you, the business owner, is that if you process credit card data, you must do so in a manner that is PCI compliant. One of the easiest ways to accomplish this as an SMB is to contract with an outside vendor. PayPal, one of the largest online payment processors, offers hosted checkout that SMBs can embed in their websites, so that the customer’s card details are entered on PayPal’s pages and never touch your servers.
Because the card data is handled externally, many of the more onerous aspects of compliance shift to the vendor, which greatly reduces how much of your own environment you have to secure. It does not remove your obligations entirely: you still have to complete the appropriate SAQ, and the website that hands customers off to the vendor must itself be protected, since an attacker who can alter your pages can redirect the payment form to a site they control. For some companies, outsourcing is not an option. All card processing must be done on the premises, and in these cases the two most important things to remember are firewalls and encryption. A firewall, such as a SonicWALL, works to prevent intrusions into your network by denying all traffic except what you have explicitly allowed, so an intruder never gets the access needed to attempt to steal sensitive data. Used properly, it also walls off the systems that handle card data (the cardholder data environment) from the rest of your network, which both limits what a compromised office workstation can reach and shrinks the part of your network that has to be assessed. A good firewall is your first line of defense, and its importance in an enterprise environment cannot be overstressed.
The second most important aspect of PCI compliance is to ensure that all sensitive data is encrypted end-to-end. End-to-end encryption means that card data is encrypted at the point where it is captured, stays encrypted while it is transmitted, and is stored in encrypted (or otherwise unreadable) form wherever it ends up. Two details trip people up here. First, the standard requires the full card number to be rendered unreadable wherever it is stored; strong encryption is one way to do that, but truncation, a keyed one-way hash, or tokenisation are also acceptable, and wherever the number is displayed it must be masked to at most the first six and last four digits. Second, some data may not be stored at all, even encrypted: the card verification code (CVV/CVC), full magnetic-stripe or chip data, and PINs must be discarded as soon as the transaction has been authorised. This is the area that presents the biggest headache to many SMB owners. If you handle customer credit card transactions, make sure you are working with a qualified IT provider; otherwise you may be exposing your business to unnecessary risk.
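As an added illustration of the storage and transmission points just described (this is example code written for this post, not code from PayPal, SonicWALL or any vendor), here is a small Python module that masks and tokenises a card number before it is stored, scrubs card numbers out of log lines, and builds a TLS client context that refuses SSL and early TLS. It uses only the standard library; the card number, key and log line are constructed test values, and the function names are my own.

```python
"""Added example: handling a primary account number (PAN) the way PCI DSS
Requirements 3 (stored data) and 4 (data in transit) expect. Standard-library
only; every card number, key and log line below is a constructed test value."""
import hashlib
import hmac
import re
import ssl

# Constructed 32-byte key used to derive index tokens. In production this key
# lives in an HSM or key-management service, never in source code and never in
# the same database as the tokens it protects.
TOKEN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Matches 13-19 digits with optional single spaces or dashes between them.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: recognises PAN-shaped data before it is logged or stored."""
    digits = [int(d) for d in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: when a PAN is displayed, show at most the first six and last four digits."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN, usable as a lookup index.
    Req. 3.4 accepts a one-way hash as a way of rendering the PAN unreadable; the
    key matters because an unkeyed SHA-256 over a 16-digit space (smaller still
    once the issuer prefix and Luhn digit are known) is trivially brute-forced."""
    return hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).hexdigest()


def persistable_record(pan: str, expiry: str) -> dict:
    """The only card fields that may be written to disk after authorisation.
    Sensitive authentication data (CVV2/CVC2, full track data, PIN block) is
    deliberately not a parameter: Req. 3.2 forbids storing it even encrypted,
    so it is used for the authorisation call and then discarded."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {"pan_token": pan_token(pan), "pan_masked": mask_pan(pan), "expiry": expiry}


def redact_pans(text: str) -> str:
    """Scrub PANs from free text (log lines, error messages, support tickets)
    before it leaves the cardholder data environment. Only Luhn-valid runs are
    masked, so order numbers and timestamps are left alone."""
    def _mask(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_mask, text)


def tls_context() -> ssl.SSLContext:
    """Req. 4.1: strong cryptography on open, public networks. SSL and early TLS
    are no longer considered strong, so refuse anything below TLS 1.2 and keep
    certificate verification on (a man-in-the-middle presenting a self-signed
    certificate must fail the handshake)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed log line containing the well-known "4111 1111 1111 1111" test PAN.
    line = "order 20241 paid with 4111 1111 1111 1111 exp 12/29"
    print(redact_pans(line))
    print(persistable_record("4111 1111 1111 1111", "12/29"))
    print(tls_context().minimum_version.name)
```

Run as a script it prints the log line with the card number reduced to `411111******1111`, the record that may be saved (token, masked number, expiry; no CVV field exists to save), and `TLSv1_2` as the floor for outbound connections. The `tls_context()` object is what you would pass to `urllib`, `http.client` or `smtplib` when talking to the processor; the `redact_pans()` filter is the piece most shops forget, because a debug log or a crash report that captures a raw request body is stored, unencrypted cardholder data just as much as a database column is.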