<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>The Merchant Processing Guru</title>
	
	<link>http://www.themerchantprocessingguru.com</link>
	<description>Illuminating the Card Processing Industry</description>
	<lastBuildDate>Wed, 20 Feb 2013 22:38:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/TheMerchantProcessingGuru" /><feedburner:info uri="themerchantprocessingguru" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Illuminating the Card Processing Industry</itunes:subtitle><item>
		<title>The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/EE5DiHqvawE/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=901#comments</comments>
		<pubDate>Tue, 25 Sep 2012 03:12:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[access card]]></category>
		<category><![CDATA[biometric scanning]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[components]]></category>
		<category><![CDATA[computer access]]></category>
		<category><![CDATA[credentials]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[database]]></category>
		<category><![CDATA[employee]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[procedures]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[tokenization]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=901</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8
   
Assign a unique ID to each person with computer access. <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=901">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8</p>
<p><img class="alignright size-full wp-image-299" title="Password Authentication" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/07/Password.jpg" alt="Password Authentication" width="195" height="175" /><br />
Assign a unique ID to each person with computer access. This requirement calls for authentication of administrators, users and applications before they access any database containing cardholder data, and for restricting direct database queries to administrators only.</p>
<p>You must assign a unique user name to each employee before allowing them access to any of your system’s components. Additionally, you have three options for authenticating each user: a password; an access card or other physical device; or biometric scanning or other recognition software.</p>
<p>If the system is reached via remote VPN or any other form of remote access to your network, you should incorporate two-factor authentication. For example, one factor is the login &#038; password and the other uses tokenization or some other dual-factor authentication method.</p>
<p>Of course, passwords should be rendered unreadable to others using strong cryptography, and you should ensure proper user identification &#038; authentication management on your system. This should include verifying a user’s identity before resetting their password, and controlling the addition, deletion or modification of a user’s credentials. Set every first-time password to a unique value and require the user to change it immediately after first use. Immediately revoke access for any terminated user and remove inactive user accounts every 90 days. Monitor vendor remote access and limit it to the time period needed to perform their task. Require a minimum password length of at least 7 characters, using both numeric &#038; alphabetic characters, and limit reuse of the same password within a period of at least one year. Limit repeated access attempts to no more than six before locking out the user, &#038; set the lockout for at least 30 minutes or until an administrator re-enables the user ID. Require the user to re-authenticate after being idle for 15 minutes. Do not use any group, shared or generic accounts, &#038; communicate all of these policies &#038; procedures to every user with access to cardholder data.</p>
<p>Russell Harverson has over 9 years’ experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost-effective processing solution for your individual business needs; no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: theGuru@theMerchantProcessingGuru.com<br />
Or call him at: 1-888-368-GURU (4878)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=901</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=901</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 36: The 12 requirements of PCI Compliance – Requirement #7</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/dEZXxlGPhGo/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=883#comments</comments>
		<pubDate>Mon, 17 Sep 2012 18:58:51 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[access control system]]></category>
		<category><![CDATA[access rights]]></category>
		<category><![CDATA[authorized]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[login & password]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[privilages]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=883</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 36: The 12 requirements of PCI Compliance – Requirement #7

“Restrict access to cardholder data by business need to know”. <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=883">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 36: The 12 requirements of PCI Compliance – Requirement #7<br />
<img class="alignright size-full wp-image-299" title="Access Control Diagram" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/09/Access-Control-Diagram.jpg" alt="Access Control Diagram" width="195" height="175" /><br />
“Restrict access to cardholder data by business need to know”. So not only should you keep your clients’ cardholder data secure from outside prying eyes, but you must also limit access to that data to only those employees who actually need it to perform their job responsibilities. This includes assigning individual access rights &amp; privileges to each person who has access to your networks or to any other location where you store cardholder data.</p>
<p>This requirement also calls for documented written approval of access by an authorized party and, of course, for actually implementing an access control system, whether by login &amp; password, lock and key, or whatever serves the purpose.</p>
<p>An access control system with multiple users on a network should include the following:<br />
A default “deny-all” setting, so that when you add a new user you must specifically grant them access;<br />
the ability to assign privileges based on job classification &amp; job function, for example: do not give the cook the same access privileges as a server, or a nurse the same access privileges as the billing clerk.<br />
This access control should cover your entire system and its components.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=883</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=883</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 35: The 12 requirements of PCI Compliance – Requirement #6</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/8Lk7m4TOPHc/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=855#comments</comments>
		<pubDate>Thu, 02 Aug 2012 19:27:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[common sense approach]]></category>
		<category><![CDATA[credit card data]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[developers]]></category>
		<category><![CDATA[developing software]]></category>
		<category><![CDATA[experience]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[guidlines]]></category>
		<category><![CDATA[level one certified]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[public facing]]></category>
		<category><![CDATA[requirements]]></category>
		<category><![CDATA[secure systems]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security patches]]></category>
		<category><![CDATA[software applications]]></category>
		<category><![CDATA[systems]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[vendor supplied]]></category>
		<category><![CDATA[web-applications]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=855</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 35: The 12 requirements of PCI Compliance – Requirement #6

Develop and maintain secure systems and applications. <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=855">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 35: The 12 requirements of PCI Compliance – Requirement #6</p>
<p><img class="alignright size-full wp-image-299" title="Software Security updates" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/08/SoftwareUpdates.jpg" alt="Software Security Updates" width="195" height="175" /><br />
Develop and maintain secure systems and applications. This one is probably the most technical and complicated of all the requirements, but unless you are developing software yourself for use with credit card processing, most of the items in this requirement should not apply to you. Much of this requirement is geared to developers, so if you are using software applications developed by others, just make sure they are PCI DSS level one certified; then not everything in this requirement will apply to you rather than the developer. Please make sure, however, to implement what does apply to you, such as the following: </p>
<p>Firstly, you are required to install the latest vendor-supplied security patches for all software on your systems within one month of release. Scan all public-facing web applications at least annually, and make sure there is a web-application firewall in front of public-facing web applications.</p>
<p>Again, my summaries of each requirement are meant to explain the requirements in an easy-to-understand manner; please refer to the PCI DSS and follow its guidelines to become fully compliant. We are now halfway through the requirements and, as you can see, they are a common sense approach to protecting the security of your customers’ credit card data. I hope this series is making it a little less daunting to comply with PCI DSS. Please don’t hesitate to contact me with any questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=855</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=855</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 34: The 12 requirements of PCI Compliance – Requirement #5</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/DvkH4QmP62s/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=848#comments</comments>
		<pubDate>Mon, 30 Jul 2012 21:54:04 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[anti spyware]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[audit logs]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[malicious software]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[programs]]></category>
		<category><![CDATA[provider]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[station]]></category>
		<category><![CDATA[system]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=848</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 34: The 12 requirements of PCI Compliance – Requirement #5

Use and regularly update anti-virus software or programs <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=848">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 34: The 12 requirements of PCI Compliance – Requirement #5</p>
<p><img class="alignright size-full wp-image-299" title="Network lock" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/07/virus_free.jpg" alt="Network lock" width="195" height="175" /><br />
Use and regularly update anti-virus software or programs. This one really is simple, so this post will be a short one. Here I would invest in a complete security suite from a top-rated, professional security software provider that covers not only anti-virus but also anti-spyware, anti-malware and every kind of known malicious software out there. You can also get it with a firewall, which will not replace the firewall required in requirement #1 but enhances it with the required software firewall on each PC. </p>
<p>You must keep this software up to date and current with all security updates, and it must be capable of generating audit logs. Again, this needs to be loaded on every system on your network, from the server to every station and device that connects to the network. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=848</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=848</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 33: The 12 requirements of PCI Compliance – Requirement #4</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/uRWHv9bow7M/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=820#comments</comments>
		<pubDate>Thu, 12 Jul 2012 18:42:09 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[certified]]></category>
		<category><![CDATA[configuration]]></category>
		<category><![CDATA[Credit card]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[data centers]]></category>
		<category><![CDATA[decrypted]]></category>
		<category><![CDATA[dedicated data connection]]></category>
		<category><![CDATA[dial up]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[End-to-End Encrypted]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Hypercom]]></category>
		<category><![CDATA[IEEE 802.11]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[Merchant Processing]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[payment]]></category>
		<category><![CDATA[PCI PTS 3.0]]></category>
		<category><![CDATA[processor]]></category>
		<category><![CDATA[public networks]]></category>
		<category><![CDATA[secure facility]]></category>
		<category><![CDATA[SSL encryption]]></category>
		<category><![CDATA[SSL secured gateway]]></category>
		<category><![CDATA[tamper proof]]></category>
		<category><![CDATA[terminal]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[transmitting]]></category>
		<category><![CDATA[Verifone]]></category>
		<category><![CDATA[Verifone's Vx510]]></category>
		<category><![CDATA[virtual terminal]]></category>
		<category><![CDATA[VoIP]]></category>
		<category><![CDATA[VSP]]></category>
		<category><![CDATA[Vx Evolution]]></category>
		<category><![CDATA[WEP]]></category>
		<category><![CDATA[wifi]]></category>
		<category><![CDATA[WPA2]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=820</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 33: The 12 requirements of PCI Compliance – Requirement #4

Encrypt transmission of cardholder data across open public networks. <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=820">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 33: The 12 requirements of PCI Compliance – Requirement #4<br />
<img class="alignright size-full wp-image-299" title="Network lock" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/07/network_lock.jpg" alt="Network lock" width="195" height="175" /><br />
Encrypt transmission of cardholder data across open public networks. I will first explain what an open, public network means, the different ways you can be transmitting across your network, and how this affects you. An open public network basically means any network connected to the internet, because once your data leaves your network, even if your network&#8217;s sole use is transmitting credit card data, you are transmitting over the public internet. If you are transmitting cardholder data via the internet in your business, whether via an internet-enabled terminal, a virtual terminal or a wireless device that is either Wifi-enabled or has a dedicated data connection, you should be using an industry-accepted form of encryption such as IEEE 802.11 for wireless, otherwise known as WPA2. WEP is no longer accepted as an approved encryption method for wireless where cardholder data is transmitted.</p>
<p>When using a virtual terminal or selling items on the web you must have an SSL-secured gateway where your customer’s cardholder information is entered to purchase your product or service. You will know it is secured when, on the payment screen, the URL begins with https:// (the ‘s’ indicates an SSL-secured page).</p>
<p>You might say that you are using a dial-up terminal through a phone line, so this does not apply to you. Well, if you are using an analog POTS line (Plain Old Telephone Service) you may be right, but if you are on a system such as VoIP then you are in fact transmitting the data over the internet: VoIP translates your sound waves into a digital signal and sends it as packets over the internet, where it is vulnerable to hackers.</p>
<p>Terminals are emerging in the market that are End-to-End Encrypted, so that no matter what happens to the data it cannot be decrypted by anyone other than the processor, which holds the key in its own data centers. This is the wave of the future, as even a WPA2-encrypted wireless network is still not 100% secure. The best example of this is Verifone’s Vx510 VSP; this terminal uses SSL encryption as well as triple DES encryption. It encrypts the information as you swipe the card, on the card reader itself, before it goes anywhere else; the encrypted card information is transmitted from the terminal over the internet directly to the processor, and only when it reaches the processor is it decrypted in their secure data center. This terminal is tamper proof and will not allow anyone to change its configuration. It can only be programmed at the processor’s secure facility, so no one who is not authorized can load anything into the terminal. Verifone has also recently launched a new line of Vx terminals that they are calling the Vx Evolution; I have yet to try any of these, so I cannot talk about them yet. These newer Vx Evolution terminals are reported to be PCI PTS 3.0 certified and are all End-to-End encrypted, which just confirms the industry shift to a higher level of encryption. Verifone is the industry leader in credit card processing terminal manufacturing and has recently purchased Hypercom, their largest US competitor.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=820</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=820</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 32: The 12 requirements of PCI Compliance – Requirement #3</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/FLIDeGfYQEk/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=787#comments</comments>
		<pubDate>Mon, 09 Jul 2012 16:23:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[account number]]></category>
		<category><![CDATA[billing]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[business purposes]]></category>
		<category><![CDATA[businesses]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[cryptographic keys]]></category>
		<category><![CDATA[customer]]></category>
		<category><![CDATA[customer vault]]></category>
		<category><![CDATA[customers]]></category>
		<category><![CDATA[CVV2]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[disposal policy]]></category>
		<category><![CDATA[experation date]]></category>
		<category><![CDATA[future payments]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[magnetic strip]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[payments]]></category>
		<category><![CDATA[pin number]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[reoccurring charges]]></category>
		<category><![CDATA[secured]]></category>
		<category><![CDATA[SSL secured online gateway]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[track data]]></category>
		<category><![CDATA[truncation]]></category>
		<category><![CDATA[unsecured]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=787</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 32: The 12 requirements of PCI Compliance – Requirement #3

Protect stored cardholder data. First of all let me say that if you do not need to store card holder data then don’t. <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=787">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 32: The 12 requirements of PCI Compliance – Requirement #3</p>
<p><img class="alignright size-full wp-image-299" title="Password screen" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/07/cardholder-data-protection.jpg" alt="Password" width="175" height="150" /><br />
Protect stored cardholder data. First of all, let me say that if you do not need to store cardholder data, then don’t. Many businesses, however, need to keep cardholder data on file to make future payments easier for themselves and their customers. So if this describes you and your business, then you must be very careful how and where you store this data, and there is certain data that PCI does not allow you to store at all, such as the 3-4 digits on the back of the card (CVV2), anyone’s PIN for a debit card, or the full track data from the magnetic stripe of the card. Basically, all you can store is the cardholder name, expiration date and the account number, and the account number must be made unreadable through truncation of at least the second set of 6 digits, with the first 6 &amp; last 4 remaining readable. These must be secured using cryptographic keys.</p>
<p>You must implement a disposal policy and procedure for the cardholder data you gather, so that it is never left unsecured anywhere and so that stored information is disposed of once it is no longer needed. You are also required to limit access to this information to only those who need it for business purposes.</p>
<p>If you do need to store cardholder information for future payments, you have many options today that will allow you to do so in a compliant manner, depending upon your business needs. Should you need monthly recurring charges that are charged at the same time every month for the same amount, then a simple SSL-secured online gateway with recurring billing enabled is a great option. However, should you need to keep a card on “file” for an unknown future billing amount and date, then you can store your customer information in a secure online “customer vault”.</p>
<p>Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: theGuru@theMerchantProcessingGuru.com<br />
Or call him at: 1-888-368-GURU (4878)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=787</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=787</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 31: The 12 requirements of PCI Compliance – Requirement #2</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/p3wsWgHpb1Y/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=763#comments</comments>
		<pubDate>Mon, 02 Jul 2012 17:21:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[best practice]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[credit card terminals]]></category>
		<category><![CDATA[encrypt]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[industry]]></category>
		<category><![CDATA[IT company]]></category>
		<category><![CDATA[Merchant Processing]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[merchants]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[PCI DSS Prioritized approach]]></category>
		<category><![CDATA[PCI DSS Requirements]]></category>
		<category><![CDATA[POS systems]]></category>
		<category><![CDATA[requirements of PCI Compliance]]></category>
		<category><![CDATA[routers]]></category>
		<category><![CDATA[securing your data]]></category>
		<category><![CDATA[securing your network]]></category>
		<category><![CDATA[security parameters]]></category>
		<category><![CDATA[system configuration standards]]></category>
		<category><![CDATA[system passwords]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[vendor passwords]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[web-based administrative access]]></category>
		<category><![CDATA[wireless devices]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=763</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 31: The 12 requirements of PCI Compliance – Requirement #2

Do not use vendor-supplied defaults for system passwords and other security parameters <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=763">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 31: The 12 requirements of PCI Compliance – Requirement #2</p>
<p><img class="alignright size-full wp-image-299" title="Password screen" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/06/password-on-screen.jpg" alt="Password" width="175" height="150" /><br />
Do not use vendor-supplied defaults for system passwords and other security parameters. This one is fairly simple, yet many merchants still never change the passwords their devices shipped with. The reason it matters is equally simple: default passwords are printed in manuals and published on the web, so a hacker will try them first when trying to get in, and can look up the default for almost any make and model with a single search.</p>
<p>To be clear, you must change the vendor default password (and remove or disable any default accounts you do not use) on everything connected to your network, including routers, POS systems, wireless access points, credit card terminals and so on. For wireless equipment that also means the default SSID, wireless key and SNMP community strings. This requirement also asks you to write down and regularly update system configuration standards for your devices (what is enabled, what is disabled, how each is hardened) and to encrypt all non-console administrative access with strong cryptography, so SSH, HTTPS or a VPN rather than telnet or plain HTTP. If this is beyond your technical abilities, hire an IT company to do it; it is that important and it will not cost that much.</p>
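<p>As an added example (not from the original post or any vendor), here is what a written configuration standard looks like once it is turned into a check. It audits a constructed, Cisco-IOS-style router config for the Requirement 2 problems above: default or username-equal local passwords, default SNMP community strings, an unencrypted web admin interface and telnet admin access. The device configs and the list of default secrets are hypothetical.</p>

```python
import re

# Added example: audit a device config against a Requirement 2 configuration standard.
# The configs below are constructed IOS-style text, not from any real device.

DEFAULT_SECRETS = {"admin", "password", "cisco", "1234", "12345", "default", "public", "private"}


def audit_config(cfg: str) -> list:
    """Return (rule, detail) for every line that breaks the standard; [] means clean."""
    findings = []

    # Vendor-default or trivially guessable local account passwords (type 0 = cleartext).
    for m in re.finditer(r"^username\s+(\S+)\s+.*?password\s+\d\s+(\S+)", cfg, re.M):
        user, pw = m.group(1), m.group(2)
        if pw.lower() in DEFAULT_SECRETS or pw.lower() == user.lower():
            findings.append(("default-password", f"user '{user}' keeps a default password"))

    # Default SNMP community strings let anyone read (RO) or rewrite (RW) the config.
    for m in re.finditer(r"^snmp-server community\s+(\S+)", cfg, re.M):
        if m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("default-snmp-community", f"community '{m.group(1)}'"))

    # Web administration must be encrypted: plain HTTP server enabled is a finding.
    if re.search(r"^ip http server\s*$", cfg, re.M):
        findings.append(("cleartext-web-admin", "ip http server enabled; use ip http secure-server only"))

    # CLI administration must be SSH (or the console), never telnet.
    for m in re.finditer(r"^\s*transport input\s+(.+)$", cfg, re.M):
        if "telnet" in m.group(1).split():
            findings.append(("cleartext-cli-admin", f"transport input {m.group(1)}"))

    return findings


# Constructed config with the defaults still in place.
SAMPLE_CONFIG = """\
hostname store-rtr1
username admin privilege 15 password 0 admin
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
"""

# The same device after applying the standard (hash and community string are placeholders).
FIXED_CONFIG = """\
hostname store-rtr1
username admin privilege 15 secret 5 $1$placeholder$hash
snmp-server community Zk8vQ2pL RO 10
access-list 10 permit 10.0.20.5
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for rule, detail in audit_config(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
    print("fixed config findings:", audit_config(FIXED_CONFIG))
```

<p>The first config produces five findings and the corrected one produces none. The value of writing the standard this way is that it can be re-run every time a device is replaced or a vendor technician “resets it to factory”, which is exactly when defaults creep back in.</p>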
<p>With these first 2 posts you should have a good idea of what securing your network means, and that it really is not overly burdensome; it is simply a best practice for securing your data and that of your customers. You are now well on your way to understanding what PCI is and what you need to do to become compliant. Again, this is just a summary, so please refer to the PCI DSS Requirements for the full detail, as there are specific requirements I do not cover here. You can find a great resource for the PCI DSS Prioritized Approach to becoming PCI compliant here: <a href="http://bit.ly/Lg1LFj" target="_blank">PCI DSS Prioritized Approach</a></p>
<p>Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: theGuru@theMerchantProcessingGuru.com<br />
Or call him at: 1-888-368-GURU (4878)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=763</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=763</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 30: The 12 requirements of PCI Compliance – Requirement # 1</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/BtbFaJ7eFRs/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=748#comments</comments>
		<pubDate>Tue, 26 Jun 2012 01:21:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[Card Processing]]></category>
		<category><![CDATA[cardholder]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[configuration]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[IT company]]></category>
		<category><![CDATA[IT person]]></category>
		<category><![CDATA[Merchant Processing]]></category>
		<category><![CDATA[Merchant Services]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[overview]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[PCI requirements]]></category>
		<category><![CDATA[PCI Security Standards]]></category>
		<category><![CDATA[public access]]></category>
		<category><![CDATA[Requirement]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[sensitive information]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[wifi]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=748</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 30: The 12 requirements of PCI Compliance – Requirement # 1
What I will try to do in this series is summarize the main objectives of each of the PCI requirements <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=748">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 30: The 12 requirements of PCI Compliance – Requirement # 1</p>
<p><img class="alignright size-full wp-image-299" title="PCI Secure Network" src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/06/secure_network.jpg" alt="PCI Secure Network" width="175" height="150" /><br />
What I will try to do in this series is summarize the main objectives of each of the PCI requirements, giving you an easy to follow &amp; understand overview of what you need to do to become compliant. Please keep in mind though that this is a summary, so please refer to the PCI Security Standards for a full description of what is required of your business.</p>
<p>Requirement #1. Install and maintain a firewall configuration to protect cardholder data. Sounds simple right? Got firewall, good to go! Unfortunately just having a firewall does not fulfill this requirement. PCI requires that it be configured in a certain way, which I will describe, and that you have periodic tests and procedures in place to make sure it is effectively doing what it needs to do. The firewall they mean is the one at the boundary of your network, the firewall built into your router or a standalone device, not just the software firewall on each PC. Its configuration should allow only the traffic your business actually needs and deny everything else (restricting the flow of traffic from unknown sources), prohibit any direct public access to systems that hold cardholder data, and block traffic between any wireless network and the systems that handle cards. In addition, any laptop or personal computer that connects to your network from outside needs personal firewall software of its own. This also means that if you offer wifi to the public (your customers, visitors etc.), you should at a minimum have a password on it that you change periodically and limit its access to the rest of your network. The best solution is a separate network for public wifi, with the firewall sitting between it and your card-handling systems.</p>
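<p>As an added example (not from the original post), the flows a PCI-style firewall review must get right, written as a small first-match policy evaluator. The store layout is hypothetical: 10.0.10.0/24 for the POS terminals, 10.0.20.0/24 for the back office, 192.168.50.0/24 for public guest wifi, and the documentation address 203.0.113.10 standing in for the payment gateway. A “got firewall, good to go” allow-all policy is included for contrast.</p>

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example: first-match firewall policy plus the Requirement 1 review cases.
# Segments and addresses are hypothetical; 203.0.113.10 / 198.51.100.9 are documentation ranges.

# (action, source network, destination network, destination port or None = any port)
Rule = Tuple[str, str, str, Optional[int]]

STORE_POLICY: List[Rule] = [
    ("allow", "10.0.10.0/24",    "203.0.113.10/32", 443),   # POS -> payment gateway, HTTPS only
    ("allow", "10.0.20.0/24",    "10.0.10.0/24",    22),    # back office -> POS, SSH only
    ("deny",  "192.168.50.0/24", "10.0.0.0/16",     None),  # guest wifi never reaches inside
    ("allow", "192.168.50.0/24", "0.0.0.0/0",       None),  # guest wifi -> internet
]

# A box that is "a firewall" but allows everything through.
FLAT_POLICY: List[Rule] = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule decides; no match means deny (unknown sources get nothing)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, dport in policy:
        if s in ip_network(src_net) and d in ip_network(dst_net) and dport in (None, port):
            return action
    return "deny"


# Flows the review must get right: (src, dst, port, required decision)
REVIEW_CASES = [
    ("192.168.50.77", "10.0.10.5",    443,  "deny"),   # customer laptop on guest wifi -> POS
    ("198.51.100.9",  "10.0.10.5",    3389, "deny"),   # internet -> POS remote desktop
    ("10.0.10.5",     "203.0.113.10", 443,  "allow"),  # POS -> payment gateway
    ("10.0.10.5",     "203.0.113.10", 80,   "deny"),   # same, but cleartext HTTP
    ("192.168.50.77", "198.51.100.9", 443,  "allow"),  # guest wifi -> internet
]


def review(policy: List[Rule]) -> list:
    """Cases where the policy decides differently from what the requirement demands."""
    failures = []
    for src, dst, port, required in REVIEW_CASES:
        got = evaluate(policy, src, dst, port)
        if got != required:
            failures.append((src, dst, port, required, got))
    return failures


if __name__ == "__main__":
    print("segmented store policy failures:", review(STORE_POLICY))
    print("flat allow-all policy failures:", review(FLAT_POLICY))
```

<p>The segmented policy passes every case; the allow-all policy fails the three that let the public or the guest wifi reach the POS segment, or let the POS talk to the gateway in cleartext. Keeping the review cases next to the policy is the “periodic test” the requirement asks for: re-run them after every rule change.</p>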
<p>If you have a network and do not have an IT person on staff who can configure this for you then I suggest that you find an IT company who understands these requirements and has had experience implementing networks that adhere to these requirements in other businesses.</p>
<p>Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: theGuru@theMerchantProcessingGuru.com<br />
Or call him at: 1-888-368-GURU (4878)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=748</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=748</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 29: So why is PCI so important anyway?</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/LixHq5608-k/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=716#comments</comments>
		<pubDate>Tue, 19 Jun 2012 19:57:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[12 requirements]]></category>
		<category><![CDATA[acquire]]></category>
		<category><![CDATA[Associations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[cardholder data security]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[credit card data]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[forensic audits]]></category>
		<category><![CDATA[HIPAA violation]]></category>
		<category><![CDATA[industry]]></category>
		<category><![CDATA[investigate]]></category>
		<category><![CDATA[medical industry]]></category>
		<category><![CDATA[merchant account]]></category>
		<category><![CDATA[merchant agreement]]></category>
		<category><![CDATA[Merchant Processing]]></category>
		<category><![CDATA[minimum standard]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[patient information]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[PCI program]]></category>
		<category><![CDATA[regulate]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[small business]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[video interview]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=716</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 29: So why is PCI so important anyway?

Before I get into the 12 requirements of PCI DSS Compliance I wanted to reiterate why this is so important <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=716">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 29: So why is PCI so important anyway?</p>
<p>Before I get into the 12 requirements of PCI DSS Compliance I wanted to reiterate why this is so important in the first place. We still do not hear stories every evening on the news about data breaches, so is this even a real concern? The answer is a resounding YES! If you wait for a breach to happen to someone on your street or you begin to hear about it more often and plan to implement a PCI program as and when the threat becomes apparent, it just may be too late and it could cost you your business.</p>
<p>Anyone with a merchant account who processes any credit cards at all, even one a year, not only must be PCI compliant but is more vulnerable than you can even begin to fathom. The first reason to become PCI compliant is that when you sign a merchant agreement you are contractually bound to the acquirer to meet all requirements of PCI DSS. This means that if you do not become compliant within a certain amount of time you are in violation of the merchant agreement and you are fully responsible for any breach that occurs. Above all, a breach could be so devastating to a small business that the fines and required forensic audits alone could put you out of business. A forensic audit ordered by the associations to investigate how the breach occurred could cost $10,000 or more, even if you are not at fault, and the fines from the Associations could be as high as $30 &#8211; $50 for each card number that was stolen. In most cases thousands of card numbers are stolen, you do the math!</p>
<p>Another great reason is just to protect your customer’s cardholder data. Breaches occurred long before PCI compliance even existed and the increase in this crime over the years, along with the lack of response from the industry to safeguard against this has brought the Associations to regulate it and create a minimum standard for cardholder data security that everyone needs to adhere to. But the fact of the matter is that we should all be as concerned, if not more so, about protecting our customers data than we are about covering our backside if something were to happen…</p>
<p>The TJ Maxx breach discovered in 2006 was executed from a laptop in a car in a store parking lot. The criminals got onto the store’s wireless network, which was protected only by weak WEP encryption that is trivial to break, and from there pulled whatever they wanted from the internal network. PCI DSS already existed at the time, but breaches like this one drove the card brands to enforce it, and most big box stores have since implemented all the PCI requirements, so the hackers have for the most part moved on to smaller, easier targets. This leaves the small business owners who have not yet taken PCI compliance as seriously vulnerable to attack.</p>
<p>If you are in the medical industry a PCI data breach is also a HIPAA problem: if you think about it, a patient’s credit card data is patient information just like any other patient information you hold. So if you have to comply with HIPAA, PCI DSS should be incorporated into your HIPAA policies and procedures, and you should adhere to the 12 PCI requirements as fervently as to the HIPAA regulations. Your practice may depend on it. Unfortunately, the medical industry is one of the industries seeing a huge increase in data theft.</p>
<p>Still not convinced? Here is a video interview of someone who experienced a data breach first hand and was brave enough to share and warn others about it:</p>
<p><iframe src="http://www.youtube.com/embed/JsfUdY89lJc" frameborder="0" width="420" height="315"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=716</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=716</feedburner:origLink></item>
		<item>
		<title>The Merchant Processing Guru Tip# 28: PCI Compliance – Where to begin?</title>
		<link>http://feedproxy.google.com/~r/TheMerchantProcessingGuru/~3/f3_AL0GlTxw/</link>
		<comments>http://www.themerchantprocessingguru.com/?p=657#comments</comments>
		<pubDate>Mon, 21 May 2012 18:57:04 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI compliance]]></category>
		<category><![CDATA[12 requirements]]></category>
		<category><![CDATA[Acquirer]]></category>
		<category><![CDATA[best practices]]></category>
		<category><![CDATA[ControlScan]]></category>
		<category><![CDATA[credit card processing]]></category>
		<category><![CDATA[leading authority]]></category>
		<category><![CDATA[merchant]]></category>
		<category><![CDATA[Merchant Processing]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[PCI approved vendor]]></category>
		<category><![CDATA[PCI requirements]]></category>
		<category><![CDATA[PCI Security]]></category>
		<category><![CDATA[processing solution]]></category>
		<category><![CDATA[quarterly scan]]></category>
		<category><![CDATA[secure yournetwork]]></category>
		<category><![CDATA[Self Assessment Questionnaire]]></category>
		<category><![CDATA[technical]]></category>
		<category><![CDATA[The Merchant Processing Guru]]></category>
		<category><![CDATA[thriving business]]></category>
		<category><![CDATA[validate PCI compliance]]></category>
		<category><![CDATA[white paper]]></category>

		<guid isPermaLink="false">http://www.themerchantprocessingguru.com/?p=657</guid>
		<description><![CDATA[The Merchant Processing Guru Tip# 28: PCI Compliance – Where to begin?
You could say the first place to begin is to identify what level of merchant you are <a class="more-link" href="http://www.themerchantprocessingguru.com/?p=657">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
				<content:encoded><![CDATA[<p>The Merchant Processing Guru Tip# 28: PCI Compliance – Where to begin?</p>
<p>You could say the first place to begin is to identify what level of merchant you are, so you know what is required of you. See the chart below to determine which level you fit into. Don’t be fooled by the chart though: most level 3 &amp; 4 merchants look at it and think all they have to do is complete a “Self Assessment Questionnaire”, have a quarterly external scan of their network done by a PCI Approved Scanning Vendor (ASV) and validate compliance with their Acquirer. That is only the validation step; it assumes you have already met all 12 of the PCI DSS requirements. If you have not gone through each of these requirements and fulfilled every one of them, you are not compliant! I will go through each of the 12 requirements in my next several posts and explain the steps you need to take for each one, to help you understand what you need to do to become compliant.</p>
<p><img src="http://www.themerchantprocessingguru.com/wp-content/uploads/2012/05/PCI-Merchant-Levels.png" alt="PCI Merchant Levels" title="PCI Merchant Levels" width="460" height="463" class="aligncenter size-full wp-image-59" /></p>
<p>Meanwhile, a really good white paper was released last Monday by ControlScan, a leading authority in the PCI compliance space, that explains the main steps a merchant should take to become PCI compliant. It is a great overview of the best practices any merchant should follow. It gets a little technical in places, but don’t let that alarm you; this information can help you hire the right IT or PCI security people to take the steps necessary to secure your network. Basically, if you need help becoming PCI compliant, get the help. It could mean the difference between building a thriving business and going out of business, it’s that simple!</p>
<p>Here is the link to the white paper from ControlScan:</p>
<p><a href="http://www.controlscan.com/whitepapers/top_5_security_best_practices.php" target="_blank">www.controlscan.com</a></p>
<p>Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Processing, shedding light on the credit card processing industry. To contact him via email: theGuru@theMerchantProcessingGuru.com<br />
Or call him at: 1-888-368-GURU (4878)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.themerchantprocessingguru.com/?feed=rss2&amp;p=657</wfw:commentRss>
		<slash:comments>4</slash:comments>
		<feedburner:origLink>http://www.themerchantprocessingguru.com/?p=657</feedburner:origLink></item>
	<media:rating>nonadult</media:rating></channel>
</rss>
