Despite being ultimately responsible for PCI-DSS compliance, most merchants have never heard of it.
So, what is PCI-DSS? PCI-DSS stands for Payment Card Industry Data Security Standard, which is issued by the PCI Security Standards Council (the “Council”). Founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., the Council developed the PCI-DSS to protect payment account data throughout the payment lifecycle and prevent data theft. The standard applies to merchants, service providers, and financial institutions and covers security practices, technologies and processes, alongside related standards for developers and vendors creating secure payment products and solutions. In short, if you accept, process, store or transmit payment card data, PCI-DSS applies to you.
For the merchants out there accepting payments via credit cards and/or storing payment information from customers and thinking “Wait…what?!?” in response to seeing this, relax. Many of you, without realizing it, utilize a cloud-based payment collection platform that is PCI-DSS compliant. Outsourcing to a compliant provider reduces your scope but does not remove your obligations entirely: you remain responsible for validating your own compliance (for a fully outsourced merchant, typically a short self-assessment questionnaire) and for the systems and people that still touch card data. And these basic steps, as published by the Council, are a starting point to begin the journey to PCI-DSS compliance:
Buy and use only approved PIN entry devices at your points-of-sale.
Buy and use only validated payment software at your POS or website shopping cart.
Do not store any sensitive cardholder data in computers or on paper.
Use a firewall on your network and PCs.
Make sure your wireless router is password-protected and uses encryption.
Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
Teach your employees about security and protecting cardholder data.
Follow the PCI Data Security Standard.
During the remote working surge caused by the Coronavirus pandemic, the Council released a blog post reminding businesses and merchants to TRAIN and EDUCATE their employees, keep security processes up to date, and encourage employees to consider their physical surroundings while working (i.e., avoid prying eyes). The Council also listed several security practices, many of which were already discussed on lacyberlawblog.com, but are restated by the Council as follows:
Use multi-factor authentication for all remote network access;
Require strong passwords and give examples of such to employees;
Ensure all systems used by staff working remotely have up-to-date patches, anti-malware protection, and firewall functionality to protect from internet-based threats;
Uninstall or disable unnecessary applications and software to reduce avenues of attack;
Implement access controls to prevent unnecessary access by employees to certain resources/folders;
Use only secure, encrypted communications—e.g., a properly configured VPN—to protect all transmissions to/from the remote device that contain sensitive information, such as cardholder data;
Automatically disconnect remote access sessions after a period of inactivity, to avoid idle, open connections being used for unauthorized access; and
Ensure incident response plans are up to date and include accurate contact details for key personnel. Procedures for detecting and responding to a potential data breach could be different for incidents originating from remote work environments.
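The first, fifth, sixth and seventh items above (multi-factor authentication, access controls, encrypted remote access, and disconnecting stale sessions) can be made concrete on a single Linux host that remote staff log in to over SSH before reaching anything that handles cardholder data. The fragment below is an added example written for this page; it is not text from the Council or from the blog. The group name `remote-cde-ops` is an assumption, as is the PAM setup: the keyboard-interactive step only becomes a second factor if PAM on that host is configured with a second-factor module (for example a TOTP module), which this fragment does not show.

```text
# Added example: /etc/ssh/sshd_config settings for a jump host used by
# remote staff. Group name "remote-cde-ops" and the PAM second-factor
# module are assumptions, not part of the original page.

# Access control: only members of one group may log in at all.
AllowGroups remote-cde-ops

# Multi-factor authentication: an SSH key AND a PAM prompt are both
# required; a stolen key or a stolen password alone is not enough.
# (ChallengeResponseAuthentication is the long-standing name; newer
# OpenSSH releases also accept KbdInteractiveAuthentication.)
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# Encrypted transport is inherent to SSH; keep only current algorithms
# so an old client cannot negotiate a weak cipher.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256

# Drop dead or unresponsive connections: after two missed keepalives at
# five-minute intervals the session is closed. Note this does NOT log out
# a user who is merely idle at a shell prompt (see the note below).
ClientAliveInterval 300
ClientAliveCountMax 2
```

Two caveats a practitioner will want. First, `ClientAliveInterval` and `ClientAliveCountMax` only tear down connections whose client has stopped answering keepalives; to disconnect a session that is connected but idle at a shell (the Council's actual point), set a read timeout in the login shell as well, for example by exporting a read-only `TMOUT` value in a file under `/etc/profile.d/`, so bash exits after that many seconds without input. Second, check the result rather than assuming it: `sshd -T` prints the effective configuration after all overrides, and a login attempt from an account outside the allowed group should be refused before any authentication prompt appears. RDP gateways and VPN concentrators have their own idle-timeout and MFA settings; the principle is the same, the option names are product-specific.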
Additionally, IT teams need a way to verify that a caller asking for help, a password reset, or remote desktop access is actually the employee they claim to be, and employees need a way to verify that a caller claiming to be from IT really is. This is particularly important as attackers increasingly target remote desktop access and use phone calls to obtain it. One simple approach is a verbal pass-code assigned to each individual employee and conveyed to staff via U.S. Mail, with the IT staff holding a master list and the remote workers holding the list of pass-codes for the IT staff. Of course, such a process requires trust in existing employees, and a static pass-code is only as good as its secrecy: anyone who overhears it can reuse it until it is changed, so pass-codes should be rotated periodically and immediately after any suspected disclosure, and should never be read out to a caller who has not first proven who they are.
Retaining a cyber literate attorney can assist your business in determining requisite compliance measures and employee training techniques to mitigate negligence claims under the shield of attorney-client confidentiality. Reach out at Sarah@alexandersides.com.