What is PCI?
Specifically, the Payment Card Industry Data Security Standard (PCI DSS) prohibits the storage of the full contents of any magnetic-stripe, CVV2 or PIN data. Storage of this type of data is in violation of (PCI DSS) and the card company operating regulations. It also provides security requirements for transmitting card data.
PCI is now short hand for the data protection standard that governs the payments industry efforts to protect against hackers and it provides a lot of detail on how that protection should be implemented. This means that PCI is not only good for protecting payment card data, but also protecting your business and any personally identifiable information you may have about your customers and employees.
- Maintain cardholder account information in a secure manner with limited access.
- Maintain cardholder personal information in a secure manner with limited access.
- Limit access to information to authorized personnel.
- Ensure those with access comply with security requirements.
- Provide communication security and encryption.
- Do not disclose cardholder information to third parties.
- Do not retain mag-stripe data.
- Perform background checks on all those with access to cardholder data.
- Implement Verified by Visa and MasterCard SecureCode.
- Become Cardholder Information Security Program (CISP) compliant
- Install and maintain working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access to data by "need to know"
- Assign a unique ID to each person with computer access
- Don't use vendor-supplied defaults or passwords and security parameters
- Track all access to data by unique ID
- Regularl test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
Additional, comprehensive information can be obtained at:
Visa's Payment Application Best Practices (PABP). A list of PABP-validated applications is available at www.visa.com/pabp.
A list of PA-DSS validated applications is available at: www.pcisecuritystandards.org/security_standards/vpa/.
We also recommend you review these PDF documents:
PCI Quick Reference Guide
PCI Data Storage Do's & Don'ts at a Glance
It is critical that you ensure that you do not use payment applications known to retain prohibited data elements and that you take corrective action to address any identified deficiencies because these applications are at risk of being compromised.
- Upgrade to a secure Payment Application immediately. Confirm with your POS vendor that your specific payment application version is PCI compliant.
- In addition to upgrading your payment application, any old storage of prohibited data must be securely deleted from all systems, databases and log files.
- Enforce network security on your POS. Insecure networks connected to the internet are prime candidates for attacks.
- Secure remote management applications like PCAnywhere. Turn on your remote management software ONLY when needed.
- Don't store it if you don't need it. Take steps to protect your customer's data if you do store it to meet data security compliance standards.
- Skimming fraud can be addressed with Pay at the Table solutions.
- Process your card payments using a credit card terminal not tied to your POS.
- Invoice your clients using a branded Secure Checkout page
- Use a customer management token solution for repeat and recurring transactions to stay out of scope with PCI.