By Andy Eliason [ 23/02/2008 ]
The Payment Card Industry Data Security Standard, or PCI DSS, was created to encourage merchants who store, process, or transmit credit card data to implement a certain level of security. And by "encourage," of course, I mean "mandate." Merchants who fail to achieve PCI DSS compliance will be subject to steep fines and even the loss of the ability to accept credit cards at all.
So how do you go about achieving PCI DSS compliance? The PCI Security Standards Council has laid out 12 requirements that a merchant must conform to in order to be considered compliant. These requirements are as follows.
Install and maintain a firewall configuration
A firewall is a device that controls the traffic that is allowed into your system. Every system must be protected by a firewall and unauthorized access must be blocked. The firewall must be actively maintained to deter unwanted intrusions.
Do not use vendor-supplied defaults for system passwords
When you first install a system, chances are it comes with a standard set of default passwords used to set it up and begin accessing it. These need to be changed immediately, because they are well known in the hacker community and will be the first things attackers try when they attempt to gain access.
Protect stored cardholder data
This one seems obvious, but often companies don't do enough to ensure security. Data encryption is critical, and companies should even consider remote data storage as a viable option.
Encrypt transmission of cardholder data across open, public networks
If they can't get to it on your system, criminals could try to intercept sensitive information en route. But if you make sure the data is properly encrypted, you don't have much to worry about.
Use and regularly update anti-virus software
A daylight charge across the minefield isn't always the preferred way to get into a system, and criminal intrusions aren't the only threat to sensitive data. Viruses and other malicious programs can get into your system any number of ways, and the damage they do could be irreparable. Keeping updated defensive measures is critical.
Develop and maintain secure systems and applications
As patches are released to deal with known security issues in a program, you must make sure you have them properly installed and up-to-date.
Restrict access to cardholder data by business need-to-know
In reality, there are only a few people in any given company that need to have access to sensitive data. You must make sure that they are the only people who have legitimate access to it.
Assign a unique ID to each person with computer access
This ensures that only specific, identified people can access credit card data. It also ensures that actions can be traced back to known and authorized users.
Restrict physical access to cardholder data
Again, there is very limited need for more than a few people to physically access sensitive data. By restricting access you can guard against people removing hardcopies or even entire systems.
Track and monitor all access to network resources and cardholder data
You need to implement logging mechanisms that track user activities. This way, should anything unseemly happen to your system, you can analyze and discover exactly what went wrong, and what needs to be done to prevent future problems.
Regularly test security systems and processes
Hackers are always trying new methods to get at your system, and by regularly testing your security measures you can find the security holes first. By frequently testing your security, you can maintain the strongest defense possible.
Maintain a policy that addresses information security for employees and contractors
Security measures and procedures are useless if you're the only one who knows about them. One of your priorities needs to include making all employees aware of the sensitivity of data and their individual responsibility to protect it.
Achieving PCI DSS compliance can be a long and arduous process. Many companies have, therefore, chosen to outsource their PCI DSS compliance to companies that specialize in data storage and security. Whichever option you choose, however, the quicker you achieve compliance the quicker you can start to experience the benefits.
About the author:
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI DSS compliance, or other data security storage options, visit Braintree Payment Solutions today.
Article Source: http://www.Free-Articles-Zone.com