The Payment Card Industry Data Security Standards (PCI DSS) outline what are acceptable ways of processing, storing and transmitting your clients’ credit card information. They consist of common-sense steps that mirror security best practices and are endorsed by all major credit and charge card payment brands, including Visa, MasterCard, American Express, Diners Club and JCB.


PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel


The best practice is simple: if you do not need to keep credit card information, do not keep it. If you do need to keep your clients’ card details on file, the PCI DSS restricts which card elements can and cannot be stored.

The following information cannot be stored after authorisation:

* Sensitive cardholder information, i.e. the full contents of the track data from the card’s magnetic stripe.

* Card Verification Numbers (CVV2/CVC2/CID): the three digits on the back of the card, or the four digits on the front of an American Express card.

It is important to remember that you can only store the customers’ account information that is necessary for your business and only with the cardholders’ knowledge and consent.
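As an added example that is not part of the original post, the following Python helper shows what "not storing" these elements looks like in code: it drops the forbidden fields from a record before it is persisted, and it scans stored text (such as application logs, where swipe data and form posts often leak) for full track data and verification values. The field names, log lines and card values are constructed for this illustration; the track layouts follow the ISO/IEC 7813 magnetic-stripe format.

```python
"""
Added example (not code from the original post): a small helper that
(1) strips the card elements PCI DSS says must not be stored after
authorisation (full track data and CVV2/CVC2/CID) from a record before it
is persisted, and (2) scans stored text such as logs for those elements.
Field names, log lines and card values are constructed for this
illustration; the track layouts follow the well-known ISO/IEC 7813 format.
"""
import re

# Record fields that must never be persisted after authorisation.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid"}

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\??")
# Heuristic for a verification value that leaked into free text, e.g. "cvv2=123".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)

PATTERNS = [("track1", TRACK1_RE), ("track2", TRACK2_RE), ("cvv", CVV_RE)]


def sanitise_record(record):
    """Return a copy of record that is safe to persist: forbidden fields are
    dropped and track data embedded in any free-text field is redacted."""
    clean = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue  # drop the field entirely; it must not be kept after authorisation
        if isinstance(value, str):
            # Defence in depth: swipe data sometimes ends up in notes or error messages.
            value = TRACK1_RE.sub("[REDACTED]", value)
            value = TRACK2_RE.sub("[REDACTED]", value)
        clean[key] = value
    return clean


def find_sensitive_auth_data(text):
    """Return the labels of sensitive authentication data patterns found in text."""
    return [label for label, pattern in PATTERNS if pattern.search(text)]


def scan_log_lines(lines):
    """Return (1-based line number, labels) for every line that contains a hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        labels = find_sensitive_auth_data(line)
        if labels:
            hits.append((number, labels))
    return hits


# Constructed sample data (4111111111111111 is a standard test PAN, not a real card).
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "2512",
    "cvv2": "123",
    "track2": ";4111111111111111=25121011234567890?",
    "notes": "swipe retry: ;4111111111111111=25121011234567890? then approved",
}

# Constructed log lines of the kind a scanner would be run over.
SAMPLE_LOG = [
    "2024-05-01 10:01:02 INFO auth approved merchant=demo amount=19.99",
    "2024-05-01 10:01:03 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^25121011000000000?",
    "2024-05-01 10:01:04 DEBUG form post cvv2=123 pan=************1111",
]

if __name__ == "__main__":
    print(sanitise_record(SAMPLE_RECORD))
    for number, labels in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: found {', '.join(labels)}")
```

The scanner is a heuristic, not a parser: it is meant to flag lines for review in stored logs, database dumps and backups, which is where these elements most often survive unnoticed after the transaction itself has been handled correctly.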

Cardholder information needs to be destroyed after its use. If you are using manual paper facilities it is imperative that you destroy all carbon copies of manual imprints in such a way that the details are unreadable. The same must be done for sales vouchers printed by EFTPOS terminals. This ensures that carbon copies and terminal sales vouchers cannot be retrieved from the rubbish by fraudsters and used.

Further information on storing electronic data securely can be found by going to:

You can ensure that your business complies with the full PCI Standards by completing the SAQ (Self-Assessment Questionnaire), which is available on the websites mentioned above.
