The Payment Card Industry Data Security Standard (PCI DSS) outlines the acceptable ways of processing, storing and transmitting your clients’ credit card information. It consists of common sense steps that mirror security best practices and is endorsed by all major credit and charge card payment brands, including Visa, MasterCard, American Express, Diners Club and JCB.
Goal: Build and Maintain a Secure Network
PCI DSS Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
PCI DSS Requirements:
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
PCI DSS Requirements:
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
PCI DSS Requirements:
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
PCI DSS Requirements:
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
PCI DSS Requirements:
12. Maintain a policy that addresses information security for all personnel
The first best practice is simple: if you do not need to keep credit card information, do not keep it. If you do need to keep your clients’ credit card information on file, the PCI DSS restricts which card elements can and cannot be stored.
The following information cannot be stored after authorisation:
* Sensitive cardholder information, i.e. the full contents of the track data from the magnetic stripe of the card.
* Card Verification Numbers (CVV2/CVC2/CID). These are the three digits on the back of the card, or the four digits on the front of the card for American Express.
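As an added example that is not part of the original post, the routine below drops exactly those two element classes (magnetic-stripe track data and the card verification number) from an authorised transaction record before it is written to storage, and can be run over existing records to flag ones that still hold them. The field names, the track-data patterns and the sample record are assumptions made for this illustration.

```python
import re

# Field names under which sensitive authentication data is commonly captured
# (assumed names for this example; adapt to your own schema).
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "cvv"}

# Raw magnetic-stripe layouts: Track 1 opens with '%B' + PAN + '^',
# Track 2 opens with ';' + PAN + '='. Used to catch track data pasted
# into free-text fields such as notes or debug logs.
TRACK_PATTERNS = (
    re.compile(r"%B\d{12,19}\^"),
    re.compile(r";\d{12,19}="),
)


def _holds_track_data(value) -> bool:
    """True if a string value embeds a raw Track 1 or Track 2 record."""
    return isinstance(value, str) and any(p.search(value) for p in TRACK_PATTERNS)


def scrub_after_authorisation(record: dict) -> dict:
    """Return a copy of an authorised record with sensitive authentication
    data removed, so only storable elements reach persistent storage."""
    cleaned = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue  # CVV/CVC/CID and track fields are never stored
        if _holds_track_data(value):
            continue  # free-text field that smuggles raw stripe contents
        cleaned[key] = value
    return cleaned


def contains_sensitive_auth_data(record: dict) -> bool:
    """Audit check: does a stored record still contain forbidden elements?"""
    return any(
        key.lower() in SENSITIVE_AUTH_FIELDS or _holds_track_data(value)
        for key, value in record.items()
    )


# Constructed sample record as a payment application might build it.
SAMPLE_AUTHORISED_RECORD = {
    "merchant_ref": "ORDER-1001",
    "amount": "42.00",
    "pan_last4": "1111",
    "cvv2": "123",
    "track2": ";4111111111111111=25121010000000000000?",
    "notes": "raw swipe: %B4111111111111111^DOE/JOHN^2512101?",
}
```

Running `contains_sensitive_auth_data` over the records already in your database is a quick way to find data that should have been destroyed after authorisation.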
It is important to remember that you may only store the customer account information that is necessary for your business, and only with the cardholder’s knowledge and consent. Cardholder information needs to be destroyed once it has served its purpose. If you use manual paper facilities, you must destroy all carbon copies of manual imprints in such a way that the details are unreadable. The same applies to sales vouchers printed by EFTPOS terminals. This ensures that carbon copies and terminal sales vouchers cannot be retrieved from the rubbish, where fraudsters could otherwise recover and use the data.

Further information on storing electronic data securely can be found at:
https://www.pcisecuritystandards.org
http://www.visa-asia.com/ap/tw/merchants/riskmgmt/includes/uploads/SecurityIncidentRespProcd.pdf
http://www.mastercard.com/gateway/payment-processing/PCI-Compliance.html

You can ensure that your business complies with the full PCI Standards by completing the Self-Assessment Questionnaire (SAQ), which is available on the websites mentioned above.