As stated in part one of this series, obtaining PCI Compliance is essential for any business that intends to process credit card payments online, and the same controls are typically applied to ACH payments handled by the same systems. The requirements are defined in the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, to help reduce fraud and ensure electronic payments are processed in a secure manner.
In order to obtain PCI Compliance, a business must adhere to 12 requirements set by the PCI DSS that are divided into six categories. Taken from their
Build and maintain a secure network:
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data:
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open, public networks.

Maintain a vulnerability management program:
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures:
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks:
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy:
  12. Maintain a policy that addresses information security for all personnel.
These technical and operational requirements are imperative. They help an organization protect sensitive data that, if obtained by the wrong person, could lead to cardholder fraud or identity theft. They also create a solid baseline that holds everyone who handles cardholder data accountable should an issue arise.
So, how do you get started with obtaining PCI Compliance? This process can be broken into three steps: assess, remediate and report.
Assess. You must know the ins and outs of the IT assets and business processes used for processing credit card and ACH payments: which systems store, process or transmit cardholder data, and how that data flows between them. Those in-scope systems and processes are then analyzed for vulnerabilities. This step must be carried out thoroughly, because a risk you never identify is one you cannot eliminate.
Remediate. The next step is addressing any vulnerabilities found during the assessment to produce a more secure environment. These vulnerabilities may be defects in code, insecure configuration, or simply the method a business uses for processing credit card and ACH transactions (for example, storing full card numbers that it does not need).
Report. The final step is collecting the records that document the actions taken during remediation, as required by PCI DSS, and submitting the required compliance reports (for most merchants a Self-Assessment Questionnaire; for larger merchants a Report on Compliance prepared by a Qualified Security Assessor) to the acquiring banks and card brands your organization does business with. These reports must be submitted on a recurring basis.
These three steps, assess, remediate and report, are an ongoing process, not a one-time project: any change to the systems that handle cardholder data can bring new assets into scope and restart the cycle.
Azox Credit Card Extension (CCE) is PA-DSS validated, which makes obtaining PCI Compliance when using our solution much simpler. Note that PA-DSS validation covers the payment application itself; the merchant's own environment must still meet the 12 requirements above, and the application must be deployed according to its PA-DSS implementation guide. CCE is an ACH/