PCI compliance checklist: find out if you’re compliant.

By: Joshua Griffin


Nab pci small 1In 2017, identity fraud increased by 8%, rising to 16.7 million impacted U.S. consumers, with online shopping accounting for more than 80% of that. The trend is increasing year-by-year at an alarming rate.

If your business accepts, stores, or transfers credit card information, you are responsible for protecting your customers’ data. You may have heard of PCI, which stands for the Payment Card Industry Data Security Standards (PCI DDS).

PCI compliance is a set of standards, created by the largest credit card issuers, to establish mandated policies for the secure creation, processing, storage, and transmission of credit card data.

Although you can’t display a certification showing that you’ve achieved PCI compliance, if you process credit cards at your business, you must prove compliance through documentation. If you aren’t compliant, you could face both penalties and a damaged reputation.

To make compliance more manageable, let’s look at our PCI compliance checklist — designed to help you stay ahead of any potential privacy issues.

How to install, maintain, and test a secure network.

The importance of having a secure firewall.

The first step towards establishing a secure network in your business is installing a strong, secure firewall. A firewall is a computer software program which blocks unauthorized access to digital data. A firewall isolates your computer network from the rest of the internet by creating code that inspects each piece of data that hits the wall, allowing or denying traffic.  Firewalls enhance security while being tailored to your computer use. By installing and continually testing a reliable firewall, you’ve taken the first step to comply with PCI standards, preventing unauthorized access to consumer data.

Anti-virus software.

In addition to a secure firewall, you must implement anti-virus software. Anti-virus software, also known as anti-malware, helps detect and protect your computer systems from viruses, trojan horses, and worms, which can cause significant harm to your computer software and data. Be advised that computer viruses evolve, so you’ll want to continually monitor and update your anti-virus software so you can protect yourself adequately.

Program testing and updating.

You’ll also want to make sure to test and update your currently used software programs. Failing to verify or upgrade your systems can leave them vulnerable to viruses or crashes. If you use third-party software programs or apps, make sure that those programs individually meet the PCI standards — don’t assume they do.

Create policies to run quarterly vulnerability scans of your computer system. In doing so, use a qualified internal employee or resource, or engage an external service to complete all internal audits. These audits will help identify any vulnerabilities regarding credit card data. Create comparisons of your computer tools, so that you can monitor any changes from week to week. When running your scans, don’t forget to check your wireless access points as well.

Nab pci 1 small 2Create and maintain secure computer systems.

When establishing your secure network and programs, you also need to create and maintain a secure computer system. This compliance step addresses the security of your servers, installing security patches on all systems or programs after release. Make sure that your security updates are timely and adequately installed on all components, while setting security upgrades and patches to update automatically.

How to protect your customers’ data.

Passwords & third-party login information.

Keeping track of passwords is beyond frustrating. However, don’t take the easy way out and default to your third-party vendors’ passwords or other login information. By creating custom passwords for each computer user, you’re adding another layer of data protection and complying with the required PCI standards. When creating passwords, use a combination of uppercase and lowercase letters, along with numbers and symbols for optimal security.

For digital access to credit card information, provide your applicable team members with unique identifiers. For example, implement a multi-factor authorization system for all remote access. Disable any access to remote entrance points if your customer information is not in use. Additionally, monitor and document all remote access to your consumers’ payment information.

The importance of encryption.

Additionally, make sure that your data is encrypted, which is the process of converting data to code, preventing unauthorized access. When deciding how to encrypt your consumer information when it transmits across open, public networks, review how and where your customer’s credit card information is used within your business. By doing this, you can safeguard your data through encryption suited to your company and operations. Additionally, like your implemented software, monitor and update your encryption processes regularly, guarding against potential vulnerabilities.

Restrict access.

Further, physically restrict the access to your customer data. In other words, keep access to this information on a need-to-know basis only. Based on your team members’ roles in your business, inform those needing access to this data about how, when, and why to connect with this information. Train applicable employees on security measures. Make sure they understand what makes data secure under the PCI compliance rules, as well as what can create vulnerabilities. Knowledge and training are powerful tools for protecting credit card data.

Also, be sure to maintain restrictions on physical computer access to information. For example, keep your computer system in a secure, monitored area, preventing just anyone from accessing private information. Additionally, create access points within your software, allowing only specific employees to retrieve customer information. For any old information you may have in your business, be sure to destroy any customer information properly, by using a shredding service, for example.

Track and log access.

Don’t merely implement privacy controls and let them be. To comply with PCI standards, you should log and report any access to your computer systems. Create written or electronic audit logs, indicating each access point, failed log-ins, and any changes made to the data. Through this tracking, you can identify each user, the date and time of access, and the information altered. Create procedures for creating and monitoring your review logs and address any abnormalities as soon as they are discovered.

Protect stored credit card information.

Many businesses don’t store sensitive payment information because of the potential risk of data breach or compromise. However, if you do store this type of data, you’ll need to take the appropriate PCI-compliant steps to safeguard this data. Make sure your employees acknowledge their training on the use of customer information and the PCI’s privacy standards in writing. If you issue sale receipts, don’t print the customer’s entire card number on the form. Simply mask the first part of the credit card number, leaving only the last four digits. Finally, make sure that only key employees can access any complete records on customer payment information. Don’t leave yourself vulnerable by having this data available to all your employees.

Create a security policy.

Throughout your training, tracking, and logging, you need to create a security policy outlining in detail the procedures for PCI compliance. In your written compliance and security policy, you should include the following policies and processes:

  • Updating your computer software and identifying security threats and vulnerabilities.
  • Retaining any customer data.
  • Identifying all internal employees’ roles and access to data.
  • Creating a list for identifying all third-party vendors as well as training such vendors on your systems.
  • Creating steps for change management.
  • Preparing all applicable employees on an annual basis.
  • Identifying all company technology, such as desktops, laptops, smartphones, email usage, and remote or wireless access.
  • Reporting breach or vulnerability incidents.

PCI compliance can seem intimidating. However, by creating a checklist, following it, and putting these tasks on your calendar, you’ll find that compliance isn’t such a bear. Break down each step over a year and document your actions and results. Remember, you want to prove that you’re compliant with the PCI standards. Having appropriate documentation allows you to do just that.

At NAB, we can help guide you through your PCI-mandated compliance. Our credit card processing equipment is PCI-compliant and our dedicated team of security experts has answers to all your questions about security. We offer low processing fees and don’t require long-term contracts. We help make it easy to provide your customers with the frictionless transactions they’ve come to expect.

Whether you’re looking to accept payments in-store, online, or on the go, we have the solutions and service you need. We’ll help you tailor a PCI-compliant payment processing plan to your specific business, giving you peace of mind. To set up a consultation, contact us here or give us a call at 877.840.1952.