The Payment Card Industry Data Security Standard (PCI DSS) has been in effect since the early 2000s. All businesses have been moving toward compliance since. However, many business overlook some key aspects of PCI compliance that increase their vulnerability. Here are six things to keep in mind as you move toward or evaluate your own PCI DSS compliance.
- Secure everything – Be sure you haven’t overlooked a portion of the cardholder data environment (CDE). All portions of the CDE must be protected, from endpoints to administration to storage to infrastructure.
- Patch regularly – Despite the hassle or cost, systems must be patched often, sometimes within a month of a release. Be sure that you evaluate weak points often and patch when necessary.
- Secure cardholder data – Two-factor authentication is required for remote access to cardholder data systems. Once implemented, two-factor authentication should be tested periodically to ensure that it is working properly.
- Limit third-party access – If you allow third-part access to your systems, it is essential to follow up and remove this access once it is no longer needed. A failure to do so will result in network vulnerabilities.
- Know where data is stored – Just because payment processing is outsourced to a third party does not remove merchant responsibility for cardholder data. Merchants research where and how this data is stored.
- Use tokenization – Rather than storing Sensitive Authentication Data (SAD), use tokenization during the payment process (even for recurring billing). It reduces your risk by eliminating the need to store sensitive cardholder information.
