There are 12 steps to compliance:
- Firewall maintenance
- Change your default passwords (and create a password policy)
- Protect stored cardholder data (if you are not developing software or have a website that you are developing – this may not be necessary)
- Encrypt Cardholder data – i.e. use devices that encrypt cardholder data (or develop this properly)
- Protect all systems against malware (using anti-virus software)
- Develop and maintain secure applications (only if you are developing software)
- Restrict access to cardholder data (if developing authenticate before giving access)
- Identify and authenticate access to system components
- Authentication physical access (only qualified people should access credit card systems)
- Track and monitor all access to network resources and cardholder data (log systems)
- regularly test security systems and procedures
- Maintain a policy that addresses security information for all personnel
But as you can tell – each business will have it’s own specifics to focus on – especially if they develop web software to accept credit cards. But if you do not have credit card(CC) development then a lot of items can be skipped. And if one does a few other items(like segment networks) then it is even easier. Just make sure all devices that run credit cards are encrypting the CC numbers.
We have modified this set of headings into a security policy. The inventory of all items may not have it’s own heading, but it is a part of a heading, and I believe it is important enough to get it’s own bubble in the infographic.
I.e. you can make a security policy out of all the headings here(ones relevant to you).
Why should one become compliant? Because it is basic cybersecurity, thus you will save yourself from potential future headaches (possible hacks and ransomware). The attackers are forever trying to steal your resources, and this is a good start (a minimum level of Cybersecurity).
What is better than just PCI compliance? Using a framework which encompasses all company processes and data (not just credit card data).
Contact us to discuss