There are 12 pieces to PCI compliance. Let’s list them and see which are applicable and where we can minimize our attention.
First of all, although it is not a major point in the standards, creating an inventory of devices is paramount in becoming PCI compliant. Being compliant will also be easier if you make a proper inventory (with all the applicable software and hardware), and an inventory is good for general security even where it is not needed because a system does not touch payment card data. Basically, for PCI compliance, anything that touches payment card data is going to get some extra scrutiny.
So guess what: you need documentation and procedures to make sure that only the right people access the data and that they do not abuse it. For example, do not send payment card data in an unencrypted format over the Internet. Another example: do not send customer data via fax or chat sessions.
So if you have documentation and signed statements from employees that they have read it, PCI compliance is easier.
Let’s work our way from the bottom: you must have a security policy (documentation), must test the network and all systems, must have a firewall, must have antivirus or anti-malware software, must change default passwords, should not develop your own software (as that is much more difficult), and must authenticate access to systems and restrict access to payment card data, including physically. Not storing cardholder data will simplify your compliance needs.
Encrypt the actual transaction from the cardholder (merchant to financial institution). The machine that handles this should be a mechanism approved by your financial institution. It complicates things if you have it on one of your computers; it is easier on a machine dedicated to swiping or inserting cards.
If you focused on not developing your own software and used only a specific PCI-compliant machine, with documentation for your employees, that would go a long way toward solving your PCI compliance. If you can segment the network (if the payment card machine needs to access the Internet, which a lot do now), that will cut down on the number of machines the auditor has to test.
Monitoring the log system is just prudent, as is making sure that access to systems is properly authenticated. Many of these steps are just common-sense computer security items (such as changing default passwords).
Some general topic headings from the PCI document:
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
We will test your network and give you a specific list that makes PCI compliance easy to follow and complete. Contact us to discuss.