What is PCI compliance and why is it important to you? The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider.
This white paper is ideal for executives and IT decision-makers as up-to-date information regarding what PCI compliance is and best practices and specific technology recommendations, including cloud-based PCI compliant hosting options.
Read below for for more information on PCI Compliance, and the goals it aims to achieve:
Goal: Building and maintaining a secure network
- Install and maintain a firewall configuration to protect cardholder data. Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data. Your hosting provider should have firewalls in place to protect and create a secure, private network.
- Do not use vendor-supplied defaults for system passwords and other security parameters. This means creating, maintaining and updating your system passwords with unique and secure passwords created by your company, not ones that a software vendor might already have in place when purchased.
Goal: Protect Cardholder Data
- Protect stored data. This requirement only applies to companies that store cardholder data to payment card industry data security standards. Specifically, companies that do not automatically store cardholder data are already avoiding a possible data security breach often targeted by identity theft. A PCI compliant hosting provider should provide multiple layers of defense and a secure data protection model that combines physical and virtual security methods. Virtual security includes authorization, authentication, passwords, etc. Physical includes restricted access and server, storage and networking cabinet locks, according to Computerworld.com.
- Encrypt transmission of cardholder data across open, public networks. Encrypted data is unreadable and unusable to a system intruder without the property cryptographic keys, according the PCI Security Standards Council. Cryptographic keys refers to the process in which plaintext, like the words seen here, are transformed into ciphertext. Ciphertext contains information unreadable to those without the cipher, or the specific algorithm that can decode the text.As an added security measure, sensitive authentication data, including card validation codes or PIN numbers, must never be stored after authorization – even if this data is encrypted.
Goal: Maintain a Vulnerability Management Program.
- Use and regularly update anti-virus software. An anti-virus software service needs to be frequently updated to protect against the most recently developed malware. If your data is being hosted on outsourced servers, a managed server provider is responsible for maintaining a safe environment, including generating audit logs.
- Develop and maintain secure systems and applications. This includes discovering newly identified security vulnerabilities via alert systems. Your PCI compliant hosting provider should be monitoring and updating their systems to accommodate any security vulnerabilities.
Goal: Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know. Limiting the number of personnel that have access to cardholder data will lessen the chances of a security breach.
- Assign a unique ID to each person with computer access. User accounts with access should follow best practices, including password encryption, authorization, authentication, password updates every 30 days, log-in time limits, etc.
- Restrict physical access to cardholder data. If your data is hosted in an off-site data center, your data center provider should have limited personnel with access to the sensitive information. PCI compliant data centers should have full monitoring, including surveillance cameras and entry authentication to ensure a secure and PCI compliant hosting environment.
Goal: Implement Strong Access Control Measures
- Track and monitor all access to network resources and cardholder data. Logging systems that track user activity and stored archives can help your hosting provider pinpoint the cause in the event of a security breach or other issue.
- Regularly test security systems and processes. With regular monitoring and testing processes in place, your data hosting provider should be able to assure you that your customers’ cardholder data is safe at all times.
Goal: Maintain an Information Security Policy
- Maintain a policy that addresses information security. This policy should include all acceptable uses of technology, reviews and annual processes for risk analysis, operational security procedures, and other general administrative tasks.
If you are choosing a data hosting provider, ask for documentation of the processes that ensure the 12 PCI compliance requirements can be met.
Bottom Line
PCI compliance is required for many industries, especially those that accept debit / credit payments, or require financial information. If you handle this kind of data, chances are you need to adhere to PCI compliance. It’s all in an effort to better protect consumers from fraud and theft, so it is important to examine and take steps towards PCI compliance as soon as possible.
Let’s Get In Touch
If you’re not sure whether you are in PCI compliance or not, it’s time to talk to an expert. Otava boasts baked-in compliance to all of our products, so you can rest assured you’ll ace every audit. Contact us today to learn more about how our professionals can make your business PCI compliant.
GET IN TOUCH
More resources
Levels of PCI Compliance: Do you know what level your business falls under to meet PCI compliance? While the 12 PCI compliant requirements are dictated by the PCI Security Standards Council (PCI SSC), compliance is enforced by the credit card issuer companies…(Keep Reading)
Encrypting Backup Data for HIPAA and PCI Compliance: Stored data is a top target by hackers, especially the type of data that can be used for fraud and medical identity theft – within the healthcare industry in particular, encrypting stored data to meet HIPAA compliance is one way to avoid the HIPAA Breach Notification Rule and keep data secure…(Keep Reading)
Tackling PCI Compliance Challenges in the Cloud: In addition to defining PCI cloud hosting providers’ roles and responsibilities when it comes to achieving compliance in conjunction with clients/merchants, the recently released PCI DSS Cloud Computing Guidelines from the PCI Security Standards Council, also covers a few examples of compliance challenges that may arise…(Keep Reading)
Achieving Compliance in a Hybrid Cloud: According to the 2019 Rightscale® State of the Cloud report, the number of enterprises with a hybrid cloud strategy (one that combines both public and private clouds) grew to 58 percent for 2019, up from 51 percent in 2018. While the growing trend is exciting, it can create some anxiety around how to maintain compliance across the environment. In fact, 81% of respondents for the report indicate compliance was a top…(Keep Reading)
About Otava
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.