How To Keep Cardholder Data Safe and Secure
Understand what to need to do to comply with Payment Card Industry Data Security Standards in UK. Vendors need to understand and implement the standards for a secure payment taking process in the UK.
If your business is compliant with PCI DSS it is highly unlikely it will suffer a damaging breach of security and loss of data. It is best practice to follow for protecting credit card data. The widely accepted policies and procedures are designed to protect your customers and your business.
Create Your Own PCI DSS Compliance Checklist
PCI compliance in UK is critical to business resilience and the protection of your business reputation.
The Payment Card Industry has its own standards to follow. It is worthwhile creating your own PCI DSS compliance checklist to self assess your business risks and then take proportionate remedial action.
Your business should audit and self assess your business practices periodically. The audits will further protect consumers and businesses from data theft and fraud. PCI DSS policies and procedures cover data encryption to network compart mentation to reduce the spread of a breach.
Requirements of PCI DSS include :
- Install and maintain a firewall configuration to protect cardholder data : firewalls prevent against unauthorised access to cardholder data and their effectiveness needs to be assessed.
- Do not use vendor-supplied defaults for system passwords and other security parameters : Vendor-supplied default settings must therefore be changed and unnecessary default accounts disabled or removed before any system. This applies to firewalls too.
- Protect stored cardholder data : set clear policies procedures and processes for the retention and disposal storage of cardholder data. Firstly don’t keep what is not needed then protect what is store via encryption, truncation, masking and hashing. Examples of customer data never to be retained includes chip data and card verification number (CVN) and customer PIN numbers (personal identification numbers). Cryptographic keys should therefore be stored securely and access to them should be restricted to key personnel only.
- Encrypt transmission of cardholder data across open, public networks : Cryptography and security protocols (e.g. TLS, IPSEC, SSH, etc.) should be used to safeguard sensitive cardholder data during transmission over open, public networks that could easily be accessed by malicious individuals such as the internet and Bluetooth, GPRS and satellite communications. Secure procedures, policies and practices should be documented and relevant personnel informed and trained.
- Protect against malware and regularly update antivirus software or programs : Antivirus software must be used to protect against viruses, worms and Trojans. Must assess the risk from systems indirectly and directly connected to computer systems that could be infected by malware. Where there is an interruption to antivirus software then the risk should be reassessed and remedial action taken.
- Assess maintain and review security of systems and applications : Identify, evaluate and control changes in security posed from vendor software updates. vulnerabilities are fixed by patches issued by the software vendors to ensure that your systems continuously upgraded as vendor systems are updated, or as soon as possible thereafter.
- Restrict access to cardholder data : The number of users who can access critical cardholder data should be restricted. Record who does have access and ensure access is necessary for operational activity and only access minimal information for job tasks.
- Create an audit trial by identifying and authenticating access to system components : Manage and document non-consumer user and administrator access to systems with the allocation of unique ID’s. Control the use of ID’s via passwords, smart cards and biometrics. When access to systems is required from remote locations a minimum of two-factor authentication must be used.
- Restrict physical access to cardholder data : Electronic Develop different controls for onsite personnel and visitors. Physical access to systems should also be limited and monitored by the use of appropriate controls. Extra physical controls should be in place for high risk items or areas including server rooms and data centres. All hardware should be secured to building. Media storage, access and disposal should be secure. Devices that capture payment card data via direct physical interaction with the card must be protected from tampering and substitution, and should be periodically inspected to detect tampering or substitution. An up-to-date list of these devices should be maintained.
- Track and monitor all access to network resources and cardholder data : The use of logging mechanisms is critical in preventing, detecting and minimising the impact of data compromises. Breaches should be logged and investigated. Secure, controlled audit trails must be implemented that link all access to system components with individual users and log their actions (including access to cardholder data, actions taken by individuals with root or administrative privileges, access to audit trails, invalid logical access attempts, use of and changes to identification and authentication mechanisms, the initialising, stopping or pausing of audit logs, and the creation and deletion of system-level objects). Audit trail history should be retained for at least a year, with a minimum of three months’ logs immediately available for analysis. Logs and security events should be regularly reviewed to identify anomalous or suspicious activity.
- Regularly test security systems and processes : System components, processes and custom software must be regularly tested to ensure the continuing utility of security controls. Documented processes must be implemented to detect and identify all unauthorised wireless access points on a quarterly basis. Internal and external network vulnerability scans must be performed by qualified personnel at least quarterly and after any significant change in the network (e.g. new system component installations, changes in network topology, firewall rule modifications and product upgrades). Intrusion detection/prevention techniques should be used to detect and/or prevent network intrusions, and a change detection mechanism should be employed to perform weekly critical file comparisons, and to alert personnel to unauthorised system modifications. Internal and external penetration testing must be carried out at least annually as well as after any significant change in the network (e.g. operating system upgrade, the addition of a sub-network or a web server). Exploitable vulnerabilities found during penetration testing must be corrected and testing must then be repeated to confirm that the corrections are adequate.
- Maintain a policy that addresses information security for all personnel
For more information on technology risks
Subscribe to BusinessRiskTV.com for free today