The best way to truly strengthen your business’s security posture—which is the goal of the PCI DSS—is to have a sober understanding of your risk as well as the full scope of your PCI compliance responsibility. Here are five best practices for easily and cost-effectively protecting your business against data thieves.
Owners of even the smallest businesses need to understand what happens to each customer’s sensitive data as soon as it leaves the customer’s hands and enters the business’s data processing, storage and transmission systems. As the customer’s information moves through your business processes, it is critical to maintain that data’s security and integrity.
Sensitive data can be financial information, such as credit card numbers, as well as any personally identifiable information (PII) that can be linked to an individual. Be sure to understand and identify all the places within your office environment, business processes and systems that sensitive data is captured, exchanged or stored.
A significant first step to putting security controls in place is assigning individual responsibility and accountability for monitoring and protecting the sensitive data your business handles. We suggest creating a simple spreadsheet that documents the various types of sensitive data your business is handling, its location, and who has responsibility for it. Be sure to review this spreadsheet on a quarterly basis at minimum, to ensure that the information it contains remains current.
One of the easiest steps toward lowering the security risk to your business (and reducing your scope for complying with the PCI DSS) is to not store cardholder data, period. Examine the spreadsheet you created as part of Best Practice #1 to evaluate where your sensitive data resides. Ask yourself with each line item: Does this information really need to be retained and stored?
The more items you can remove from your spreadsheet (because you aren’t storing the data), the better. If there is a significant business reason for you to store sensitive data, the following steps will help you secure it:
- Limit database access to only those who absolutely need it, giving those parties their own, unique credentials;
- Do not store authentication data for either your employees or your customers; and
- Implement a tokenization solution to enable repeat online customers to securely store and access their payment information.
Again, the best thing you can do for your business is not store cardholder data or PII at all.
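To make the storage advice concrete, here is an added example written for this article; it is not ControlScan's code and not a product the article names. The `TokenVault` class stands in for an external, PCI-validated tokenization provider (a merchant would call the provider's API rather than run a vault of its own), `StoredPayment`, `store_payment` and `find_pan_like` are hypothetical names, and `4111111111111111` is a widely published test card number, not a real card. The point it shows: the merchant's own record keeps a random token, the last four digits and the expiry, never the card number or the security code, and a Luhn-based scan over stored values lets you verify that nothing card-like has been retained by accident.

```python
"""
Tokenization and "is a card number hiding in here?" check. Added example
for this article, not ControlScan's code. TokenVault is a stand-in for an
external tokenization service; the merchant never stores the PAN itself.
"""
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, so a 13-19 digit
    run that passes is worth treating as a possible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a tokenization provider (hypothetical). It is the ONLY
    place the PAN exists; the merchant database only ever sees the token."""

    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # Random, letters-only token: nothing about the PAN can be derived
        # from it, and it can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token[token] = pan
        return token


@dataclass(frozen=True)
class StoredPayment:
    """What the merchant keeps for a repeat customer: token, masked digits
    for display, expiry. No PAN, no security code."""
    customer_id: str
    token: str
    last4: str
    expiry: str


def store_payment(vault: TokenVault, customer_id: str, pan: str, cvv: str, expiry: str) -> StoredPayment:
    """Take the checkout form's card fields and keep only what is needed.
    `cvv` is accepted so the signature mirrors a real form, then discarded:
    it must not be written anywhere once the authorization is done."""
    del cvv
    token = vault.tokenize(pan)
    return StoredPayment(customer_id=customer_id, token=token, last4=pan[-4:], expiry=expiry)


# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RUN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")


def find_pan_like(values) -> list[str]:
    """Scan stored values (a database export, the Best Practice #1
    spreadsheet) for runs of digits that pass Luhn. Returns the matches."""
    hits = []
    for v in values:
        for m in PAN_RUN_RE.finditer(str(v)):
            digits = m.group(0).replace(" ", "").replace("-", "")
            if luhn_valid(digits):
                hits.append(m.group(0))
    return hits


# Constructed sample: a published test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def demo():
    """Returns (merchant record, hits in that record, hits in a naive record)."""
    vault = TokenVault()
    record = store_payment(vault, "cust-42", SAMPLE_PAN, "123", "12/27")
    leaks = find_pan_like(vars(record).values())            # expected: []
    naive = {"customer_id": "cust-42", "card": SAMPLE_PAN}   # the thing to avoid
    naive_leaks = find_pan_like(naive.values())              # expected: [SAMPLE_PAN]
    return record, leaks, naive_leaks


if __name__ == "__main__":
    rec, leaks, naive_leaks = demo()
    print(rec)
    print("tokenized record hits:", leaks)
    print("naive record hits:", naive_leaks)
```

Run the scan over every column of every table in the spreadsheet's "location" entries; a hit in a place that is not the tokenization provider is a line item to remove, not to protect.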
Good security incorporates “defense in depth,” or multiple layers of protection. One of the primary requirements of the PCI DSS is to have a properly configured firewall in place, because for businesses with an Internet connection, firewalls are a first line of cyber-defense.
It is imperative to properly configure your firewall according to the way your business handles data. The issue with “plugging in and forgetting” your business’s firewall is that a poorly configured firewall is only slightly better than no firewall at all. According to the United States Computer Emergency Readiness Team (US-CERT), the most common configuration mistake is not providing outbound data rules, which can leave the business open to external attack.
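The "no outbound rules" mistake is easy to see once the two configurations sit side by side. Below is an added example written for this article (not ControlScan's code and not a tool the article names): two constructed nftables-style rulesets, the plug-in-and-forget one beside the corrected one, and a small self-check that parses them and reports the mistake. It assumes one rule per line and no anonymous sets (`{ ... }`) inside chains; `203.0.113.10` is a placeholder from the RFC 5737 documentation range standing in for a payment gateway address, and `parse_chains` and `audit_ruleset` are hypothetical names.

```python
"""
Firewall egress self-check. Added example for this article, not
ControlScan's code. Parses a small nftables-style ruleset and flags the
US-CERT mistake: inbound filtered, outbound left wide open.
Assumes one rule per line and no anonymous sets inside chain bodies.
"""
from __future__ import annotations

import re

# "Plug in and forget": inbound is filtered, outbound has no rules at all.
# Constructed sample, not taken from any real system.
WEAK_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Corrected: default-deny in both directions with explicit outbound allows,
# and a logged drop so blocked egress attempts show up for review.
# 203.0.113.10 is a placeholder (RFC 5737) for the payment gateway.
HARDENED_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        udp dport 53 accept comment "DNS resolver"
        ip daddr 203.0.113.10 tcp dport 443 accept comment "payment gateway"
        log prefix "egress-denied: " drop
    }
}
"""

CHAIN_RE = re.compile(r"chain\s+(\w+)\s*\{(.*?)\}", re.DOTALL)
HOOK_RE = re.compile(r"hook\s+(\w+)")
POLICY_RE = re.compile(r"policy\s+(\w+)")


def parse_chains(ruleset: str) -> dict[str, dict]:
    """Return {hook: {"name", "policy", "rules"}} for each base chain."""
    chains = {}
    for name, body in CHAIN_RE.findall(ruleset):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        header = [ln for ln in lines if ln.startswith("type ")]
        if not header:
            continue  # regular chain with no hook: not a policy boundary
        hook = HOOK_RE.search(header[0])
        policy = POLICY_RE.search(header[0])
        rules = [ln for ln in lines if not ln.startswith("type ") and not ln.startswith("#")]
        chains[hook.group(1)] = {
            "name": name,
            # nftables treats a missing policy as accept
            "policy": policy.group(1) if policy else "accept",
            "rules": rules,
        }
    return chains


def audit_ruleset(ruleset: str) -> list[str]:
    """Findings to fix before calling the firewall 'configured'."""
    chains = parse_chains(ruleset)
    findings = []
    out = chains.get("output")
    if out is None:
        findings.append("no output chain: outbound traffic is not filtered at all")
    elif out["policy"] == "accept" and not out["rules"]:
        findings.append(f'chain {out["name"]}: policy accept with no rules (US-CERT "no outbound rules" mistake)')
    elif out["policy"] == "accept":
        findings.append(f'chain {out["name"]}: default policy accept; prefer drop with explicit allows')
    inp = chains.get("input")
    if inp is None or inp["policy"] == "accept":
        findings.append("input chain missing or default-accept: inbound traffic is not restricted")
    return findings


if __name__ == "__main__":
    for label, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, audit_ruleset(rs) or ["no findings"])
```

The hardened output chain only lets the systems in scope reach the resolver and the payment gateway; everything else is dropped and logged, which is also the simplest way to notice a machine inside the network trying to reach somewhere it never should.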
Protecting your perimeter means checking for any unprotected holes that could allow attackers to gain entry. The most common mistake is a remote access service that has been left up and running with a weak or, even worse, a default user ID and password in place. This often happens when consultants, contractors or VARs want to conveniently access business systems remotely in order to provide support. You can mitigate this security risk by limiting remote access to your network, ensuring remote access is only enabled when it has to be, and requiring vendors to use two-factor authentication for access.
If your business runs Internet-facing Web applications—in particular, an ecommerce site that accepts card payments—PCI DSS Requirement 6.6 requires that you either deploy a Web Application Firewall (WAF) or have your website reviewed annually (or after any changes). Most merchants don’t have the resources to engage a technical expert to review their site after changes, so a WAF is the optimal alternative.
One of the weakest links in the security chain is humans—your employees; therefore, security awareness training is a critical, ongoing requirement for all employees, no matter the size of the business. Level 4 merchants should conduct security awareness training on an annual basis and include specific instructions for how employees should handle sensitive information and credit card transactions.
From a technology standpoint, merchants should be using payment technologies that have been tested and approved for PCI PA-DSS compliance. The PCI SSC requires regular, ongoing reviews of payment applications, and maintains a list of validated payment applications on its website.
In addition to segmenting the card data environment away from the rest of the network, it’s important to keep commercial-grade anti-virus protection resident and current on every machine. Follow your technology vendor’s recommendations for installing and using every patch and service kit released for your systems and applications.
Today, many small merchants are outsourcing all or part of their card processing steps to service providers, such as shared hosting providers, payment gateways, managed security firms, etc. It is typical for merchants to outsource all or part of their IT infrastructure to service providers as well. Unfortunately, more than half (51%) of respondents to the 2013 Survey of Level 4 Merchant PCI Compliance Trends said they do not require their third-party service providers to be PCI compliant.
A service provider’s inability to properly protect your customer data could implicate your business should a breach occur. Protect yourself by asking for proof of compliance, as well as requesting any other audit reports such as the SAS 70, or its successor, the SSAE 16. These reports are often held by larger companies that store and/or process financial or other critical information on behalf of others.
For most Level 4 merchants, technology and data security are foreign and frustrating concepts. If you’re in a place where you would rather run your business than worry about hackers and security threats, PCI DSS-compliant service providers are the way to go.
Just as you rely on the merchants you shop with, your customers are depending upon you to protect their sensitive information. As a small business owner, it is your responsibility to take threats to your business systems seriously so that consumer information can be protected. Your customers won’t thank you, because they will never know how you’ve protected them behind the scenes. But the alternative (fines, penalties and lost business) is not worth the risk.
For additional detail on these five tips, download the entire ControlScan white paper, “The 5 Data Security Best Practices for Small Merchants,” or give us a call at 800-825-3301, ext. 2. We are happy to help.