PCI Free Blog

PCI Compliance: How to tell if you need to be compliant

Are you PCI compliant? Do you know? The PCI DSS, or Payment Card Industry Data Security Standard, is a set of mandatory security requirements for the card-processing industry. Any merchant that processes credit card information in the normal course of daily business must demonstrate that it is PCI compliant. It is not optional. Your business can be penalized and fined by the card associations (Visa, MasterCard, Discover, American Express and JCB, the Japan Credit Bureau) simply for not officially certifying your PCI compliance. Not knowing whether you are PCI compliant, or believing you are not required to be, is no defense against fines or, worse, data breaches.

In the vast majority of data theft cases, criminals used specially designed data-collecting software, known as “malware”, to intercept data in transit and to search for stored data.

PCI DSS 1.2 Requirement: Change all default passwords. The default passwords supplied when software is first set up are widely known and easily discovered by hackers, who can use them to reach sensitive information.

PCI DSS Goal 5, Regularly Monitor and Test Networks, contains the following requirements:

5.1 Requirement: Keep system activity logs that trace all activity, and review them daily. The information stored in the logs is useful in the event of a security breach for tracing employee activities and locating the source of the violation. Log entries record, at a minimum: the user, the event, the date and time, a success or failure indication, the source of the affected data and the system component involved.
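As an added illustration of the logging requirement above (this is example code written for this post, not part of the blog or of the PCI DSS itself), the Python below builds structured log entries carrying the minimum fields listed, checks existing log lines for missing fields, and produces the kind of summary a daily review would start from. The field names, the JSON-lines format and the sample log entries are assumptions chosen for the example.

```python
"""Added example (not from the blog post): build and check audit-log entries
carrying the minimum fields the post lists for PCI DSS logging: user, event,
date and time, success/failure, source of the affected data, system component.
Field names, format and sample entries are constructed assumptions."""
import json
from datetime import datetime, timezone

# Minimum fields every entry must carry (names are our own choice, not PCI's).
REQUIRED_FIELDS = ("user", "event", "timestamp", "outcome", "source", "component")
OUTCOMES = ("success", "failure")


def make_entry(user, event, outcome, source, component, when=None):
    """Build one structured log entry as a JSON line with all required fields."""
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {OUTCOMES}, got {outcome!r}")
    when = when or datetime.now(timezone.utc)
    entry = {
        "user": user,
        "event": event,
        "timestamp": when.isoformat(),  # date and time, timezone-aware
        "outcome": outcome,             # success or failure indication
        "source": source,               # origin of the affected data (e.g. address)
        "component": component,         # system component that handled the event
    }
    return json.dumps(entry, sort_keys=True)


def missing_fields(line):
    """Return the required fields absent or empty in one log line.
    An empty list means the line is complete; a line that is not a JSON
    object is treated as missing every field."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    if not isinstance(entry, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if entry.get(f) in ("", None)]


def daily_review(lines):
    """Summarise a day's log for the daily review the requirement calls for:
    count incomplete lines and tally failed events per user."""
    report = {"total": 0, "incomplete": 0, "failures_by_user": {}}
    for line in lines:
        report["total"] += 1
        if missing_fields(line):
            report["incomplete"] += 1
            continue
        entry = json.loads(line)
        if entry["outcome"] == "failure":
            user = entry["user"]
            report["failures_by_user"][user] = report["failures_by_user"].get(user, 0) + 1
    return report


# Constructed sample log: three complete entries plus one legacy free-text line
# that lacks the structured fields and must be flagged during review.
_T = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    make_entry("alice", "login", "success", "10.0.0.5", "pos-terminal-01", _T),
    make_entry("bob", "login", "failure", "10.0.0.9", "pos-terminal-02", _T),
    make_entry("bob", "login", "failure", "10.0.0.9", "pos-terminal-02", _T),
    "bob logged in at 08:05",  # legacy line: no structured fields at all
]

if __name__ == "__main__":
    print(json.dumps(daily_review(SAMPLE_LOG), indent=2))
```

Running the script reports four lines, one of them incomplete, and two failures for the user bob; the incomplete count is what an auditor would expect to be zero before the log can satisfy the requirement.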

5.2 Requirement: Each quarter, use a wireless analyzer to check for wireless access points and prevent unauthorized access. Also scan internal and external networks to identify any potentially vulnerable areas of the system. Install software that detects any modification made by unauthorized personnel, and ensure that all IDS/IPS engines are kept up to date.

Be sure to adhere to these PCI DSS compliance mandates for the protection of your business and your customers’ sensitive personal information.
