This article about PCI should be read by any merchant who accepts credit cards. It is particularly relevant if your POS system stores credit card data. Some POS systems may retain credit card data without you being aware of it. Should the computer with the POS system be stolen, or hacked, your company could be liable if those stolen credit cards are used. Read on for more details and tips on keeping data secure.
All merchants, no matter how small, who accept credit cards or debit cards are required to comply with a security standard called the Payment Card Industry Data Security Standard (“PCI DSS”, or just “PCI”). Failure to do so can result in significant fines, legal risks, or even loss of card-processing privileges. Here are some key things you should know about PCI:
1. Know your real goal (security, not compliance)
At the end of the day, PCI is all about helping merchants protect their customers, so you shouldn’t be looking to do the bare minimum to ‘pass’ PCI (just as you shouldn’t aim to ‘just pass’ a doctor’s examination when all that really counts is the underlying reality: your health). Merchants who concentrate on their customers’ safety will have a better business, less risk, and will find that PCI success comes almost as a painless symptom of doing the right thing.
2. Know your obligations
PCI covers a broad range of security requirements, many of which are highly technical (for example, it covers everything from how you configure and manage your computers and data, to how you train and manage your staff). You can learn a lot more about PCI at http://www.panopticsecurity.com/faq.html, or look at the official Self-Assessment Questionnaires created by the PCI council (https://www.pcisecuritystandards.org/saq/index.shtml). These don’t cover everything you need to know, but do give you a quick sense of what you need to do, and what to worry about most.
3. Take Action
It is critical that you don’t wait until something goes wrong and then try to react. Doing so never works with security issues, and often leads to expensive disasters. The only approach that works is to think about these problems in advance, and fix them before disaster strikes. Doing the PCI self-assessment is not only required of you, it gives you a good sense of what things you need to improve.
One of the good things about security (and PCI) is that you can often avoid problems, rather than confront and conquer them. This is not a ‘cheat’, but the best possible approach, as well as the cheapest and most efficient. The next few tips explain this in more detail.
5. Limit the scope
PCI is only concerned about those things (computers, people, paperwork, etc) that might deal with cardholder data such as credit card numbers. If you separate your world into an “affected by PCI” zone and a “not affected by PCI” zone, you can simplify your life dramatically by keeping the PCI zone small and simple. Every computer or piece of software you add to the PCI zone means more paperwork, more danger, and more expense. For example, if you have a computer that is used as a Point Of Sale, don’t use it for surfing the web as well: get a separate computer for surfing and ‘everything else’ and keep it completely separate from the PCI zone.
6. Don’t store cardholder data unless you absolutely have to
The biggest and messiest area of PCI has to do with any cardholder information that you store electronically. The best and cheapest answer is to simply NOT keep any such records: doing so makes your business significantly safer, and makes PCI a much simpler, easier process to worry about.
7. Don’t use unnecessary technology
Every new piece of technology that you introduce into the ‘PCI zone’ makes your life more complicated and risky. For example, wireless computer networking might be convenient, but if you use it in a way that overlaps with PCI, you have to worry about a number of highly technical questions (about device configuration, encryption, key management, and so on). If you possibly can, keep ‘messy’ technologies like wireless completely separated from anything to do with cardholder data.
8. No silver bullets
There are lots of companies out there promising that their product will make all your PCI worries go away, and these companies are all twisting the truth. There are many products that can help you, but don’t get fooled into believing that there’s a “silver bullet” that will kill all your problems. PCI is complicated and demanding, so don’t get fooled by snake-oil salesmen.
9. Keep at it!
Security is like physical fitness: you have to keep working on it all the time, rather than just making a big effort once a year or so. The right approach is to make it a small, but steady, part of your everyday life.
About the author - Tim Cranny, PhD - CEO
Tim is a leader in the information security space, having played key strategic and technical roles in a variety of high-tech startups. He has worked extensively and directly on cutting-edge technology (ranging from cryptographic networks to SaaS solutions built around artificial intelligence engines), but has long experience in embedding technology in its strategic and business context, and positioning his companies to exploit emerging trends in business and technology. Tim has worked extensively as a communicator and evangelist of security issues, having spoken at dozens of international conferences and written dozens of whitepapers and journal articles.
Education: Bachelor's Degree with First Class Honors (mathematics and physics), a University Medal, and a PhD in pure mathematics (obtained at age 24). CISSP
Panoptic Security is a technology security company that specializes in PCI compliance programs for small and mid-size merchants, ISOs, Acquiring Banks and credit card processors. Our executive team includes some of the security industry's leading technologists and PCI compliance experts.