Understanding the Many Aspects of PCI-Compliance
Within the last year, over 20 hotels were identified as having been hacked by a particular batch of cyber-attacks. The hacks themselves came in a variety of forms, including guest Wi-Fi intrusion, phishing backed by fake phone calls from “customers”, and physical skimming devices, but all the attacks were targeting the same data: credit card numbers. This recent wave of high-profile hacks is, in fact, just a development of something that eCommerce and retail merchants have been struggling with for some time. Payment cards have been targeted by scam artists since their invention, and the increase in card use and customer data storage has only created more tempting targets holding hundreds to thousands of credit card numbers to steal.
If you are a hotel, restaurant, eCommerce vendor, or retail merchant who processes credit cards, then this recent rise in hacker activity should be particularly concerning. Of course, until there’s a ‘hack them back’ virus, our best defense is superb cybersecurity. That’s where PCI compliance comes in.
PCI Compliance Explained
You’ve probably heard the term PCI compliance bouncing around the industry, but many businesses don’t quite realize what it means yet. Practically, PCI compliance refers to a particular way to configure your payment devices and business network for the maximum possible data security against hackers. However, it’s not just some commonly shared list. PCI compliance is actually the set of security standards established by the payment card industry itself, in an effort to work together with merchants to protect consumer credit and debit cards. The full name is really PCI-DSS compliance, short for Payment Card Industry Data Security Standard.
The reason this special list of devices and programs isn’t just a friendly guideline for business data security is that something special happens when you meet every one of the PCI standards: your payment processing and data security become as safe as modern techniques know how to make them. When you achieve PCI compliance, this is something you can assure your customers with, use as leverage with a bank, and then use as a strong starting place for keeping up with future anti-virus and security updates. After all, cybersecurity is a constant battle. What is PCI-compliant this year is likely to be updated in the future to account for the new kinds of attacks that hackers will devise.
The Payment Card Industry Data Security Standard is based on a combination of best practices and defenses designed to counteract known threats. One of the most important of these best practices, and something you can start implementing before you even invest in any of the PCI-approved products, is encryption from the moment a customer interaction begins. This ensures that no matter what stage a hacker invades, any stolen data will be useless to them. The information on the magnetic stripe of a credit card, commonly known as the ‘swipe’ data, is read by the device and will ideally be encrypted right at that moment or as soon as possible afterward. Your point of sale device should still be able to work with the information and then safely delete any records of the swipe data.
If you work with credit card numbers along with any other recorded information about your clients, like names, addresses, and phone numbers, all of this information should be encrypted as well. While it’s understood that many companies include holding onto this information as part of their business model, all databases should be encrypted, and the information should be thoroughly deleted whenever it is no longer needed.
Another major aspect of PCI compliance is cloud hosting for your sensitive data. Hackers almost universally attack the local computers, devices, and your local network. However, a connection to your network will not give them access to, or allow them to infect, a server hosted in half a dozen distant cloud data centers. Most of the big-name and many of the small-name cloud hosting services adhere to PCI-compliant practices and would be happy to talk with you about how their servers can help you maintain customer payment card security. If you are going to store sensitive customer data, encrypted or not, it’s best to keep it on a cloud server and access it remotely through a secure platform. In fact, the more of your network you can move to the cloud, the more secure it will be from malware and other local risks.
Point of Sale Computers
The first physical aspect of PCI compliance is the point of sale devices and computers, which usually run card information through the registers even if you don’t store it. To achieve PCI compliance, you’ll need to work with point of sale devices and computers that have been approved by the payment card industry as being properly secure. This means that the systems have no known security vulnerabilities and come at least part-way preconfigured to help you resist unwanted access or malicious programs. Many point of sale vendors have worked hard to get their products up to PCI compliance, so you should have no problem finding a model that suits your needs. However, once you have a PCI-compliant device, it’s your responsibility to ensure that it is properly configured.
PIN Entry Devices
PIN entry devices are the machines used to swipe credit and debit cards and enter PINs, hence the name. Most people don’t think of their swipe devices as being part of network security, but they are a networked end-point that handles payment data. Hackers have figured out ways to compromise some models of PIN entry device and ‘skim’ the swipe data directly from the device. The best way to resist this unusual attack is to ensure that you have a PCI-compliant PIN entry device. The security vulnerabilities that allowed older models to be hacked have since been fixed in newly approved devices. In most cases, you should be able to get compliant swipe devices from the same vendor as your point of sale computers.
Modern businesses need to run payment information through certain software in order to function properly, meaning that your PCI compliance journey isn’t over until your new devices have been set up with the right software installation and settings as well. Fortunately, there’s a fairly wide selection of business payment application software for you to choose from. If used correctly, the approved programs can help you manage payment information safely while it stays encrypted.
The final step for complete PCI compliance is a well-trained staff who understand how to maintain all the necessary security standards. Your new setup should be very secure, but your staff still have to be the ones who use the special software and operate the new secure devices. While activities like turning the monitor around to display sensitive information are obviously to be avoided, they will also need to understand all the new procedures and how to avoid things like phishing attacks. Train your employees to be very careful about web surfing, links in emails, and giving contact information to suspiciously pushy customers.
PCI compliance is something that any business can achieve with time and investment. That said, if you’re going to pace yourself with the upgrades, make sure to stay current on the most recent PCI compliance standards. Cybersecurity is not a static thing: the hackers keep thinking up new ways to attack, and we keep inventing new defenses to stop them.