Run A Restaurant, Hotel Or Shop? Do You Transmit Cardholder Data? Are You Compliant? MUST READ!

Posted 08 August 2017 | 0 Comments

Are you PCI DSS compliant? Do you have a PDQ machine that transmits customer data? Then this post is an absolute must read.

One of our regular clients asked us recently to assist them with their PCI DSS  self assessment questionnaire with AIB merchant Services.  They needed some technical questions answered and this is where we stepped up.  Once we completed the assessment, planned in further attestations and reviews, we thought we’d let you know how important it is to understand what you need to do and why! We’re sure that you would have heard of this before and certainly come across it – if you don’t already have a system in place. But for those you who aren’t quite sure, we’ve gone into it in a little more detail.

Maintaining Payment Security – what is PCI?

The Payment Card Industry Data Security Standards help protect the safety of card transaction data. They set the operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

Maintaining payment security is serious business. It is vital that every entity responsible for the security of cardholder data diligently follows the PCI Data Security Standards.

Why you must meet PCI DSS requirements

The full requirements of the PCI DSS must be met if you are not using a hosted solution. If the card payment application is in the merchant environment or, if the code that links to the hosted payment page is integrated into a merchant’s shopping cart, it is recommended that as well as doing the indicated checks, steps are taken to enhance the continuous security of your website and to help mitigate the risk of compromise to card and personal data.

Merchants can complete a questionnaire called a ‘Self-Assessment Questionnaire’ (SAQ), if they process less than ‘x’ card transactions per year. ‘X’ can be confirmed by the merchant..

Where appropriate, software also has to conform to Payment Application Data Security Standard (PA-DSS) requirements.

PCI SECURITY

How to Secure

Following guidance in the PCI Data Security Standard helps keep your cyber defences primed against attacks aimed at stealing cardholder data. See useful links

 Assessing the Security of Your Cardholder Data

Most small merchants can use a self-validation tool to assess their level of cardholder data security. The Self-Assessment Questionnaire includes a series of questions for each applicable PCI Data Security Standard requirement. There are different SAQs available for a variety of merchant environments. See useful links

The PCI DSS requirements

Regardless which annual method of attestation is completed, the following activities are required. These actions need to be done EVERY year. If you don’t continue to do this, you will not maintain on-going compliance.

  • Scans have to be undertaken on a quarterly basis.
    Complete the annual Risk Assessment on the environment where the card data is handled or touches the cardholder environment.
    Ensure third parties that store, process and/or transmit card data or are connected to the cardholder environment provide evidence that they have maintained their PCIDSS compliance and are still registered with the Card Schemes.
    If using a third party payment application in your environment, you must ensure the product and the particular version you are using is PA DSS compliant and that the guidelines provided by the supplier are fully adhered to.
    If you use an integrator to bring the products together, ensure they are certified to the X standard to do so.
    Train your staff to follow PCI-DSS procedures. You can view the PCI DSS Quick Guide to find out more about being compliant
    Make sure that you are only keeping data that is essential and ensure it is encrypted and/ or masked.

Monitor and control access to your e-commerce environment (i.e. make sure you have security controls for your e-commerce environment).

Protect your data network by making sure that you are using not only a firewall but also compliant and up-to-date anti-virus software. There are many anti-virus products on the market but you should purchase yours from a reputable company

Ensure that the shopping cart application is patched with the most up to-date version available

Network scans have to be undertaken on a quarterly basis and undertaken by an Approved Scanning Vendor (ASV)

Discuss security with your web hosting provider, to ensure that they have secured their systems appropriately. Web and database servers should be hardened to disable default settings and unnecessary services. Many International system hardening standards exist such as those provided by the centre for Internet security –and merchants should encourage their web host provider to adopt these standards. See useful links.

With any software or hardware that you choose to use to process transactions, the vendor should have product approval from the Payment Card Industry Security Standards Council (PCI SSC). We would recommend that you check the council lists to check the product approval.

If you have any questions around being compliant, please speak to your Acquirer for assistance or give Think Cirrus a call.  Your Acquirer is the company that you have your merchant account with. Most Acquirers have programs in place to manage and support their merchants’ ongoing PCI DSS compliance and validation.

If you have any questions regarding PCI DSS, please contact your acquirer bank.

Useful Links

https://www.pcisecuritystandards.org/pci_security/

http://www.cisecurity.org/benchmarks.html

https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

https://www.pcisecuritystandards.org/pci_security/completing_self_assessment