LOOMING DEADLINE: What Operators Need To Know About Credit Card Rules

Posted on April 20, 2010

JULY 2010 marks a key deadline for Payment Card Industry (PCI) compliance in the credit card processing industry.

By Crystal Sulzer

By July 2010 all merchants must be certified that they are compliant with the Payment Card Industry Data Security Standards. With more and more diversity on how we take credit cards, it has become more confusing to the merchant as to whether PCI applies to them or not. 

PCI APPLIES TO EVERYONE, even the companies that take only one or two cards a year. There are 12 requirements that a merchant must follow and adhere to when dealing with customers' credit card information.

Install and maintain a firewall configuration to protect cardholder data. 

  • By installing a firewall, this helps minimize the exposure from people trying to hack into your system.  There is not guarantee that someone cannot hack a firewall; but it does help minimize the accessibility of your system from people just randomly surfing systems.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Again, some of this is common sense. Use a password only you are going to know. Keep a list of your passwords accessible for your eyes only. Some systems will even tell you how secure your password is.

Protect stored data

  • Do not store cardholder data unless it is really necessary.
  • Do not email sensitive information such as full card number and expiration dates.
  • Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room.
  • Once information is stored, you should not have the full account number or the expiration date accessible at all.

Encrypt transmissions of cardholder data across open, public networks

  • Again, the full credit card number should never be seen.
  • If you are working on a system that has multiple users, make sure they only see the data on a need to know basis and only have access if absolutely necessary.

Use and regularly update anti-virus software

  • Virus software doesn't also help protect your data, it also helps protect your emails
  • Viruses can attach them selves to emails and kill you computer.
  • The recommendation is not to use just free anti-virus software. Remember you get what you pay for.

Develop and maintain secure systems and application.

Know what software you are putting on your system. Downloading applications from the Internet can have spy ware, leaving your computer compromised even if you have a firewall, because you gave it permission to be on your system.

Restrict access to cardholder data by business need to know.

Not every person in your company needs to know the billing information of your clients.  Passwords restrict those who don't need to know.

Assign a unique ID to each person with computer access.

By assigning unique IDs, if a compromise does happen it's easier to trace who actually accessed information that they didn't need.

Restrict physical access to cardholder data.

If you are storing actual receipts, make sure they are in a secure location under lock and key, filed, and secured with limited access to only key personnel.

Track and monitor all access to network resources and cardholder data.

Simply test your networks to make sure there are no breaches.

Regularly test security systems and processes

  • Have some type of policies and procedures in place to assure when employees leave, they no longer have access to secure data.
  • There are SAQ's (Self Assessment Questionnaires) available to help in these areas.

Maintain a policy that addresses information security.

Have procedures in place to address the employees need to know basis.

Just because you believe you've completed the above, does not make you compliant. 

This is a continual process and must be done once a year to ensure the best possible safety for the cardholder data that you store. One company does not make you compliant, because as you can see, there are many moving parts. If the engine breaks down, the whole car doesn't run. It's the same here. Look at the big picture of processing; you as a consumer want to make sure your data is protected by companies you're dealing with. It's the same for you're clients. 

It is always my recommendation to make sure you have an IT company that can assist you in the above areas that you may not be comfortable with, or may not know about.  Using the everyday Router with firewall for your home is not as secure as a company that specializes in these types of security for major networks. 

PCI may seem overwhelming, but it really comes down to good security, good practices, and good employees.

PCI may not be cheap, but in the long run, it can save you hundreds of thousands of dollars of fines. Visa/MasterCard and the Association are working hand in hand with the Payment Card Industry Standard Security Council to make this a smooth transition for all companies. Ultimately, it really is up to you as a merchant to know who you are dealing with and how to protect your clients' information and to adhere to the guidelines set forth by the PCI SSC.

To learn more about PCI Compliance please go to https://www.pcisecuritystandards.org/index.shtml or go to FERRARI MERCHANTS WEB SITE. Go to News and download the Understanding PCI Compliance -- a quick reference guide to PCI-DSS.

Crystal Sulzer is the managing partner of Ferrari Merchants in Tomball, Texas.

Related Topics: credit card compliance, credit card processing, Ferrari Merchants

Comments ( 0 )
More Stories
Durieu with his Cadillac XT6

Uber Black Driver Sees the Light

eNews Exclusive: Jordan Durieu started out with the TNC, but quickly realized it was time to provide service with higher standards.