The Verizon 2015 PCI Compliance Report indicates that the number of businesses validated as PCI DSS compliant during the interim assessment continues to rise. But with less than a third (28.6%) of organizations still fully compliant just a year after successful validation, it's clear that sustainability is a challenge.
Often, security controls put in place in order to achieve PCI compliance are short-circuited once the assessment is successfully completed. The pressure from increasing customer demands; emerging technologies; and changes in an organization's goals, structure, and technology infrastructure can create compliance gaps. But it doesn't have to be that way.
Include PCI compliance tasks in everyday activities
For merchants seeking to protect their businesses and their customers from damaging data breaches, PCI compliance must be a continuous process throughout the year rather than validation at a single moment. Business owners must adopt the philosophy that complying with the standard means including people, processes, and technology in a comprehensive plan that incorporates security practices into everyday operational activities.
Most of the requirements to achieve PCI DSS compliance are common-sense practices that businesses should be following anyway. But sometimes the specifications may not be as clear as they could be.
That's why you'll want to keep this PCI compliance checklist handy when you're talking with clients. It can help you identify any weak spots in the point-of-sale (POS) solution and recommend hardware and software upgrades and procedural improvements that will leave customers with a more secure POS system.
12-point PCI compliance checklist
- Install (and update regularly) a firewall between any public networks and payment-card data locations.
- Change vendor-supplied default passwords for network equipment or payment-processing software or hardware.
- Don't store cardholder data in your POS system.
- Encrypt cardholder data when it passes across unsecured or public networks.
- Install (and update regularly) anti-virus software on all equipment that has contact with the cardholder data environment.
- Confirm that card-processing applications and systems carry vendor-supplied security patches.
- Limit access to cardholder data to just those employees with a legitimate need.
- Create a unique identification for each person with access to the cardholder data environment. Make it very difficult for someone to use another person's identification code.
- Restrict physical access to all devices where cardholder data can be accessed.
- Monitor and record access to networks and other places where cardholder data might be found.
- Test security systems and the network environment regularly, but don't be too predictable. Most businesses require penetration testing every year, and following a significant infrastructure or application upgrade or modification.
- Create and update a business policy to keep information secure.
As you can see, PCI compliance requires a few one-time actions and a host of other administrative and business processes that must be maintained on a regular schedule.
What PCI compliance strategies have been most successful for your clients?