This article by Mercury Payment Systems provides a clear and concise summary of how retailers can slay the PCI monster. We strongly recommend using Mercury’s SecureAssist® or a similar service from your bankcard processor to help you get and stay compliant: the $100,000 in breach assistance alone is worth a small monthly fee.
PCI MYTHS
If a merchant is running a PA-DSS compliant payment application, nothing more is needed.
- Running a PA-DSS compliant application addresses only one of the 12 requirements of PCI DSS.
My dealer told me I’m PCI compliant.
- You may not be compliant unless you are getting quarterly network scans and have completed your annual Self-Assessment Questionnaire. The dealer was most likely referring to the compliance of the POS application you use.
PCI compliance is just too complicated.
- Not necessarily. The requirements for PCI DSS are basically best practices that all businesses (regardless of size) should follow.
A breach won’t happen to me.
- For small merchants it is not a matter of if but when they will be breached. Data thieves are targeting small merchants daily and the average cost of a card data compromise can put a merchant out of business.
Merchant PCI DSS Responsibilities
1. Install and maintain firewalls – Software firewalls and router/firewall hardware are not sufficient to properly protect your POS system. See #10 below.
2. Change all vendor-supplied passwords – Make sure that all administrative, remote-access and default passwords are changed. Use complex passwords that contain both letters and numbers and are at least seven characters long.
3. Protect stored cardholder data – If your POS system stores any card data, it must be encrypted and secured. Paper receipts showing the full card number must be locked up and shredded when no longer needed.
4. Encrypt transmission of cardholder data across open, public networks – Any transmission of card data must be made over SSL-encrypted communication channels.
5. Use and regularly update anti-virus software – Make sure that your anti-virus definitions are up to date and that you renew your subscription annually.
6. Develop and maintain secure systems and applications – All merchants must use a PA-DSS compliant point-of-sale application.
7. Restrict access to cardholder data to only those people who need it.
8. Assign a unique ID to each person with computer access – Everyone who has access to the POS system must have a unique username.
9. Restrict physical access to cardholder data – Keep your POS computer in a locked cabinet or office.
10. Track and monitor all access to network resources and cardholder data – Install a business-level hardware firewall capable of inbound/outbound filtering, so that only traffic from known sources (such as Mercury) can reach your network.
11. Regularly test security systems and processes – Have your external network scanned for vulnerabilities once a quarter by an Approved Scanning Vendor, and complete an annual Self-Assessment Questionnaire.
12. Maintain a policy that addresses information security for all personnel.
Practical Steps to Reduce Your Risk
DISCONNECT security cameras, WiFi access points and other computers or devices from the POS network segment.
STOP all internet browsing from systems connected to the POS network segment.
CONDUCT a quarterly PCI vulnerability scan.
SCHEDULE regular anti-virus scans and definition updates.
APPLY all operating system patches and POS updates as soon as they are released.
ENABLE remote access only when needed; disable when done.
SEGMENT all other computers and devices from your POS network, including WiFi, back-office computers and laptops.
EDUCATE your employees annually about security best practices.
ENROLL in Merchant SecureAssist®, Mercury’s PCI compliance solution.
For more information about PCI Data Security, or how Merchant SecureAssist® can help you achieve PCI compliance, please contact us: 800.846.4472 | compliance@mercurypay.com.
The foregoing is provided for information purposes only, and is not legal advice. You should review your compliance obligations with your own legal or other advisors.