PCI - Security Metrics
What is PCI?
In this article I want to briefly outline what PCI means within the payment card industry, and then discuss how following the guidelines in the Payment Card Industry Data Security Standard (PCI DSS) documentation can help you stop fraud attacks on your small business.
Every merchant that wants to accept credit card payments must ensure that any account details they store are kept in a secure environment. If you fail to meet these standards, or a security breach occurs, you could be hit with large fines or have your payment processing privileges revoked.
This must sound terribly complicated to new business owners who already have enough on their plate trying to get approved for a merchant account and finding the best rates on transaction fees; some banks even charge for confirming that you are PCI compliant. My recommendation is to contact a dedicated merchant services company that specializes in setting up payment systems: banks tend to take advantage of beginners' inexperience, and compliance is not their financial priority.
Below I have detailed some of the main security issues that businesses should be aware of. Although technology has evolved greatly over the last decade with the introduction of Chip and PIN on card machines, the merchant must still do their part to protect cardholder information after a purchase has taken place.
- Only purchase PDQ machines from a PCI compliant vendor; the PCI Security Standards website lists all of the approved devices under the individual brand names.
- Buy a wireless router that encrypts its traffic.
- Choose strong passwords for your router, and never keep the password given to you by the supplier, because criminals acquire lists of these default passwords.
- Use premium antivirus software, such as Norton 360, which includes a firewall.
- Criminals always find ways to exploit new technology, so regularly check your card processing machines for attachments used for 'skimming' and 'cloning' cards.
- Choose strong passwords for your auditing software, and only store cardholder details if it is absolutely necessary.
- If you have an online shopping cart or e-commerce website, make sure that the software it uses is also PCI compliant.
- Use added protection on your online store, such as 3-D Secure, approved by Visa.
- Inform your staff of these practices and how everyone must play their part in checking for vulnerabilities.
You may have heard the term 'Security Metrics' when researching PCI compliance; it actually refers to a vendor that can grant your business approval after carrying out on-site PCI tests. It currently has the largest support staff in the industry worldwide, and you can seek support from them or from another approved scanning vendor such as Global DataGuard.
If you are unable to find or contact a vendor directly, speak to your merchant account provider who will assist you.
Memorable Flow Diagram
Above is a memorable flow diagram to help you remember to continuously monitor for and fix any vulnerabilities that are discovered, and then report them to the relevant authorities to show your compliance.
Below there is also a slightly cheesy but effective song which helps you remember; I actually liked the harmonica because I play one!