PCI DSS and the Road to Compliance
When you’re in the world of cyber security and researching new products, there’s no doubt that you’ll run into a plethora of acronyms. With so much advanced technology and so many technical terms in play, it’s easier to shorten them to save time and space. However, sometimes all the terminology begins to run together. PCI DSS is one of those acronyms that we hear often but might gloss over.
But if you’re a website owner and especially if you handle payment, there are more than a few reasons why you should understand the nuances of PCI DSS and how it can be easier than you think to get on the road to compliance.
PCI DSS: What is it?
PCI DSS stands for Payment Card Industry Data Security Standard. In short, it’s a security standard for organizations that handle cards from the major brands (think Visa, Mastercard, American Express, etc.), intended to decrease credit card fraud. Before this overarching standard, each card brand could have had policies and regulations of its own. PCI DSS combined those slightly different programs into one so that policy could be regulated and maintained consistently.
PCI DSS is not only talked about within the realm of cyber security, but in pretty much any industry related to payment. If your organization deals with payment, and hence with credit card data, chances are you’re going to need to comply with PCI DSS. It sounds simple enough, but the controls for PCI DSS compliance cover 12 different requirements. These requirements include maintaining a firewall, encrypting data, restricting access, and so on. Therefore, it can be daunting for corporations or organizations to meet the standard.
However, PCI compliance is a necessary not-so-evil, and following just a few tips can put you well on the way to meeting many of the requirements. Today, we’ll give you three.
Three Tips to Get You Started on PCI DSS Compliance
1. PCI DSS Compliant Host
A PCI-compliant host can reduce your PCI obligations, but this is a feat easier said than done. There are many ways in which a host can be compliant: they may meet just one requirement or many. You can check the compliance status of a hosting service by contacting them directly, since hosts don’t always put the details where they’re easy to find. However, don’t take their word for it: ask for proof of compliance. A self-assessment says nothing on its own. If they’ve been assessed by a QSA (Qualified Security Assessor), you’re on the right path.
The benefits of a dedicated, PCI-compliant web host are many. While it might be a bit pricey to start out with, it can greatly reduce the security measures you must take yourself and save you costs in the long run.
2. Don’t Retain Cardholder Data
PCI DSS obligations differ from one vendor to another. For example, if you store cardholder data, your process becomes much more complex, because now you’re holding sensitive information.
However, if you choose to go the other route and refrain from retaining cardholder data, it greatly simplifies your security measures. Make sure that whatever payment method you’re using (payment processor, card reader, POS, etc.) doesn’t retain data. Additionally, check with your payment vendors on their methods regularly, just in case anything has changed. Per a survey conducted by the Ponemon Institute, 85% of the companies that didn’t retain cardholder data didn’t suffer any data breaches over a two-year period, as opposed to 40% of those who did retain data.
And if you must retain cardholder data? That is understandable, as many businesses offer recurring billing as a payment option. In this case, make it a bit easier on yourself by asking your payment vendor whether they offer options for inputting, storing, and encrypting card data on their systems, not yours.
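One practical check that goes with this tip is making sure card numbers are not quietly retained in your own logs or database dumps. The following is an added example, not code from the original post: it scans text for primary account numbers (13 to 19 digits, optionally separated by spaces or hyphens), confirms candidates with the Luhn checksum so ordinary IDs are left alone, and masks everything but the last four digits before the text is stored. The regex, function names and sample log lines are my own constructions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits with X, keeping the original separators."""
    total_digits = len(re.sub(r"\D", "", pan))
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def scrub(text: str):
    """Mask every Luhn-valid candidate in text; return (scrubbed_text, number_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        if luhn_valid(re.sub(r"\D", "", raw)):
            count += 1
            return mask_pan(raw)
        return raw              # numeric but not a card number: leave untouched

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed sample log lines. 4111 1111 1111 1111 is a well-known Visa test number;
# the 13-digit reference on the second line fails Luhn and must survive unchanged.
SAMPLE_LOG = [
    "2024-01-01 order=1001 card=4111 1111 1111 1111 status=approved",
    "2024-01-01 order=1002 ref=1234567890123 status=declined",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Run this over anything that is about to be persisted (application logs, support tickets, exported reports); a non-zero count is a signal that some component upstream is still retaining cardholder data.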
3. Web Application Firewall
Not only is using a WAF a smart choice to protect your website from attackers, it’s also a great way to get started on the infamous PCI DSS Requirement 6.6. This requirement covers protecting public-facing web applications, and the data behind them, from known attacks. To meet it, you can either deploy a WAF or have an application code review performed. An application code review is an expensive process. By no means am I saying that owning a WAF will be cheap. However, the good news is that there are options out there: some are even free up to a certain amount of traffic, and some provide SSL as an added service.
So now what?
Following these three tips won’t guarantee that you’ll meet all 12 requirements. But if you’re striving for compliance with a complex standard like PCI DSS, the best things you can do are a) approach it in a cost-effective way and b) reduce the number of requirements you must meet yourself by choosing fewer solutions that still produce outstanding results.
As they say, half the battle is getting started, so get on that road today. It might prove easier than you originally thought.