When you run a business that accepts card payments, you're almost certainly going to be covered by PCI DSS requirements. PCI DSS stands for Payment Card Industry Data Security Standard and, to put it simply, these are the legal requirements you have to fulfil when processing card transactions.
These requirements exist to protect you and your customers from card fraud. Take a look through our list to be sure you're following them all. Failure to do so can leave you open to a lawsuit and uncovered by insurance if fraud does occur.
1. Maintain a Firewall
A firewall must be used to prevent unauthorised access to your systems from outside of your network. The firewall should be properly enabled and updated so it only allows what you want to pass through it.
2. Use of Anti-Virus and Anti-Malware Programs
Anti-virus and anti-malware seem like obvious things to have, yet there are still people and businesses who use inadequate coverage. It's best to go with the most reputable brands, regardless of cost. The programs should be configured to work with your systems in the best way too, and of course they should be updated regularly. Remember to actually use these programs and scan regularly too.
3. Change All Default Settings
Never keep default accounts or passwords on your system. Change or delete every one of these before setting up your network. Some programs may come with default settings which can be exploited; be wary of this and set up all software thoroughly.
4. Use of Secure Digital Storage
Any data which is stored must be stored in a secure manner. This means that even if you are taking credit card payments over the phone instead of online, you can't just jot the details down on a notepad. Everything should be entered through your system, which should use appropriate forms of hashing and encryption to store it all securely.
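As an added example (not code from the original post), the following shows the shape of a card record that keeps only what secure storage allows: the number is validated, reduced to a masked form for display, and a keyed hash (HMAC) is kept so records can be matched without holding the full number. The key and the test card number are constructed for the demo; encryption of the full number, which the post also calls for, would use a separate key and a vetted library and is not shown here.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In production the key lives in a key-management
# system or HSM and is never embedded in source code.
DEMO_HASH_KEY = secrets.token_bytes(32)


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' match."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects mistyped numbers before they are stored."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for display or receipts."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash of the number: lets a system match a card without storing it.
    A plain unkeyed hash would be brute-forceable over the small PAN space."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def store_card_record(pan: str, key: bytes = DEMO_HASH_KEY) -> dict:
    """Build the only fields a stored record should carry from the number."""
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return {"masked_pan": mask_pan(pan), "pan_hmac": pan_fingerprint(pan, key)}
```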
5. Maintaining a Secure, Updated System
Your entire network should also be updated regularly. Any software which isn't updated with the latest patches could be vulnerable as an entry point for attackers. Stay safe and stay up to date.
6. Restriction of Access to Data
Access to the sensitive data you hold should be restricted and given only when truly needed. Using a system which logs access and uses identifiers to see who accessed the data is a great way to spot unauthorised usage. Only allowing access when the account in question needs it is also a great idea.
7. Restricting Physical Access to Devices
Online security is one thing, but you still need to think about offline security too. It's no good if somebody can just walk into your server room and swipe your raw data to try to figure it out at home. Keep your data servers in a physically safe location, under lock and key, where access is restricted.
8. Security Testing
Regular testing can alert you to vulnerabilities in your system before they become a serious problem. Take advantage of this and test often. Use qualified personnel and be sure to have a good network administrator around to spot weaknesses.