I’ve worked in the payments industry as a system administrator for more than 15 years and have spent much of my career working with Payment Card Industry compliance, which covers the security requirements placed on companies that handle credit card data.
PCI compliance is a very complex field, with guidelines to which organizations in this industry must adhere in order to be permitted to process payments.
What is PCI compliance?
PCI compliance is a framework of requirements mandated by the Payment Card Industry Security Standards Council to ensure that every company that processes, stores or transmits credit card information maintains a secure operating environment to protect its business, its customers and confidential data.
The guidelines, known as the Payment Card Industry Data Security Standard, came about on Sept. 7, 2006 and directly involve all the major credit card companies.
The PCI SSC was created by Visa, MasterCard, American Express, Discover and Japan Credit Bureau to administer and manage the PCI DSS. Companies that adhere to the PCI DSS are confirmed as PCI compliant and are thus considered trustworthy to do business with.
All merchants that process over 1 million or 6 million payment card transactions per year, and service providers that store, transmit or process over 300,000 card transactions per year, must be audited for PCI DSS compliance. This article is aimed at companies subject to this annual audit.
It’s worth noting that PCI compliance doesn’t guarantee against data breaches any more than a home compliant with fire regulations is fully safe from fire. It simply means that the company’s operations have been certified as compliant with strict security standards, which gives the organization the best possible protection against threats, the highest level of confidence among its customers, and coverage of its regulatory requirements.
Failure to comply with PCI requirements can result in hefty financial penalties, from $5K to $100K per month. Businesses that are compliant and still suffer a data breach can face significantly reduced fines in the aftermath.
14 best PCI practices for your business
1. Know your cardholder data environment and document everything you can
There can be no surprises when it comes to implementing PCI compliance; all systems, networks and resources must be thoroughly analyzed and documented. The last thing you want is an unknown server operating somewhere or a series of mysterious accounts.
2. Be proactive in your approach and implement security policies across the board
It’s a huge mistake to approach PCI compliance security as something to be “tacked on” or applied only where requested. The concepts should be baked into the entire environment by default. Controls such as requiring multi-factor authentication for production environments, using HTTPS instead of HTTP and SSH instead of Telnet, and mandating periodic password changes should be in place in advance. The more security-minded your organization is, the less remediation work remains once the audit is complete.
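One way to turn items 1 and 2 into a repeatable check, as an added example that is not part of the original article: evaluate a documented inventory of cardholder-data-environment assets against the controls listed above. The inventory, hostnames and the 90-day password-rotation limit are constructed assumptions, not values from the article.

```python
"""Policy check over a constructed inventory of cardholder-data-environment
(CDE) assets. Flags what items 1 and 2 warn about: undocumented assets,
cleartext protocols (HTTP, Telnet), production hosts reachable without
MFA, and stale passwords. The 90-day limit is an assumed policy value."""
from dataclasses import dataclass, field
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90                     # assumed policy value
CLEARTEXT_PORTS = {23: "telnet", 80: "http"}   # expect ssh/https instead

@dataclass
class Asset:
    host: str
    environment: str                           # "production" or "test"
    owner: Optional[str]                       # None = undocumented (item 1)
    listening_ports: set = field(default_factory=set)
    mfa_required: bool = False
    max_password_age_days: Optional[int] = None  # None = never rotated

def check_asset(a: Asset) -> list:
    """Return one finding per policy violation found on this asset."""
    findings = []
    if not a.owner:
        findings.append(f"{a.host}: no documented owner")
    for port in sorted(a.listening_ports & set(CLEARTEXT_PORTS)):
        findings.append(f"{a.host}: cleartext {CLEARTEXT_PORTS[port]} on port {port}")
    if a.environment == "production" and not a.mfa_required:
        findings.append(f"{a.host}: production access without MFA")
    if a.max_password_age_days is None or a.max_password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"{a.host}: password rotation exceeds {MAX_PASSWORD_AGE_DAYS} days")
    return findings

def check_inventory(assets: list) -> dict:
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    return {a.host: f for a in assets if (f := check_asset(a))}

# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = [
    Asset("pay-gw-01", "production", "payments-team", {22, 443}, True, 90),
    Asset("legacy-pos-07", "production", None, {23, 80, 443}, False, None),
    Asset("qa-db-02", "test", "qa-team", {22, 5432}, False, 60),
]

if __name__ == "__main__":
    for host, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(host, *findings, sep="\n  ")
```

Feed it the asset list produced by the documentation exercise in item 1 and rerun it whenever the environment changes, so gaps surface before audit time rather than during it.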
3. Conduct employee background checks on employees handling cardholder data
All potential employees should be thoroughly vetted, including background checks for those who will work with cardholder data, whether directly or in an administrative or support position. Any applicant with a serious charge on their record should be rejected for employment, particularly if it involves financial crimes or identity theft.
4. Implement a centralized cybersecurity authority
For the best PCI compliance outcome, you need a centralized body to serve as the decision-making authority for all implementation, management and remediation efforts. This is typically the IT and/or cybersecurity department, which should be staffed by employees trained in this field and knowledgeable about PCI requirements.
*Note: There will be many differences between the source article and this one; we have rewritten it in our own words from the original source website.