PCI DSS Compliance
In summary, the Payment Card Industry’s Data Security Standard (PCI DSS) applies to organisations that store, process, or transmit cardholder data, so the standard must be applied across the entire Cardholder Data Environment (CDE).
In my opinion, when applied correctly PCI DSS Compliance is simple to achieve, maintain and check. We can help, so whatever your concerns, please feel welcome to contact us.
‘Get an objective 2nd opinion’
The PCI’s Data Security Standard is straightforward to understand and simple to implement.
However, it is vital that the person responsible for checking the PCI DSS compliance is not the same person who fitted the point of sale equipment, because in my experience routine checks will be skipped, ignored or forgotten.
The correct way to check for PCI DSS compliance is to get an objective 2nd opinion.
Every organisation that accepts payment cards has already committed to comply with the PCI DSS requirements, therefore non-compliance results in hassle and potentially a fine. In my experience the most common PCI DSS failures can be grouped into 3 areas: ‘planning and installation’, ‘operation and management’, and ‘policies and documentation’.
Refer to the 3 sections below for more details and check my PCI DSS Compliance tips.
Planning & Installation
Your system may have changed since it was fitted, in which case the initial scoping used to protect the point of sale has probably changed too.
Maintaining an asset register is worthwhile: the register ensures that when new computers are added to the network the appropriate access controls are also applied and documented.
Network changes such as a new customer WiFi will certainly modify the security scope, and even adding new apps or services is worth reviewing to check whether the scope has changed.
PCI Compliance Tip 1: Check the scope of the point of sale system on a regular basis.
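A scope check of the kind Tip 1 describes can be made routine by comparing the asset register against what is actually on the network. The script below is an added example, not Sytec’s code or tooling: it uses a constructed asset register and a constructed current inventory (every hostname, segment and owner is made up), and it assumes that a segment named "pos" is the only part of the Cardholder Data Environment. It reports unregistered devices, registered devices that have moved segment, in-scope devices with no documented access control, and registered devices that have disappeared.

```python
"""Scope-drift check for a point of sale network (added example, not Sytec's code)."""

from dataclasses import dataclass

# Assumption for this example: only the "pos" segment is part of the CDE.
CDE_SEGMENTS = {"pos"}


@dataclass(frozen=True)
class Asset:
    hostname: str
    segment: str         # e.g. "pos", "office", "guest-wifi"
    owner: str
    access_control: str  # documented control; "" if nothing is recorded


# Constructed asset register: what was documented when the system was fitted.
ASSET_REGISTER = [
    Asset("till-01", "pos", "store manager", "POS VLAN ACL, named user logins"),
    Asset("till-02", "pos", "store manager", "POS VLAN ACL, named user logins"),
    Asset("back-office-pc", "office", "bookkeeper", "domain login, no CDE access"),
]

# Constructed current inventory (hostname, segment), e.g. from a DHCP lease list.
CURRENT_INVENTORY = [
    ("till-01", "pos"),
    ("till-02", "pos"),
    ("till-03", "pos"),           # new till, never added to the register
    ("back-office-pc", "pos"),    # moved onto the POS segment
    ("guest-ap", "guest-wifi"),   # new customer WiFi access point
]


def check_scope(register, inventory, cde_segments=CDE_SEGMENTS):
    """Return findings grouped by type.

    unregistered:         seen on the network but absent from the register
    segment_changed:      registered, but now on a different segment
    missing_control:      in a CDE segment with no documented access control
    missing_from_network: in the register but not seen on the network
    """
    by_host = {a.hostname: a for a in register}
    seen = {host for host, _ in inventory}
    findings = {"unregistered": [], "segment_changed": [],
                "missing_control": [], "missing_from_network": []}

    for host, seg in inventory:
        asset = by_host.get(host)
        if asset is None:
            findings["unregistered"].append((host, seg))
            # An unregistered device in the CDE has, by definition, no documented control.
            if seg in cde_segments:
                findings["missing_control"].append(host)
            continue
        if asset.segment != seg:
            findings["segment_changed"].append((host, asset.segment, seg))
        if seg in cde_segments and not asset.access_control:
            findings["missing_control"].append(host)

    for host in by_host:
        if host not in seen:
            findings["missing_from_network"].append(host)
    return findings


def scope_changed(findings):
    """True when any finding would alter the documented PCI DSS scope."""
    return any(findings[k] for k in ("unregistered", "segment_changed", "missing_from_network"))


if __name__ == "__main__":
    result = check_scope(ASSET_REGISTER, CURRENT_INVENTORY)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    print("scope changed:", scope_changed(result))
```

Run the check on a schedule and file the output with the asset register; a run that reports nothing is the evidence that the scope was checked, and a run that reports anything is the trigger to update the register and the documented controls before the next review.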
Operation & Management
The point of sale equipment must be maintained and this includes applying security updates.
Work out who is responsible for the upkeep of the system and who will make the checks. Checks should include regular virus scans, keeping the user accounts current and limited to the minimum privileges needed, ensuring accounts are not shared, and keeping a log of events, checks and changes.
Insufficient monitoring is often the first sign that the point of sale is unmanaged, consequently if the log can’t be presented to prove the system is managed, it isn’t adequately managed.
PCI Compliance Tip 2: Apply security updates and patches on a regular basis.
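The account checks and the checks log described above can be carried out together so that every review leaves evidence behind. The script below is an added example, not Sytec’s code: it runs over a constructed account export (usernames, roles and login dates are all made up), assumes that only the "manager" and "support" roles legitimately need administrative rights, treats 90 days without a login as stale, and appends a dated entry to a checks log that can later be presented to show the system is managed.

```python
"""Account review with a checks log for a point of sale system (added example, not Sytec's code)."""

from datetime import date, timedelta

# Constructed account export: (username, role, is_admin, last_login, named_person)
ACCOUNTS = [
    ("alice", "cashier", False, date(2024, 5, 30), True),
    ("bob", "manager", True, date(2024, 5, 29), True),
    ("cashier", "cashier", False, date(2024, 5, 30), False),   # shared generic login
    ("installer", "support", True, date(2023, 11, 2), True),   # vendor account, stale
    ("carol", "cashier", True, date(2024, 5, 28), True),       # cashier with admin rights
]

# Assumptions for this example: roles that need admin rights, and the stale threshold.
ADMIN_ROLES = {"manager", "support"}
STALE_AFTER = timedelta(days=90)


def review_accounts(accounts, today):
    """Return (username, reason) pairs for accounts that fail the checks."""
    findings = []
    for user, role, is_admin, last_login, named in accounts:
        if not named:
            findings.append((user, "shared or generic account; replace with named users"))
        if is_admin and role not in ADMIN_ROLES:
            findings.append((user, f"admin rights not needed for role '{role}'"))
        idle = today - last_login
        if idle > STALE_AFTER:
            findings.append((user, f"no login for {idle.days} days; disable or remove"))
    return findings


def log_check(log, today, checker, findings):
    """Append a review entry to the checks log.

    The log is a list of lines here; in practice it is an append-only file
    kept with the other evidence of checks and changes.
    """
    status = "PASS" if not findings else f"FAIL ({len(findings)} findings)"
    log.append(f"{today.isoformat()} account-review by {checker}: {status}")
    for user, reason in findings:
        log.append(f"  - {user}: {reason}")
    return log


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed review date
    entries = log_check([], today, "reviewer", review_accounts(ACCOUNTS, today))
    print("\n".join(entries))
```

The log line records who did the check and when, which is exactly what an assessor asks for; the findings list is the work order for removing shared logins, stripping unneeded admin rights and disabling dormant vendor accounts.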
Policies & Documentation
It is important to review and document how the point of sale equipment is used on a regular basis, and at a minimum every 3 months. This straightforward review is used to identify any unusual access and is when vulnerability scans are performed.
Check that the system settings are appropriate and that passwords have been changed. Also check that passwords are not shared or reused elsewhere.
Policies and documentation are used to control and minimise the risk.
PCI Compliance Tip 3: Update the documentation when changes are made to the system.
PCI DSS Summary
When your organisation handles cardholder data, you must be able to prove that your security controls meet the requirements for the PCI’s Data Security Standard.
The keyword is prove: you must be able to demonstrate the protective measures you have implemented and that you have a straightforward system of checks in place to maintain them.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and our checks are separate, independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to certified engineers
Sytec use a blend of skills to handle the management and security of systems; we are good at this. If you would like us to get involved and assist with your PCI DSS compliance checks, conduct an audit, provide training, or perform a vulnerability scan, please get in touch.