PCI DSS Compliance for Small Business

Companies that take credit card payments are required to be PCI DSS compliant. The Payment Card Industry Security Standards Council (PCI SSC) has outlined security measures that organizations handling credit card data must comply with in order to protect this data. The guidelines describe cardholder data and how it should be transmitted and stored securely.

Read on for an overview of the information security standards your organization must maintain to be PCI-DSS compliant.

The Scope of PCI Compliance

If you handle cardholder data in one way or another, you have to determine the appropriate scope of PCI DSS compliance for your firm. To determine the scope, you have to define the cardholder data environment (CDE). In a nutshell, the CDE is the part of your organization (for example, a server) where you receive, store and transmit cardholder data or sensitive payment authentication data.

PCI DSS standards require any system components that interact with the CDE to be secured. “System components” are defined as computing devices, servers, network devices, and all IT applications.

Here are specific examples cited in the guidelines:

  • Internal and external applications
  • All types of servers
  • Network components
  • Accessories such as hypervisors, desktops, switches, routers, and appliances
  • Security and related services
  • Anything connected to the cardholder data environment

Organizations need to carry out annual reviews to ascertain the accuracy of their PCI DSS compliance and mitigate any risks that may be identified.

Is Network Segmentation Mandatory for PCI Compliance?

Network segmentation refers to the process of isolating the cardholder data environment from the rest of the information in your company. Network segmentation is not a mandatory requirement for PCI DSS compliance. However, segmentation helps to reduce the scope, risk, cost, and difficulty of implementation.

If your network is not segmented (i.e., a “flat network”), then the whole of it falls under the scope and should be reviewed for compliance. Separating your network into subnetworks using routers and internal firewalls can help to improve the security of the data you hold.

It is good practice to restrict cardholder data to as few locations as possible. A data flow diagram makes it easy to document the CDE for compliance purposes.

After network segmentation, IT should verify that the systems that transmit, process or store cardholder data are indeed in their separate subnetwork. However, if you still rely on some legacy systems, carrying out successful network segmentation can be challenging. Legacy systems that use non-standardized technologies can make mapping difficult.
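As an added example (not part of the article), here is a small inventory check in Python for the verification step above: every host that handles cardholder data must fall inside the subnets designated as the CDE, and any host inside those subnets that does not handle cardholder data is in scope anyway and should be moved out or assessed. The subnets and host inventory are constructed sample data.

```python
"""Added example: check a host inventory against the designated CDE subnets.

Two findings are reported:
  - hosts that handle cardholder data but sit outside the CDE subnets
    (segmentation is incomplete, so the flat network is back in scope)
  - hosts inside the CDE subnets that do not handle cardholder data
    (connected to the CDE, therefore in scope; move them out or assess them)
"""
import ipaddress

# Constructed sample: subnets IT designated as the CDE after segmentation.
CDE_SUBNETS = ["10.10.20.0/24", "10.10.21.0/24"]

# Constructed sample inventory: (hostname, ip, handles_cardholder_data).
INVENTORY = [
    ("pos-terminal-01", "10.10.20.11", True),
    ("payment-app-01", "10.10.21.5", True),
    ("legacy-pos-gw", "10.0.5.40", True),      # legacy system left on the flat network
    ("hr-fileserver", "10.10.20.200", False),  # non-CHD host placed inside the CDE subnet
    ("marketing-wiki", "10.0.7.9", False),
]


def in_cde(ip, cde_subnets):
    """True if the address falls inside any of the CDE subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in cde_subnets)


def check_segmentation(inventory, cde_subnets):
    """Return (chd_outside_cde, non_chd_inside_cde) as lists of hostnames."""
    chd_outside = []
    non_chd_inside = []
    for host, ip, handles_chd in inventory:
        inside = in_cde(ip, cde_subnets)
        if handles_chd and not inside:
            chd_outside.append(host)
        elif inside and not handles_chd:
            non_chd_inside.append(host)
    return chd_outside, non_chd_inside


if __name__ == "__main__":
    outside, inside = check_segmentation(INVENTORY, CDE_SUBNETS)
    print("Cardholder-data hosts outside the CDE subnets:", outside)
    print("Non-cardholder hosts inside the CDE subnets:  ", inside)
```

An empty first list means every cardholder-data system has been moved into the CDE subnets; the second list shows what extra systems your segmentation has pulled into scope.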


Wireless Networks and PCI Compliance

The CDE encompasses any line-busting technology, point-of-sale technology (including websites), and WLAN used to transmit, process or store cardholder data. All these technologies must be PCI compliant.

If you are using wireless technology for non-sensitive data only, then PCI-DSS compliance will not be very cumbersome.

Outsourcing PCI-DSS Compliance to Third Party Service Providers

You can outsource your PCI-DSS compliance requirements to a third-party service provider. However, you should assess the company’s services carefully. In the contract, it should be clear what parts of compliance the service provider will be handling and what parts your organization will be responsible for achieving or maintaining.

The service provider should itself be PCI-DSS compliant. There are two ways of proving compliance:

  • Carrying out independent annual assessments and providing the results to clients
  • Carrying out multiple on-demand assessments as required by clients

If you want to partner with a service provider that carries out its own annual assessments, ensure PCI-DSS compliance is fully covered as part of the contract.

Implementing PCI DSS into Everyday Business Operations

Implementing PCI-DSS compliance in your everyday business process will help to create a culture of compliance among the employees. Here are six ways in which you can make this happen:

  1. Monitor all data transmission, access, and storage in your firm
  2. Have emergency measures in place to mitigate data security risks
  3. Review any changes to the CDE before implementing them
  4. Review the impact of mergers and acquisitions on your PCI-DSS scope and requirements
  5. Carry out periodic reviews to ascertain compliance and document everything to back up your reviews
  6. Review all hardware and software used in your CDE and ensure they are PCI-DSS compliant


Sampling Business Facility Components for Security Assessment

Carrying out a PCI-DSS audit is critical for all organizations that have a cardholder data environment. If you manage a large organization that operates from different locations, you can review a random sample of components during your PCI-DSS audit.

However, this does not mean that you should only select a few system components to review. Your whole CDE needs to be PCI-compliant. Random sampling should be precisely that: random. You should not be biased and choose one part of the PCI compliance requirements to sample while ignoring others.

Sampling should be done in two parts: business facility sampling and system component sampling.

A business facility is the physical location where cardholder data is stored, while systems are the hardware and software used at those physical locations. Assess a large enough sample to get an accurate picture of the overall PCI-DSS compliance status of the organization.

Using Software for Business Security Assessment

For large organizations, using information security management software can help to make PCI-DSS compliance easier. Through the software, you can quickly identify the areas of your organization that make up the CDE and review them for compliance.

Using compliance management software makes it easy to identify and track compliance issues. Often the software can be geared to the standards you’re trying to achieve and maintain in your organization, and this can simplify PCI compliance.

Author Bio

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.

Adam Hansen

Adam is a part-time journalist, entrepreneur, investor and father.