PCI DSS Compliance Checklist

Credit card fraud is a serious problem, but it’s an avoidable one. If your company accepts payments by credit card, you’re responsible for complying with the Payment Card Industry Data Security Standard, or PCI DSS—an unwieldy acronym, to be sure, but a simple set of 12 steps that will make your life easier. More importantly, PCI DSS compliance will inspire confidence in your clients when they entrust you with their most sensitive information.

We’ve put together a PCI DSS compliance checklist that lays out the 12 requirements you should make sure your company heeds. Keep in mind that each payment card brand has its own method for validating and enforcing the standards, so check with the brands you work with to make sure you’re fulfilling their requirements.

PCI DSS Compliance Checklist 1: Install and maintain network safeguards to protect cardholder data.

Now that most business is done online, little information is kept in hard copy, and the data residing on your network is an appealing target for malicious actors. A firewall restricts inbound and outbound traffic from untrusted networks and can specifically block any traffic that isn’t appropriate for the cardholder data environment.

In our view, though, a firewall is becoming increasingly irrelevant, especially if you’re using the cloud. There’s little point in building the network firewall higher and higher if your data no longer resides there and is instead stored on a cloud-based server. In that case, encryption is your friend.

PCI DSS Compliance Checklist 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.

Rather appallingly, the most common password still used by businesses is “password.” Guessing passwords is the easiest way for a hacker to access a protected network, and leaving default passwords unchanged is like giving a hacker a key to your house. What’s more, reusing passwords across services can also leave you vulnerable: hackers can compromise the weakest service to obtain passwords, then apply them to other services to reach a veritable trove of data. Changing a password takes mere seconds and is perhaps the easiest way to keep hackers at bay. Don’t hesitate to do it!

PCI DSS Compliance Checklist 3: Protect stored cardholder data.

Handling cardholders’ names and their credit card numbers, expiration dates, CVV codes, PINs, and other information is par for the course in business transactions. But you shouldn’t store the data unless it’s necessary for the needs of your business, and even then don’t store it longer than you need to. Make sure you’ve established, and shared with your employees, a clear data retention policy that outlines how long cardholder information needs to be kept for business, legal, or regulatory reasons. Authentication information such as track data from the magnetic stripe, CVV numbers, and PINs cannot be stored at all.
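The two rules in this requirement, no stored authentication data and a fixed retention period, are concrete enough to enforce in code. The following is an added example, not code from the original checklist or from Sookasa; the field names, the 90-day retention value and the sample records are all constructed assumptions, and the real retention period comes from your written policy.

```python
from datetime import date, timedelta

# Sensitive authentication data that must never sit in storage:
# magnetic-stripe track data, card verification codes, PINs / PIN blocks.
# Field names are assumed; map them to your own schema.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv", "cvv2", "cvc2", "pin", "pin_block")

# Constructed policy value; take the real number from your retention policy.
RETENTION_DAYS = 90
AS_OF = date(2024, 5, 3)  # constructed audit date used by the sample run below


def scrub_before_store(record: dict) -> dict:
    """Drop sensitive authentication data before a record is written anywhere."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}


def check_record(record: dict, today: date) -> list[str]:
    """Return the policy violations found in one stored record (empty if compliant)."""
    violations = []
    for field in SENSITIVE_AUTH_FIELDS:
        if record.get(field):  # an empty/None value is a leftover column, not stored data
            violations.append(f"sensitive authentication data stored: {field}")
    age = today - date.fromisoformat(record["stored_on"])
    if age > timedelta(days=RETENTION_DAYS):
        violations.append(f"retained {age.days} days, policy allows {RETENTION_DAYS}")
    return violations


def audit(records: list[dict], today: date) -> dict[str, list[str]]:
    """Map record id -> violations, listing only records that have at least one."""
    result = {}
    for rec in records:
        problems = check_record(rec, today)
        if problems:
            result[rec["id"]] = problems
    return result


# Constructed sample data (no real cards); PANs are already truncated to the last four digits.
SAMPLE_RECORDS = [
    {"id": "ord-1", "pan_last4": "1111", "expiry": "12/27", "stored_on": "2024-05-01"},
    {"id": "ord-2", "pan_last4": "4444", "expiry": "03/26", "cvv": "123", "stored_on": "2024-05-02"},
    {"id": "ord-3", "pan_last4": "8888", "expiry": "07/25", "track2": "constructed", "stored_on": "2024-01-10"},
]

if __name__ == "__main__":
    for rid, problems in audit(SAMPLE_RECORDS, AS_OF).items():
        print(rid, problems)
```

Run the audit on a schedule against your cardholder store and treat any non-empty result as an incident, not a to-do item.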

PCI DSS Compliance Checklist 4: Encrypt transmission of cardholder data across open, public networks.

Cybercriminals lurk on open, public networks, and if you’re transmitting cardholder data this way, it’s imperative to protect it. Encrypted files will be unreadable even if they’re intercepted. This is where Sookasa can help you too: By encrypting files before they reach the cloud, Sookasa makes it remarkably simple and safe to store cardholder information on Dropbox, affording more security than any standard means of encryption.

PCI DSS Compliance Checklist 5: Protect all systems against malware and regularly update antivirus software or programs.

Deploying and regularly updating antivirus software will thwart threats from malicious software (malware), which can enter the network undetected through an authorized user’s email or other online activities. That’s where you should also educate your employees. Malware is becoming increasingly sophisticated, and can slip in unnoticed by masquerading as a trusted email sender.

PCI DSS Compliance Checklist 6: Develop and maintain secure systems and applications.

You should regularly check for vulnerabilities in all of your systems and remediate them with vendor-supplied security patches. These provide a quick repair, and keeping your patches up to date will prevent exploitation of any detected vulnerabilities.

PCI DSS Compliance Checklist 7: Restrict access to cardholder data on a business need-to-know basis.

Make sure that sensitive data can only be accessed by those employees whose job requires that particular data. Take advantage of tools, such as those supplied by Sookasa, that allow you to update permissions in real-time and revoke access to files for users or devices as necessary.

PCI DSS Compliance Checklist 8: Identify and authenticate access to system components.

Providing each of your employees with a distinct ID ensures that interactions with sensitive data are only undertaken by—and can be traced to—authorized users. In other words, no group, shared, or generic IDs should be acceptable. A password, pass card, or biometric should also be used to authenticate users, and any remote users ought to be subject to two-factor authentication.

PCI DSS Compliance Checklist 9: Restrict physical access to cardholder data.

Businesses are required to physically secure or restrict access to printouts of cardholder data (including receipts), media where it is stored, and devices used for storing or accessing data. Cybercrime is certainly a menace, but you should always remember that old-fashioned physical theft is still a possibility that can derail your company if not properly preempted.

PCI DSS Compliance Checklist 10: Track and monitor all access to network resources and cardholder data.

Logging mechanisms help track activity across your systems and networks; review them periodically, because in the event of a breach you’ll need to know what went wrong. Sookasa lets you view which files have been accessed most recently and by whom, and team administrators can request such audits for all their employees’ files. If you do audits periodically, you can snuff out suspicious activity early.

PCI DSS Compliance Checklist 11: Regularly test security systems and processes.

New vulnerabilities are constantly being discovered by hackers and researchers and introduced by new software. Testing system components, processes, and custom software should become a part of your routine, and make sure to run an extra check whenever you change something about the way you work.

PCI DSS Compliance Checklist 12: Maintain a policy that addresses information security for all personnel.

A strong security policy sets the tone for your company’s security, and it informs employees of their expected duties. Make sure your staff understands the importance of keeping cardholder data secure, and make sure you have an incident response plan so as to act immediately in the event of a breach.

If you’ve got the steps on this PCI DSS compliance checklist covered, your customers can probably breathe easy. But remember that remaining compliant takes more than a one-time check; it’s something that must be consistently monitored. For more information on the steps outlined in this checklist, take a look at the PCI DSS Quick Reference Guide.