A PCI Compliance Checklist That Will Cover 90% of Your Obligations
If the Payment Card Industry Data Security Standard (PCI-DSS) isn’t currently on your radar, we don’t blame you. It’s a rough business environment right now and you’re probably laser-focused on staying in the black — not on stringent and bureaucratic compliance frameworks. Unfortunately, the PCI compliance governing body is equally strict in boom and bust economies.
A small- or medium-sized business (SMB) that processes just 50 credit card transactions per month and is out of compliance would be fined a minimum of $5,000 per month until issues are resolved. Would that push you into the red?
Don’t worry, you don’t need to ignore sales efforts to bury your nose in the PCI “quick” requirements list (which is 39 very dense pages). You can cover most of your bases by following our PCI compliance guide.
Checklist Item #1: Check Hardware and Software PCI Compliance Annually
Let’s start with one of the easiest rules to follow: confirming that your card-processing devices and applications are approved by the PCI compliance governing body.
Companies that sell these products and services rise and fall faster than you can say, “Please don’t jeopardize my cybersecurity.”
The company that sold you a credit card scanner last year may not have survived the COVID downturn. That would be all it takes to run afoul of the data security standards.
Checklist Item #2: Never Store CVV or Magnetic Strip Data
Regardless of whether you process 500 transactions per year or 500,000, you will face a PCI compliance fine if you keep any records of the three-digit numbers printed on the backside of customers’ cards. The same goes for data encoded by a credit card’s magnetic strip.
There’s no business purpose to retaining either type of information, so an infraction here is usually based on ignorance. It’s neither unusual nor against compliance requirements to store the 16-digit number on the front of a card, and some employees assume the three-digit number on the back is also necessary. If they are storing it, tell them to stop and to destroy any of those records.
In most cases, the problem surrounding magnetic stripe data is far more sinister. An individual with minimal practice would only need a matter of minutes alone at the register to install an “overlay skimmer” (like the one pictured above) to secretly capture magnetic stripe data. You can avoid becoming a victim of these scams by regularly inspecting your scanners and keeping them under constant video surveillance.
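A way to check your own stored records for the data this item prohibits, as an added example that is not part of the original post: it flags magnetic stripe Track 2 data and CVV-style values in text records, while a bare card number (which may be stored, but must be encrypted) is not reported. The record layout and the sample records are constructed for the example; the card numbers are the well-known test numbers.

```python
"""Scan stored text records for sensitive authentication data (SAD).

Constructed example. Finds two things PCI-DSS forbids you to keep:
  - Track 2 magnetic stripe data  (;PAN=YYMM<service code><discretionary>?)
  - CVV/CVC values labelled as such next to other order data
A PAN on its own is deliberately NOT a finding here.
"""
import re

# Track 2 layout after a swipe: optional ';', PAN, '=', expiry YYMM,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# A 3-4 digit value stored under a cvv/cvc/cid label (labels are assumed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: str) -> list[str]:
    """Return the findings ('track2', 'cvv') for one stored record."""
    findings = []
    m = TRACK2_RE.search(record)
    if m and luhn_ok(m.group(1)):   # only report a plausible PAN
        findings.append("track2")
    if CVV_RE.search(record):
        findings.append("cvv")
    return findings


def scan_all(records: list[str]) -> dict[str, list[str]]:
    """Map each offending record to its findings; clean records are dropped."""
    return {r: scan_record(r) for r in records if scan_record(r)}


# Constructed sample records (test card numbers, not real accounts).
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=2512",          # allowed (if encrypted)
    "order=1002 pan=5555555555554444 cvv=123",           # CVV stored: violation
    "swipe=;4111111111111111=25121011234567890?",        # raw Track 2: violation
    "order=1003 note=call back at 5551234567",           # unrelated digits
]

if __name__ == "__main__":
    for rec, hits in scan_all(SAMPLE_RECORDS).items():
        print(f"{hits}: {rec}")
```

Run it against exported database tables, application logs and spreadsheet dumps; anything it reports must be deleted, not just encrypted.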
Checklist Item #3: Use Encryption Everywhere Credit Card Data Is Stored
It’s a smart idea to encrypt all of your data, even if it isn’t related to payment information. But for companies that accept credit cards, encryption is mandatory. The simplest way to follow this rule is to keep all of your company data stored in Office 365 apps, which come with industry-leading encryption features. Just make sure you have an expert configure them properly.
PCI-DSS also requires that printed documents containing credit card numbers be guarded by lock and key, literally. Any paper records that carry payment information must be kept in a safe or a secured file cabinet.
Checklist Item #4: Follow Simple Security Best Practices
There are so many things your non-IT employees can do to simplify compliance. But these recommendations are often overlooked because experts use technical and off-putting phrases like “identity access management” or “principle of least privilege”. In reality, these best practices are quite simple:
- Never give an employee access to customer credit card data unless it is essential to their job description.
- Never let employees share accounts (e.g. “We can save the company money if everyone on our team uses the same Airtable account.”).
- Force everyone to use strong passwords.
- Change default and administrative passwords immediately after installing any new hardware or software. For example, the password for most WiFi security cameras right out of the box is “1234.”
- Install and periodically update antimalware software on every device that either connects to your office network or accesses company data.
A manager with almost no IT experience should be able to handle all but the last item on that list. In most cases, companies that have fallen away from PCI compliance didn’t have issues implementing these best practices. The problem was that no one was held accountable for enforcing them as time went on.
Checklist Item #5: Update Your PCI Compliance Security Policy Every Year
PCI-DSS requires compliant companies to maintain an up-to-date information security policy. The PCI compliance document should be as detailed as possible and approved by your senior management team. Although your policy should be drafted from scratch, this template will give you some idea of how much length and detail is necessary.
If you need to maintain compliance with frameworks other than PCI, managed IT services providers like Iconic IT can create a unified policy that covers all of your obligations. This is huge for SMBs subject to the Health Insurance Portability and Accountability Act or the Family Educational Rights and Privacy Act.
Our team is a combined effort of celebrated cybersecurity and compliance experts in Denver, Dallas, Wichita, Southwest Florida, and Western New York. We have support packages to augment in-house teams or handle all your technology needs ourselves. Check out our pricing guide or email us at firstname.lastname@example.org for more information.