Is your business PCI Compliant?
ERP System Solutions takes our clients’ system security very seriously. For those organizations that process payment transactions via credit, debit, gift cards or other payment applications, this includes achievement and maintenance of Payment Card Industry (PCI) Compliance. Compliance is achieved through adherence to a set of strict standards set forth by the Payment Card Industry Security Standards Council.
In response to an increase in credit card data security breaches, five major credit card companies – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – formed an organization called the Payment Card Industry (PCI) Security Standards Council. The organization is tasked with developing and managing the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with this standard may result in fines or termination of credit card processing privileges.
The PCI DSS is built around the following 12 high-level requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
For most merchants, PCI compliance is validated through two recurring activities. (Merchants with the highest transaction volumes instead undergo an annual on-site assessment by a Qualified Security Assessor, but the two activities below apply to the majority of organizations.)
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Merchants must provide every public-facing access point (IP address) into their networks. The ASV then scans each IP and tests for exploitable weaknesses, not for breaches that have already happened. Scan failures are typically caused by missing firmware or OS patches, outdated or weak transport protocols (SSL and early versions of TLS are no longer permitted for cardholder data), and unnecessary open network ports; under the ASV program, any finding rated CVSS 4.0 or higher is a failing result. Scans are repeated until each identified vulnerability is remediated and a clean scan is recorded. If systems are not properly maintained, it is not uncommon for an organization to pass in the current quarter only to fail in a subsequent scanning period when a new vulnerability is published against software it has not patched.
- The annual Self-Assessment Questionnaire (SAQ) is a lengthy document that addresses virtually every IT process an organization has, ranging from simple items such as a list of payment devices in use, to detailed network diagrams, to the processes for securely maintaining and rotating system passwords across the entire infrastructure. Several SAQ types exist, and the one that applies depends on how cards are accepted: an organization that fully outsources e-commerce payment processing answers a much shorter SAQ than one that stores or transmits cardholder data on its own systems.
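The scan bullet above lists the usual reasons a quarterly ASV scan fails but does not show how to get ahead of them. The following is an added example, not ERPSS code or any ASV's tooling: a small pre-scan triage script that takes a simplified inventory of externally exposed services (the shape of the data is an assumption; the hosts, ports, protocol lists and vulnerability scores are constructed sample data) and flags the findings an ASV would treat as failures. The CVSS 4.0 threshold is the ASV program's failing score; the "REVIEW" status for ports missing from the firewall allowlist is this example's own convention, added because an undocumented open port is the usual place a later failure appears.

```python
"""Pre-scan triage of externally exposed services against common ASV failure causes.

Added example, not ERPSS code. The inventory and allowlist below are constructed
sample data in the shape of a simplified port/service scan result; the rules mirror
three common reasons a quarterly ASV scan fails: weak transport protocols, cleartext
administrative services, and any vulnerability rated CVSS 4.0 or higher.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

FAIL_CVSS = 4.0  # ASV program: a finding with CVSS base score >= 4.0 fails the scan
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # SSL/early TLS not permitted (Req. 4)
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet"}  # cleartext management services (Req. 2/4)


@dataclass
class Service:
    """One exposed listener as a scanner would report it (simplified shape, an assumption)."""
    host: str
    port: int
    name: str
    tls_versions: List[str] = field(default_factory=list)
    vulns: List[Dict] = field(default_factory=list)  # each: {"note": str, "cvss": float}


@dataclass
class Finding:
    host: str
    port: int
    status: str  # "FAIL" (would fail the ASV scan) or "REVIEW" (needs a documented reason)
    reason: str


def triage(services: List[Service], allowed_ports: Dict[str, Set[int]]) -> List[Finding]:
    """Apply the failure rules to every service and return the list of findings."""
    findings: List[Finding] = []
    for s in services:
        weak = sorted(WEAK_TLS.intersection(s.tls_versions))
        if weak:
            findings.append(Finding(s.host, s.port, "FAIL",
                                    "weak transport protocol(s) offered: " + ", ".join(weak)))
        if s.port in CLEARTEXT_ADMIN:
            findings.append(Finding(s.host, s.port, "FAIL",
                                    f"cleartext administrative service ({CLEARTEXT_ADMIN[s.port]}) exposed"))
        for v in s.vulns:
            if v["cvss"] >= FAIL_CVSS:
                findings.append(Finding(s.host, s.port, "FAIL",
                                        f"vulnerability CVSS {v['cvss']:.1f}: {v['note']}"))
        # Req. 1: only documented services should be reachable from the Internet.
        if s.port not in allowed_ports.get(s.host, set()):
            findings.append(Finding(s.host, s.port, "REVIEW",
                                    "port not in documented firewall allowlist"))
    return findings


def scan_passes(findings: List[Finding]) -> bool:
    """True when nothing in the findings would fail an ASV scan."""
    return not any(f.status == "FAIL" for f in findings)


# Constructed sample inventory (documentation address range, sample scores; not real hosts).
SAMPLE_SERVICES = [
    Service("203.0.113.10", 443, "https", ["TLSv1.2", "TLSv1.3"]),
    Service("203.0.113.10", 22, "ssh",
            vulns=[{"note": "service version past vendor support (sample)", "cvss": 5.3}]),
    Service("203.0.113.11", 443, "https", ["TLSv1.0", "TLSv1.2"]),
    Service("203.0.113.11", 23, "telnet"),
    Service("203.0.113.12", 8080, "http-alt",
            vulns=[{"note": "informational banner disclosure (sample)", "cvss": 2.1}]),
]
SAMPLE_ALLOWLIST = {"203.0.113.10": {22, 443}, "203.0.113.11": {443}, "203.0.113.12": set()}

if __name__ == "__main__":
    results = triage(SAMPLE_SERVICES, SAMPLE_ALLOWLIST)
    for f in results:
        print(f"{f.status:6} {f.host}:{f.port}  {f.reason}")
    print("scan would pass" if scan_passes(results) else "scan would FAIL")
```

Run against the sample data, the script reports three failing findings (the unsupported SSH version, TLS 1.0 on the second web server, and the exposed telnet listener) and two ports to review; remediating the three and re-running is the same loop the ASV enforces, done before the quarterly scan rather than after it.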
ERPSS is adept at handling all aspects of PCI compliance. Whether your quarterly scans are failing for reasons you cannot decipher or the PCI SAQ is beyond your grasp, contact us today so we can help you achieve and maintain PCI compliance.