In 2020, less than 30% of organizations were reported to be PCI DSS compliant, with a downward trend of businesses adhering to standards. The lowest levels of compliance were noted across the retail, hospitality and financial industries. That lack of compliance, or insufficient standards for compliance, sets businesses up for major backlash, including steep fines and loss of consumer trust.
What is PCI DSS compliance?
Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to a set of 12 requirements maintained by the global PCI Security Standards Council (PCI SSC). The council was founded by the major card brands: Visa, MasterCard, American Express, Discover and JCB.
“This adherence is necessary for any company that stores, processes or otherwise handles cardholder data,” said Gary Burchfield, Senior Sales Engineer for Kinetic by Windstream. “If you touch it in any shape or form, or process it in any way, you must adhere to PCI DSS compliance per regulatory standards.”
Here are four steps to take to keep up with PCI DSS compliance standards.
(1) Upgrade your firewall
Every business that processes payment cards needs a firewall in front of its point-of-sale (POS) systems, whether that means a website or hardware such as card terminals, tablets and phones. PCI DSS Requirement 1 calls for network security controls (traditionally a firewall) between the cardholder data environment and any untrusted network, the public internet first among them. Because POS systems rely on an internet connection to reach the payment processor, the firewall is the barrier that decides which connections may cross that boundary. Firewalls filter traffic according to the security policy the business defines; for a POS segment that policy should be default-deny, allowing only the connections the terminals actually need (typically TLS to the processor) and logging everything else.
Consider investing in an advanced solution that deflects hackers while maintaining the data safety and client-data protection standards mandated for your business. For example, Kinetic Business offers security and compliance management, with features including a PCI-compliant managed cloud firewall as well as intrusion prevention and detection. The right solutions can help businesses stay proactive.
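As an added example, not part of the article and not Kinetic's product configuration, here is a minimal nftables ruleset for the POS boundary described above. The interfaces, subnets, the processor address (203.0.113.10, a documentation address) and the admin host are placeholders; substitute your own. It keeps a default-deny policy in both directions and logs anything it drops, so a terminal that suddenly tries to talk to an unexpected host shows up in the firewall log.

```nft
#!/usr/sbin/nft -f
# Added example, not Kinetic's configuration. Assumed (placeholder) layout:
#   eth0  uplink to the internet
#   eth1  POS VLAN, 10.10.20.0/24 (the cardholder data environment)
#   eth2  back-office LAN, 10.10.10.0/24; internal DNS/NTP at 10.10.10.5,
#         admin workstation at 10.10.10.50
#   203.0.113.10  payment processor gateway (documentation address)
# Rules for the back-office and guest segments are omitted; add them above
# the final drop rules. The weak setting this replaces is "policy accept"
# with no egress rule, which lets a compromised terminal reach anything.
flush ruleset

table inet cde_fw {
    set processor { type ipv4_addr; elements = { 203.0.113.10 } }
    set admins    { type ipv4_addr; elements = { 10.10.10.50 } }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Firewall management: SSH from the admin workstation only
        iifname "eth2" ip saddr @admins tcp dport 22 ct state new accept
        log prefix "cde-fw input drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # POS terminals: TLS to the processor, DNS/NTP to the internal server
        iifname "eth1" ip saddr 10.10.20.0/24 oifname "eth0" ip daddr @processor tcp dport 443 ct state new accept
        iifname "eth1" ip saddr 10.10.20.0/24 oifname "eth2" ip daddr 10.10.10.5 udp dport { 53, 123 } accept

        # Nothing else crosses the POS boundary in either direction; log it
        iifname "eth1" log prefix "cde-fw pos egress drop: " drop
        oifname "eth1" log prefix "cde-fw pos ingress drop: " drop
    }
}
```

Load it with `nft -f`; NAT for the uplink is configured separately and is not shown. The ruleset covers the boundary control in Requirement 1, but the requirement also expects the rule base to be documented, justified and reviewed periodically, so keep the comments and the change history with it.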
(2) Ensure your wireless traffic is encrypted
“Make sure all the wireless traffic that’s talking to your POS devices is encrypted,” Burchfield said. “Anything transmitted can be received.”
This is one of the most basic cybersecurity practices for any business. Encrypting the wireless link makes traffic between a POS device and its access point unreadable to anyone listening nearby; it does not protect the data once it leaves the access point, so cardholder data must also be encrypted end to end (for example, TLS to the payment processor), which PCI DSS Requirement 4 demands for transmission over open, public networks. Make sure every Wi-Fi network that carries POS traffic uses WPA2 (Wi-Fi Protected Access 2, with AES/CCMP) at a minimum, or WPA3 where the hardware supports it, rather than whatever the access point shipped with. WEP and the original WPA with TKIP are not acceptable: both are broken, and WEP is explicitly prohibited by PCI DSS for cardholder data.
For an added layer of security, Burchfield said: “Make sure you’re using strong passwords for any one of the wireless access points that you’re attaching those POS devices to. Don’t use the same passwords out of the box from when you purchased your hardware.”
(3) Routinely inspect your devices and network connections
“For the POS devices you use for transactions, notice if the devices are acting funny or not processing like you think they should,” Burchfield said. “That could be an indication that the devices have been attacked or have had something attached to them.”
Credit card skimmers are a growing threat, for example. These devices, most commonly found at ATMs and gas stations, can be installed on card readers to capture card numbers for fraudulent use. “Credit card skimmers can be near paper-thin, and they can be easily snapped onto a POS device,” Burchfield said.
To stay in line with PCI compliance standards, visually inspect your POS devices – skimmers can be placed on top of a card reader, creating odd angles or covering arrows on the reader. Then physically inspect your devices: move your hands around the reader and jiggle it to see if a skimmer dislodges.
In addition to checking your devices for skimmers, make sure each one is connected to the right network.
“Look for foreign networks in your area,” Burchfield said. “If your POS device is normally connected to your secure business network, but today it’s connected to another unknown network, that’s a sign it may have been hacked.”
Inspecting devices is a quick and easy routine to require of your employees.
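The two checks Burchfield describes, that POS Wi-Fi uses strong encryption and that no unknown network has appeared near the terminals, can be scripted. The following is an added example, not code from the article or from Kinetic: it parses the output of the Linux `iw dev <interface> scan` command and flags open, WEP and TKIP-only networks, SSIDs that are not on the business's list, and a known SSID broadcast from an unregistered access point (a possible rogue or "evil twin"). The scan text, SSIDs and BSSIDs are constructed for the example, and the allow-list `KNOWN_APS` is an assumption you would fill in from your own access points.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output (abridged): one legitimate
# store AP, one twin of it using WPA/TKIP, one open hotspot and one WEP router.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    capability: ESS Privacy (0x0011)
    SSID: StorePOS
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 00:11:22:33:44:02(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: StorePOS
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:03(on wlan0)
    capability: ESS (0x0401)
    SSID: Free_WiFi
BSS 00:11:22:33:44:04(on wlan0)
    capability: ESS Privacy (0x0411)
    SSID: OldRouter
"""

# Assumed allow-list: the business's SSIDs and the BSSIDs of its own APs.
KNOWN_APS = {
    "StorePOS": {"00:11:22:33:44:01"},
    "StoreGuest": {"00:11:22:33:44:10"},
}
STRONG_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}


def parse_scan(text):
    """Split `iw scan` output into one record per BSS."""
    networks, current, section = [], None, None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", raw)
        if m:
            current = {"bssid": m.group(1), "ssid": "", "privacy": False,
                       "rsn_ciphers": set(), "wpa_ciphers": set()}
            networks.append(current)
            section = None
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            current["ssid"] = line.split(":", 1)[1].strip()
        elif line.startswith("capability:"):
            # The Privacy bit means *some* encryption is on; WEP sets it too.
            current["privacy"] = "Privacy" in line
        elif line.startswith("RSN:"):
            section = "rsn_ciphers"        # WPA2/WPA3 information element
        elif line.startswith("WPA:"):
            section = "wpa_ciphers"        # legacy WPA (v1) element
        elif line.startswith("* Pairwise ciphers:") and section:
            current[section].update(line.split(":", 1)[1].split())
    return networks


def assess(net, known_aps=KNOWN_APS):
    """Classify one BSS and list what an inspector should act on."""
    findings = []
    ciphers = net["rsn_ciphers"] | net["wpa_ciphers"]
    if not net["privacy"]:
        security = "open"
        findings.append("open network: traffic is sent in the clear")
    elif not ciphers:
        security = "wep"           # Privacy bit set, but no RSN/WPA element
        findings.append("WEP: prohibited for cardholder data and trivially cracked")
    elif ciphers & STRONG_CIPHERS:
        security = "wpa2+"
        if "TKIP" in ciphers:
            findings.append("TKIP still enabled alongside CCMP: disable it")
    else:
        security = "wpa-tkip"
        findings.append("WPA/TKIP only: not strong cryptography")
    ssid = net["ssid"]
    if ssid not in known_aps:
        findings.append("unknown SSID: not one of the business's networks")
    elif net["bssid"] not in known_aps[ssid]:
        findings.append("possible rogue AP: known SSID from an unregistered BSSID")
    return security, findings


def audit_scan(text, known_aps=KNOWN_APS):
    """Map BSSID -> (ssid, security, findings) for every network in the scan."""
    return {n["bssid"]: (n["ssid"], *assess(n, known_aps)) for n in parse_scan(text)}


if __name__ == "__main__":
    for bssid, (ssid, security, findings) in audit_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {ssid:<10} {security:<9} {'; '.join(findings) or 'OK'}")
```

Run it against a real scan with `iw dev wlan0 scan | python3 audit.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`. The BSSID allow-list is what catches an evil twin: an attacker can copy your SSID and even your security settings, but not the hardware address your staff recorded when the access point was installed.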
(4) Stay on top of device updates
“From a security standpoint, make sure that the POS devices and the equipment and technology that you use to facilitate those POS transactions are updated and patched with the latest patches and releases available for that particular piece of hardware,” Burchfield said.
Even when your team is too busy to act on update notifications as they appear, it is easy to check for available updates in the settings section of each device. Software updates fix bugs and close security gaps that would otherwise leave devices open to attack, and PCI DSS Requirement 6 requires critical security patches to be installed within one month of release, so patching cannot be deferred indefinitely.
Start meeting PCI DSS requirements
When your business is compliant, you’re protecting your customers. Not just from credit card fraud, but from identity theft. From 2019 to 2020, reports of identity theft by way of credit card theft increased by 44.6%.
You’re also protecting your business. “If you lose data due to a hacker attack, you’re really ending up on the radar of the banks, credit card companies and payment processors that make up the PCI DSS consortium,” Burchfield said. “A company that suffers a hack or attack that results in compromised data is held to a higher standard in the form of an annual PCI DSS assessment that’s a full-scale detailed report, as well as a required vulnerability assessment against their infrastructure.”
If you need more guidance about PCI DSS requirements, visit PCISecurityStandards.org. At the same time, consider expanding your business’ cybersecurity budget to incorporate software that’s designed to protect your business and your customer data around the clock. Pair that with routine audits of your compliance measures as security threats evolve, and your business will have a long-term security and compliance strategy in place.