Handling PCI DSS Compliance | Data Retention & Protection
What is PCI DSS?
Almost every business today accepts credit card payments. It is so commonplace that many Americans are getting into the habit of not carrying much cash. If you want to keep up with your competition, you have to offer the same convenience.
When you register to start accepting payments, what does it mean when the paperwork mentions PCI DSS compliance? Does it even apply to your business? PCI DSS stands for Payment Card Industry Data Security Standard, a set of rules and operational policies that businesses must follow to secure and protect their customers' credit card data. Does it apply to you? If you're accepting credit cards, it absolutely does.
Who Must Comply?
All business owners who handle customer credit card data must comply. These standards are important for every merchant that handles credit card information to follow. They are policies and procedures that protect not only your consumers but also your business, and in a sense, they are used by other merchants to protect your business and wallet as well.
Keeping businesses following the same standards helps keep everyone a little safer. It’s no secret that there are a variety of ways to access and misuse someone’s credit information or personal identity. When a customer trusts you to handle their data, they are entrusting you to handle that information with care. The PCI DSS is a way to keep everyone on the same page.
In order to understand how to be in compliance, it's good to get a handle on what the PCI DSS standards are and which ones directly affect you and your business. The PCI DSS can be broken down into components that help you understand them and reach federal levels of compliance. Its elements can be divided into 6 major requirements, 12 essential elements, and 78 fundamental provisions. It also includes over 400 testing methods. Divided this way, PCI compliance can be compartmentalized, learned easily, and incorporated into daily business procedures and practices. The first key is to manage the 6 major requirements:
- Create and maintain a secure network and system.
- Protect cardholder information.
- Continuous vulnerability administration.
- Accessibility monitoring.
- Continuous oversight and testing of deployed networks.
- Policy and procedure support and documentation.
Breaking PCI compliance into clearly structured tasks makes it much easier to handle. Many companies spend a large portion of their data and privacy compliance budget on PCI DSS compliance. It doesn't have to break the bank for any business. There are ways to be completely secure and protect your data and that of your consumers without going bankrupt. Step through the 6 major components of PCI compliance to see if your company is on the right track.
Whether you are facing PCI DSS compliance and security for the first time or strengthening current security measures, the PCI DSS Prioritized Approach for PCI DSS 3.2.1 (the Prioritized Approach) published by the PCI Council is a helpful go-to tool for small business owners and large corporations alike.
Keeping a secure system is a vital part of following the PCI DSS standards. The first of the six major requirements is to create and maintain a secure network and system. The 12 essential elements break these standards down further; the first four cover network and system security and protecting cardholder data. These are:
- As a merchant, you are required to install and maintain your network and systems: install firewalls and preserve cardholder data with continuous updates.
- Change your passwords. Do not use vendor-supplied passwords or any other defaults for system security.
- You must protect cardholder data. This can be misleading and add undue costs to your security expenses. According to the PCI Security Standards Council, this requirement only applies to you if you store the cardholder data. In fact, merchants who bypass the storage of card data automatically provide the best protection for consumers. By not storing card data, you as a merchant have eliminated a target for thieves.
- When sending cardholder data across outside networks, encrypt all transmission. Using encryption technology is the most comprehensive way today to transmit data and protect it from prying eyes.
Data Retention & Vulnerability
If you intend to retain data, it is extremely smart to use an intelligent data redaction system to redact all unnecessary personally identifiable information immediately after the transaction. Keeping only the information required helps reduce the risk to both the consumer and your company. According to PCI standards, maintaining a vulnerability management program is essential. In fact, as you go further down the list of the 12 essential elements, elements 5 and 6 cover vulnerability.
- As a merchant, you are required to regularly update your antivirus software programs and continuously protect all systems against malware.
- Establish secure systems and applications throughout your business. Protect these systems and applications with ongoing maintenance policies and procedures.
Access monitoring is one of the 6 major requirements. For a merchant, implementing strong access control measures is broken down into manageable, understandable segments in the 12 essential elements:
- Control access by creating restrictions or barriers to cardholder data. Keep this prioritized customer data on a need to know basis only.
- Establish an identity trail of individuals who have contact with the data. Use authentication methods to prevent unwarranted reach.
- Use physical barriers to keep the card data away from those who don’t require access to consumer financial data.
Oversight & Testing
Knowing your system works and continuously remains secure is important. Being lax about oversight or periodic testing of data handling procedures will lead to vulnerabilities. Vulnerability leads to data loss and privacy law violations. Essential elements 10 and 11 of PCI DSS standards cover this area.
- Follow and supervise all access to both the networks and any handling of consumer card data.
- Set up periodic testing schedules to check the status of all systems, policies, and protocols of data handling.
Creating written policies for your data processes, data handling, and review procedures is beneficial not only for you as a merchant and for your company, but for your employees as well. Having a written policy that every employee can read and refer to is covered in the last element of the PCI standards. For added security, documentation can include confidentiality agreements with your data handling employees and administrators.
- Keep an updated written policy on hand for all personnel to develop clear lines to follow for information security handling.
While merchants may keep certain data for a set amount of time, depending on their needs or legal requirements, what happens when the data is no longer needed? Delete it? No. Deleting still leaves the data hidden within your system, and a good data fishing trip by a black hat actor will find what they are looking for. Redaction is the method of choice, as it removes the data entirely. A quality redaction software system can target specific information in your data, such as phone numbers, zip codes, and even credit card numbers, and remove it from your system entirely. A redaction system of intelligent design, with comprehensive machine learning, AI, and automation, will locate and remove the data from a variety of sources, including documents, videos, and even voice files. Data destruction through redaction is the only way to be absolutely sure that the data has been wiped clean.
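The two passages above (redacting unnecessary cardholder data right after the transaction, and redacting rather than merely deleting data you no longer need) describe the same control from two angles. The following is an added example, not CaseGuard's software or any code from this post: a small text redactor that finds card-number candidates, confirms them with the Luhn check that payment card numbers satisfy, and replaces each with a masked form that keeps only the last four digits, plus a record minimizer that copies only the fields a merchant needs after authorization and never copies the full PAN or CVV. The field names, the retained-field list, and the sample log lines are all constructed for the example.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form.

    Long digit runs that fail the Luhn check (order ids, tracking numbers) are
    left untouched so the redactor does not destroy unrelated data.
    """
    def _replace(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return _PAN_CANDIDATE.sub(_replace, text)


def redact_lines(lines: List[str]) -> List[str]:
    """Apply redact_pans to each line of a log or document."""
    return [redact_pans(line) for line in lines]


# Fields kept after authorization (constructed list; a real retention policy
# names exactly the fields the business needs, and nothing more).
RETAINED_FIELDS = ("transaction_id", "timestamp", "amount", "auth_code")


def minimize_transaction(record: Dict[str, str]) -> Dict[str, str]:
    """Build the record that is retained: allow-listed fields plus last four of the PAN.

    The full PAN, CVV, expiry and anything not allow-listed are simply never
    copied, so the retained record contains nothing worth stealing.
    """
    kept = {key: record[key] for key in RETAINED_FIELDS if key in record}
    if "pan" in record:
        kept["pan_last4"] = re.sub(r"[ -]", "", record["pan"])[-4:]
    return kept


if __name__ == "__main__":
    # Constructed sample lines; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    sample_log = [
        "2023-04-01 10:02:11 POS-3 sale approved card 4111 1111 1111 1111 amount 42.10",
        "2023-04-01 10:05:47 support note: customer gave card 4111-1111-1111-1111 over phone",
        "2023-04-01 10:06:02 shipment order 1234567890123456 dispatched",
    ]
    for line in redact_lines(sample_log):
        print(line)

    raw_transaction = {
        "transaction_id": "txn-0001",
        "timestamp": "2023-04-01T10:02:11Z",
        "pan": "4111111111111111",
        "cvv": "123",
        "expiry": "12/27",
        "amount": "42.10",
        "auth_code": "A1B2C3",
    }
    print(minimize_transaction(raw_transaction))
```

The Luhn check is what keeps the redactor from being a blunt "delete every long number" rule: a 16-digit order number fails it nine times out of ten, so shipping records survive while card numbers, whether written with spaces, dashes or neither, are reduced to their last four digits. The record minimizer works the opposite way round from a delete step: instead of removing sensitive fields from a copy of the record (and hoping nothing was missed), it starts from an empty record and copies in only what the policy allows.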
Reducing Company Costs
CaseGuard provides quality redaction software which, when used along with carefully planned and developed privacy policies and data handling procedures, can reduce a company's PCI DSS compliance costs. CaseGuard also helps reduce company costs in many other areas.
The features included alongside the redaction capabilities can be used in a variety of ways and adapted to your company's needs. The software can provide automatic captioning on video surveillance systems and translate a variety of languages from both video and audio files. It can use AI to automate your transcription needs. All of this helps make your company compliant with a variety of federal regulations with just one software application.
Reaching Compliance Goals
Breaking the PCI DSS down into segments and elements makes it easier to understand and to comply with its standards. There are companies that spend fortunes to keep their data secure when they could cut costs dramatically by implementing their own in-house redaction through an intelligent redaction software system like CaseGuard. It saves money on hiring outside services and on handling data breaches, and it protects your company from privacy violations that could lead to lengthy court battles, high penalties, and loss of consumer trust. You, as a merchant, can breathe a little easier at night, knowing there is a software package that can help your company succeed.