PCI compliance insurance

To properly protect credit card transactions and keep customers’ payment details confidential, most credit card companies mandate PCI DSS compliance, or payment card industry data security standard compliance, from any business, merchant, or financial institution that handles credit card payments.

Created and regulated by the PCI Security Standards Council (SSC), these PCI DSS standards are a crucial part of the payment security protocol for Visa, Mastercard, American Express, and many other credit card brands.

There are 12 PCI DSS compliance requirements:

• Implement a strong firewall configuration to restrict access by hackers and other unauthorized users
• Update all default passwords from third-party vendors and service providers
• Restrict what credit card data you store and for how long it’s stored
• Encrypt sensitive data that’s transmitted through unprotected or public networks via text, email, or instant messaging systems
• Update anti-virus software on time and perform regular vulnerability scans to confirm that it’s working
• Develop and maintain secure systems and applications, ensuring that critical software updates are made on time
• Limit access to cardholder data based on employee roles and responsibilities
• Designate user IDs and require authentication by every employee with computer access
• Regulate physical access to areas where credit card information is stored by adding proper facility entry controls and cameras
• Monitor who is accessing network resources and cardholder data with audit trails and activity logs
• Perform regular pulse checks on security controls and procedures
• Uphold a security policy and response plan that all employees are trained on

If your business handles cardholder information in any way, you need to be PCI compliant. This applies to all companies that process, transmit, or store data from credit, debit, and prepaid cards.

Some of the businesses that typically fall into this category include:

• Retailers that accept credit card transactions on their e-commerce sites or with point-of-sale devices (POS) in-store
• Professional service providers that store or transmit cardholder data for another party
• Healthcare providers that accept credit cards for payment of services in the office or through an online patient portal
• Restaurants and food delivery services that take credit card payments on site, over the phone, or online
• Charities and nonprofit organizations that receive one-time donations or regular, automated donations via credit card
• Payment processing companies that facilitate credit card transactions, such as Stripe or PayPal
• Financial institutions and credit card providers that handle cardholder data
• Real estate professionals who facilitate payment of services on behalf of their clients

PCI compliance isn’t something you achieve and then cross off your to-do list. As part of your risk management strategy, staying PCI DSS compliant requires a continuous commitment to cybersecurity protocols and standards.

These are some of the key steps you can take to uphold PCI compliance:

• Require strong, unique passwords and multi-factor authentication (MFA) for all company logins
• Implement firewalls and anti-virus software on all company devices
• Ensure that your team is using updated software with the latest operating system patches
• Only store necessary data, properly disposing of sensitive information you don’t need
• Train employees on how to spot social engineering and phishing attempts, such as suspicious email links
• Require SSC-approved card readers and payment software
• Make sure your SSC documents are up to date, including your compliance certificate
• Confirm that your third-party service providers, such as receipt printing machines, are also PCI compliant
• Stay on top of news and updates on SSC’s website
• Report data breaches or other cybersecurity events promptly to avoid fines
• Perform regular cybersecurity audits to check your effectiveness against cyber threats
• Consult with PCI compliance experts for the best ways to protect your data

Pen testing, also called ethical hacking, is when authorized cybersecurity experts simulate cyberattacks on your systems to uncover any vulnerabilities.

According to the SSC, your business should conduct penetration testing at least once a year, plus every time your system infrastructure or software gets modified or upgraded. This ensures that all safety levers you already have in place are still working after the update.

Here are a few tips for conducting a successful penetration test:

• Clearly define the people, processes, and systems that will be examined during the test.
• Work with a pen tester who has experience with PCI requirements to perform the assessment.
• Make your remediation plan a top priority, tackling critical vulnerabilities first.
• Schedule regular pen testing to stay on top of evolving threats and cybersecurity advancements.