The world of PCI compliance is constantly changing – and merchants have more security obligations than ever before. It’s one thing for large companies with a CISO – or better yet, an entire information security department – to keep up with these demands, but it’s much harder for smaller organizations. However, no matter how many resources you have to allocate to your PCI compliance program – or how mature your current efforts – make sure you’re avoiding these critical mistakes:
Mistake #1: Incorrectly managing user permissions
Requirement 7 of the PCI Data Security Standard covers access control – specifically, “restricting access to cardholder data by business need-to-know.” In other words: all permissions must be appropriate for the applications and processes that a specific user deals with, and users should only have access to the data that is critical for their role.
The rationale? As the PCI Security Standards Council explains it, “The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously.” By granting access on a need-to-know basis, you can reduce the risk of inappropriate access or use.
Mistake #2: Not monitoring log data
Proactive monitoring may seem like an easy task to cut from a busy to-do list – but monitoring log data is one of the key facets of PCI compliance. However, monitoring doesn’t have to be a manual task; Requirements 10.5 and 10.6 allow for automated tools that flag potential issues for a more thorough review.
Mistake #3: Storing cardholder data as plain text
Less is more when it comes to cardholder data. Merchants should store as little of it on their systems as possible. However, if it’s completely unavoidable:
- Never store a customer’s entire 16-digit card number
- Do not keep PIN and/or CVV data in your log files
- Encrypt or tokenize all cardholder data
- Keep encryption keys in as few locations as possible
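As an added example (not from Curbstone or the original article), here is a Python logging filter that enforces the two logging rules above: it masks Luhn-valid card numbers down to their last four digits and redacts CVV/PIN-style fields before a line reaches the log. The field names it matches (cvv, cvc, cid, pin) and the sample log lines are assumptions.

```python
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field-style sensitive authentication data, e.g. "cvv=123" or "pin: 9876".
# Field names are assumed; extend to match your own application's log format.
SECRET_FIELD_RE = re.compile(r"(?i)\b(cvv2?|cvc|cid|pin)\s*[=:]\s*\d{3,6}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check keeps order ids and timestamps from being mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # not a card number; leave untouched
    # PCI DSS allows at most first six / last four to be shown; keep only last four.
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize(message: str) -> str:
    """Redact CVV/PIN fields first, then mask any remaining Luhn-valid PAN."""
    message = SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
    return PAN_RE.sub(mask_pan, message)


class CardholderDataFilter(logging.Filter):
    """Attach to a handler so every record is sanitized before it is written.
    This is a safety net, not a substitute for never logging the data."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(CardholderDataFilter())
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample line; prints "auth card=************1111 cvv=[REDACTED]"
    log.info("auth card=%s cvv=%s", "4111111111111111", "123")
```

Run this against a sample of your own application's log output to confirm the field-name pattern matches before relying on it in production.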
Mistake #4: Leaving executives and senior management out of the compliance conversation
Now more than ever, security and compliance are serious business concerns – not just for IT and Operations departments, but for executives and senior leadership. It’s important to set appropriate expectations for what it will take – in terms of both financial and time investments – to achieve PCI compliance. Some of the burden can be offloaded onto a third party (such as a PCI-validated Level 1 Service Provider, who can securely process, store, or transmit cardholder data on your behalf) – but your executive team must be part of your overall strategy.
Find out what’s new in the latest PCI DSS compliance standard.
Let Curbstone Help You Streamline PCI Compliance
If you accept credit card payments, there’s no way to completely avoid PCI compliance – but Curbstone can help you make the process simpler and less resource-intensive.
With our payment processing technologies, you don’t process, store, or transmit cardholder data on your system. This takes it out of scope for PCI audits. You can qualify for a much shorter – and easier – self-assessment questionnaire, while we complete annual third-party audits to ensure the secure handling of your customers’ payment data.
Find out how one of our customers used Curbstone to take their web server and shopping cart out of scope for the PCI SAQ-D – or contact us to learn how we can help you do the same.
This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).