5 ways to help prevent a PCI compliance audit failure...
By Haptic Networks
March 25, 2014
Cybercrime and identity fraud are big business…worldwide.
If your organisation processes credit/payment card information it becomes your duty to protect their data. In the wake of the recent prolific UK Bank hacks it demonstrates that even those with high security focus can be caught short.
It is essential for companies that accept and process payment cards to be compliant with the PCI Council’s latest payment card industry (PCI DSS) compliance requirements.
Working with organisations as varied as banks, legal firms, gambling companies and council offices has given us a wide experience of the various different ways you could possibly fail a PCI compliance audit.
1.Physical or Primary Security. A relatively lo-tech starter, your company must secure the environment where payment card information is kept. For example, in order to gain access every single entry point, someone must be required to ID themselves through at least one if not multiple physical barriers, a badge-in requirement, a key, or an admin area that is constantly manned. CCTV systems are also a basic requirement of the PCI Council (ask us about our HD IP CCTV solutions)
2. Network security. Your company needs to have a secure network that is able to protect customers’ data. Sadly a firewall alone won’t cut it, it’s important to have strong ACLs (access control lists) on all network devices to prevent breaches by would-be hackers. An additional level of security – like a separate area inside your network (a DMZ or similar structure) – would create a secondary level of access control to ensure that connections to internal sources are legitimate and access is restricted to rogue clients.
Haptic provide world leading, fully patented network security scanners and WiFi devices that give your company full visibility on any attempted rogue activity, whilst giving you the ability to ‘in-house’ your PCI Audit procedure.
3.Your processes. Focused heavily on policies and procedures achieving PCI compliance, is more than just physical/tech related your company must draft a detailed Information Security Policy this should contain documentation for antivirus, network configurations, physical security etc. Ultimately this should be signed off by IT Director, Network Manager Security Officer) This can appear daunting, however the majority is common sense and good organisation.
4. Encrypting Data. The PCI audit focuses heavily on the encryption for credit card data as it moves around your organisation. The PCI Council requires the use of high levels of encryption; these are incredibly valuable as they require a complex decryption protocol or methodology, usually a decryption key that must be used by the authorised party to receive the credit card data.
5.Talk to us. Aside from being able to assist with your pursuit of PCI Compliance, we can consult and demonstrate the tools and technology we deploy to not only aid your PCI audit but also to give you a fully protected wired and wireless network.
