6 simple steps to maintaining PCI DSS compliance

It is your responsibility to protect your customers’ card data, regardless of who processes the data on your behalf. Maintaining PCI DSS compliance is one of the best ways to manage and process card payments safely and securely.

As thousands of shoppers descend on online shopping sites this Cyber Monday, ensure you are PCI DSS compliant with our 6 simple steps:

1. Take the PCI DSS Self-Assessment Questionnaire

The PCI DSS Self-Assessment Questionnaire, or SAQ, is a self-validation tool that businesses should complete to verify PCI compliance. It includes a series of yes-or-no questions about a company’s data security for each of the 12 PCI Data Security Standard requirements that are applicable to the merchant.

There are different questionnaires to meet different merchant environments, dependant on the number of transactions processed by a business annually.

2. Don’t Store Verification Codes

Did you know that you are not allowed to keep CVV data – the last three or four digits usually located on the back of a card? While businesses are permitted to store basic cardholder data, such as the customer’s name, PCI does not prohibit the storage of Card Verification Value codes.

Collecting this information prior to the authorisation of a purchase is allowed as it helps to reduce fraud but remember this data cannot be stored anywhere on your system.

3. Use Firewalls

One of the best ways to protect your network and systems from traffic that you don’t want or haven’t authorised is through firewall software. A firewall sits between your sensitive data and the internet and is configured with specific criteria to help block potential threats.

Firewalls are a requirement of PCI compliance. Click here for the PCI firewall basics https://www.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics.pdf

4. Train your staff

It’s important that your employees know how to use and manage your security procedures effectively. Having a robust training programme in place, both for new members of staff and refreshers for long-serving employees, will help ensure best practice is implemented.

Make your data security policy is readily available to your staff, and make sure they are aware of how their failure to comply with PCI could have devastating consequences on your business.

5. Assign Ownership

Allocating a specific management-level individual responsible for coordinating security activities is a good idea to ensure continued PCI compliance.

They should be assigned overall responsibility for:

• Securing management support
• Coordinating the implementation and monitoring of the security controls
• Engaging key personnel or functional groups.

6. Monitor Security Controls

A key part of PCI requirements 10 and 11 is to monitor system events and changes within your environment. Conducting regular penetration tests will help you to meet these conditions and provide the visibility that PCI requires. Alternatively, partnering with a managed security services provider gives you access to the experts and technology required to monitor your networks 24/7.