Best practices for PCI compliance
Posted by: Lucid Content Team
Like most people, you probably shop online. Many online retailers use cloud-based payment systems to accept credit cards, so you’ve likely thought about how to keep your own payment information secure. However, once your online payment is processed, your information is in the hands of a third party, or at the very least has been transmitted to and stored electronically with that retailer.
How that credit card information is stored is regulated by the PCI standards. If you’re on the business side of this equation, using credit card data means your organization needs to think about PCI compliance. By understanding your organization’s PCI compliance scope, you can efficiently and effectively prepare your organization to stay in compliance.
A quick overview of PCI
The PCI DSS standard is used by the major card brands: American Express, Mastercard, Discover, Visa, and JCB. It outlines credit card data security expectations for companies that accept credit cards. Banks require you to meet these security requirements if you want to accept credit cards online, by phone, or in person. Technically, PCI DSS is not a law, but staying compliant with PCI standards matters to your business if you want to avoid fines and penalties.
If your company accepts credit cards, you most likely need to meet these PCI compliance requirements:
- Secure your network: Use a firewall and avoid default security settings.
- Protect cardholder data: Safeguard credit card data you store and encrypt credit card data you transmit through public networks.
- Address vulnerabilities: Watch out for malware, keep all antivirus systems up to date, and fully secure applications using, storing, and transmitting credit card information.
- Control access to data: Restrict cardholder data to employees who cannot do their jobs without it. Authenticate users of credit card data properly, and keep physical access to the data limited.
- Monitor and test your network: Watch your network traffic and monitor how employees use your network infrastructure.
- Secure your information: Create a policy for how employees secure and use credit card information.
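The "protect cardholder data" and "monitor" items above are where most merchants first slip: a primary account number (PAN) gets written in clear to an application log or a support ticket, and from that moment the log store is in scope. The following Python script is an added example written for this article (it is not Lucid's software and not an official PCI SSC tool); it assumes a PAN is 13 to 19 digits that pass the Luhn checksum and that only the last four digits may remain visible when displayed or stored. It scans constructed sample log lines for unmasked PANs and shows the masked form a compliant log line would carry.

```python
"""Added example: mask PANs and scan log lines for unmasked card numbers.

Illustrative code written for this article, not Lucid's software and not an
official PCI SSC tool. Assumptions: a PAN is 13-19 digits passing the Luhn
checksum; only the last four digits may remain visible.
"""
from __future__ import annotations

import re
from typing import Iterable

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the last four digits (e.g. 4111111111111111 -> ************1111)."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid PAN found in clear text."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form; leave other numbers alone."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_CANDIDATE.sub(_sub, line)


# Constructed sample log lines. 4111111111111111 is a widely used test number, not a live card.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO order=1001 card=4111111111111111 status=approved",
    "2024-01-01T10:00:05Z INFO order=1002 card=************1111 status=approved",
    "2024-01-01T10:00:09Z DEBUG request_id=123456789012345 latency=12ms",
]

if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN in clear; it should read {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The Luhn check is what keeps the third sample line (a 15-digit request id) from being reported, which matters when such a scan runs over large log volumes. Running a check like this over log exports and ticket attachments as part of the audit described later in the article gives you evidence, rather than an assumption, that cardholder data is not leaking into systems you never meant to be in scope.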
Essentially, these are the credit card guidelines established by the credit card companies to help you protect your organization, your employees, and your customers. Follow these best practices within your own risk management and PCI DSS compliance program. By owning the PCI compliance plan and process, your organization can do more to keep credit card data safe and out of the wrong hands.
PCI best practices for merchants
If your company accepts credit cards and uses credit card data, you’re a merchant. These merchant best practices can help protect your company.
Restrict credit card information access
Any time one of your employees has access to customer credit card information, there is an inherent risk, so one of the best ways to reduce that risk is to restrict the number of people who have access to credit card data. Fewer people using protected information means there’s less activity to monitor and, likely, fewer opportunities for breaches to occur.
Avoid sharing passwords and logins, if possible, or use a password access manager for shared login information. For instance, if you use payment processing software and only have one login for a department, you can store the username and password through an enterprise password management system. A single sign-on (SSO) portal gives users in your organization access to all of the cloud applications they need with a single credential.
Train your team to protect their usernames and passwords and to avoid providing them to other people. Show your team how to identify IT employees and outline your organization’s policies about working with outside vendors.
Collaborate across teams
PCI standards apply to your entire organization and anywhere you use or handle credit card data. As such, collaboration between departments is important. You should be prepared to scan your network for PCI compliance and to work with other teams to make sure everyone knows how to protect credit card information.
To collaborate effectively, you need to be on the same page with regard to PCI and what your organization’s information security policies are:
- Know who owns PCI compliance in every relevant department. Make sure every department that should be involved in complying with PCI actually knows about this responsibility.
- Rather than leaving compliance to chance, share visual representations of workflows and cloud data flows inside your organization.
- Collaborate with security professionals. Some organizations need to bring a PCI security specialist on board, provide PCI compliance training, or even hire a penetration tester to help develop a PCI compliance process. Working with a penetration tester may reveal vulnerabilities you otherwise wouldn’t notice. Contracting with an outside security testing firm is one option that can help companies find creative security solutions and locate hidden security issues.
As you work together on compliance issues, remember to make sure everyone in your organization has the tools they need to collaborate. Conduct audits regularly so you can catch compliance issues.
Review your cloud architecture regularly
When you plan and implement changes to your cloud architecture, consider verifying how PCI compliance rules apply to your network. Changing the cloud applications you use, your hardware and software, or making other adjustments to your cloud use can unintentionally change your compliance with PCI.
To be on the safe side, develop a plan in concert with security specialists so you know how often to review your compliance:
- Create an internal audit schedule: Create your schedule in consultation with Qualified Security Assessors (QSAs) who can help you understand updates to PCI DSS and who can assist you with responding to these changes. Get expert advice and be prepared when you do your PCI compliance check.
- Review your transaction map: As you conduct your audit, map out any paths credit card transactions take within your organization. Check this map against prior reviews, if possible, to see how you’re doing and how new changes may impact today’s compliance.
Audits and review sessions are a great way to protect your organization and reduce risk. Involve the right people in this process, develop your PCI compliance plan, stay consistent, and use visuals to help everyone collaborate.
Visualize your cloud architecture
How your cloud architecture fits together can be difficult to imagine. Providing your organization with cloud architecture diagrams ensures everyone in the compliance discussion is on the same page and can quickly spot issues and flag elements that need rework. Import your cloud architecture data and visualize your cloud environments so you have constant visibility into what exists.
With Lucidscale, you can automatically visualize your cloud architecture as a diagram by simply connecting to your AWS, GCP, or Azure accounts. You can collaborate with your teams to tackle your cloud initiatives, including your organization’s PCI compliance.
You can even maintain and prove compliance during audits and certifications by submitting an up-to-date network diagram as evidence.
With the right insights, you can adjust your compliance process and do more to protect cardholders and maintain trust among customers.