Alexandria, VA (PRWEB) February 29, 2012
In this electronic era, customer account data has increasingly become a target for criminals; data security is vital. Hackers use packet sniffers and other malicious software to intercept sensitive cardholder data. Over 80 percent of attacks target small businesses. All businesses, regardless of size, have the obligation and the responsibility of protecting cardholder data at the point of sale.
The fallout resulting from a security breach can be severe, including fines and penalties, the termination of the ability to accept payment cards as well as legal costs, settlements and judgments.
Transmitting Cardholder Data
- Utilize strong cryptography when transmitting cardholder data over public networks.
- State-of-the-art, point-to-point credit card encryption, also called end-to-end encryption, encrypts cardholder data prior to performing an electronic payment transaction; merchants never have contact with unsecured information.
- In general, merchants should never store payment card data unless it's required to meet the needs of a company.
- Sensitive data on the magnetic stripe or chip should never be stored. Only the PAN, service code, expiration date or cardholder name can be stored.
- To prevent unauthorized storage, only use council certified PIN entry devices and payment applications.
- Destroy account information you no longer need in a secure fashion.
- Use strong cryptography to make cardholder data you store unreadable and utilize other layered security technologies to minimize the risk of activities by thieves.
- Never store cardholder data on an unsecured device, such as a cell phone or laptop.
- Encrypt all the payment card information stored on the processor's computers.
- Don't store the validation code after authorization.
- Be aware some software programs may store data automatically. Review software and update preferences to ensure account information is not stored without your knowledge. Make sure the software is PA-DSS compliant.
- Create and enforce an information security policy which clearly states rules for employees who handle customer data.
- Only allow employees to have access to customer data when needed.
- Restrict the availability of hard copies of payment card data.
- Every employee with computer access should have a unique ID.
- Make sure remote-access users are prohibited from copying, moving or storing data on local media.
- If payment solutions require an agent to enter cardholder data, make sure the data is masked after it has been verified.
- Require every third-party supplier with access to cardholder information to follow payment card industry security requirements.
- Use adequate firewalls.
- Make sure your payment card acceptance environment is appropriately segmented from the Internet and other public networks.
- Don't allow the PIN entry device to print out personal cardholder information.
- Keep payment card system storage devices in a locked, access-controlled room; never use devices that are not stored this way.
- Ensure software, including operating systems, is secure and kept updated.
- Use and update your antivirus software on a regular basis. Test your company's security system on a regular basis.
- Change security codes and system passwords from the defaults supplied by software manufacturers.
- Make sure your payment card terminals comply with PCI personal identification number (PIN) entry device security requirements.
- Verify your payment applications comply with Payment Application Data Security Standard (PA-DSS).
- Make sure third parties who process your customers' payment cards are in compliance with PCI DSS, PED and/or PA-DSS as applicable.
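The storage rules above (keep only the PAN, expiration date, service code and cardholder name; never retain track, chip, PIN or validation-code data after authorization; mask the PAN once verified; render stored cardholder data unreadable with strong cryptography; and check that software has not stored account data without your knowledge) can be enforced and audited in code. The following is an added example written for this page, not code from PCI Free or from any card brand. It assumes a hypothetical flat authorization record with the field names shown, and uses a constructed demo key in place of one held in a key-management system.

```python
"""Added example (not from the original press release): apply the PCI
cardholder-data storage rules to a captured authorization record and scan
free text for card numbers that were stored by accident.

Assumptions (hypothetical, not from the page): records are flat dicts with
the field names below; the storage key is a 32-byte secret normally kept in
an HSM or KMS, shown here as a constructed constant so the example runs offline.
"""
import hashlib
import hmac
import re

# Fields a merchant may retain after authorization (per the rules above).
ALLOWED_AFTER_AUTH = {"pan", "expiry", "service_code", "cardholder_name"}

# Sensitive authentication data: must never be stored after authorization.
SENSITIVE_AUTH_DATA = {"track1", "track2", "chip_data", "cvv2", "pin_block"}

# Constructed demo key. In production this lives in a KMS/HSM, never in source.
STORAGE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display so only the last four digits remain readable."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes = STORAGE_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN: lets records be matched
    to a card without the clear PAN ever being written to storage."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data, keep only permitted fields, and
    replace the clear PAN with a masked form plus a keyed token."""
    stored = {k: v for k, v in record.items() if k in ALLOWED_AFTER_AUTH}
    pan = stored.pop("pan")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan)
    return stored


# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_like(text: str) -> list:
    """Return Luhn-valid card-number-like strings found in free text.
    Run this over logs, receipts and database dumps to catch account data
    a program stored automatically without your knowledge."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record using a well-known test PAN.
    auth_record = {
        "pan": "4111111111111111",
        "expiry": "1225",
        "service_code": "201",
        "cardholder_name": "TEST CARD",
        "track2": "4111111111111111=25122011000000000000",
        "cvv2": "123",
        "pin_block": "0123456789ABCDEF",
    }
    print(sanitize_for_storage(auth_record))
    # Constructed log line of the kind a misconfigured terminal might write.
    print(find_pan_like("2012-02-29 auth OK pan=4111 1111 1111 1111 amt=12.50"))
```

`sanitize_for_storage` is the gate between the authorization step and anything that persists data; `find_pan_like` is the periodic check that the gate is actually being used, since a PAN in a log file is as much a breach as one in a database.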
PCI Free provides free PCI compliance solutions and resources. To learn more about properly securing sensitive cardholder data, visit PCI Free.