05 Jun So what is PCI Compliance?
Whether you are a small utility of large utility with 100,000 customers, maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a must for all utilities that take credit card payments.
Criminals are targeting payment card information because it’s a high value target, so the PCI DSS was put in place to help reduce risk to your business and protect the customers you serve. Just as you lock the doors of your business each night to protect your physical assets, you need to lock the doors to your company’s network to protect your digital assets.
In order to protect cardholder data, it’s important to understand what it is and where it can be found. The PCI DSS applies wherever account data (such as a primary account number from a credit card) is stored, processed or transmitted.
Account data consists of Cardholder Data:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data:
- Full magnetic stripe data or data on a chip
- CAV2 / CVC2 / CVV2 / CID
- PINs / PIN blocks
PCI compliance may seem like a nuisance, or another confusing job to add to your endless list of tasks for you and your employees. But in fact, becoming compliant with the PCI DSS can secure your utility and help you avoid very serious consequences that could impact your utility and your revenue.
By complying with the PCI DSS you can:
- Minimize the risk of a security breach and lost profits
- Avoid losing the ability to process payment cards
- Avoid heavy fines and fees
- Protect brand integrity and reputation
- Provide peace-of-mind that you are protecting your business and customers
Although compliance is mandatory, it is best approached as a means to strengthening security, instead of simply meeting compliance standards. By implementing a comprehensive solution, like Trustwave, you can achieve both. Key security steps include:
- Install and maintain a firewall with proper configurations
- Use a PA-DSS compliant Payment Application
- Ensure regular system and anti-virus updates are installed
- Change passwords often
- Use unique user IDs for all employees
- If you provide Wi-Fi hotspot access for your customers, ensure it is properly configured
- If you need remote access, use two-factor authentication
Continually monitoring and updating security is essential for every organization. This helps to identify and remediate any threats and vulnerabilities found to ensure your network is protected and keep your business compliant. Key processes for monitoring and testing your systems include:
- Perform quarterly Approved Scanning Vendor (ASV) vulnerability scans
- Complete an Annual Penetration Test
- Aggregate and review device and system log reports
- Implement File Integrity Monitoring