The Merchant Processing Guru Tip# 37: The 12 requirements of PCI Compliance – Requirement #8

Password Authentication
Assign a unique ID to each person with computer access. This requirement calls for authentication of all access by administrators, users and applications to any database containing cardholder data, and for direct database queries to be restricted to administrators only.

You must assign a unique user name to each employee before allowing them access to any of your system’s components. Additionally, you have three options for authenticating each user: a password, an access card or other physical device, or biometric scanning or other recognition software.

If the system is accessed via remote VPN or any other remote access to your network, you should use two-factor authentication: for example, one factor is the login and password and the other a physical or software token or some other second-factor method.

Of course, passwords should be rendered unreadable to others using strong cryptography, and you should ensure proper user identification and authentication management on your system. This should include verifying the user’s identity before resetting a password, and controlling the addition, deletion or modification of a user’s credentials. Set every first-time password to a unique value and require the user to change it immediately after first use. Immediately revoke access for any terminated user and remove inactive user accounts at least every 90 days. Monitor vendor remote access and limit it to the time period needed to perform the task. Require a minimum password length of at least 7 characters containing both numeric and alphabetic characters, and do not allow a password to be reused within a period of at least one year. Limit repeated access attempts to no more than six before locking out the user, and set the lockout to last at least 30 minutes or until an administrator re-enables the user ID. Require the user to re-authenticate after being idle for 15 minutes. Do not use any group, shared or generic accounts, and communicate all of these policies and procedures to every user with access to cardholder data.
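As an added example (not part of the original post), here is a small Python account-policy module that encodes the Requirement 8 values listed above: the 7-character alphanumeric minimum, the one-year reuse window, the six-attempt lockout lasting 30 minutes or until an administrator unlocks, the 15-minute idle timeout and the 90-day inactivity limit. The class and function names are my own, times are plain seconds, and the SHA-256 digest stands in for a proper salted password hash.

```python
import hashlib
import hmac

# Policy values from the Requirement 8 summary above; times are in seconds.
MIN_LENGTH = 7
MAX_FAILED_ATTEMPTS = 6
LOCKOUT = 30 * 60
IDLE_TIMEOUT = 15 * 60
INACTIVE_LIMIT = 90 * 24 * 3600
REUSE_WINDOW = 365 * 24 * 3600

def meets_complexity(password: str) -> bool:
    # At least 7 characters, containing both letters and digits.
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def _digest(password: str) -> bytes:
    # Demo only: a real credential store needs a salted, slow password hash
    # (bcrypt/scrypt/argon2), not bare SHA-256.
    return hashlib.sha256(password.encode()).digest()

class Account:  # per-user state for one unique, non-shared user ID
    def __init__(self, user_id: str, first_password: str, now: float):
        self.user_id = user_id
        self.failed_attempts = 0
        self.locked_until = None          # set once 6 failures are reached
        self.last_activity = now
        self.must_change_password = True  # first-time value must be replaced
        self.history = [(_digest(first_password), now)]
    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until
    def record_failed_login(self, now: float) -> bool:
        # Returns True once this failure locks the account for 30 minutes.
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT
        return self.is_locked(now)
    def admin_unlock(self) -> None:
        self.failed_attempts, self.locked_until = 0, None
    def change_password(self, new_password: str, now: float) -> bool:
        # Reject weak values and any password already used within a year.
        if not meets_complexity(new_password):
            return False
        new = _digest(new_password)
        if any(now - t < REUSE_WINDOW and hmac.compare_digest(h, new)
               for h, t in self.history):
            return False
        self.history.append((new, now))
        self.must_change_password = False
        return True
    def session_expired(self, now: float) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT
    def is_inactive(self, now: float) -> bool:
        return now - self.last_activity > INACTIVE_LIMIT
```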

Russell Harverson has over 9 years experience in the credit card processing industry and has built a reputation for “being there” for all his merchants! The goal of The Merchant Processing Guru is to provide you with the right, cost effective processing solution for your individual business needs, no matter how large, small or different, he has done it all. He is your Guru of Merchant Services, shedding light on the credit card processing industry. To contact him via email: [email protected]
Or call him at: 1-888-368-GURU (4878)


The Merchant Processing Guru Tip# 35: The 12 requirements of PCI Compliance – Requirement #6

Software Security Updates
Develop and maintain secure systems and applications. This is probably the most technical and complicated of all the requirements, but unless you are developing software yourself for use with credit card processing, most of the items in it should not apply to you. Much of this requirement is aimed at developers, so if you use software applications developed by others, just make sure they are PCI DSS level one certified; then not everything in this requirement will apply to you, but rather to the developer. Please make sure, however, to implement what does apply to you, such as the following:

First, you are required to install the latest vendor-supplied security patches for all software on your systems within one month of release. Scan all public-facing web applications at least annually, and make sure there is a web-application firewall in front of them.

Again, my summaries of each requirement are meant to explain the requirements in an easy to understand manner; please refer to the PCI DSS and follow its guidelines to become fully compliant. We are now halfway through the requirements and, as you can see, they are a common sense approach to protecting the security of your customers’ credit card data. I hope this series is making it a little less daunting to comply with PCI DSS. Please don’t hesitate to contact me with any questions.


The Merchant Processing Guru Tip# 34: The 12 requirements of PCI Compliance – Requirement #5

Network lock
Use and regularly update anti-virus software or programs. This one really is simple, so this post will be a short one. Here I would invest in a complete security suite from a top-rated, professional security software provider that includes not only anti-virus software but also protection against spyware, malware and every other kind of known malicious software. You can also get it with a firewall, which will not replace the firewall required in Requirement #1 but will complement it with the required software firewall on each system.

You must keep this software up to date with all security updates, and it must be capable of generating audit logs. Again, it needs to be loaded on every system on your network, from the server to every station and device that connects to the network.


The Merchant Processing Guru Tip# 33: The 12 requirements of PCI Compliance – Requirement #4

Network lock
Encrypt transmission of cardholder data across open, public networks. I will first explain what an open, public network means, the different ways you can be transmitting across your network, and how this affects you. An open, public network basically means any network connected to the internet: once your data leaves your network, even if your network’s sole use is transmitting credit card data, you are transmitting over the public internet. If you are transmitting cardholder data via the internet in your business, whether through an internet-enabled terminal, a virtual terminal or a wireless device that is either Wi-Fi enabled or has a dedicated data connection, you should be using an industry-accepted form of encryption such as WPA2 (IEEE 802.11i) for wireless. WEP is no longer accepted as an approved encryption method for wireless networks over which cardholder data is transmitted.

When using a virtual terminal or selling items on the web, you must have an SSL-secured gateway where your customers’ cardholder information is entered to purchase your product or service. You will know it is secured when, on the payment screen, the URL begins with https:// (the ‘s’ indicates an SSL-secured page).

You might say that you are using a dial-up terminal through a phone line, so this does not apply to you. If you are using an analog POTS line (Plain Old Telephone Service), you may be right, but if you are on a system such as VoIP then you are in fact transmitting the data over the internet: VoIP converts your sound waves to a digital signal and sends it as packets over the internet, where it is vulnerable to hackers.

Terminals are emerging in the market that are end-to-end encrypted, so that no matter what happens to the data, it cannot be decrypted by anyone other than the processor holding the key in its own data centers. This is the wave of the future, as even a WPA2-encrypted wireless network is still not 100% secure. The best example of this is Verifone’s Vx510 VSP; this terminal uses SSL encryption as well as triple DES encryption. It encrypts the card information as you swipe the card, on the card reader itself, before it goes anywhere else; the encrypted card information is transmitted from the terminal over the internet directly to the processor, and only when it reaches the processor is it decrypted in their secure data center. This terminal is tamper proof and will not allow anyone to change its configuration. It can only be programmed at the processor’s secure facility, so no one who is not authorized can load anything into the terminal. Verifone has also recently launched a new line of Vx terminals that they are calling the Vx Evolution; I have yet to try any of these, so I cannot talk about them yet. These newer Vx Evolution terminals are reported to be PCI PTS 3.0 certified and are all end-to-end encrypted, which confirms the industry shift to a higher level of encryption. Verifone is the industry leader in credit card processing terminal manufacturing and has recently purchased Hypercom, its largest US competitor.


The Merchant Processing Guru Tip# 31: The 12 requirements of PCI Compliance – Requirement #2

Password
Do not use vendor-supplied defaults for system passwords and other security parameters. This one is actually fairly simple, but many merchants still do not change the vendor passwords on the security devices this requirement covers. The reason for changing them is simple: vendor default passwords are so widely known that a hacker is likely to try them first when attempting to gain access, and is likely to know pretty much all default passwords or be able to find them with a simple search.

To be clear, you must change the vendor default password on everything connected to your network, including routers, POS systems, wireless devices, credit card terminals, etc. This requirement also asks that you implement and regularly update your system configuration standards and encrypt any web-based administrative access, for example via VPN. If this is beyond your technical abilities, please look into hiring an IT company to help; it is that important, and it will not cost much to have an IT company do these things.

With these first two posts you should have a good idea of what securing your network means, and that it really is not overly burdensome but is basically a best practice for securing your data and that of your customers anyway. You are now well on your way to understanding what PCI is and what you need to do to become compliant. Again, this is just a summary, so please refer to the PCI DSS Requirements for more information, as there are particular requirements that I do not cover in this summary. You can find a great resource here for the PCI DSS Prioritized Approach to becoming PCI compliant: PCI DSS Prioritized Approach


The Merchant Processing Guru Tip# 30: The 12 requirements of PCI Compliance – Requirement # 1

PCI Secure Network
What I will try to do in this series is summarize the main objectives of each of the PCI requirements, giving you an easy to follow & understand overview of what you need to do to become compliant. Please keep in mind though that this is a summary, so please refer to the PCI Security Standards for a full description of what is required of your business.

Requirement #1. Install and maintain a firewall configuration to protect cardholder data. Sounds simple, right? Got a firewall, good to go! Unfortunately, just having a firewall does not fulfill this requirement. PCI requires not only that the firewall exist but that it be configured in a certain way, which I will specify, and that you have periodic tests and procedures in place to make sure the firewall is effectively doing what it needs to do. If you have a network, they are referring to a physical firewall in your router or some other standalone device, not a software firewall. The configuration should restrict the flow of traffic from unknown sources and prohibit public access to any sensitive cardholder information; in addition, you should have personal firewall software on any wireless device or personal computer that has access to your network. This also means that if you allow wifi connectivity to the public (your customers, visitors etc.), you should at a minimum have a password on it that you change periodically and limit its access to the rest of your network. The best solution, though, is a separate network for your public wifi access.

If you have a network and do not have an IT person on staff who can configure this for you then I suggest that you find an IT company who understands these requirements and has had experience implementing networks that adhere to these requirements in other businesses.


The Merchant Processing Guru Tip# 28: PCI Compliance – Where to begin?

You could say the first place to begin is to identify what level of merchant you are, so you know what is required of you. See the chart below to determine which level you fit into. Don’t be fooled by the chart, though: most level 3 and 4 merchants look at it and think they only have to complete a Self-Assessment Questionnaire, have a scan of their network completed every quarter by a PCI-approved vendor, and validate PCI compliance with their acquirer. This is not necessarily true, because at that point it is assumed that you have already completed requirements 1 through 12 of the PCI DSS. If you have not gone through each of these requirements and fulfilled every one, then you are not compliant! I will go through each of the 12 requirements in my next several posts and explain the steps you need to take in each one, to help you understand what you need to do to become compliant.


PCI Merchant Levels

Meanwhile, a really good white paper was released last Monday by ControlScan, a leading authority in the PCI compliance space, that explains the main steps a merchant should take to become PCI compliant. It is a great overview of the best practices any merchant should follow. It gets a little technical in places, but don’t let that alarm you; this information can help you hire the right IT or PCI security people to help you take the steps necessary to secure your network. Basically, if you need help becoming PCI compliant, get the help. It could mean the difference between building a thriving business and going out of business; it’s that simple!


Here is the link to the white paper from ControlScan:

www.controlscan.com

