Strengthening your payment chain
The purpose of the PCI DSS is to keep every link in your transaction chain as safe and secure as possible. If your business accepts card payments face to face, on your website, or over the phone, this includes:
Covering all the angles
By complying with and implementing the PCI DSS standards, you’re protecting your business and customers against the following:
‘Trojans’ and other malicious viruses can sneak into your system to change cardholder payment records from ‘paid in full’ to ‘unpaid’ or to make unapproved transactions. Keeping your anti-virus software up to date helps you keep these attacks at bay.
Denial of Service
A loss of connectivity is a huge issue if you rely heavily on the Internet to do business. The risk can be reduced, and even prevented, by building and maintaining a secure network that’s protected by one or more firewalls. For further help and advice, speak to a QSA or your PCI SSC approved Internal Security Assessor.
Whether it’s face-to-face, online or over the phone, each card transaction you make sends information across public networks. By encrypting cardholder data ‘in transit’, private details such as name, address, account number and expiry date are kept safe and hidden.
It’s not just attacks from outside of your business that you need to protect against. Sometimes the threat is closer to home. Having secure internal access controls helps you protect yourself and your customers’ data from dishonest insiders as well as external fraudsters.
Company webpages and interactive forms are a big target for hackers and fraudsters. Ensuring your network is protected helps prevent ‘defacement’, where slight alterations to web data entry forms trick customers into revealing sensitive data.
With so much information going back and forth, it’s easy for things to slip through the cracks. Constant and thorough monitoring of your transaction activity prevents critical log and audit data from being tampered with or erased. It also makes it easier to trace attacks back to their source.
You can’t always be around to monitor how employees are using their computers. But with the correct measures in place, you can avoid having illegal pornography, unauthorised software or pirate movies being accessed and/or copied onto your business hardware.
Working with the controls set out by the PCI DSS will help you with other governance and legal requirements that may be relevant to your business. For example, the Information Commissioner considers cardholder data to be personal data. Merchants and service providers are therefore expected to be compliant with the PCI DSS in order to remain compliant with the Data Protection Act.
Payment cardholder data is not the only important asset that the PCI DSS protects. The scheme guidelines can also be applied to wider information security projects, such as implementation of the Information Security Management Standard ISO 27001.