PCI Compliance Checklist for eCommerce Businesses
Any business that accepts credit card transactions should follow the standards of the Payment Card Industry Security Standards Council. This includes companies that transmit cardholder data and those that store or process it. It definitely includes all types of e-commerce companies.
Breaches of customer data make the news on a regular basis. The response is typically temporary outrage by the public until the next crisis. The stories that don’t get told about these events should concern every business that touches credit card information.
When hackers steal identities, companies go out of business. Consumers lose thousands of dollars, and confidence in the business heads toward zero.
For companies that survive, costs of repairing the damage soar. Also, company information often gets held for ransom. You must pay the hackers to get it back.
Here is a checklist of PCI requirements for eCommerce security.
- Use firewalls and maintain them.
- Avoid passwords the vendor gives you, or that come with software. Change passwords often.
- Keep cardholder data under protection.
- Encrypt data you store and make sure it is encrypted when you send it.
- Protect the entire system by applying updates. Take advantage of new security software.
- In addition to systems, make sure applications are secure.
- Start a policy that allows access to cardholder data on the basis of a strong business case. Make people who request access justify their need.
- Use authentication for access to any part of the system.
- Grant physical access to servers only to personnel who are cleared.
- Monitor data at all times for changes.
- Perform tests and “fake” attacks to see if defenses work properly.
- Perform all tasks according to a written policy.
Stay up to date on all industry-related news and events; one suggestion is to attend cybersecurity conferences. Otherwise, there are numerous PCI training options online, similar to eLearning courses.
The PCI Council does not enforce the suggestions in the checklist.
No one comes knocking to check on the security of your company. No one but hackers.
Your obligation is not to the Standards Council, but to your stakeholders and customers. PCI compliance is only the starting place for company security.
Changing Security Needs
Even if you perform every task on the checklist, your security needs will change. Doing the checklist once won’t protect you. Hackers constantly learn new ways to break in, and over time, all security systems weaken as a result.
Business growth changes your security needs. As you add new procedures and technologies, you create more doorways for hackers to walk through. You can’t expect your current security methods to handle all future cases.
Consider these scenarios.
- You granted system access to an employee who is no longer with the company.
- Your company starts allowing staff to work from home. They will need access to credit card information and security for their wireless service, plus guidelines on protecting the information they receive.
- You hire someone to create a new website for you. This person will need to include security for the new site. Test the website for bugs.
- Software updates come out regularly, but you don’t install them.
- Employees receive emails asking for company information.
Any development like this signals the need to upgrade security.
Many companies leave a back door open by assuming vendors have security. Hackers can enter vendor systems, then find access to your files.
If you use a data center for storage, you should know that center’s security measures. An off-site data storage service requires transmission from your servers. Check to see that you only send encrypted information. Also, make sure the information gets stored as encrypted files.
Outside companies that provide maintenance of your systems must have two things:
- Their own security to protect information they have about your company.
- Knowledge of your security standards so they can maintain and upgrade them during regular maintenance or fixes.
Check anti-virus providers. Fake anti-virus software continues to make its way through the business world. Many companies purchase scanning solutions, only to find that they have malware embedded in them. Use reputable sellers, and scan their software for suspicious files.
Artificial intelligence disrupts current security methods. This game-changer makes current security measures old-fashioned. AI offers the power to analyze systems and reconfigure them regularly so that your information becomes a moving target.
The bad guys already use AI to crack your security, so you must fight fire with fire. Look into AI-based security systems that can learn to recognize suspicious patterns and files. This capacity to change and grow with new hacking techniques, called machine learning, can effectively protect your company.
Also, AI can shut down systems in the event of a breach. By closing pathways to a virus, AI quarantines the threat so IT staff can get rid of it.
You can expect an upgrade to the PCI Compliance Checklist that embraces AI. But you don’t have to wait for that. Your company remains vulnerable today if you don’t have AI working for you.
The Bottom Line
An e-commerce website has special security needs. You must send information through public channels, and you receive it the same way. Any information in transit can disappear if you don’t have solid protection in place.
As customers increasingly opt for storing their credit card information for future purchases, company responsibility grows. One breach can ruin your reputation. Customers routinely change companies they do business with if they don’t feel safe.
By the time you read this article, your security needs may have changed. By making sure you have a dynamic, growing e-commerce security system, you increase your chances of staying safe.
One of the secrets of the security industry states that when hackers find too much difficulty, they move on to a new victim. You can be the one they move on from instead of the one they move on to.