The PCI DSS And Data Security

Date Published: 25th May 2008
Author: Andy Eliason
The need for strong data security in the current business environment cannot be overstated. The PCI DSS (Payment Card Industry Data Security Standard) was created to be a guide and a tool for merchants to employ as they work toward creating the most secure environment possible.

The PCI DSS is a set of 12 requirements that any merchant who stores, processes, or transmits credit card data must adhere to. Some of these requirements are seemingly obvious, and some of the requirements cover aspects of data security that are often overlooked. Well, overlooked by merchants... not by hackers.

Nevertheless, studies have shown that many companies are still failing to reach PCI compliance. There can be many reasons for this failure, though quite often the cause stems from the costly and complex nature of the PCI DSS. It simply seems too daunting a task to achieve, and as such it winds up getting put off, or not fully accomplished.

Data security, however, is too important to ignore. Every day criminals become more aggressive and advanced in their methods, and if you intend to provide a safe environment in which to do business, you will have to keep up with these requirements.

The Federal Trade Commission offers a guide for businesses that are implementing measures to improve data security. Once you have a security plan like this in place, you may find it a lot easier to achieve and validate your PCI DSS compliance. The guide divides its plan into five key principles.

The first is to Take Stock. Take a step back and analyze your entire business. What information are you storing? Who has access to it? There are a number of things you can do to initiate this process, including inventorying all computers, flash drives, disks, and other media that you use to store information. Sensitive data can be (and is) stored on any number of media, depending on how you conduct your business. All of these items must be checked and inventoried.

You must also actually talk to the different sections of your business. Make sure that you all understand the complete picture of how information passes through the business, and make sure it is not getting lost or left behind somewhere along the way.

The next principle is to Scale Down. This means keeping only the information that is absolutely necessary for your business needs. Information you do not need probably should not be collected in the first place. For the information that can legally be kept (or must be kept for legal reasons), you should have a specific policy on how to store it, how long to store it, and how to purge it.

The third principle is to Lock It. This includes encrypting sensitive electronic data, but it can also mean procedures for physical data. Writing your password on a piece of tape and sticking it to your desk is an open invitation to a security breach. Lock it all away.

Number four is to Pitch It. This means properly disposing of anything you no longer need. It is not as simple as tossing paper in the trash or hitting the delete button on the computer. Information must be completely eliminated. Shred paper documents and use wipe or format utilities on computers.

Key principle number five is to Plan Ahead. Be aware that even with your best intentions to protect cardholder data or become PCI DSS compliant, a breach could still happen. You have to be prepared to deal with these situations. Do you know how to respond to an intrusion? Do you know how to initiate an investigation? Do you know which authorities to report the incident to?

The PCI DSS is a complex set of requirements, but by taking preparatory steps you can find that reaching compliance is within your grasp. The five principles listed here – Take Stock, Scale Down, Lock It, Pitch It, and Plan Ahead – are foundational principles that can help you improve data security and future success.

Andy Eliason is a writer at Main10, Inc. If you would like to learn more about the PCI DSS and data security, visit Braintree Payment Solutions.
Source: http://www.articlealley.com/article_546583_15.html