PCI compliance regulations (mandated by the Payment Card Industry Security Standards Council) are numerous, detailed and complex, leaving many businesses perplexed as to how to achieve them. However, if they fail a PCI compliance audit, they risk losing their right to process credit card transactions, effectively shutting them down. HOSTING is here to help. Following are five tips that every business can use to achieve PCI compliant hosting.
Tip #1 – Segment your networks
We hate to bring up Target’s massive data breach – again. However, Target’s use of “flat networks” to store their data played a significant role in its cyberattack. A flat network aims to reduce network administration and maintenance costs by allowing sensitive and non-sensitive information to mix. In Target’s case, hackers accessed the network through the HVAC system and then moved across the flat network to get to the point-of-sale systems.
Businesses subject to PCI compliance should segment their networks so that their sensitive information is securely located in its own “house.” Currently using flat networks? Get thee to IT – in many cases they can achieve network segmentation through properly configured firewalls and routers.
Tip #2 – Tighten up your access controls
PCI DSS standards require that you assign a unique user ID to each person with access to payment card data. This access should be on a need-to-know basis. Yet companies are notorious for creating generic sets of IDs and user names that multiple employees can access. In the event of a data breach, these firms are unable to determine who had access to what information.
Additionally, companies often fail to terminate access when employees leave or take on another position that doesn’t require them to have access to confidential data.
So take the time to assign unique IDs to your employees who are required to access confidential customer data. While you’re at it, establish a policy that employees never share these credentials with anyone else. Finally, have HR notify you when an employee moves on so you can terminate their access immediately.
Tip #3 – Encrypt everything
We get it – data storage is cheap these days. And many companies find that it’s easier for them to “store everything” rather than sift through reams of data to determine what is confidential. However, the more sensitive data you store, the less likely you are to have the bandwidth to encrypt all of it. And you have to prove to the PCI auditors that all of that data is secure.
If we’ve said it once, we’ve said it a hundred times – encrypt your data. We promise, it’s not that complicated. In order to encrypt data in transit, you just need to make sure you’re using standard mechanisms such as HTTPS, the common protocol used to access a secure Web server, or a Virtual Private Network (VPN).
Also encrypt the data stored on your servers and hard drives (aka “data at rest”), whether you keep it onsite or store it in the cloud. As a PCI compliant cloud hosting provider, HOSTING encrypts all data – in transit, at rest, and on mobile devices. However, keep in mind that when storing confidential data in the cloud, you are responsible for ensuring its encryption.
Tip #4 – Shore up your firewalls and routers
PCI not only mandates strong controls over your firewalls and routers, it also dictates how they should be configured. In addition, PCI requires businesses to review firewalls and routers every six months to confirm that every connection into and out of a network is documented.
Not sure how your firewalls and routers measure up? Check out our blog, Your PCI Compliance Firewall Audit Checklist for information on how to address this requirement.
Tip #5 – Use PCI compliant passwords
Yes, this is a really basic tip. However, HOSTING’s information security and compliance teams can regale you with tales of companies failing a PCI audit due to “dumb passwords.” Fortunately, PCI provides detailed instructions regarding setting up passwords. For example, you can’t use the default passwords that come with your systems. You have to create your own, using the following guidelines:
- Password length is a minimum of seven characters
- Passwords must contain a mix of uppercase letters, lowercase letters and numbers
- Passwords must be changed every 90 days
- Passwords that have been used within the last two years are invalid
- Six failed attempts to enter the correct password must result in a system lockout of 30 minutes, or until an administrator re-enables access
Still tempted to use a basic password? Consider the consequences of failing an audit over a simple detail.
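As an added example (not from the post or from HOSTING), here is a small Python model of the Tip #5 rules: the complexity check, the 90-day rotation, a two-year reuse window (treated here as 730 days), and a lockout after six failures that lasts 30 minutes or until an administrator clears it. Only salted PBKDF2 digests are kept, so the reuse history is not itself a list of old passwords; the class and its method names are this example’s own.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7                        # minimum of seven characters
MAX_AGE = timedelta(days=90)          # passwords must be changed every 90 days
HISTORY_WINDOW = timedelta(days=730)  # reuse within the last two years is invalid
LOCKOUT_THRESHOLD = 6                 # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=30)

def meets_complexity(password: str) -> bool:
    return (len(password) >= MIN_LENGTH and any(c.isupper() for c in password)
            and any(c.islower() for c in password) and any(c.isdigit() for c in password))

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, now: datetime):
        self.history = []  # (set_at, salt, digest) tuples, newest last
        self.failures, self.locked_until = 0, None
        self.set_password(password, now)

    def set_password(self, new: str, now: datetime) -> None:
        if not meets_complexity(new):
            raise ValueError("password does not meet complexity rules")
        for set_at, salt, digest in self.history:
            if set_at >= now - HISTORY_WINDOW and hmac.compare_digest(_digest(new, salt), digest):
                raise ValueError("password was used within the last two years")
        salt = os.urandom(16)
        self.history.append((now, salt, _digest(new, salt)))

    def is_expired(self, now: datetime) -> bool:
        return now - self.history[-1][0] > MAX_AGE

    def authenticate(self, attempt: str, now: datetime) -> bool:
        if self.locked_until is not None and now < self.locked_until:
            return False  # locked out: reject even a correct password
        _, salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(attempt, salt), digest):
            self.failures, self.locked_until = 0, None
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:  # sixth failure starts the 30-minute lockout
            self.locked_until, self.failures = now + LOCKOUT_DURATION, 0
        return False

    def admin_unlock(self) -> None:  # "or until an administrator re-enables access"
        self.locked_until, self.failures = None, 0
```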
Looking for a secure PCI compliant solution? Look no further than HOSTING. Our team of compliant cloud experts stands ready to help. Contact them anytime to discuss your specific needs. And be sure to view our on-demand webinar, Security Challenges of Migrating to the Cloud, for additional insights.