If you take credit card payments, whether at a point of sale or through a website, you will have signed a merchant agreement with your bank committing you to meet your PCI DSS obligations.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that store, process or transmit cardholder data for the major card schemes, including Visa, MasterCard and American Express. It sets out twelve requirements that merchants must meet, grouped under six control objectives:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security policy
12. Maintain a policy that addresses information security for all personnel
Many businesses in New Zealand use a PCI DSS compliant payment processor such as Payment Express. That does not mean they can forget about the twelve requirements above. Card details can still be stolen during the transaction, before they reach the payment processor's part of the website. Criminals can alter the code on an insecure website so that it first sends the card details to a look-alike domain (paymentiexpress.com, for example), where they are stored to be sold later, and then passes them on to the correct site (paymentexpress.com) for processing, so the payment still goes through and nothing looks wrong to the customer.
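As an added example, not code from the original page or from Payment Express, the following Python script performs the kind of check a site owner can run over a checkout page's HTML to catch the substitution described above: it lists the hosts that scripts load from and forms post to, compares them against an allowlist, and flags any unknown host, noting when it closely resembles a trusted one. The allowlist, the hostnames and paths, and the sample HTML are all constructed for this example.

```python
"""Audit a checkout page's external references for injected look-alike hosts.

Added example, not code from the original page or from Payment Express.
The allowlist, hostnames, paths and sample HTML are constructed for illustration.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is expected to load scripts from or post forms to
# (assumed values for this example; list every exact host, subdomains included).
ALLOWED_HOSTS = {"shop.example.co.nz", "paymentexpress.com"}

# Constructed checkout page: one legitimate processor script and form, one
# injected script on a look-alike domain, and one unexplained third-party script.
SAMPLE_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://paymentexpress.com/pay.js"></script>
<script src="https://paymentiexpress.com/pay.js"></script>
<form action="https://paymentexpress.com/process" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
<script src="https://cdn.stats-collector.invalid/track.js"></script>
</body></html>
"""


class ExternalRefParser(HTMLParser):
    """Collect every URL that a script loads from, a form posts to or an iframe embeds."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append((tag, a["action"]))


def host_of(url):
    """Lower-cased hostname of a URL; '' for relative (same-origin) URLs."""
    return (urlparse(url).hostname or "").lower()


def resembles(host, allowed, threshold=0.85):
    """Return the allowed host that `host` closely resembles, or None.

    A high similarity ratio to a trusted host without an exact match is the
    signature of a typosquat such as paymentiexpress.com.
    """
    for trusted in sorted(allowed):
        if host != trusted and difflib.SequenceMatcher(None, host, trusted).ratio() >= threshold:
            return trusted
    return None


def audit_checkout_html(html, allowed=ALLOWED_HOSTS):
    """Return one finding per external reference whose host is not allow-listed."""
    parser = ExternalRefParser()
    parser.feed(html)
    findings = []
    for kind, url in parser.refs:
        host = host_of(url)
        if not host or host in allowed:
            continue  # same-origin or explicitly trusted
        findings.append({
            "kind": kind,
            "url": url,
            "host": host,
            "resembles": resembles(host, allowed),
        })
    return findings


if __name__ == "__main__":
    for f in audit_checkout_html(SAMPLE_HTML):
        note = f" (look-alike of {f['resembles']})" if f["resembles"] else ""
        print(f"UNEXPECTED {f['kind']} -> {f['url']}{note}")
```

Two caveats. The allowlist has to contain every exact host the page legitimately uses (www.paymentexpress.com is a different host from paymentexpress.com and would be flagged as a look-alike), and the check only sees the HTML you fetch: a skimmer injected into an allow-listed script file itself, or served only to some visitors, is not caught by it. The same allowlist can also be enforced in the browser with a Content-Security-Policy header using the script-src and form-action directives, so a call to an unlisted host is blocked rather than merely reported afterwards.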
Credit card details can also be stolen from insecure point of sale computers. Criminals install malware that scrapes card data from the machine's memory while a transaction is being processed and transmits it to their servers.
If criminals do manage to steal the credit card details of your clients, the penalties from your bank can include:
- Fines of up to USD 500,000
- A mandatory review of your security (at your cost)
- Removal of your ability to take credit card payments
And your reputation with your clients will obviously suffer.
We can help you meet your obligations and reduce the risk to you and your customers through our Website PCI DSS Compliance Service. It covers the following areas, which your bank requires for compliance:
We work with you and your web developer / hosting company to complete the Self Assessment Questionnaire (SAQ) and file it with your bank. Where you are non-compliant, we provide recommendations to resolve the issues.
We scan your website every month for vulnerabilities that criminals could exploit. If a scan finds issues, we advise you and your web developers and recommend how to fix them. When a scan passes, we file it with your bank. PCI DSS requires a passing external vulnerability scan to be filed at least quarterly, and the scans used for compliance must be performed by a PCI SSC Approved Scanning Vendor (ASV).