PCI Compliance Checklist
POS data breaches continue to plague the retail and restaurant industries, with hackers perpetrating increasingly sophisticated schemes to access and fraudulently utilize credit card numbers and other information stolen from operators’ systems. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can reduce the likelihood of experiencing data compromise. Answering the questions on the following checklist will help you determine how close you are to achieving POS PCI compliance within your organization.
Have you installed, and do you continuously maintain, a firewall between a public network and payment card data? Network security is essential to maximizing POS security—which is why POS PCI compliance entails the use of a strong firewall to screen out network traffic from viruses, worms, and malware designed by hackers to compromise POS systems.
Have you changed all vendor-supplied defaults for system passwords and other security parameters, including network routers and modems? It’s easy for criminals to obtain or guess default passwords, so changing these and other security parameters are a must. Your best bet for POS PCI compliance: set complex, computer-generated passwords, and re-set them regularly.
Do you use strong encryption technology to protect cardholder data at rest and as it travels across open, public networks? The latter even includes cardholder data that is contained in emails. In very basic terms, encryption safeguards sensitive data by rendering it unintelligible to hackers. The greatest potential for POS PCI compliance can be achieved by encrypting data from end to end; i.e., encryption occurs at the moment data are captured, and the data remains encrypted until it reaches its final destination.
Have you installed, and do you regularly update anti-virus software? Such software should be deployed on all systems in your network. Installing anti-malware software is also advisable.
Do you utilize vendor-supplied security patches to secure systems and applications? Security patches decrease or eliminate vulnerability to malware, as well as enhance POS security and, in turn, POS PCI compliance.
Do you limit access to cardholder data? Employees and others—for example, third-party vendors—shouldn’t have access to your POS system unless the information is required in order for them to perform their jobs. Additionally, access to different levels of data should vary based on staff members’ responsibilities. For instance, store associates do not need to be able to view the same complex data as store managers or regional managers.
Do you assign a unique ID to each employee who does need access to your POS system? This makes is makes it easier to maintain accountability for accessing the data and assessing individual employees’ adherence to data security practices. It also enables you to quickly identify who may be flouting the rules and jeopardizing your operation’s POS PCI compliance.
Do you restrict, track, and monitor all access to the network and cardholder data environment? POS PCI compliance is an easier proposition if you do, and the tracking and monitoring steps help with accountability as described above.
Do you regularly test security systems and processes in your network for vulnerabilities? You don’t want to find out through a data compromise that your POS system is vulnerable. Instead, test security systems and processes at least every three to six months to determine in advance whether a compromise has already occurred or is in process.
Do you maintain and update a security policy and train your employees on the ins and outs of information security? Both the policy and the training should cover procedures for handling data to maintain its security, along with restrictions on data access.
Admittedly, no technology or set of best practices will completely eliminate the risk of POS data compromise. However, POS PCI compliance—and following the steps outlined in this quick PCI checklist—will go a long way to protecting data integrity for merchants of all sizes.
