By Nikole Haiar, Director of Marketing at Hostway Services, Inc.
Depending on what industry you’re in, your business may be under a legal obligation to ensure that its corporate information, as well as its customer data, remains secure.
One such piece of legislation is the Payment Card Industry Data Security Standard, which outlines rules to help retailers protect credit and debit card details.
In order to operate safely within the retail sector, businesses must adhere to PCI standards. However, security isn’t the only concern here; avoiding lawsuits and fines is an additional incentive.
“Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences,” the PCI Security Standards Council stated.
Since complying with PCI standards, and ensuring that all partners and third-party vendors they work with do as well, is in businesses’ best interests, let’s examine some of the considerations to keep in mind about PCI compliance strategy.
Encryption through SSL certificates.
What will each company use to ensure that card data is safe? Although firewalls, anti-virus software and other protection strategies will be used, the central safety measure is an SSL certificate. This technology encrypts the information it protects, so that only authorized parties holding the decryption key can read the content. Security firm Barracuda noted that while PCI standards do not specify a minimum certificate key size, companies should use SSL certificates with 2048-bit keys for optimum protection.
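As an added example (not from the original post or from Hostway), the following shell script checks that a PEM certificate's RSA public key meets the 2048-bit minimum recommended above. It assumes the openssl command-line tool is installed and generates its own throwaway self-signed test certificates rather than touching any real merchant certificate.

```shell
#!/bin/sh
# Added example: verify that a certificate's RSA key is at least 2048 bits.
# Assumes the openssl CLI is on PATH; MIN_BITS reflects the post's recommendation.
set -eu

MIN_BITS=2048

# Print the RSA key size in bits for a PEM certificate (empty if unreadable).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate's key meets MIN_BITS, 1 otherwise.
check_cert_key_size() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || bits=0
    if [ "$bits" -ge "$MIN_BITS" ]; then
        echo "$1: ${bits}-bit key meets the ${MIN_BITS}-bit minimum"
        return 0
    fi
    echo "$1: ${bits}-bit key is below the ${MIN_BITS}-bit minimum" >&2
    return 1
}

# Create a throwaway self-signed certificate (constructed test data, not a real cert).
# $1 = RSA key size in bits, $2 = output path prefix
make_test_cert() {
    openssl req -x509 -newkey rsa:"$1" -nodes -keyout "$2.key" -out "$2.crt" \
        -subj "/CN=test-$1-bit" -days 1 >/dev/null 2>&1
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_test_cert 2048 "$workdir/strong"
check_cert_key_size "$workdir/strong.crt"          # passes

# Some OpenSSL builds refuse to sign with a 1024-bit key; only demo it if it can be made.
if make_test_cert 1024 "$workdir/weak"; then
    check_cert_key_size "$workdir/weak.crt" || true   # fails the check, as intended
fi
```

Run the same check_cert_key_size function against your own certificate files before deploying them.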
Cloud hosting comes with its own set of PCI compliance considerations, particularly if the platform is used to store or transmit payment card information. The PCI Security Standards Council noted that in this landscape, security becomes a shared responsibility between the cloud service provider and the company using its services, so both parties must ensure that the technology and its use comply.
“If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the [cloud service provider’s] infrastructure and the client’s usage of that environment,” the PCI Security Standards Council stated.
As cloud platforms are customizable, the council advises creating specific policies and procedures, adhered to by both the cloud vendor and the client, that outline the security requirements needed for compliance, the management and reporting needs, and the overall responsibilities of each party.
According to the council, depending on the type of cloud being utilized — i.e., infrastructure-as-a-service, software-as-a-service or platform-as-a-service — PCI DSS compliance considerations could include any of the following:
- The use and maintenance of a firewall for cardholder data protection
- Protection for stored card details
- Encryption of payment card information within publicly accessible networks
- The utilization and maintenance of anti-virus software
- The use of unique authentication credentials for each individual with approved access to payment card databases
- Tracking and monitoring all access to sensitive card information
Different types of businesses.
While retailers come to mind first when talking about PCI compliance, IBM noted in a recent presentation that other companies have their own PCI standards to observe. Manufacturers of PIN entry devices, software developers that create payment applications and companies that sell these programs must adhere to their respective portions of the PCI legislation.
One of the best ways to ensure compliance is to work with a compliant service provider.
With over a decade of experience in technology-focused B2B marketing, Nikole Haiar is responsible for the marketing, strategy and execution for Hostway’s retail and white-labeled cloud applications, which includes websites, email, online marketing, SEO, business productivity and web security tools.