Posts
Furthermore, with the Internet being the fastest growing retail sector, many merchants are turning to this sales channel to attract a wider audience for their goods and services – however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world.
PCI DSS compliance in practice
The following are some critical areas that are typical for a retail environment, but may be overlooked:
- Merchant Receipts: Although many new terminals now print the PAN truncated (displaying the first 6 and last four digits), older terminals may print the full PAN on merchant receipts. Therefore, merchant receipts are in scope. Furthermore, other physical media such as chargeback forms and physical faxes may be present. Any media containing the PAN must be handled, stored and disposed of in a secure manner. Ensure your organisation does not simply leave transaction receipts in public areas or place them in plastic bin bags to be thrown away; they should be treated the same as cash.
- Sales/Customer Services Team: If the merchant maintains an electronic point of sale system, the equipment may be vulnerable to ‘keyloggers’ either by hardware (connected to the keyboard and hidden from view behind the PC) or by malicious software (installed deliberately or accidentally) may capture keystrokes.
- Call Recordings: If calls are recorded. Storing the PAN in an encrypted format is permitted, however the storage of any CVV (sensitive authentication value) is prohibited by PCI DSS and must not be recorded.
- Post-authorisation: Storing sensitive authentication data post-authorisation is strictly prohibited by PCI DSS. Ensure sensitive authentication data is not stored after authorisation.
- Video Monitoring: Most CCTV footage is destroyed after a month, however under PCI DSS requirements access mechanism logs should be retained for at least 3 months.
- Indirectly Connected Devices: Any machines not involved in cardholder data processes, but are logically connected to devices that do process, store or transmit cardholder data will be in scope.
- Terminal/POS Responsibility: POS systems usually are mounted on underlying operating systems such as Windows 98, 2000, XP or later and should be included within an organisations PCI DSS project scope . However, this is often not considered.
- Private Networks: ‘Private’ networks provisioned by a service provider may actually be shared. Ensure that the perimeter device to the private network is not connecting out over the Internet.
‘PCI DSS is achievable with guidance and an effective roadmap’
Achieving PCI DSS compliance
Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct an initial scoping exercise – this will review all systems, which will shape the extent of the PCI DSS project.
A scoping exercise offers options to manage the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. The organisation then has the opportunity to choose the option they feel is most appropriate to their situation and their business.
By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process.
Sysnet have often achieved ten-fold reduction in the costs of an organisation’s initial and on-going compliance due to the adoption of this methodology. Although PCI DSS may seem a long and daunting process, with good planning and a clear road map supported by a experienced and pragmatic QSA partner, compliance can be achieved.
This will also put the business in a stronger position as there will be a greater understanding of how systems work within the organisation, and also the identified potential risk areas. Business should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project.
‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’
Maintaining PCI DSS compliance
Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting customer’s cardholder data 24/7, 365 days a year.
How can Sysnet help?
Sysnet QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.
Due to the challenges faced in this area Retail merchants should find the most time and cost effective route to compliance. Sysnet can assist with this by reducing the number of systems, locations and employees subject to PCI DSS compliance which will ultimately reduce the overall cost of achieving and maintaining compliance.
For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.
