Thursday, June 30, 2011

PCI Compliance - Practicing Safe Computing.

PCI Compliance Security
There has been a lot of talk lately about hackers and their ability to break into the systems of even the biggest software companies. The question, though, is how well your own system would stand up to them. In 2004, five large companies took it upon themselves to create PCI (Payment Card Industry) Compliance.

PCI Compliance was created by the major credit card companies in order to protect consumers from online credit card fraud. Developed by Visa, MasterCard, American Express, Discover, and the JCB Data Security Program, it was intended to give everyone a single standard to follow in order to protect the online merchant, the online customer, and of course the card companies themselves. On December 15th, 2004, these five companies created PCI Compliance.

The best way to understand PCI Compliance is to review its terms and make sure you take the proper steps to protect yourself and your customers, or in this case, your members.
There are six categories that determine whether or not you are PCI Compliant. The first is that you maintain a secure network. Is your network behind a firewall? This is key to keeping others out of your system. A firewall blocks unwanted computers that try to connect to your network, so that only people who are logged into your online marketplace can access it and use their credit cards.

The second is that you protect cardholder data. This is easier said than done. You need to make sure that the cardholder data stored on your server, such as names, card numbers, and other personal information, is protected. The best way to do this is by encrypting your data. Encrypting your data means it is scrambled with a secret key that only your own system holds, so that only a system with that key can turn it back into readable form. This way, if your network is broken into, the data would be useless, as the hacker would not be able to read it without the key.

Third is that you maintain a vulnerability management program. Of all the items on this list, this is something you already do. Just make sure your software is up to date, such as your anti-virus and Windows updates, and run virus scans on a weekly basis (I recommend running it at least twice a week, and updating the virus definitions at least once a week). This is something you should not confine to your server; it applies to your desktop and home computer as well. It is always good to practice safe computing.

The fourth piece of the compliance standard is all about implementing strong access control measures. It is your responsibility to limit who has access to these key pieces of information. This is done by assigning a specific ID number to each of those key people. This may be anyone from an IT manager to an Executive Director, but each has to have a specific ID so that it is known who has access to the system and who doesn't. You might ask, what about those who log in? When you assign them a username and password, you are already giving them this specific ID. You can trace the IP address this person logged in from, and therefore know exactly who it is and where they were when they logged in.

Number five states that you must regularly test and monitor your networks. This can be done by white hat hackers (hackers employed by security firms to test the strength of other networks and find holes in them: the good guys), or through software that will monitor and test your network regularly for vulnerabilities. It is important to keep your network in tip-top shape so that it can't be broken into.

The final item on the list is that you have and maintain an information security policy. The idea is that your employees know what your security policies are and are able to explain them to the public if need be. You are responsible for your network; make sure you have a plan and know how to implement it.

The current version of PCI Compliance, 2.0, was released October 26th, 2010.  By January 1st, 2012 everyone must be on 2.0.  With all the hacking going on, especially to big companies like Sony, Google, and the CIA, it is your responsibility to protect yourself.  Some hackers do it for fun, and some do it for profit, but no matter what, unless you take the time to protect yourself, you can, and will be, hacked.

To get more information about PCI Compliance, visit the official PCI Security Standards site.
