<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>2Checkout.com &#187; credit card</title>
	<atom:link href="http://www.2checkout.com/blog/tag/credit-card/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.2checkout.com</link>
	<description>merchant account / credit card processing alternative</description>
	<lastBuildDate>Mon, 06 Feb 2012 21:37:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Clearing the Mystery of PCI Compliance (Part5)</title>
		<link>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part5/</link>
		<comments>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part5/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 14:14:55 +0000</pubDate>
		<dc:creator>bion</dc:creator>
				<category><![CDATA[2Checkout Blog]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.2checkout.com/community/?p=2661</guid>
		<description><![CDATA[Over the past four weeks we have been taking a look at becoming PCI compliant. We have set up our network, we are encrypting customers&#8217; data, our anti-virus program is installed and updated, and we are taking steps to make sure our network and software are secure. I feel good about this, and I think [...]]]></description>
			<content:encoded><![CDATA[<p>Over the past four weeks we have been taking a look at becoming <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">PCI compliant</a>. We have set up our <a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1">network</a>, we are <a href="http://www.2checkout.com/blog/2checkout-blog/e-commerce/clearing-the-mystery-of-pci-compliance-part-2">encrypting customers&#8217; data</a>, our anti-virus program is <a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3">installed and updated</a>, and we are taking steps to make sure our <a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-4">network and software are secure</a>. I feel good about this, and I think we have learned some useful information. Now we will <a href="http://www.pci-portal.com/knowledge-centre/pci-control-objectives/access-control-measures/">Implement Strong Access Control Measures</a>, the third PCI DSS goal, which covers three requirements:</p>
<ol>
<li><strong>Requirement 7: Restrict access to cardholder data by business need-to-know</strong></li>
<li><strong>Requirement 8: Assign a unique ID to each person with computer access</strong></li>
<li><strong>Requirement 9: Restrict physical access to cardholder data</strong></li>
</ol>
<p>Here we look at who has access to customers&#8217; information and to the computers that store it. Like many people starting an Internet business, we use our business computer for recreation too. That becomes a problem when friends or family also use it: anyone who can sit at the keyboard can reach the cardholder data stored there. The safest measure is a dedicated system used only for processing and storing cardholder information. Let&#8217;s look instead at how we can keep using our existing computer and still make it compliant.</p>
<p><span id="more-2661"></span>We need to work out who needs access to customer information. In our example I will be the only one, so it will be simple. In some cases we may have a business partner or, if we expand as I hope, an employee or two. These people will probably need some access to customer information, so we need to figure out who needs which data to perform their job. The person answering customer service questions may need to know a customer&#8217;s name and address, but do they need any part of the credit card number? What information will be needed for accounting or systems administration? This is the time to decide who has access to what, and the standard wants the answer to default to &#8220;nobody&#8221;: access is denied unless a job needs it. We need to write these policies down and keep written authorization for each individual&#8217;s access to specific data.</p>
<p>While we have reason to be aware of external threats, we need to be just as secure internally. We need a system of <a href="http://www.intranetjournal.com/articles/200311/ij_11_10_03a.html">access control</a> that defines which users may reach which information, systems and resources, and that records which user accessed or changed the information. This lets us protect our customers&#8217; data from internal leaks as well as external ones. Employee theft and fraud are very real crimes, and Internet businesses are certainly not immune.</p>
<p>In order to track who is accessing our resources, we need to assign a unique login to everyone who will use our computer. Combined with the access control policy above, each login then gets only the access its owner&#8217;s job requires. In our case I have full access while any other login has none (until I get a partner or employee). We can&#8217;t have any group or shared logins. My initial idea of a &#8220;Me&#8221; login with full access and a &#8220;You&#8221; login with no access will not work: a shared &#8220;You&#8221; account cannot tell us which person actually sat down at the machine. Strict compliance means that each person who uses the computer needs a distinct username and password.</p>
<p>Speaking of passwords, the standard sets concrete rules. Passwords must be changed at least every 90 days, a new password cannot match any of the last four, it must be at least seven characters long, and it must contain both letters and numbers (special characters make it stronger still). Passwords must never be stored or sent in readable form: they are hashed or encrypted with strong cryptography, both on disk and in transit. We also need to limit repeated login attempts. The standard allows at most six failures before a user ID is locked; let&#8217;s set ours to five. After five failed logins the username stays locked for at least 30 minutes, or until an administrator resets it.</p>
<p>Physical access to credit card information also needs to be restricted and monitored. We need cameras recording any area that holds sensitive data, such as our office, and the recordings must be kept for at least three months. Physical access to the office must be restricted; in our situation a locked door and a key will do, but who holds the key needs to be controlled and logged. Paper records containing cardholder data must be secured separately from the computer controls above, in a safe or a locked file cabinet. When the information is no longer needed for business purposes it must be destroyed: shredding is the most common and safest method, and incinerating or pulping the documents is also compliant. Cardholder data on electronic media must likewise be purged so that it cannot be recovered.</p>
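<p>The Requirement 8 rules above are easy to state and easy to get subtly wrong in code, so here is an added example (not code from the original post) showing them as enforceable logic: a policy check on new passwords, salted hashed storage so that old passwords can be checked for reuse without keeping them in the clear, and a five-strikes lockout that lifts after 30 minutes or on administrator reset. The PBKDF2 work factor, the in-memory <code>Account</code> record and the injected clock value are assumptions made for this example.</p>

```python
"""Password policy, hashed storage and lockout for PCI DSS Requirement 8.

Added example; not code from the original post. The numbers below are the
policy the post describes (PCI DSS v1.2, 8.4 and 8.5.9-8.5.14); the work
factor and the in-memory Account store are assumptions made here.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 7                # at least seven characters
PASSWORD_HISTORY = 4          # may not match any of the last four passwords
MAX_AGE_SECONDS = 90 * 86400  # change at least every 90 days
MAX_FAILED_ATTEMPTS = 5       # the post picks 5; the standard caps it at 6
LOCKOUT_SECONDS = 30 * 60     # locked for at least 30 minutes
PBKDF2_ROUNDS = 50_000        # assumed work factor; raise it on real hardware

Credential = Tuple[bytes, bytes]  # (salt, PBKDF2-SHA256 digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Credential:
    """Keep only a salted PBKDF2 digest, never the password itself (8.4)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, cred: Credential) -> bool:
    salt, digest = cred
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def policy_violations(candidate: str, history: List[Credential]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")
    # Old passwords exist only as salted digests, so reuse is detected by
    # re-hashing the candidate under each stored salt.
    if any(verify_password(candidate, cred) for cred in history[-PASSWORD_HISTORY:]):
        problems.append("matches one of the last 4 passwords")
    return problems


@dataclass
class Account:
    username: str              # one distinct login per person; no shared IDs
    current: Credential
    changed_at: float          # Unix time of the last password change
    history: List[Credential] = field(default_factory=list)
    failed_attempts: int = 0
    locked_until: float = 0.0


def create_account(username: str, password: str, now: float) -> Account:
    problems = policy_violations(password, [])
    if problems:
        raise ValueError(problems)
    return Account(username, hash_password(password), now)


def set_password(account: Account, new_password: str, now: float) -> None:
    problems = policy_violations(new_password, account.history + [account.current])
    if problems:
        raise ValueError(problems)
    account.history = (account.history + [account.current])[-PASSWORD_HISTORY:]
    account.current = hash_password(new_password)
    account.changed_at = now
    account.failed_attempts = 0


def admin_unlock(account: Account) -> None:
    """An administrator may clear a lockout before the 30 minutes elapse."""
    account.locked_until = 0.0
    account.failed_attempts = 0


def login(account: Account, password: str, now: float) -> str:
    """Return 'ok', 'expired', 'bad_password' or 'locked'."""
    if now < account.locked_until:
        return "locked"        # refuse without even checking the password
    if not verify_password(password, account.current):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    if now - account.changed_at > MAX_AGE_SECONDS:
        return "expired"       # correct password, but it must be changed now
    return "ok"
```

<p>Two details matter more than the constants. A locked account is refused before the password is checked, so an attacker cannot keep testing guesses during the lockout window; and a correct password on an expired account still returns <code>expired</code> rather than <code>ok</code>, so the caller is forced through <code>set_password</code> before any cardholder data is reachable.</p>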
<p>As we work through this portion of PCI DSS compliance, I find that we are making a number of small purchases to meet the requirements. Several companies sell computer access control programs at a reasonable price for one or two computers. The larger expenses are a new keyless lock for the office door, a closed-circuit camera set and a locking file cabinet. I guess I&#8217;m off to the local office supply store.</p>
<p><em><strong>Bottom Line for Step 5:</strong></em></p>
<p><strong>Cost:</strong></p>
<ul>
<li>Keyless locks $200-$350</li>
<li>Locking file cabinets $200-$500</li>
<li>Camera system with 3 month storage $300-$600</li>
<li>Security software $50-$75 per computer renewed each year.</li>
</ul>
<p><strong>Further Reading:</strong></p>
<p><a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1">Clearing the Mystery of PCI Compliance (Part 1)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/e-commerce/clearing-the-mystery-of-pci-compliance-part-2">Clearing the Mystery of PCI Compliance (Part 2)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3">Clearing the Mystery of PCI Compliance (Part 3)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-4">Clearing the Mystery of PCI Compliance (Part 4)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part6">Clearing the Mystery of PCI Compliance (Part 6)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part7">Clearing the Mystery of PCI Compliance (Part 7)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part5/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clearing the Mystery of PCI Compliance (Part 3)</title>
		<link>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3/</link>
		<comments>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 14:14:45 +0000</pubDate>
		<dc:creator>bion</dc:creator>
				<category><![CDATA[2Checkout Blog]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.2checkout.com/community/?p=2556</guid>
		<description><![CDATA[We are at the half-way mark in becoming PCI Compliant. We took a little break for Fraud Awareness Week and now we are ready to &#8220;Maintain a Vulnerability Management Program&#8221;. Our previous efforts have been focused on Building and Maintaining a Secure Network and Protecting Cardholder Data. We now have a firewall, clear policies regarding [...]]]></description>
			<content:encoded><![CDATA[<p>We are at the half-way mark in becoming <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">PCI Compliant</a>. We took a little break for <a href="http://www.2checkout.com/blog/knowledge-base/suppliers/fraud-bank-assisted-disputes-chargebacks/international-fraud-awareness-week-november-8-14-2009">Fraud Awareness Week</a> and now we are ready to &#8220;Maintain a Vulnerability Management Program&#8221;. Our previous efforts have been focused on <a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1">Building and Maintaining a Secure Network</a> and <a href="http://www.2checkout.com/blog/2checkout-blog/e-commerce/clearing-the-mystery-of-pci-compliance-part-2">Protecting Cardholder Data</a>. We now have a firewall, and clear policies on the type of information we will store and how long we will keep it. We even have encryption software and an <a href="http://www.webopedia.com/TERM/S/SSL.html">SSL</a> certificate. Congratulations!</p>
<p>Now, we need to Maintain a Vulnerability Management Program. This comes in two parts. First, we need to use and regularly update anti-virus software. Then, we have to develop and maintain secure systems and applications. I know what anti-virus software is, so let&#8217;s start there.</p>
<p><span id="more-2556"></span><a href="http://www.pcworld.com/businesscenter/article/172438/pci_survey_finds_some_merchants_dont_use_antivirus_software.html">Before we look into AV software</a>, I want to give one bit of basic Internet advice. If you don&#8217;t know or trust a person or site, don&#8217;t open ANYTHING they send you, whether or not you have AV protection; anti-virus is a backstop for when something slips through, not a reason to take the risk. <a href="http://www.pc1news.com/news/0544/how-you-catch-a-computer-virus.html">The most common way of catching a computer virus is still opening an email attachment</a>. Most people have some anti-virus (AV) protection on their own computer, but to be PCI compliant we need software that protects every computer and device that connects to the Internet through our network.</p>
<p>There are a number of companies that make anti-virus software, compile virus databases and offer frequent updates, and most of them sell versions aimed at PCI compliance. Standard single-PC software costs $50 &#8211; $75 for a year of automatic updates. Unfortunately this level of protection, while typically excellent for home users, will not meet PCI compliance. Part of the reason is that the standard requires anti-virus that is kept current, actively running and capable of generating audit logs, so that we can show what it has caught or contained; consumer editions usually cannot do the logging and reporting. We need to look at the more robust offerings for business networks. The range of prices in this field is vast, from $350 to nearly $3,000 yearly. The top-end software is really an anti-virus &#8220;system&#8221; that protects mainframes and large networks, so we can breathe a sigh of relief and look a little lower on the price list. For covering a network with a few devices for one year, including unlimited updates and support, the average cost settles at about $500-$700.</p>
<p>The next requirement, &#8220;Develop and Maintain Secure Systems and Applications&#8221;, takes more than picking anti-virus software that meets our needs. Looking at the <a href="http://www.pciforum.us/pci/Requirement6/tabid/91/Default.aspx">requirements</a> for this one, it becomes obvious that we either need to know our way around a network, or we need to bring our networking expert back to test the network after each update, keep a separate part of the network used only for testing applications, and set up monitors that watch our systems. Because of the scope of this requirement, the next article will be devoted to the various aspects of maintaining the security of our systems and applications.</p>
<p><strong>Further Reading:</strong></p>
<p><a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1">Clearing the Mystery of PCI Compliance (Part 1)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/e-commerce/clearing-the-mystery-of-pci-compliance-part-2">Clearing the Mystery of PCI Compliance (Part 2)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-4">Clearing the Mystery of PCI Compliance (Part 4)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part5">Clearing the Mystery of PCI Compliance (Part 5)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part6">Clearing the Mystery of PCI Compliance (Part 6)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part7">Clearing the Mystery of PCI Compliance (Part 7)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clearing the Mystery of PCI Compliance (Part 1)</title>
		<link>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1/</link>
		<comments>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 22:20:38 +0000</pubDate>
		<dc:creator>bion</dc:creator>
				<category><![CDATA[2Checkout Blog]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.2checkout.com/community/?p=2157</guid>
		<description><![CDATA[This is the first in a twelve-part series detailing what is involved with PCI compliance. Earlier, Warner gave a very good overview of PCI DSS compliance. &#8220;PCI DSS (Payment Card Industry Data Security Standard) is a security standard that applies to companies handling credit card numbers. The PCI level of enforcement differs based on the [...]]]></description>
			<content:encoded><![CDATA[<p>This is the first in a twelve-part series detailing what is involved with PCI compliance. Earlier, Warner gave a <a href="http://www.2checkout.com/blog/2checkout-blog/small-ecommerce-sites-facing-fines-if-compromised">very good overview </a>of PCI DSS compliance.</p>
<blockquote><p>&#8220;PCI DSS (<a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">Payment Card Industry Data Security Standard</a>) is a security standard that applies to companies handling credit card numbers. The <a href="http://usa.visa.com/merchants/risk_management/cisp_merchants.html">PCI level of enforcement</a> differs based on the volume of transactions that a company handles.&#8221;</p></blockquote>
<p>My purpose with this series is to provide the details involved in each requirement. I want to look at this from the point of view of a very small home-based business with a website selling tangible products.</p>
<p><span id="more-2157"></span>The first PCI DSS goal, Build and Maintain a Secure Network, gives cardholder data a secure environment to live in. It has two requirements:</p>
<p><strong>1) Install and maintain a firewall configuration to protect cardholder data<br />
2) Do not use vendor-supplied defaults for system passwords and other security parameters</strong></p>
<p>First, we need to make our connection to the Internet as safe and secure as we can. The standard control for this is a <a href="http://www.techterms.com/definition/firewall">firewall</a>, and for a small business it usually lives on the <a href="http://www.techterms.com/definition/router">router</a> that connects the office to the Internet. Configured properly, it blocks unauthorized inbound connections to the network and keeps a log of what it allowed and denied.</p>
<p>A basic home router costs roughly $50-100+. However, as we will see in future articles in this series, these routers will not provide the level of protection required to collect customer information. Based on my research, the cost of a compliant router starts at about $200 and can run into the thousands of dollars. There are significant differences between routers, and some of the more costly ones come with additional security packages from the manufacturer that include network and technical support. Researching which router is going to work for your business is important, and the firewall you choose will depend on a number of factors that only you can determine. Note that laptops used away from the office need personal firewall software of their own, and an Internet caf&#233;&#8217;s network will not come close to the security required for PCI DSS compliance.</p>
<p>Along with buying the router, we need to connect it into a properly designed network. Networking is a highly specialized, highly technical field. When was the last time you heard terms like &#8220;internal IP address,&#8221; &#8220;network diagram,&#8221; and &#8220;network segmentation&#8221; used in casual conversation? Since this is critical to our ability to process credit cards, we want to be sure that the router (and the rest of the network) is as secure as it can be. This means paying someone who can create and manage the network. Thankfully, there are a number of people willing to do so. Alternately, at an additional cost, most router manufacturers provide support and security update services. The cost of an independent networking freelancer varies greatly from area to area (in my case, I would need to make sure I had $800-$1,000 to cover this expense).</p>
<p>Once the network is set up we must change the username and password on the firewall. Out of the box the device ships with a preset username and password, which makes initial setup and the manufacturer&#8217;s troubleshooting easy. Because every unit from that manufacturer ships with the same defaults, and those defaults are published, anyone who can reach the device can log in to it until they are changed. The same goes for every other vendor default on the device, not only the admin password: SNMP community strings, wireless keys and unneeded default accounts. Change or remove them all before a single credit card is accepted.</p>
<p><em><strong>Bottom Line for Step 1:</strong></em></p>
<p><strong>Time:</strong></p>
<ul>
<li> Research on the best firewall for your individual needs.</li>
<li> Research on availability of either manufacturer-provided or independent networking assistance</li>
</ul>
<p><strong>Costs:</strong></p>
<ul>
<li> Router: $200 &#8211; $3,000 ($500-$800 is the average for the device alone)</li>
<li> Support: additional security features/support (varies from company to company, $200 seems average)</li>
<li> Networking: free if you already know how to do this; otherwise a $100 &#8211; $149 basic charge plus about $100/hour for additional support (varies from place to place, but $100 looks to be the low end of average), assuming a full day&#8217;s work minimum.</li>
</ul>
<p>We have just bought a router, hired someone to make sure our network is secure and spent roughly $1,000-$2,000. Now we have 10 more standards to meet before we are PCI compliant. Over the next few weeks we will explore topics ranging from data encryption to network monitoring, as well as realistically detail the costs associated with meeting all twelve PCI standards.</p>
<p><strong>Further Reading:</strong></p>
<p><a href="http://www.2checkout.com/blog/2checkout-blog/e-commerce/clearing-the-mystery-of-pci-compliance-part-2">Clearing the Mystery of PCI Compliance (Part 2)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-3">Clearing the Mystery of PCI Compliance (Part 3)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-4">Clearing the Mystery of PCI Compliance (Part 4)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part5">Clearing the Mystery of PCI Compliance (Part 5)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part6">Clearing the Mystery of PCI Compliance (Part 6)</a><br />
<a href="http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part7">Clearing the Mystery of PCI Compliance (Part 7)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.2checkout.com/blog/2checkout-blog/clearing-the-mystery-of-pci-compliance-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can I have Credit Card logos on my Site or Cart?</title>
		<link>http://www.2checkout.com/blog/knowledge-base/merchants/tech-support/basic-integration/can-i-have-credit-card-logos-on-my-site-or-cart/</link>
		<comments>http://www.2checkout.com/blog/knowledge-base/merchants/tech-support/basic-integration/can-i-have-credit-card-logos-on-my-site-or-cart/#comments</comments>
		<pubDate>Sat, 30 Dec 2006 07:00:00 +0000</pubDate>
		<dc:creator>knowledgebase</dc:creator>
				<category><![CDATA[Basic Integration]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[logo]]></category>

		<guid isPermaLink="false">https://192.168.2.217/fresh/blog/2006/12/30/can-i-have-credit-card-logos-on-my-site-or-cart/</guid>
		<description><![CDATA[If you are going to use a picture of a credit card or a credit card company logo on your web site, it must be clearly and immediately adjacent to the phrase &#8220;2Checkout.com is an authorized retailer for (your business name.)&#8221; Per Credit Card Association Rules, unless your company has a direct business relationship with [...]]]></description>
			<content:encoded><![CDATA[<p>If you are going to use a picture of a credit card or a credit card company logo on your web site, it must be clearly and immediately adjacent to the phrase &#8220;2Checkout.com is an authorized retailer for (your business name.)&#8221;   Per Credit Card Association Rules, unless your company has a direct business relationship with the credit card company and is authorized to display the credit card or the logo, the image must be removed from your web site.</p>
<p>Credit card association rules state that only a merchant account holder may display credit card logos on their websites. 2CO does not provide you with a merchant account. You can continue to display these logos, as long as immediately above, beside, or below the logos, there is a clear statement that 2CO is your authorized retailer.</p>
<p>Alternatively, you can display the logos shown here. Right click on the image of your choice below and choose &#8220;Save Picture as&#8230;&#8221; to save as a file on your computer.</p>
<p><img src="/wp-content/plugins/db_image_manager.php?image_id=80" alt="2Checkout.com" /></p>
<p><img src="/wp-content/plugins/db_image_manager.php?image_id=81" alt="2Checkout.com" /></p>
<p><img src="/wp-content/plugins/db_image_manager.php?image_id=82" alt="2Checkout.com" /></p>
<p>Please also see <a href="http://www.2checkout.com/blog/knowledge-base/tech-support/basic-integration/2co-certified/">2CO Certified</a> for &#8220;2CO Certified Seller&#8221; buttons.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2checkout.com/blog/knowledge-base/merchants/tech-support/basic-integration/can-i-have-credit-card-logos-on-my-site-or-cart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

