December 4, 2009

Clearing the Mystery of PCI Compliance (Part5)

Posted by 2Checkout Category Icon2Checkout Category IconTechnology

Over the past four weeks we have been taking a look at becoming PCI compliant. We have set up our network, we are encrypting customer’s data, Our anti-virus program is installed and updated, and we are taking steps to make sure our network and software is secure. I feel good about this, and I think we have learned some useful information. Now, we will Implement Strong Access Control Measures:

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Here we look over who has access to customer’s information and the computers that store this information. Like many people starting an Internet business, our business computer is also used for recreation. This can pose a problem if friends or family also use our computer. The safest measure is to have a dedicated system used for processing and storing cardholder information. Let’s look at using our existing computer and how we can make this compliant. We need to investigate who needs access to customer information. In our example, I will be the only one who needs to access customer information, so it will be simple. In some cases we may have a business partner or, if we expand as I hope, an employee or two. These people will probably need some access to customer information, so we need to figure out who needs what data to perform their job. The person answering customer service questions may need to know our customer’s name and address, but do they need to know any part of the credit card number? What information will be needed for accounting or systems administration? This is the time to decide who has access to what information. We need to record these policies and keep written authorization for individual access to specific data.

While we have reason to be aware of external threats, we need to be just as secure internally. We need a system of access control that identifies which users have access to information, systems, resources, and which identifies the user who accessed or changed the information. This allows us to protect our customers’ data from internal security leaks. Employee theft and fraud are very real crimes and Internet businesses are certainly not immune.

In order to be able to track who is accessing our resources, we need to assign unique logins for everyone who will use our computer. Using the access control we implemented above, these logins will allow different access to stored data. In our case, I have full access while other logins have no access (until I get a partner or employee). We can’t have any group or general logins. My initial idea of having a “Me” login with full access and a “You” login with no access will not work. Strict compliance means that each person who uses the computer needs to have a distinct username and password.

Speaking of passwords, we need to change the passwords every three months, a password cannot be reused for a year, the password needs to be at least seven characters long, and needs to a combination of numbers and letters (special characters increase the security of a password). Our passwords also need encrypted and we need to limit the number of user login attempts. Let’s set this to 5 attempted logins. If a login is failed 5 times we need to lock the username for at least 30 minutes, or administrator reset.

Physical access to credit card information needs to also be restricted and monitored. We need to have cameras recording any area that hold sensitive data, like our office. These recording need to be kept for a minimum of 3 months. Physical access to the office will need to be restricted. In our situation, we can use a locked door and a key. Access to the key will need to closely monitored and logged. Physical documentation of card holder data needs to be secured. This is independent of other security, so a safe or locked file cabinet. When the information is not needed for business purposes, it must be destroyed. Paper shredders are probably the most common and safest method of destroying the documents, but burning and pulping the data is compliant. Electronic data will need to be purged from our systems as well.

As we work on this portion of PCI DSS compliance, I found that we are making a number of small purchases to meet the requirements. There are a number of companies that sell computer access control programs for a reasonable amount of money for one or two computers. The larger expenses are going to be a new key less lock for the office door, a closed circuit camera set, a file cabinet. I guess I’m off to the local office supply store.

Bottom Line for Step 5:Cost:

  • Key less locks $200-$350
  • Locking file cabinets $200-$500
  • Camera system with 3 month storage $300-$600
  • Security software $50-$75 per computer renewed each year.