Many non-profit organizations and companies process payments, donations, and sales transactions via a merchant services account. If credit card processing is part of your business practice, then your business must be PCI compliant. This means your business follows certain credit card security requirements set forth by the Payment Card Industry Data Security Standard (PCI DSS) program.
Below we provide a brief overview of the 12 PCI Requirements for Processing Electronic Payments (debit or credit card processing via Mobile Devices, Point of Sale or eCommerce systems):
Requirement 1: Build and Maintain a Secure Network
Firewalls must restrict connections between untrusted networks and any system in the cardholder data environment. Firewalls must prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 2: Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Vendor-supplied defaults must always be changed before a system is installed on the network. Defaults for wireless systems must be changed before implementation. Credentials used for non-console administrative access must be protected in transit by encryption, using technologies such as SSH, VPN, or SSL/TLS.
Requirement 3: Protect Stored Cardholder Data
Sensitive personal data should be retained only until the authorization of a transaction is complete. Storage of sensitive authorization data after authorization is forbidden. This includes the full contents of any track from the magnetic stripe, the card verification code (printed on the back of the card), and the personal identification number (PIN).
The company must also mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits.
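As an added example (not part of the original post), the masking rule above in working Python: a helper that masks a PAN to its first six and last four digits, plus a redactor that finds unmasked PANs in free text such as a receipt or report line. Using a Luhn check to tell PANs apart from other long numbers is an assumption of this example, not something the requirement states.

```python
import re

# PANs are 13 to 19 digits; the pattern also tolerates the spaces or
# dashes commonly printed between digit groups.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn checksum (assumed here
    as the way to separate PANs from order numbers and similar)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN so only the first six and last four digits remain.
    Separators are dropped; the middle digits become asterisks."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text):
    """Replace every Luhn-valid PAN in free text with its masked form.
    Returns (redacted_text, number_of_pans_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number; leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(repl, text), count


if __name__ == "__main__":
    # Constructed sample line; 4111 1111 1111 1111 is a well-known test number.
    line = "card 4111 1111 1111 1111 approved, order 123456789012345"
    print(redact_text(line))  # ('card 411111******1111 approved, order 123456789012345', 1)
```

A display or report is acceptably masked when `redact_text` reports zero replacements on it.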
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Cardholder data sent across open, public networks must be protected through the use of strong cryptography or security protocols. Sending unencrypted PANs is prohibited.
Requirement 5: Use and Regularly Update Anti-Virus Software
All systems must have an anti-virus program installed that is capable of detecting, removing, and protecting against all known types of malicious software. All anti-virus programs must be kept current, be actively running, and be capable of generating audit logs.
Requirement 6: Develop and Maintain Secure Systems and Applications
All critical security patches must be installed within one month of release.
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Access to cardholder data is limited to only those individuals whose job requires such access. Access limitations must include the following:
- Access rights to cardholder data are restricted to the least access needed to perform job responsibilities.
- Access to cardholder data is based on an individual's job classification and function.
- Access to cardholder data is granted only after an authorization request form signed by management has been completed.
Requirement 8: Assign a Unique ID to Each Person with Computer Access
All employees should have a unique ID for all log-ins. Generic account names must not be used or shared across groups. All accounts used by vendors for remote maintenance shall be enabled only during the time period in which they are needed.
Requirement 9: Restrict Physical Access to Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to secure storage guidelines such as:
- Printed reports & all hardcopy media containing cardholder data are to be labeled and physically stored or archived only within secure office environments and locked.
- All confidential or sensitive hardcopy material must be sent or delivered by a secured courier or other delivery method that can be accurately tracked.
- Custodians of hardcopy media containing cardholder data must perform an inventory of the media at least annually.
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. Hardcopy media must be destroyed by shredding, incineration, or pulping so that cardholder data cannot be reconstructed.
Requirement 10: Track & Monitor Access to Network Resources
Ensure audit trails and system logs are maintained for access to all sensitive data. Logs should be reviewed periodically and retained for one year.
Requirement 11: Regularly Test Security Systems and Processes
The company must perform quarterly testing to ensure that no unauthorized wireless access points are present in the cardholder data environment. This includes vulnerability scanning of all in-scope systems.
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
The company must maintain a security policy that addresses how the company will protect cardholder data. Employees shall not use employee-facing technologies to store, process, or otherwise handle cardholder data; this includes remote-access technologies, wireless technologies, removable electronic media, laptops, personal digital assistants (PDAs), email, and internet usage.
The company must also establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
* Note: the content summarized here provides a brief overview of the types of security requirements that apply to the electronic transfer of credit card data. You should check with your merchant services provider to get the full details of the mandatory PCI requirements.