Keeping your online business in line with industry rules and regulations isn’t easy. It’s a time-consuming, yearly process but one that is vital to staying in compliance. The annual Level 1 Payment Card Industry (PCI) Audit is the deepest dive that a group of outside security auditors will do on a payment system to be sure it’s secure. This weeklong, on-site audit is required for licensing in both the U.S. and the EU and can take a team up to an entire year to get ready. Here, Cathy and Segpay’s IT Director share the top three ways to help narrow down what to focus on for the 2021 PCI Audit.
Don’t Procrastinate, Become PCI Proficient
While the days and nights of August are hot, the Segpay IT team isn’t sweating it—at least not this month as they’ve finished the annual Level 1 Payment Card Industry (PCI) Audit two months ahead of the deadline. The Level 1 Audit is the deepest dive that a group of outside security auditors will do on a payment system to be sure it’s secure. It’s a very time-consuming process that occurs every August at Segpay. In fact, every time our team finishes one audit and we pass, I think they’ll get to take a break and relax. Maybe they’ll even find time to focus on their normal office routines. The reality is, as soon as they finish one audit the team already needs to look ahead to the next year’s standards.
As challenging as it is, the process is designed to help everyone. It’s all about the safety and security of merchants who rely on processors to have the tightest security measures in place to protect consumer data. Depending on which card brands you accept, all merchants processing from one million to six million payment card transactions per year and service providers processing, storing or transmitting more than 300,000 card transactions per year are required to be audited for PCI compliance. A Level 1 Audit is also required for licensing in both the U.S. and the EU. It takes several team members to focus on an audit like this. Every year our team spends countless hours to get ready for the week-long, onsite audit. The audit itself is backed with a full stack of policies and procedures that our IT and entire organization follows. Each year, the PCI Security Standards Council establishes new objectives and standards. We’re currently following the PCI 3.2 Audit but are already setting our sights on the upcoming 4.0 standard. This new standard is based on perceived threats and what processors need to do to avoid them. As we begin our focus on next year’s audit, we sat down with our IT Director to carve out the top three ways we’re staying ahead of the game for the 2021 PCI Audit. We hope it will help you narrow down what to focus on too.
Become a Cyber Security Champion
Strengthen Standard Operating Procedures
You may have noticed this when logging into your bank account, the request for an additional code or password. It is now a requirement for all business line applications to implement dual-factor authentication (DFA), which is the second layer of security requiring a user to go beyond presenting a username and password. It doesn’t have to be just for banking accounts either. We’re looking at implementing this to all Segpay apps and other programs inside the office to increase security. It’s something that’s becoming very common in the industry as an added layer of strength and stability. Knowledge is also a security strength and developers can stay on top of the latest secure coding practices through the Open Web Application Security Project (OWASP). This free and open security community offers products freely like articles, mythologies, documentation, tools, and technologies in the field of web application security. It’s a great resource and tool to help make sure security is built in from the start. Our company takes advantage of online security training yearly with some members of the team training on a monthly basis. Even the end-user can help with security awareness by knowing there are security risks based on their actions. We send out regular reminders of current malicious cyber activity to our staff warning them about what they should look out for. You can access this type of information through the Cybersecurity and Infrastructure Security Agency website. They provide national cyber security system alerts highlighting incident reports, vulnerabilities, and announcements. By keeping the line of communication transparent our staff can be aware of what to watch out for.
Make the Most of Monitoring and Controls
You want to make sure you see the full picture of your infrastructure’s health to stop security issues before they happen. Having processes like end-to-end monitoring and analytics along with metrics and logs across the full stack are extremely helpful to get a bird’s eye view of what’s going on in your company. Our IT team forces updates instead of waiting for me to update them. This keeps us ahead of any potential issues and we’re able to solve them before the end-user is impacted. Staying up to date on hardware and software provides an edge on the latest application and system services, such as Cyphers. Payment processing and cardholder data (CD) is any personally identifiable information associated with a person who has a credit or debit account. One of the main goals of PCI Data Security is to protect cardholder data that is processed, stored or transmitted by merchants. That data should always be on a separate domain and/or provider for maximum security.
While this process is very time-consuming, it’s also very necessary to protect the health and safety of a merchant’s business. Failing to be PCI compliant can cost you fines ranging between $5,000 and $500,000 and you could face serious consequences. If you’re not PCI compliant you could lose your merchant account- meaning you won’t be able to accept credit card payments at all. Every year the process seems overwhelming, but a skilled IT team can pull this together. I’m proud of ours for their dedication in getting this done year after year– and if you find yourself stuck, we’re here to help, just ask. Reach out at Sa[email protected].