Keeping your organization Payment Card Industry (PCI) compliant can seem like an overwhelming endeavor. But, there are a number of simple steps you can take to keep sensitive data safe. While our list focuses on electronic data, the first thing every organization should examine is its operations.
PCI compliance applies to credit card numbers in any form – hard copy and electronic. We’ve found some organizations are writing card numbers on paper and then keying them in at a later time. In these instances, companies should look at whether or not the paper is shredded, how quickly it is disposed of, and any procedures that can be changed. Processing credit cards without writing down the number is a simple first step.
After reviewing your organization’s operations, here are 10 steps you can take to protect your sensitive data:
- Start by assessing your organization’s security. Learn where sensitive data is saved and who is responsible for it. Anything that can be linked to an individual should be secured. This could include credit card numbers and any personally identifiable information.
- Now that you know where the data is kept, determine who will be responsible for protecting it. Then, assign tasks accordingly. Be sure to limit employee access to sensitive data and create unique user IDs to increase security. Last, but not least, track and monitor all access.
- When using outside systems to protect or process your data, do not use default passwords. Instead, create your own.
- If you can, avoid storing cardholder data. If you must keep sensitive data in-house, secure access and limit the amount.
- Be sure to encrypt any transmission of cardholder data.
- Train your employees. Ongoing education and security awareness are critical to the success of your organization. Your company is only as secure as your employees’ best practices.
- Implement a firewall to protect data. Watch for holes often caused by remote access. There are a few simple steps you can take to secure your perimeter. Limit remote access and use two-factor authentication. Clearly communicate your security standards to employees and any outside vendors who access your system. If your organization uses an internet-facing web application, utilize a web application firewall or have your website reviewed annually.
- Keep anti-virus protection current and available on every machine. Follow service recommendations to keep it up-to-date.
- Ask your company’s partners about their practices and how they deal with sensitive data they process for you.
- Once your system is in place, conduct regular tests of your system’s security.
Resources
Interested in learning more about PCI Compliance? These articles offer in-depth information on best practices:
https://www.pcicomplianceguide.org/5-best-practices-for-securing-your-small-biz/
http://www.biztechmagazine.com/article/2007/11/best-practices-pci-compliance