As PCI DSS v4.0 goes into effect beginning March 2024, businesses that process credit cards and handle cardholder data are faced with an increasingly rigorous set of regulations to maintain compliance. And while adhering to PCI DSS is a complex endeavor, several key behaviors can help companies of all sizes be defensible to the standard.
1. Establish or shore up your cybersecurity strategy.
To protect against threats, you’ll need a wide range of protective measures. This is a non-exhaustive list, but it’s a good place to start:
Firewalls to protect against internet-based attacks. Firewalls monitor and filter all traffic on your network and protect against threats like viruses, malware, and unauthorized access. This helps ensure that only legitimate traffic is allowed on your network, reducing the risk of breaches. To maximize effectiveness, your firewall should not only be installed and configured by experts, it should also be managed and monitored 24/7 so no security threat slips by unnoticed. Securing your network is a heavy lift – a great place to start is with TPx’s free Network Security Evaluation to help you identify, prioritize, and remediate security flaws.
Endpoint security to secure servers and workstations. Endpoints are often the weakest link in a company’s security, so prioritizing their protection is key. Note that antivirus software is no longer enough to protect your endpoints because antivirus can only identify known threats. Instead, combine preventative protection with continuous detection and response.
Encryption to shield cardholder data. Encryption takes regular, plain text data (like letters and numbers) and uses an algorithm to turn it into code that can only be deciphered by the correct decryption key. Bottom line? Encryption ensures that even if a threat actor gets ahold of your cardholder data, they won’t be able to decipher it. PCI DSS mandates encrypting both stored cardholder data and data transmitted over public networks, but it also requires that cardholder data only be stored for a reasonable time to meet the needs of the business – no hanging onto it forever.
Strong password protection to prevent unauthorized access. This includes multi-factor authentication and the use of long passwords. PCI DSS v4.0 mandates the use of passwords that are complex and at least 12 characters long.
Security awareness training to educate employees. Your team is your first line of defense. Equipping them with the tools and knowledge to protect cardholder data is not only beneficial to them, it’s crucial to compliance and preventing cyberattacks. In addition to implementing relevant, engaging training, consider investing in regular phishing simulations to build vigilance in employees.
2. Restrict access to cardholder data.
Consider cardholder data need-to-know only: Not every staff member needs access to credit card information. Define user privileges carefully, review them often, and continuously monitor who has access to sensitive data and systems. Don’t forget about physical access – many companies utilize cameras and other monitoring mechanisms to keep an eye on who is in sensitive areas or accessing systems.
3. Use strong passwords and change them often.
Implement a rigorous password policy for all employees, but be especially attentive to those who have access to cardholder data. Never use the default password provided by a vendor or anything obvious like “password”, your name, or the name of your company. For the strongest protection, consider using a passphrase (a longer sequence of numbers and letters that forms a sentence and is harder to crack) instead of a password.
4. Have and enforce a company-wide cybersecurity policy.
All employees should understand how security and compliance rules apply to their specific job responsibilities. Employees who handle credit cards or access cardholder data should be properly trained on how to minimize risk. To prevent security from falling through the cracks, your policy should be reviewed and widely disseminated yearly, and introduced to any new employees as part of their onboarding. Not sure where to start with your security policy? Engage a trusted partner to ensure you’ve covered your bases.
5. Keep your Point of Sale (POS) software updated.
POS systems can be directly infected with malware and outdated software is far more vulnerable to cyber threats. Keeping your POS up-to-date by installing all new software updates – also known as “patching” – fixes known vulnerabilities, improves performance, and keeps your system current with any new features released by the vendor. Check for updates often and install them right away to prevent bad actors from exploiting outdated or unpatched systems.
6. Regularly perform risk assessments.
It’s no longer enough to assess your security posture once per year. Instead, companies should implement assessments as an ongoing practice, continuously evaluating security practices, systems, and processes. Beginning in March 2025, PCI DSS v4.0 will even mandate that companies perform a Targeted Risk Analysis (a smaller-scale assessment with a narrow scope) whenever there is a change in their environment. Sound daunting? Think of it as a transition to managing risk proactively instead of yearly, or only when there’s an incident.
Work with TPx to Optimize Your PCI DSS Compliance
As an industry-leading MSP with deep experience in retail and PCI DSS-compliant solutions, TPx can help you be defensible to the standard’s stringent requirements. We’ll work with you to build a comprehensive cybersecurity strategy that does more than just check a box. Reach out to TPx today and speak with a cybersecurity expert about your specific needs.