If you are classified as a merchant or service provider, any time you make a significant change to your cardholder data environment you are required to ensure that all relevant PCI DSS requirements have been applied to that change. This means adding an extra step: analyzing which PCI DSS requirements apply to the change and documenting how you have ensured they were applied, such as by updating network diagrams or data flow diagrams.
Freed Maxick 6.4.6 Guidance
PCI DSS is a rolling and perpetual standard that requires organizations to approach any changes to their environment with compliance considerations in mind. Any significant change to the PCI CDE (Cardholder Data Environment) may require additional scrutiny, such as the creation of documentation or reviews of system configurations.
PCI DSS Resources
For additional insights and guidance on 6.4.6 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.
If you're classified as a service provider or merchant, you're required to implement multi-factor authentication for any non-console administrative access into your cardholder data environment. There are multiple ways this can be accomplished, and you should consult with your QSA about the most appropriate way for you and your company to make it happen.
Freed Maxick 8.3.1 Guidance
Multi-factor authentication is a means to confirm a user's claimed identity through knowledge (something they and only they know) combined with possession (something they and only they have). MFA creates a defense mechanism that makes it more difficult for hackers or unauthorized users to access system resources.
PCI DSS Resources
To receive more insights and guidance on 8.3.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.
If you're classified as a service provider, you need to implement policies, procedures, and response mechanisms for addressing any failures in critical security mechanisms, including firewalls, intrusion detection systems, intrusion prevention systems, antivirus, and file integrity monitoring systems.
Freed Maxick 10.8 / 10.8.1 Guidance
Policies and procedures should be reviewed and updated in the event of process changes and should accurately reflect the organization’s current PCI environment. Detection mechanisms should be configured appropriately to alert trained and qualified personnel in the event of critical security control failure.
Critical security control failures should be responded to as soon as possible. Any lag time in response or remediation can lead to unauthorized control of system resources, data leakage, or the installation of malicious software. Documentation must be prepared to support the response to a security control failure from both an employee and a system-level perspective.
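To make the detection and response side of 10.8 and 10.8.1 concrete, here is an added Python example (not from the original article or Freed Maxick) that walks a constructed stream of control status events, opens a failure record on each up-to-down transition, and carries the fields the response is expected to document; the event format, control names and record fields are assumptions.

```python
"""Detect failures of critical security controls from status events and open
a response record for each (PCI DSS 3.2 10.8 / 10.8.1 style). Added
illustration: the event format and record fields are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events: "<ISO timestamp> <control> <up|down>"
SAMPLE_EVENTS = """\
2018-02-01T08:00:00 firewall up
2018-02-01T08:00:00 antivirus up
2018-02-01T08:00:00 fim up
2018-02-01T09:15:00 fim down
2018-02-01T09:20:00 antivirus down
2018-02-01T11:45:00 fim up
"""
# Controls the page names as critical (IPS belongs to the same family)
CRITICAL_CONTROLS = {"firewall", "ids", "ips", "antivirus", "fim"}

@dataclass
class FailureRecord:
    control: str
    started: datetime
    restored: Optional[datetime] = None
    # 10.8.1 expects the response to document these; the responder fills them in
    root_cause: str = ""
    issues_during_outage: str = ""
    prevention: str = ""

    def duration_minutes(self) -> Optional[float]:
        if self.restored is None:
            return None  # still down: response still in progress
        return (self.restored - self.started).total_seconds() / 60

def detect_failures(events: str) -> List[FailureRecord]:
    """Open a record on each up->down transition; close it on the next up."""
    records: List[FailureRecord] = []
    open_records: Dict[str, FailureRecord] = {}
    for line in events.splitlines():
        ts, control, state = line.split()
        if control not in CRITICAL_CONTROLS:
            continue
        when = datetime.fromisoformat(ts)
        if state == "down" and control not in open_records:
            open_records[control] = FailureRecord(control, when)
            records.append(open_records[control])
        elif state == "up" and control in open_records:
            open_records.pop(control).restored = when
    return records
```

A record whose `restored` field is still `None` after the run is a control that is still down and needs escalation.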
PCI DSS Resources
To receive more insights and guidance on 10.8 and 10.8.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.
If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement, meaning it must be done every six months. Make sure to reach out to your QSA to ensure that you are compliant with this timing requirement.
Freed Maxick 11.3.4.1 Guidance
Organizations should schedule penetration tests in advance to meet the timing restriction of this requirement. An experienced and qualified penetration tester, independent of the organizational unit being tested, should be engaged to perform this assessment and to validate and confirm the scope of the cardholder data environment.
PCI DSS Resources
For more guidance on 11.3.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.
If you're classified as a service provider, you are required to formally establish the overall responsibility for PCI compliance and the protection of cardholder data. Your PCI DSS Charter should be approved by executive management at least annually and anytime that there are major changes to your organization.
Freed Maxick 12.4.1 Guidance
Establishing authority and responsibility for a PCI program within an organization is an essential step in maintaining compliance. Aligning strategy with explicit requirements allows for an increased level of cybersecurity and protection of sensitive customer data. Executive management's role in PCI compliance promotes a more holistic approach to data security.
PCI DSS Resources
For more guidance on 12.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.
An overview of Freed Maxick services for PCI DSS Compliance can be found here, and for a more detailed discussion of your organization's situation and needs, contact us here or call me at 716.847.2651.
If you're classified as a service provider, you are required to implement a process for internal quarterly review of critical security procedures to ensure those procedures are operating effectively. You also need to perform and maintain documentation of the quarterly review process.
Freed Maxick 12.11 and 12.11.1 Guidance
Quarterly reviews of PCI procedures help to promote accountability within the organization. It is essential to document the results of all quarterly reviews and train employees to be familiar with specific PCI requirements. Retaining appropriate documentation and evidence of quarterly reviews helps to support the completion of required PCI DSS procedures.
If you're classified as a service provider, you're required to maintain a documented description of your cryptographic architecture, including all cryptographic algorithms, security protocols, and keys, and for each key its usage, expiration date, and strength.
Freed Maxick 3.5.1 Guidance
Regarding the documented cryptographic architecture, our recommendation is that organizations subject to PCI DSS compliance take proactive steps to maintain an up-to-date listing of the cryptographic tools being used to protect cardholder data.
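As an added example (not from the original article or Freed Maxick), the following Python script reviews a constructed cryptographic inventory of the kind 3.5.1 asks for and flags undocumented fields, keys past their expiration date, and key sizes below a minimum-strength baseline; the record layout and the baseline table are assumptions.

```python
"""Review a documented cryptographic inventory for a cardholder data
environment (PCI DSS 3.2 3.5.1 style). Added illustration: the record layout
is an assumption; minimum strengths follow the NIST SP 800-57 figures that the
PCI DSS glossary cites for 'strong cryptography'."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed inventory: one entry per key or protocol protecting CHD
INVENTORY: List[Dict[str, object]] = [
    {"id": "dek-pan-01", "algorithm": "AES", "bits": 256,
     "usage": "PAN encryption at rest", "protocol": "n/a", "expires": "2019-01-31"},
    {"id": "tls-gateway", "algorithm": "RSA", "bits": 2048,
     "usage": "TLS server key to payment gateway", "protocol": "TLS 1.2",
     "expires": "2018-12-01"},
    {"id": "legacy-hsm", "algorithm": "3DES", "bits": 112,
     "usage": "PIN block encryption", "protocol": "n/a", "expires": "2017-11-15"},
    {"id": "sftp-host", "algorithm": "RSA", "bits": 1024,
     "usage": "settlement file transfer", "protocol": "SFTP", "expires": ""},
]

# Minimum key sizes treated as strong (assumed baseline; adjust to policy)
MIN_BITS = {"AES": 128, "RSA": 2048, "3DES": 112, "ECDSA": 224}
REQUIRED_FIELDS = ("id", "algorithm", "bits", "usage", "protocol", "expires")

def review_inventory(inventory: List[Dict[str, object]], today: date) -> List[Tuple[str, str]]:
    """Return (key id, finding) pairs for incomplete documentation, keys past
    their expiration date, and strengths below the baseline."""
    findings = []
    for entry in inventory:
        key_id = str(entry.get("id", "<no id>"))
        for field in REQUIRED_FIELDS:
            if not entry.get(field):
                findings.append((key_id, f"missing field: {field}"))
        alg, bits = entry.get("algorithm"), entry.get("bits")
        if alg not in MIN_BITS:
            findings.append((key_id, f"algorithm not in baseline table: {alg}"))
        elif bits and int(bits) < MIN_BITS[alg]:
            findings.append((key_id, f"{alg} {bits}-bit below {MIN_BITS[alg]}-bit minimum"))
        expires = entry.get("expires")
        if expires and date.fromisoformat(str(expires)) < today:
            findings.append((key_id, f"expired on {expires}"))
    return findings
```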
PCI DSS Resources
For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018 that includes a downloadable overview of all recent updates and revisions.
Nine “Best Practices” Out, Nine New PCI DSS Mandates In
In December of 2004 Visa, MasterCard, American Express, Discover, and JCB Co. created the Payment Card Industry (PCI) Data Security Standard (DSS) to limit credit card fraud and establish a robust framework for cardholder data controls. The PCI Data Security Standard is an amalgamation of the standards, requirements, and guidance of each of these companies' established security programs.
Application of PCI DSS Standards
PCI DSS standards apply to all organizations that are involved with the processing, storage, or transmission of cardholder data (CHD) as well as sensitive authentication data (SAD). The Standards are divided into six major control objectives, and each control objective has twelve unique requirements representing baselines for compliance.
When Version 3.2 was released in April of 2016, many sub-requirements contained the following language: "This requirement is a best practice until January 31st, 2018, after which it becomes a requirement."
Now that these best practice requirements are compulsory, it is essential to understand how they impact your organization and the steps you must take to meet full compliance. Non-compliance may lead to the loss of the ability to process credit cards and loss of an organization’s PCI DSS compliant status.
PCI DSS Best Practices That Became Requirements in February 2018
A total of 9 "best practices" became requirements as of February 1, 2018. All 9 are mandatory for service providers, and 2 of them also apply to merchants.
If your company is seeking to become PCI compliant, or will be conducting an annual PCI DSS examination, you'll want to make sure that compliance with these new requirements is included in your compliance program or review.
- Documenting cryptographic architecture
- Updating documentation of significant changes
- Incorporating multi-factor authentication for all non-console access
- Establishing a process for the timely detection and reporting of failures of critical security control systems
- Establishing processes for responding to failures in security controls
- Confirming PCI DSS scope by performing penetration testing on segmentation controls
- Establishing responsibility
- Performing quarterly reviews of personnel
- Maintaining documentation of the quarterly review process
Connect with the Freed Maxick PCI DSS Compliance Experts
Our team does a significant amount of PCI data compliance work across the country, and we would welcome an opportunity to share our insights and guidance with a complimentary review of your compliance situation. We also encourage you to read our thought leadership on PCI DSS or download any of our compliance-related thought leadership materials.
Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website; many of these conduct business solely through their website. With the uptick in devices that increase social media presence (smartphones, tablets, apps), businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online applies not just to corporations but to entrepreneurs looking to start or grow their business online.
While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving small companies ripe for the picking by cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is using or considering cloud computing, or just using email and maintaining a website, cyber-security should be part of the plan. It is a business's responsibility to create a culture of security that will enhance business and consumer confidence.
For businesses to stay a step ahead of cyber criminals, the following steps should be taken to increase security:
- Train your employees in security principles: establish basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.
- Protect computers and networks from cyber attacks: keeping machines "clean" is one of the most vital things you can do to help prevent cyber attacks. For example, having up-to-date security software, web browsers, and operating systems is the best defense against malware, viruses, and other online threats.
- Provide a firewall for your computers: a firewall is a set of related programs that prevents outsiders from accessing data on a private network. This includes ensuring that if an employee is working from home, their home system has firewall protection. One of the most common mistakes is downloading firewall programs but never enabling them, that is, never actually turning them on.
- Secure Wi-Fi networks: make sure that any Wi-Fi networks you have for your business are secure, encrypted, and hidden. You can hide the network by setting up your wireless access point or router so that it doesn't broadcast a network name, and by password-protecting access to the router.
- Limit employee access to data: do not give any one employee access to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.
PCI compliance is also a big part of being secure online. PCI DSS is the standard that the PCI Security Standards Council put into place to ensure that businesses storing, transmitting, and processing payment card data are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with level one the highest. The level that your business requires depends on:
- The volume of transactions you process, and
- How you process them.
Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.
Freed Maxick CPAs
Freed Maxick's tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessors certified by the Council to validate an entity's adherence to the PCI DSS. Contact us and connect with our experts.