Discussion of the Purpose Behind the Questions on the PCI Compliance Survey
The PCI survey questions include queries about whether the business has written procedures in place for employees regarding the protection of credit card numbers. For example, an easy question to answer might be whether the company writes down or stores its customers’ credit card numbers. That answer should be a resounding NO. If an employee does occasionally write down a card number given by a customer making a purchase over the phone, that piece of paper should be destroyed immediately after the card is used to process the payment. A written policy could easily be created to explain this first simple procedure that employees are required to follow.
Another question on the PCI survey asks if the merchant has a firewall. Most small businesses have a Comcast firewall. It would be more prudent to have an additional firewall. Of course, it costs some additional money to install, but it would reduce a fine should a hacking situation occur. In either case, the firewall should be tested for weaknesses from internal as well as external sources. And this first line of defense should be tested at least annually, if not more often, not just when it is installed.
The PCI survey asks about passwords. Do you use vendor-supplied default passwords, or do you change them? Where do you store your passwords? Is your password file encrypted? Do you use special characters along with letters and numbers? Remember the news story about John Podesta using “Password” as the password protecting sensitive Democrat Party data, and how they got hacked? Do your mobile devices have strong passwords set up, in addition to each of your computers and tablets?
Here is a huge break in security that I run into all the time. Are you deleting all emails and documents that contain sensitive information, or are they sitting in your documents folder? Do you have a policy in place for employees to sign off on this very important security measure?
Another easy security measure to implement is to check that your antivirus is functioning. Has the subscription been renewed, and have updates been run? Can you retrieve antivirus logs should the need arise?
Do you have employees who are collecting credit card numbers along with customers’ addresses and the three-digit security code on the back of their cards? If so, have you done a background check on these employees? Do they know and understand the best practices for preventing credit card fraud? Have they signed off on such a policy?
And finally, here is another simple thing to do. Is your building secure? Or, if you do business out of your home, do you have security cameras, or at least a Ring, to discourage thieves and other criminals from entering? Do your employees carry sensitive data on pieces of paper in their cars or trucks? What if that vehicle is broken into?
Yes, it takes attention and time to put written policies in place, test your firewall, and complete an annual PCI survey. But just as you seldom heard of identity theft 20 years ago and now everyone knows someone who has been a victim of it, the same scenario is unfolding with PCI compliance breaches. Criminals don’t rob banks much anymore by walking in and waving a gun at the clerks. Instead, there is an overabundance of credit card fraud, identity theft and, yes, more and more PCI compliance breaches every day.