Welcome back to another installment of our series on the PCI Data Security Standards. As you may recall, last month we were looking at the third PCI DSS requirement – Protect Stored Cardholder Data. This month we will take a look at the fourth requirement your organization needs to follow in order to meet the PCI DSS.
The Requirement
The fourth requirement of the PCI DSS states to “Encrypt transmission of cardholder data and sensitive information across open public networks.” Simply put, you need to ensure that where you enter transactions is secured in a variety of ways and that the transmission of data through that website or payment application is encrypted to appropriate standards. Throughout the process of validating PCI Compliance, we often hear the question, “Why does this apply to me? I thought this was what your software does for us?” While the software you choose will never be able to exempt you from PCI Compliance requirements, the good news is that it can reduce the scope. This section of the questionnaire is one area where your decision to partner with the right service providers will pay off in a big way.
The Questions
In this portion of the requirement, the questions are focused on the methods you use if/when you enter transactions for your cardholders. For example, if you enter transactions in a system on the internet, you would need to ensure that the page where this information is entered utilizes the newest versions of SSL, encryption methods and other security protocols to ensure your cardholder’s data is secure and PCI Data Security Standard requirements have been fulfilled. If you need assistance in identifying where to look for this information, a good place to start is with your service providers, which we previously discussed here. Once you have identified your service providers, you should connect with them to make sure that the point of entry in their system has the attributes required in this section.
It is one of your organization’s requirements to ensure that when applicable, your service providers encrypt transmission of cardholder data and sensitive information across open public networks. An important standard in this section is question 4.2.b: “Are policies in place that state that unprotected Personal Account Numbers (card numbers) are not to be sent via end-user messaging technologies?” This just means that you have protections in place that advise your team not to send card data over unprotected mediums such as email.
You will want to ensure that you add this to your employee handbook as a policy that everyone is trained on in order to meet the requirement. Furthermore, if you state that you are following or will follow a particular policy for PCI, you will need to know without a doubt your organization is in fact following through.
Service Providers Can Reduce, Not Remove Your PCI Requirements
As you can see, the service provider you select is very important. Even though it will not absolve all of your PCI DSS requirements, it can make them significantly simpler while keeping security a top priority for your cardholders. Encrypting transmission of cardholder data and sensitive information across open public networks is an area where you will see an overlap between your PCI requirements and your service provider, provided they also do their part. Together, you can assure your cardholders the highest level of security when processing their payment information.
Next month we will move into the following area of focus for the PCI DSS – Maintain a Vulnerability Management Program. There we will inspect the fifth requirement of PCI DSS, using and regularly updating anti-virus software.
If you have questions about PCI that you would like to see covered, let us know! Email us your thoughts or questions at compliance@cashlinq.com. We may be able to address them here on our blog!