Did you know that if you take credit cards of any quantity you are required to certify that you are PCI compliant? Did you know a PCI breach is a violation of the European Union’s GDPR? Nothing like getting fined by two agencies! Our opinion on the European Union is irrelevant though and this is the new world we are in. Watch these videos about PCI, and spend a few minutes understanding the monster that needs taming. Then give us a call. We will put you on the phone with our security expert and he will guide you through the process.
Small Biz PC is in a unique position to have a highly skilled engineer who has worked within a universe requiring adherence to the HIPAA and High Tech regulations on a daily basis for the last ten years. He can help you harden your networks, recommend solutions to any shortcoming that he discovers, and get your systems compliant. Chances are if you are bound by HIPAA, you’re probably bound by PCI/ DSS as well, for us that is no problem. For more information contact us
If you take credit cards or other forms of electronic payment you have to comply with PCI and DSS standards. Each year you need to fill out a compliance report. This report and it’s requirements are arduous.
We can help, our engineer has the required certifications, and can get the job done. Our engineer does test to see if you are visible from the internet and see if there are any holes would-be attackers might use. He then checks web certificates, PC and servers for update compliance, application compliance and more.
There is no need to worry about your electronic systems we will check for shortcomings, address those issues required to get compliant and keep you that way. Email firstname.lastname@example.org and we will get you moving in the right direction.
PCI/DSS 12 Step Program
In addition to admitting you take electronic payments and you probably are not compliant, these 12 steps must be performed. They are not optional if you want to remain in business.
- Firewalls – If you have our Managed firewalls at the Gold or Platinum level, you can check this one off your list.
- Passwords – Passwords must be non-default, and not simple. No password on any device or used by any user can be guessable. Forms of “Password” for example fail PCI/DSS.
- Encryption – All stored Credit Card data must be encrypted. No data should be left on the systems unless the Credit Card data is useful. Do not keep data past the order’s last return date for certain.
- Secure Data Internally – Just because you know Joe and he is a good guy does not mean that PCI/DSS trusts him. All Credit card data must be hidden from everyone without an immediate need for that record.
- Antivirus software must be installed on everything capable of receiving it. This means all devices, especially devices such as Raspberry Pi, Arduino. Internet of Things is one of the most overlooked vulnerabilities these days and often used to hack internal systems.
- Software updates – Software needs to be current on all devices, this includes BIOS, operating systems, and loaded software. This includes everything, MAC, Linux, Microsoft, Raspian, Debian and so on.
- Access Control – Software must be running that logs all usage of credit card files, personal information and customer information.
- Employee Accounts – Every employee must have their own unique login account, and never use another one. They should have access to no other accounts to make logging of data access meaningful.
- Physical security – Drives holding credit cards have to be locked away in a safe.
- Data Access and Change Management – All activity on customer data, credit card data, and files used in customer facing systems must be logged for changes.
- Quarterly vulnerability / Penetration test – Don’t have to be on certain dates, but there better be four in hand at year’s end.
- Network Documentation – All aspects must be documented, not just machines and networks, but software and tasks along with an explanation of what and why.
Here are the first steps if your company is a victim of a data breach. You are required to quantify the breach.
- Should your company be a victim of a data breach you are required to quantify the breach (record of all records touched during the breach from the logs in step 10 will be indispensable.)
- The number of customers affected.
- Systems that are damaged or infected by malicious intrusions, if applicable.
- The exact type of data breach-Was it credit card numbers? Social Security Numbers? Vital statistic information? Address and telephone numbers?
- Projected amount of cost to repair the damage from the organization perspective and, most importantly, the customer aspect.
- A complete list of compromised accounts
- Decisions as to whether to monitor, freeze or close affected accounts, if applicable.
- Blocking and reissuing credit cards, if needed
- Monitoring and studying affected accounts
- Determining fraud patterns
- Notify – FTC
- Notify – GDPR
- Notify – Customers or Employees known to be compromised
More information on Breach mediation. Here is a comprehensive Breach management drill program
Future compliance documents will be easily and honestly completed after you get Small Biz PC looking out for your company. Email: Athena@smallbizpc.com for more information. Get secure today!
Chances are if you are bound by HIPAA, you’re probably bound by PCI/ DSS as well, for us that is no problem.