Western Union Payments

PCI Checklist

Keep your customers’ information secure with these simple strategies.

As hackers become more sophisticated, companies must be even more vigilant about protecting customers’ sensitive information. Data theft exposes a company to fines, liability, brand erosion and potential loss of sales. That’s why businesses that process sensitive data must do everything in their power to protect customer information.

Here are several practices that can help your company stay one step ahead of data thieves:

Get educated about PCI compliance. PCI stands for Payment Card Industry, and the PCI Security Standards Council publishes a set of security standards designed to protect customer payment account information. The standards give companies guidance on how to protect every touch point for customer information, including point-of-sale devices, payment applications and data storage devices. To learn more, visit the PCI Security Standards Council at www.pcisecuritystandards.org.

Don’t store customer data unless you have to. “If there’s nothing stored, there’s nothing to steal,” says Bob Russo, general manager at the PCI Security Standards Council. Double check that your company isn’t inadvertently storing magnetic stripe data, card verification codes or PINs.
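A practical way to act on this item is to scan the places where data accumulates (order exports, support tickets, application logs) for the things the standard says must never be stored after authorization. The following is an added example, not code from Western Union or the PCI Security Standards Council: it runs a few constructed sample records through pattern checks for full card numbers (validated with the Luhn checksum so that order numbers and phone numbers are not flagged), card verification codes, and the characteristic layout of magnetic stripe track 1 and track 2 data. The record format and all values are made up for the example; only masked card numbers are ever reported.

```python
import re

# Constructed sample records, loosely modelled on an order-log export from a small
# business. Every value is made up; the card numbers are well-known test numbers.
SAMPLE_RECORDS = [
    "order=1001 customer=alice last4=4242 auth=ok",
    "order=1002 customer=bob pan=4111111111111111 exp=1229 cvv=123",
    "order=1003 customer=carol track2=;5555555555554444=29121011234?",
    "order=1004 customer=dave track1=%B4111111111111111^DOE/JOHN^2912101100?",
    "order=1005 customer=erin note=callback at 5551234567",
]

# A run of 13-19 digits not embedded in a longer digit string: a card number candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# A card verification code stored next to a label such as cvv=, cvc: or cid=.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Track 1 layout: %B<PAN>^<NAME>^...   Track 2 layout: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report itself is safe to store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> list[tuple[str, str]]:
    """Return (kind, evidence) findings for one stored record."""
    findings = []
    if TRACK1_RE.search(text):
        findings.append(("track1", "full magnetic stripe track 1 data present"))
    if TRACK2_RE.search(text):
        findings.append(("track2", "full magnetic stripe track 2 data present"))
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append(("pan", mask_pan(m.group())))
    if CVV_RE.search(text):
        findings.append(("cvv", "card verification code present"))
    return findings


def scan_records(records: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map record index -> findings, for records that contain prohibited data."""
    report = {}
    for i, rec in enumerate(records):
        findings = scan_record(rec)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in scan_records(SAMPLE_RECORDS).items():
        for kind, evidence in findings:
            print(f"record {idx}: {kind}: {evidence}")
```

Records that store only the last four digits or unrelated numbers produce no finding; records holding a full card number, a verification code or raw track data are each reported, which is the signal that the storage in question needs to be eliminated rather than protected.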

Train your team. Even the most secure practices are vulnerable to human error. That’s why education is key. Consider tapping somebody inside your company — perhaps an employee from the IT or risk department — who can champion PCI compliance. Enroll that person in an internal security assessor course and educate your entire staff on companywide security policies.

Only buy compliant applications. There’s more variety than ever when it comes to payment applications. When buying an application, talk to the vendor and don’t be afraid to ask questions about its compliance. If you don’t feel comfortable with the vendor, chances are you won’t feel confident about your company’s data security either.

Change passwords. When you buy a new payment application, make sure to immediately change the administrative password. It’s relatively easy for hackers to guess administrative passwords that are left at their factory defaults, which are often some variation of admin or admin123. “This turns out to be one of the most persistent things we’re seeing out there,” Russo says.

Check your security log. Logging, that is, automatically recording events on your systems, is essential for identifying suspicious activity. Check the logs daily or weekly and look for anything that seems out of the ordinary. Also, consider setting up automatic alerts that notify you the moment an irregularity occurs.
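To make the “automatic alerts” idea concrete, here is an added example (not code from the original article or from any payment application vendor) that reads authentication events from a payment application’s log and raises the kinds of alerts a small business would want: a burst of failed logins for one account from one address, a successful login right after repeated failures, and any use of the administrative account from outside the store network. The log line format, the account names, the addresses and the assumption that 192.168.1.0/24 is the trusted store LAN are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log excerpt; the format is invented for this example.
LOG_LINES = """\
2024-03-04T02:11:05Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-04T02:11:09Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-04T02:11:14Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-04T02:11:20Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-04T02:11:27Z auth user=admin src=203.0.113.7 result=FAIL
2024-03-04T02:11:33Z auth user=admin src=203.0.113.7 result=SUCCESS
2024-03-04T09:02:41Z auth user=cashier1 src=192.168.1.20 result=SUCCESS
2024-03-04T09:05:10Z auth user=cashier2 src=192.168.1.21 result=FAIL
2024-03-04T09:05:30Z auth user=cashier2 src=192.168.1.21 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)
FAIL_THRESHOLD = 5                      # failures that count as a burst
SUCCESS_AFTER_FAILS = 3                 # failures before a success that warrant review
WINDOW = timedelta(minutes=10)          # only failures this recent are counted
ADMIN_ACCOUNT = "admin"                 # assumed name of the built-in admin account
TRUSTED_NET = ip_network("192.168.1.0/24")  # assumed store LAN


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def detect(log_text: str) -> list[tuple[str, str, str, datetime]]:
    """Return (alert_kind, user, src, timestamp) tuples in the order they fire."""
    alerts = []
    recent_fails: dict[tuple[str, str], list[datetime]] = {}
    burst_reported: set[tuple[str, str]] = set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        # Drop failures that have aged out of the window.
        fails = [t for t in recent_fails.get(key, []) if ev["ts"] - t <= WINDOW]

        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) >= FAIL_THRESHOLD and key not in burst_reported:
                alerts.append(("repeated_failures", ev["user"], ev["src"], ev["ts"]))
                burst_reported.add(key)
        else:
            if len(fails) >= SUCCESS_AFTER_FAILS:
                alerts.append(("success_after_failures", ev["user"], ev["src"], ev["ts"]))
            if ev["user"] == ADMIN_ACCOUNT and ip_address(ev["src"]) not in TRUSTED_NET:
                alerts.append(("admin_login_untrusted_source", ev["user"], ev["src"], ev["ts"]))
            fails = []                  # a success resets the failure streak
        recent_fails[key] = fails
    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in detect(LOG_LINES):
        print(f"{ts.isoformat()} ALERT {kind}: user={user} src={src}")
```

In the sample excerpt the cashier who mistypes a password once produces nothing, while the early-morning sequence against the administrative account trips all three rules. The thresholds and the trusted network are the parts to tune for a real deployment; the rest is the same daily log review the checklist asks for, just performed continuously.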

Watch your point-of-sale devices. Point-of-sale devices, such as PIN pads, are frequent targets of “skimming” by those looking to steal consumer data. Russo suggests taking photographs of these devices when you first get them and putting them in a file. “Make a habit of regularly pulling it out and comparing it with the device,” he says. “Does the device look the same? Did somebody put a false front on it? Might somebody have opened it up?”

Make PCI compliance a constant effort. It’s important not to underestimate the value of staying PCI compliant over the long term. As one study found, victims of security breaches were far more likely to be PCI non-compliant.[1] Meeting PCI standards requires everyday, year-round maintenance. “PCI compliance is not the ceiling, it’s the floor,” says Russo. “This is the minimum you should be doing … make sure this becomes ingrained. I lock my car every day, not just Monday, Wednesday and Friday.”

[1] “Verizon 2011 Payment Card Industry Compliance Report,” Verizon, 2011.