Digital Data Services
PCI Compliance Basics
Any business that takes credit or debit cards for payment has had to deal with PCI compliance scans. But what is a PCI scan and what does it do? PCI scans check for vulnerabilities in your network that a hacker could use to compromise your credit card machines or network, but is that all a hacker could do? In this article I’ll talk about PCI Compliance and why it is so important for your network.
You don’t need a hardware firewall in place to pass a PCI compliance scan, but I would highly recommend one. You have to do your homework when shopping for a router/firewall; see my security article in the blog. The characteristics of your business go a long way in determining what kind of firewall you need. Health care requires much more security (HIPAA Compliance) than, say, a lawn and garden center, but all personal and financial information demands protection. Always consult an IT specialist when securing your network. IT professionals know their job and it’s their responsibility to ensure security for your network and data.
Run your PCI compliance scan to check for a failure. If there is a failure, follow these steps:
- Get a generated report of the scan to determine what is actually causing the failure.
- Review your site survey and the compliance information you filled out initially to see if anything has changed.
- Has your IP changed? DHCP (Dynamic Host Configuration Protocol) connections may get a different IP when renewing a lease. If you have changed ISPs (Internet Service Providers) your IP will certainly change, even if it is a static IP.
- Have you added, removed, or replaced any equipment?
- Have you added any firewall rules for equipment?
These basic steps can provide an answer. If they do not, call an IT professional for help. Manual compliance review is an option if you intentionally have services or devices allowed through the firewall. Always consult an IT professional and work with your compliance scan management company to ensure compliance.
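As an added example (not part of the original post), here is a small Python script that walks those steps against sample data: it compares the scan report's target IP, exposed ports and devices with what the site survey recorded. The report and survey layouts, the addresses and the device names are all constructed assumptions.

```python
"""Triage a failed PCI scan against the site survey on file.

Added example, not from the original post. The report and survey layouts
are assumptions (constructed sample data); real scan vendors use their own.
"""
from ipaddress import ip_address

# Constructed sample: what the merchant recorded in the initial site survey.
SITE_SURVEY = {
    "public_ip": "203.0.113.10",  # placeholder from the documentation range
    "allowed_services": {443: "payment gateway HTTPS"},
    "equipment": {"router", "pos-terminal-1"},
}

# Constructed sample: findings pulled from the generated scan report.
SCAN_REPORT = {
    "scanned_ip": "203.0.113.55",
    "open_ports": {443: "https", 80: "http", 3389: "ms-wbt-server"},
    "hosts_seen": {"router", "pos-terminal-1", "new-camera-nvr"},
}


def triage(survey, report):
    """Return human-readable findings that explain why the scan failed."""
    findings = []
    # Step 1: has the public IP changed (DHCP lease renewal, new ISP)?
    if ip_address(report["scanned_ip"]) != ip_address(survey["public_ip"]):
        findings.append(
            f"IP changed: survey lists {survey['public_ip']} but the scan "
            f"targeted {report['scanned_ip']}; update the scan scope"
        )
    # Step 2: firewall rules or equipment exposing unapproved services.
    for port, service in sorted(report["open_ports"].items()):
        if port not in survey["allowed_services"]:
            findings.append(
                f"port {port}/tcp ({service}) is reachable from the internet "
                "but is not an approved service; review the firewall rule"
            )
    # Step 3: equipment added, removed, or replaced since the survey.
    for host in sorted(report["hosts_seen"] - survey["equipment"]):
        findings.append(f"new device on the network: {host}; add it to the survey")
    for host in sorted(survey["equipment"] - report["hosts_seen"]):
        findings.append(f"device in the survey no longer seen: {host}")
    return findings


if __name__ == "__main__":
    for line in triage(SITE_SURVEY, SCAN_REPORT):
        print("-", line)
```

Each finding maps back to one of the checklist questions above, so the output is the list you would hand to your IT professional or scan vendor.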
General Scan Failures
Most PCI scan failures are basic problems that can be corrected easily if you know what to look for.
Here are a few examples:
- Port vulnerability – Usually a service exposed without SSL, or one that presents a login screen to the internet
- Script vulnerability – Gives an attacker the ability to run a script that harvests information
- CSS vulnerability – Cascading Style Sheets is code embedded in a web page; a flaw in how the page handles that embedded code can be an opening for an intruder
- Intrusion detection – Intrusion prevention watches for and blocks attack traffic, keeping your network from being hacked
All these threats and many more make a secure gateway (firewall) necessary to protect your company from the world.
How do I Become Compliant?
When a scan fails, find the exact cause of the failure. It’s always a good idea to hire an IT professional to help you understand and assess threats before you fail a scan, but it’s never too late to consult with one. A good idea is to stick to what you know, and that is running your company. An IT pro can be invaluable when dealing with network security and PCI compliance scan failures. Repeated scan failures will result in the credit card company revoking your privileges, and you will no longer be able to accept credit or debit card payments.
When it comes to PCI Compliance, it’s not rocket science, but it is necessary to protect your customers’ information. Security is a must when dealing with financial or other personal information. The threats are everywhere and in every form. If you don’t have an IT department, hire a professional to advise you on the risks involved and find out how to lessen the chances of being a victim of a compliance failure or worse. Companies all over the world are under attack and you see it in the news almost every week. PCI Compliance is just one more step in securing your network and keeping your customers’ information, and your own data, safe.
Eric Evans, Owner
Digital Data Services LLC.