This is the 279th article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, cloud and SaaS, or MSPs for the series PM Eric to get started.
The company I work for never had an IT guy, so when I was hired as their consultant, I wanted to help their business grow by pulling them out of the stone ages of computing and paper files. I was quickly hired on as full-time IT guru and have been making major changes ever since. We started out by getting everyone a new PC, adding a domain server, and then tackling the big problem of finding a good ERP/CRM solution that was geared toward our manufacturing business.
A month or so down the road, we realized that we were wasting a lot of time and money by having a third-party merchant handle all of our credit card orders. The fees were outrageous! We learned that our ERP software can handle credit cards through a gateway and that this “simple” step would not only save us money, but would also save us the hassle of dealing with a third-party merchant.
Why the quotes around “simple,” you ask? Because of six simple letters: PCI-DSS.
In order for us to process credit cards in-house, we would have to become PCI-DSS compliant. The problem? We were far from it.
A quick explanation of PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is a standard created by the payment card companies (Visa, MasterCard, American Express, Discover, and JCB). These companies developed it to make sure their merchants meet a bare minimum of security to protect not only the industry but the cardholder. PCI-DSS is broken down into six major objectives, separated into 12 requirements, with multiple sub-requirements that all merchants must adhere to. These requirements are not optional; any merchant wishing to accept cards must be in compliance with all of the requirements or they may face stiff penalties, or worse, they could suffer a data breach and face major lawsuits and fines.
The path we took
In our business, we were having a third party handle all of our transactions, so we didn’t know the first thing about compliance. Luckily, our ERP vendor provided us with a link to a self-assessment that contained a number of questions to help us understand our current level of compliance, as well as a number of pointers showing what criteria were needed to meet each requirement. After about 20 minutes of answering questions, we had a good idea of the path we needed to take.
- Read up — The first thing that I can recommend to anyone going for compliance is to download and follow the Prioritized Approach Tool for PCI-DSS 2.0 that was created by the industry. This spreadsheet helped set a pace on what was needed immediately and what could wait until an earlier step was completed.
- Don’t panic — A word of advice: Don’t be discouraged by the amount and depth of requirements listed for compliance. The big thing to keep in mind is that the PCI-DSS standards are a guide to compliance; they are not instructions on how to become compliant, but merely a guide to help you determine the minimum needed to protect the data and in turn protect your customers.
- Limit your scope — One quick way to make the process less painful is to split your network so you can limit the scope of where the requirements need to be followed. It is far easier to enact all of the requirements on a handful of computers than on all of the computers, all of the phones, all of the printers, et cetera. By limiting scope, you can focus on just the devices that will be storing and processing cardholder data. We limited our scope to the two servers, twelve desktops, and a smart time clock that links to the ERP software. We immediately put all of these devices on their own switch.
- Get a nice blinky box — The next task was to install a true firewall that meets the PCI-DSS requirements of having and maintaining a firewall with IDS/IPS.
We wanted more, so we found a few brands out there that can do IDS/IPS plus gateway AV, plus another favorite, built-in DLP and reporting. These types of firewalls can put a big green check on a number of requirements all in just one simple device. The issue I ran into is the one most of us in IT can agree on: upper management sees IT as a cost center with limited ROI, so trying to convince the company to drop a few grand on a blinky box with cables can be difficult. I explained to them the requirements and the fines for non-compliance, and was quickly told to make it happen. The cost of compliance is still cheaper than using a third-party merchant.
- Update your IT policy — A major factor in data breaches is, of course, users. Training and documentation are vital in maintaining compliance. We updated our IT policy and had our users sign off on the new rules. Penalties for infractions are swift and severe. All it takes is for a user to hit reply on a sales order email on which the customer decided to send the full credit card number, and poof, you are out of compliance. We have switched over to Exchange Online with DLP tools to help limit the exposure. We have created rules that block anything looking like a card number outbound; the rules flag all of that in a report, plus they email the internal user with a message pointing them back to the policy.
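The outbound card-number rule described above, as an added illustration (not the Exchange Online DLP implementation and not the author's configuration): a Python scanner that finds 13 to 19 digit sequences, uses the Luhn check to discard numbers that merely look like a card (order or tracking numbers), and reports only masked PANs so the report itself never holds full card data. The sample reply and its numbers are constructed; 4111 1111 1111 1111 is a standard test card number.

```python
import re
from typing import List, NamedTuple, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens
# (e.g. "4111 1111 1111 1111"). Word boundaries keep it from matching inside longer digit runs.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies; filters out card-length noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right; subtract 9 if that gives two digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the DLP report does not itself store a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

class Finding(NamedTuple):
    line_no: int
    masked_pan: str

def scan_outbound(message: str) -> List[Finding]:
    """Return one Finding per Luhn-valid card number in the outbound message body."""
    findings = []
    for line_no, line in enumerate(message.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings

def evaluate_outbound(message: str) -> Tuple[str, List[Finding]]:
    """Policy decision for the mail flow rule: block and report if any PAN is present, else allow."""
    findings = scan_outbound(message)
    return ("block" if findings else "allow", findings)

# Constructed sample: a reply that quotes the customer's original mail, which is exactly how
# full card numbers leak back out. The tracking number on line 2 has a card-like length but
# fails Luhn, so it is not flagged; the quoted card on line 3 is.
SAMPLE_REPLY = (
    "Subject: RE: Sales order SO-2014-0312-0008\n"
    "Thanks, I have entered your order. Tracking number 1234567890123456.\n"
    "> Please charge my card 4111 1111 1111 1111, exp 09/16.\n"
)

if __name__ == "__main__":
    print(evaluate_outbound(SAMPLE_REPLY))  # ('block', [Finding(line_no=3, masked_pan='************1111')])
```

In a real deployment the "block" verdict would feed the mail flow rule and the masked findings the report and user notice; the scanner here is deliberately limited to the message body and ignores attachments.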
Compliance is not a one-time thing. In order to maintain compliance, you must follow all of the guidelines at all times. Depending on the business, you may be required to complete self-assessments from time to time, or you may be required to have an auditor come in and check your compliance level. Audits can be a scary thing, so the biggest ally to you is documentation. As long as you can prove each requirement is being followed, you have nothing to worry about.
PCI-DSS is ever changing, and in light of the recent Target data breach, I believe additional requirements will be added to PCI-DSS, so compliance will always be an uphill battle. In order to survive, a company must be willing to spend the money to protect its customers, and it must maintain training, documentation, and compliance.
To anyone thinking of becoming compliant, or in the process of becoming compliant, I wish you good luck and hope my experiences help shed light on the topic and I hope the links provided can assist you up the hill to compliance.
Links for reference: