Aug 19, 2014
Protecting your customers' cardholder data is extremely important. Leaked data can result in numerous problems, ranging from criminal proceedings to government fines and huge damage to your organisation's reputation. Appropriately protecting cardholder data is also a cornerstone of the PCI-DSS requirements, and in today's post I share 11 things all organisations should be doing to protect their cardholder data.
- Restrict access to physical data - physical data should only be accessible to the people that need it, at the times when they need it. Physical data should always be locked away, and inaccessible outside of office hours.
- Dispose of data when it's no longer needed - when your organisation no longer has any use for cardholder data, make sure to appropriately destroy it. This means using cross-cut document shredders.
- Only store essential data - never store more data than you need. The less data you have stored, the lower the risk.
- Only ever record the last 4 digits of card numbers - after processing a credit or debit card transaction, only ever record the last 4 digits of a customer's card number. There's no reason to record the full number -- 4 digits is enough for confirmation purposes.
- Never retain CVV codes - your organisation should never save a customer's CVV code after they've made a purchase. The CVV exists to verify a transaction at the moment it is made, and storing it afterwards undermines that protection.
- Never retain PIN codes - PIN codes are highly confidential and should never be stored under any circumstances.
- Regularly scan computer networks - all computers and networks should be regularly scanned for vulnerabilities, viruses and malware.
- Only store data on equipment dedicated to payment processing - cardholder data should only ever be stored on computers or servers dedicated to payment processing, and nothing else. Never store cardholder data on e.g. computers used by staff for their day-to-day activities.
- Never send card information via email - email is not a secure communication medium, and cardholder data is open to being intercepted when sent via email. Make sure that it's company policy to never request information from customers via email and to never share it with colleagues via email, either.
- Perform regular penetration tests - penetration testing is important, and something that should regularly be performed on your organisation's networks. Make sure that the network and systems that manage cardholder data and process transactions receive particular attention.
- Train all employees on PCI best practices - last but not least, make sure that your organisation implements organisation-wide PCI security awareness training. PCI training will help employees to be compliant with the PCI DSS standard, and vastly reduce the risk of leaked data.
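The truncation and CVV/PIN retention rules above are easy to state but easy to violate by accident (an order log, a debug dump, a spreadsheet export). Below is an added example, not code from the original post, showing both sides in Python: a helper that keeps only the last 4 digits, and a scanner that flags stored records still holding a full card number (a 13-19 digit run that passes the Luhn check) or a CVV/PIN field. The sample records are constructed for illustration and use well-known test card numbers, not real cards.

```python
import re

# Constructed sample records standing in for rows a merchant might have stored
# (e.g. an order log). The card numbers are public test numbers, not real cards.
SAMPLE_RECORDS = [
    "order=1001 card=4111111111111111 cvv=123 amount=19.99",  # full PAN + CVV: violation
    "order=1002 card=************4242 amount=5.00",           # already truncated: OK
    "order=1003 card=5555555555554444 amount=42.00",          # full PAN: violation
    "order=1004 ref=1234567890123 amount=1.00",               # 13 digits but fails Luhn
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# A field name that should never be stored at all, followed by a short numeric value
CVV_FIELD = re.compile(r"\b(cvv|cvc|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last 4 digits of a card number, masking the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_violations(records):
    """Flag records that still hold a full PAN or a CVV/PIN field.

    Returns a list of (record_index, kind) tuples in the order found.
    """
    found = []
    for idx, rec in enumerate(records):
        for m in PAN_CANDIDATE.finditer(rec):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.append((idx, "full_pan"))
                break               # one hit per record is enough to flag it
        if CVV_FIELD.search(rec):
            found.append((idx, "cvv_or_pin"))
    return found

if __name__ == "__main__":
    for idx, kind in find_violations(SAMPLE_RECORDS):
        print(f"record {idx}: {kind} -> {SAMPLE_RECORDS[idx]}")
```

Run the scanner over exported logs or database dumps as a periodic check; the Luhn test keeps ordinary reference numbers (like order 1004 above) from producing false positives.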