
Tuesday, April 22, 2008

Guarding credit card information
By Jeremy Simon

Merchants need to be sure they are taking all the necessary precautions to protect their customers' credit card information. Losing your customers' credit card information is an easy way to lose your customers.

The payment industry is attempting to police itself before legislators enact and impose their own regulations. The Payment Card Industry Security Standards Council's Data Security Standard is a group of standards commonly agreed upon by Visa, MasterCard, Discover, American Express and JCB, which must technically be met by any merchant who accepts credit cards.

PCI DSS aims to protect consumer information from identity theft. Merchants who fail to comply with PCI DSS could suffer consequences ranging from loss of the ability to process credit card transactions up to fines of as much as $500,000. Certain types of businesses may require an audit by a PCI DSS certified security auditor.

As for the basics of PCI DSS, information security policies are required to be written down. These policies should be clear to everyone, including employees, and should cover both PCI DSS requirements and the regulations of any states with which you do business.

In order to protect your company's network, be sure to disconnect from the Internet when business is closed. An unattended network connection represents an opening for hackers. Think about whether you always shut down servers, network switches and routers; the more doors you lock, the safer you become.

Additionally, do not put all your data onto a single server, since all your data will be in danger if that server is compromised. Major steps in the direction of meeting current and future compliance regulations include getting an additional server for sensitive data, limiting who has access, encrypting data, and limiting connectivity to the Internet.

Avoid using wireless networks when sensitive information is involved, since outside hackers can access wireless features on a laptop. Also, invest in encryption, so that you will not need to let clients know if you lose a laptop or are the victim of a breach.

Finally, be aware of the danger posed by employees. Limiting and knowing who has access to your system will help you meet the requirements of PCI DSS, and it allows for regular monitoring to prevent data theft by employees. And, since employee negligence results in the vast majority of all losses, train your employees to protect business assets.
