Theft Prevention

Four critical elements to establishing IT security

30 Apr, 2010 By: David Ellis
 

Credit card security is everyone’s responsibility. If you’re accepting credit-card payments over the phone, on site or via the Web, you have an obligation to protect your customers—and yourself—from data theft.

Many hotel and motel operators believe that their credit card activity falls “below the radar,” either because of their small transaction volume or because they don’t store credit card data. In fact, hotels are as vulnerable as restaurants, small grocery stores or any other small-to-medium merchant. Hackers regularly search out businesses like yours. They may either operate “in the blind” over the Web, looking for open data ports through which they might ultimately breach a payment network, or they may specifically target a particular merchant.

No one is immune—and that’s why PCI compliance is so important. While there are a number of elements to establishing credit card/IT security, here are some of the most critical:

• Properly configure firewalls. First, ensure that you have a firewall, and then ensure that it is properly configured. What many merchants don’t realize is that firewalls are meant not only to prevent things from getting in, but also from getting out. Make sure your firewalls also are configured to segment your payment application from other business activities. This way you can configure your payment application to only transmit out to your payment processor.

• Protect against unwanted remote access. Allowing remote access to your network is often a necessity. If that is the case, ensure that remote access can only be accomplished with two-factor authentication. For example, require a complex, individual password and have someone onsite at your business enable the connection. Don’t use default IDs/passwords; select new (complex) ones and ensure that all users have their own individual authentication credentials. Also, remote access (using pcAnywhere, VNC, LogMeIn, etc.) should only be used by authorized employees.

• Ensure strong encryption of stored cardholder data. If all stored credit-card data is encrypted, an attacker who does get into your cardholder environment is far more likely to come away with data that is unusable.

• Stay current with patches and updates. Make sure your operating systems, your applications and all your anti-virus and anti-spyware services are up to date.
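The firewall bullet above calls for egress filtering and for segmenting the payment application so that it can only send traffic to the payment processor. The following is an added example (not part of the original article) that models a weak, allow-everything forward policy next to a default-deny policy, evaluates sample flows against both, and emits the hardened policy as an nftables ruleset. All addresses (payment and office segments, processor and resolver hosts) are constructed for illustration.

```python
"""Model of firewall egress filtering and payment-segment isolation (added example).

Constructed, hypothetical addressing:
  PAYMENT_NET   10.10.20.0/24  segment holding the payment application
  OFFICE_NET    10.10.10.0/24  front-desk and back-office workstations
  PROCESSOR_IP  203.0.113.10   the acquirer's payment gateway (documentation range)
  DNS_RESOLVER  10.10.1.53     internal resolver the payment hosts may query
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PAYMENT_NET = ip_network("10.10.20.0/24")
OFFICE_NET = ip_network("10.10.10.0/24")
PROCESSOR_IP = ip_address("203.0.113.10")
DNS_RESOLVER = ip_address("10.10.1.53")
ANY = ip_network("0.0.0.0/0")


def host(ip) -> IPv4Network:
    """Single-host network for a rule's source or destination."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None  # destination port or None for any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], default: str, flow: Flow) -> str:
    """First-match evaluation like a firewall chain; `default` is the chain policy."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in (None, flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return default


# Weak configuration: the payment segment can reach anything, and anything can reach it.
WEAK_FORWARD = [Rule("accept", ANY, ANY)]
WEAK_DEFAULT = "accept"

# Hardened configuration: default drop. The payment segment may only talk to the
# processor over TLS and to the resolver; office workstations cannot reach it at all.
HARD_FORWARD = [
    Rule("accept", PAYMENT_NET, host(PROCESSOR_IP), "tcp", 443),
    Rule("accept", PAYMENT_NET, host(DNS_RESOLVER), "udp", 53),
    Rule("drop", PAYMENT_NET, ANY),
    Rule("drop", OFFICE_NET, PAYMENT_NET),
]
HARD_DEFAULT = "drop"


def render_nftables(rules: List[Rule], default: str, table: str = "payment_seg") -> str:
    """Emit the modelled policy as an nftables forward chain. A ct rule admits
    return traffic for established connections, which the simple model above omits."""
    def match(r: Rule) -> str:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {r.src}")
        if r.dst != ANY:
            parts.append(f"ip daddr {r.dst}")
        if r.proto and r.dport:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(r.action)
        return " ".join(parts)

    lines = [f"table inet {table} {{",
             "  chain forward {",
             f"    type filter hook forward priority 0; policy {default};",
             "    ct state established,related accept"]
    lines += ["    " + match(r) for r in rules]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    exfil = Flow("10.10.20.5", "198.51.100.7", "tcp", 443)  # payment host to an unknown Internet host
    print("weak:", evaluate(WEAK_FORWARD, WEAK_DEFAULT, exfil))
    print("hard:", evaluate(HARD_FORWARD, HARD_DEFAULT, exfil))
    print(render_nftables(HARD_FORWARD, HARD_DEFAULT))
```

The `evaluate` function is only a model for checking intent; the rendered ruleset is what you would load with `nft -f`, after replacing the constructed addresses with your own and confirming that the payment application still completes a test transaction.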
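The encryption bullet says stored card data should be unusable to someone who steals the store. The added example below (not from the article; it uses the third-party `cryptography` package, assumed installed) shows what that looks like in practice: the PAN is encrypted with AES-256-GCM under a data-encrypting key held apart from the records, the record identifier is bound in as associated data so a row cannot be swapped between reservations, and the stored row carries only a masked PAN for display and an HMAC token for lookups. The card number used is the standard Visa test PAN; the reservation identifiers are constructed.

```python
"""Cardholder data at rest: encrypt the PAN, store only masked PAN and lookup token. Added example."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def luhn_valid(pan: str) -> bool:
    """Reject obviously malformed input before it reaches the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a receipt or screen should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class CardVault:
    """Minimal vault. In production the DEK and token key live in a key store or HSM,
    not beside the records, and CVV/CVC is never written anywhere at all."""

    def __init__(self, dek: bytes, token_key: bytes):
        self._aead = AESGCM(dek)
        self._token_key = token_key
        self._rows: Dict[str, dict] = {}

    def token_for(self, pan: str) -> str:
        """Keyed one-way token: lets you find a card again without storing the PAN."""
        return hmac.new(self._token_key, pan.encode(), hashlib.sha256).hexdigest()

    def store(self, record_id: str, pan: str, expiry: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        nonce = secrets.token_bytes(12)                       # unique per encryption
        ciphertext = self._aead.encrypt(nonce, pan.encode(), record_id.encode())
        self._rows[record_id] = {
            "masked_pan": mask_pan(pan),
            "token": self.token_for(pan),
            "expiry": expiry,
            "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(),
        }
        return self._rows[record_id]["token"]

    def reveal(self, record_id: str) -> Optional[str]:
        """Decrypt for a settlement or refund; fails closed if the row was tampered with or moved."""
        row = self._rows.get(record_id)
        if row is None:
            return None
        try:
            return self._aead.decrypt(bytes.fromhex(row["nonce"]),
                                      bytes.fromhex(row["ciphertext"]),
                                      record_id.encode()).decode()
        except InvalidTag:
            raise ValueError("record integrity check failed")

    def dump(self) -> str:
        """What a thief copying the database would actually get."""
        return json.dumps(self._rows, sort_keys=True)

    def find_by_pan(self, pan: str) -> list:
        tok = self.token_for(pan)
        return [rid for rid, row in self._rows.items() if row["token"] == tok]


if __name__ == "__main__":
    vault = CardVault(AESGCM.generate_key(bit_length=256), secrets.token_bytes(32))
    test_pan = "4111111111111111"                              # standard Visa test number
    vault.store("RES-2010-0417", test_pan, "12/12")
    print(vault.dump())                                        # no PAN anywhere in here
    print(vault.reveal("RES-2010-0417"))
```

The two things to check in your own system are the ones the `dump` output makes visible: no full PAN appears in the stored rows, and the key that unlocks them is not stored with them.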

Contrary to what many small businesses believe, PCI compliance is not optional. It is both mandated by your acquiring financial institution and enforced by the major payment brands (Visa, MasterCard, American Express, Discover and JCB).

The kind of compliance you are required to meet is determined by your financial institution and defined by the number of credit-card transactions under your merchant ID. Generally, individual properties must complete and submit an annual Self-Assessment Questionnaire (SAQ), and a quarterly network vulnerability scan must be performed by an Approved Scanning Vendor (ASV). Scans should also be done any time changes are made to your system—for example, after changing Internet service providers, applying updates or adding/changing point-of-sale terminals.

If your institution tells you that an annual SAQ and quarterly scans are sufficient, go to the PCI Security Standards Council website (www.pcisecuritystandards.org) and download a copy of the SAQ. A list of ASVs is available on the site as well. Remember, compliance is not a one-time activity, nor is it accomplished by a single fix. IT security requires a layered approach. Assessment and testing cover only a single point in time; you can be compliant now and not later. Routine security maintenance is required in order to preserve PCI compliance and ensure that you and your guests remain protected.


© 2010 Questex Media Group LLC. All rights reserved