If not, you’re leaving yourself and your member data exposed to potential fraud.
PCI 3.0 is out and applicable to everyone processing credit card payments – even gym owners. You have a responsibility for managing credit card data within your own environment.
- Are you storing paper contracts within your office that contain credit card information?
- Do you store full credit card data in a file on your computer system?
- Do you keep credit card data within your office?
If you answered yes to any of these questions, you need systems or procedures to be PCI Compliant.
Install and maintain a firewall configuration to protect cardholder data.
Dedicate the computer system(s) to run gym management software and transmit data. This system should be on an isolated, secure network. If you provide wireless Internet access to your clients or a system for non-PCI activity, make sure they’re separated from your isolated network. You can perform your blocking with any number of methods, but we recommend a hardware router or firewall. If not, consider using a software firewall on the system itself.
Do not use vendor-supplied defaults for system passwords and other security parameters.
In short, you should change the passwords on user accounts that were pre-installed on your system or router when you purchased them. Hackers maintain lists of default accounts that ship with devices. When a hacker discovers your network for the first time, they’ll attempt to identify what you’ve installed and then try to log into the devices using the default account lists. We recommend you examine and change the default accounts on your Internet router, wireless access points and computer systems.
Protect stored cardholder data.
Fortunately, this is where a health club management vendor will help make your job much easier. If you’re using a payment processing company to handle your recurring payments, you don’t need to store the card data yourself. They fully encrypt all cardholder data and regularly review all procedures and controls used to protect the data.
You need to consider what cardholder data you’re storing and whether you need to store it at all. Many clubs are storing paper copies of the member’s contract. Unfortunately, many of these contracts have the member’s credit card data included. It’s a bad business practice and a compliance nightmare. If you store these forms, you should maintain an inventory and regularly check that none are missing. Your contract storage area should be physically secured (locked room; individual accountability on who enters; closed circuit cameras; 90 days of maintained camera footage). Alternatively, you can “sanitize” the forms and still remain compliant. By removing all but the last four digits of the card number, you don’t need to treat them as PCI data. If you choose to remove the card numbers, make sure the data can’t be read.
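The same “all but the last four digits” rule applies to electronic copies of contracts, exported reports and scanned documents. The following is an added example, not code from the article or from ASF Payment Solutions: a small sanitizer that finds 13- to 19-digit runs that pass the Luhn checksum (so phone numbers and membership IDs are left alone) and masks everything except the last four digits. The sample contract text is constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_match(match: re.Match) -> str:
    """Mask a regex hit if it is a real card number; otherwise return it unchanged."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # long account or membership IDs stay readable
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize(text: str) -> str:
    """Replace every Luhn-valid card number in `text` with its masked form."""
    return PAN_PATTERN.sub(_mask_match, text)


# Constructed sample: a membership ID, two test card numbers and a phone number.
SAMPLE_CONTRACT = """Member: A. Example   Member ID: 1234567890123
Payment card: 4111 1111 1111 1111  Exp: 12/29
Backup card: 5500-0000-0000-0004
Phone: 303-555-0100"""


if __name__ == "__main__":
    print(sanitize(SAMPLE_CONTRACT))
```

The masked output keeps only the last four digits, which is the form the article says no longer needs to be treated as PCI data. Run it over exported text before it is filed or emailed, and keep the original only where the article’s physical-security controls apply.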
Encrypt transmission of cardholder data across open, public networks.
Gym management software vendors should manage this requirement for their customers. All cardholder data should be sent encrypted between the payment PC and the processing application.
Protect all systems against malware and regularly update anti-virus software or programs.
Ensure you have an anti-virus program installed on the systems used for applications and payment processing. Verify that all systems can detect malware and are configured to automatically download new virus pattern updates. Lastly, make sure the anti-virus product regularly performs full system scans. We recommend every week.
Develop and maintain secure systems and applications.
If you are using a vendor for your health club management software, you will not have to take any action for this item.
Restrict access to cardholder data by business need to know.
The club management software will store and manage your stored cardholder data. Ensure that access to the application is restricted to authorized personnel only. If you store printed documents or other types of cardholder data, you need to have a process in place to limit access to it.
Identify and authenticate access to system components.
Everyone who accesses the club management software must have a unique ID and password. No one should be using shared accounts.
Restrict physical access to cardholder data.
Ensure your systems are only accessible by authorized staff members and are not accessible by members. If you’re storing contracts or other documents with full cardholder data, put physical controls in place to limit access to the area.
Track and monitor all access to network resources and cardholder data.
Ensure the firewall you’re using is configured to allow access to your payment management vendor only from your secure system, and have the firewall logs saved, protected and reviewed.
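“Reviewed” is the part most small clubs skip. The following is an added example, not code from the article or from any firewall vendor, that checks a saved firewall log against the isolation model described above (the payment PC on its own network, reaching only the payment vendor). The log format, the 192.168.10.0/24 payment network, the 203.0.113.10 vendor address and the sample entries are all constructed for the example; substitute your own router’s export format and your vendor’s published addresses.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Network layout assumed for this example (not from the article):
PAYMENT_NET = ipaddress.ip_network("192.168.10.0/24")      # isolated payment network
VENDOR_HOSTS = {ipaddress.ip_address("203.0.113.10")}       # placeholder vendor address
VENDOR_PORTS = {443}                                        # vendor reached over HTTPS only
DENY_THRESHOLD = 3                                          # repeated blocked attempts worth a look

# Constructed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    reason: str
    detail: str


def review_firewall_log(lines):
    """Return the entries a reviewer should look at, in log order, with a deny summary last."""
    findings = []
    denies_into_payment = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            # A line the parser cannot read is itself a finding: logs must stay reviewable.
            findings.append(Finding("?", "unparseable line", line))
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        src_in, dst_in = src in PAYMENT_NET, dst in PAYMENT_NET
        if m["action"] == "DENY":
            if dst_in and not src_in:
                denies_into_payment[str(src)] += 1
            continue
        # ALLOW entries: the payment network may only talk to the vendor, and nothing
        # outside the payment network (guest Wi-Fi, office PCs) may reach into it.
        if src_in and not dst_in and (dst not in VENDOR_HOSTS or dport not in VENDOR_PORTS):
            findings.append(Finding(m["ts"], "payment system reached a non-vendor destination",
                                    f"{src} -> {dst}:{dport}"))
        elif dst_in and not src_in:
            findings.append(Finding(m["ts"], "connection into payment network was allowed",
                                    f"{src} -> {dst}:{dport}"))
    for source, count in denies_into_payment.items():
        if count >= DENY_THRESHOLD:
            findings.append(Finding("summary", "repeated blocked attempts into payment network",
                                    f"{source}: {count} denies"))
    return findings


# Constructed sample log: one legitimate vendor call, one stray outbound connection,
# one allowed inbound connection from the guest network, three blocked probes, one bad line.
SAMPLE_LOG = """2024-05-01T09:00:01 ALLOW TCP 192.168.10.10:51000 -> 203.0.113.10:443
2024-05-01T09:00:05 ALLOW TCP 192.168.10.10:51001 -> 198.51.100.7:443
2024-05-01T09:01:10 ALLOW TCP 192.168.50.23:40000 -> 192.168.10.10:445
2024-05-01T09:02:00 DENY TCP 192.168.50.23:40001 -> 192.168.10.10:3389
2024-05-01T09:02:01 DENY TCP 192.168.50.23:40002 -> 192.168.10.10:22
2024-05-01T09:02:02 DENY TCP 192.168.50.23:40003 -> 192.168.10.10:23
garbage line"""


if __name__ == "__main__":
    for f in review_firewall_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ts}  {f.reason}: {f.detail}")
```

Any “allowed” finding means the firewall rules do not match the isolation the article describes and should be corrected; the deny summary tells you whether something on the guest or office network is repeatedly probing the payment system. Run the review on a schedule and keep the output with the logs so the review itself is evidenced.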
Regularly test security systems and processes.
As a PCI merchant, you’re required to have your network scanned by an Approved Scanning Vendor (ASV).
Maintain a policy that addresses information security for all personnel.
PCI compliance requires you to have an Information Security Policy that addresses security within your organization.
Jose Calvillo is the Chief Information Security Officer (CISO) for ASF Payment Solutions. He can be reached at Jose.Calvillo@asfpaymentsolutions.com.