PCI compliance doesn’t stop at your billing and gym management software company. Are you protected in your facility?
Payment management companies provide a host of online gym management software applications to health clubs, including POS operations, recurring payments, onsite credit card processing and more. These companies need to operate in a very secure environment and must have all their operations, policies and online POS software modules validated against PCI DSS. If the company is a Level 1 Service Provider (the highest validation tier, with an annual on-site assessment), club owners can feel comfortable that the card data they entrust to it will be secured and protected.
On the flip side, club owners must also manage the security of their own location and physical premises, and ensure they are operating in a secure and PCI compliant manner. When clubs sign on with a payment management company, they should be assured that customer information, along with recurring payment data, is stored securely on the provider's side. However, merchants remain responsible for ensuring that the systems in their own locations comply with the PCI DSS controls: the provider's compliance does not transfer to the club's network, workstations or card readers.
When did PCI begin? In 2004 Visa, MasterCard, American Express, Discover and JCB banded together to create the Payment Card Industry Data Security Standard (PCI DSS), better known as just "PCI"; in 2006 they formed the PCI Security Standards Council to maintain it. The PCI standard lists a series of requirements that apply to any business that processes, stores or transmits credit/debit card data. The standard is designed to provide one common security baseline that must be used by anyone who handles card data.
PCI DSS is now on version 3.0, which became the required standard on January 1, 2014. It is organized as six control objectives (goals) covering 12 core requirements.
In your day-to-day operations, PCI DSS compliance probably isn't even on your radar, but it's important that you're aware of what is required and that you understand the new requirements of PCI DSS 3.0.
Critical points to consider in safeguarding the POS system are:
- Keep your POS on a network segment by itself. There should be no other computers, member Wi-Fi or wireless access points on the same segment, so that a compromised laptop or a guest on the club Wi-Fi cannot reach the POS. Your Internet Service Provider or network vendor should be able to help you configure your router to create a separate segment (for example a dedicated VLAN or a second router port) for the POS.
- Configure a host-based firewall on your POS system to block unsolicited inbound connections and remote access attempts. Windows and macOS both have a built-in firewall you can use; see Microsoft or Apple support for how to turn it on and restrict inbound rules.
- Ensure all users have strong, individual passwords and that no vendor default passwords remain on the POS, router or card readers. PCI DSS 3.0 requires at least seven characters with both letters and numbers (Requirement 8.2.3); a minimum of eight characters using both alphabetic and numeric characters is recommended.
- Do not store credit card numbers or social security numbers onsite. Sensitive authentication data (the full magnetic stripe, the CVV/CVC code and PINs) must never be stored after authorization, even encrypted, and a card number that you do keep must be rendered unreadable (Requirement 3.4). Leave card-on-file and recurring payment data in the payment provider's environment. If this information is stored where it is accessible, you are opening yourself up to huge liability if the data is compromised.
- Protect all systems against malware and regularly update your anti-virus software. Make sure all anti-malware and anti-virus programs are updated to the latest versions and signatures, and perform regular full-disk scans.
PCI DSS 3.0 also added requirements (Requirement 9.9) for merchants to protect the physical card-reading equipment itself. These requirements ensure the merchant knows which devices are currently in use and how to protect them from tampering or substitution, such as a skimmer fitted inside a reader or a reader swapped for a look-alike that captures card data. Requirement 9.9 was a best practice until June 30, 2015, after which it became mandatory.
The new PCI standards applicable to merchants are as follows:
- Maintain an inventory of all devices related to credit card processing. This includes POS workstations, card readers and network devices. Your inventory should record the make, model, serial number and location of each device, and be updated whenever a device is added, moved or replaced.
- Periodically inspect the devices used to accept credit card data to detect tampering or substitution. For example, check that the card reader hasn't been replaced with an unauthorized device by comparing the serial number on the device to the serial number in your original order or inventory sheet, and look for added overlays, extra cables or broken tamper seals.
- Train personnel to recognize attempted tampering or replacement of devices. For example, train on-site staff to notice when a device has been opened, moved or replaced, to verify the identity of anyone claiming to be a technician before letting them touch a device, and to confirm that the device plugs directly into your POS computer with no unexpected adapter in between.
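The inventory and inspection steps above are easier to act on if the walk-through is reconciled against the inventory sheet mechanically. The following is an added example, not code from the original article or from ASF Payment Solutions: it assumes a CSV inventory with location, make, model and serial columns (a constructed sample is embedded) and a constructed list of what staff found during an inspection, and it flags substituted devices, tamper evidence, devices that are not in the inventory, and inventory entries nobody inspected.

```python
"""Reconcile a POS device inventory (PCI DSS 3.0 Req. 9.9.1) against an
on-site inspection (Req. 9.9.2).

Added example; the inventory layout and the inspection record format are
assumptions for illustration, not a format used by any real product.
"""
import csv
import io

# Constructed sample inventory sheet: one card-capture device per location.
INVENTORY_CSV = """\
location,make,model,serial
Front desk,Verifone,VX520,SN-0001
Juice bar,Ingenico,iCT250,SN-0002
Kids club,Verifone,VX520,SN-0004
Manager office,Verifone,VX520,SN-0003
"""

# Constructed inspection record: (location, serial read off the device label,
# tamper seal intact and case unopened?).
INSPECTION = [
    ("Front desk", "SN-0001", True),        # matches inventory, seal intact
    ("Juice bar", "SN-0099", True),         # serial differs: possible swap
    ("Manager office", "SN-0003", False),   # seal broken: possible tampering
    ("Back door", "SN-0042", True),         # device nobody recorded
]


def load_inventory(csv_text):
    """Return {location: row dict} from the inventory CSV."""
    return {row["location"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory, inspection):
    """Compare the inspection against the inventory.

    Returns a sorted list of (location, finding, detail) tuples. An empty
    list means every inventoried device was inspected, matched its recorded
    serial number and showed no tamper evidence.
    """
    findings = []
    inspected = set()
    for location, serial, seal_intact in inspection:
        inspected.add(location)
        expected = inventory.get(location)
        if expected is None:
            findings.append((location, "UNKNOWN_DEVICE",
                             f"serial {serial} is not in the inventory"))
            continue
        if expected["serial"] != serial:
            findings.append((location, "SUBSTITUTED",
                             f"expected {expected['serial']}, found {serial}"))
        if not seal_intact:
            findings.append((location, "TAMPER_EVIDENCE",
                             "tamper seal broken or case opened"))
    # Devices on the sheet that the walk-through skipped are a gap too.
    for location in inventory.keys() - inspected:
        findings.append((location, "NOT_INSPECTED",
                         "device in inventory but not checked this round"))
    return sorted(findings)


if __name__ == "__main__":
    for location, finding, detail in reconcile(load_inventory(INVENTORY_CSV), INSPECTION):
        print(f"{finding:16} {location:16} {detail}")
```

Any SUBSTITUTED or TAMPER_EVIDENCE finding should take the device out of service until the payment provider has confirmed it, and an UNKNOWN_DEVICE finding means the inventory is stale or someone has attached equipment the club never ordered.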
Jose Calvillo is the Chief Information Security Officer (CISO) for ASF Payment Solutions. For questions on PCI compliance he can be reached at Jose.Calvillo@asfpaymentsolutions.com.