8 common PCI compliance mistakes and how to avoid them
Last week, we saw LifeLock pull its mobile wallet app from all app stores due to PCI compliance concerns. A security scare can easily break trust in a brand, but with some effort such a nightmare can be prevented. Here are 8 common PCI compliance mistakes and how you can avoid them, because defence is the best offence when it comes to payment security.
(If you’re still not familiar with what PCI DSS is, you should watch this video.)
1. Storing cardholder data in plain text
Don’t need the data? Don’t store it. Try not to store card details after payment authorisation, but if you must, don’t store the full 16-digit card number. Never store track, PIN or CVV data in your log files or database. You should also encrypt all stored cardholder data and keep the encryption keys securely in the fewest possible locations and forms. Never store encryption keys alongside the encrypted data. Why lock things up in a safe and then attach the key to the safe door?
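As an added example (not part of the original post or Judopay’s code), a small Python log filter that applies the two rules above before a line is written: card numbers are recognised with a Luhn check and truncated to first six / last four, and CVV, PIN and track values are redacted outright. The regexes and the sample log line are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes (constructed pattern).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data that must never be stored at all: CVV, PIN, track data.
_SAD_RE = re.compile(r"\b(cvv2?|cvc|cid|pin|track[12]?)\s*[=:]\s*[^\s,;&]+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits; the middle digits are discarded."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Redact PANs and sensitive authentication data from a log line before it is written."""
    def _pan_sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        # Only mask digit runs that are valid card numbers, so order IDs etc. are left intact.
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    line = _PAN_RE.sub(_pan_sub, line)
    return _SAD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    # Constructed sample log line; 4111 1111 1111 1111 is a well-known test card number.
    sample = "payment ok pan=4111 1111 1111 1111 cvv=123 amount=10.00"
    print(redact(sample))
```

Hook `redact` into the logging pipeline (for example a `logging.Filter`) so that unredacted lines never reach disk, rather than cleaning logs after the fact.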
2. Default passwords not changed
Change the default passwords of all system components. Hackers can easily obtain the default passwords of various products online. Why make it so easy for them to break into your system? Change your passwords frequently and make sure they are strong. Encourage your users to change the default password you provide them as well. If that proves difficult to implement, then at least make sure your default password is strong and hard to guess. You can also use 2-factor user authentication to further safeguard your system.
3. Not using firewalls
Firewalls are essential: use them and never turn them off. You can use firewalls to segment cardholder data from the rest of your network. Simply having firewalls is not good enough, though. You should also have a thorough understanding of the configurations applied, full documentation of changes, and complete knowledge of what traffic is allowed in and out and why.
4. Not transmitting data via a SSL/TLS connection
Ensure that all payment pages are served over an SSL/TLS-secured connection. SSL/TLS are cryptographic protocols that provide communication security over the Internet. The protocols do not prevent intrusions into the server per se, but a high-assurance SSL/TLS certificate will provide a secure connection between the customer’s browser and the web server. We recommend that all pages be served under TLS 1.2.
5. Not maintaining a secure and up-to-date system
Know exactly what you are running, and maintain a regular schedule for security patches. Keep up with security updates and news. While you’re at it, remove all programs and files that are not needed from your servers: they slow down processes and open your system up to vulnerabilities. That way you also don’t have to spend time maintaining security patches for programs you are not using.
6. Not having code reviews
When you make changes to your system, test the changes before deploying them to ensure that you’re not introducing vulnerabilities into your environment. Document and implement secure coding standards, and be sure to follow them strictly.
7. Not having a concrete access control measure
Virtual and physical access to your data and servers should be highly restricted. Use a hosting solution or data centre that is PCI DSS Level 1 certified. Carefully consider and decide on user roles based on separation of duties. You can also protect yourself by limiting your scope of compliance as much as possible: if an environment does not have any stored cardholder data, then it is out of scope.
8. Not monitoring and logging
Take a proactive approach and do all you can to protect your business. Regularly review system security and audit logs. Store log data off-device and protect it with cryptographic measures. The goal is to spot any unauthorised access to your system as early as possible, to reduce the risk of a data breach.
About Judopay · Judopay simplifies in-app payments, enables frictionless checkouts and intelligently prevents fraud for leading companies globally. Our payments and mobile experts help guide businesses and their development partners to create best-in-class apps that make paying faster, easier and more secure. Founded by serial financial technology entrepreneurs in 2012, Judopay is backed by leading venture investors and supported by banking and card scheme partners to offer in-app payments that are simple, frictionless and protected.