PCI compliance is a task that every business owner or merchant needs to take seriously. If you have staff who handle credit card information, setting up a tracking process is a critical first step. And it’s just good business practice, plain and simple. Simple? Really? Bet that word grabbed your attention. Let’s take a closer look at this simple step that will help you create or enhance your security policy and keep your company in good standing.
PCI Compliance Protects Your Customers and You
Simply put, the whole idea behind PCI compliance is to set the stage to prevent, and to enable quick detection of, a compromise of cardholder data. Minimizing the damage and preventing future loss is critical should a problem arise. The PCI compliance folks recommend that you establish a process for linking all access to systems (especially access done with administrative privileges) to an individual user. That’s where tracking comes into the picture.
The Process: Who, What, Where and When
The best place to start with this process is to look at the 4 W’s of your business environment. Think about these questions:
Who on my staff has access to cardholder data?
What level of access do they have and activity do they perform?
Where do they access the information: onsite or remotely?
When do they have access?
Not that long ago keeping track of this detail was not considered very important. However, knowing who accessed your systems and what they did there is now critical in the event that a cardholder reports a problem or even if there is a suspicion of foul play. Failure to properly track all internal and external users can leave you unable to establish a breach timeline or pinpoint responsibility.
- Assign staff unique usernames and document the process. This is a great tool that will allow you to reliably identify the user or access code that performed the action in question.
- Track access to the logs and audit trails generated by the system itself. If someone can log in and delete the logs, that user has effectively prevented you from proving that they carried out the action in question.
- Ensure that your systems have the time and date set correctly. Accurate timestamps matter because they establish the window in which a questionable action occurred.
- Review the logs on a regular basis. Regular monitoring helps you identify questionable actions sooner rather than later.
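The four points above translate directly into checks a reviewer can run over an access log. The following is an added example written for this article, not code from the PCI Security Standards Council or any real system: it parses a constructed log format (one line per access with user, role, source and action, an assumed layout) and flags lines that cannot be tied to one person, that touch the audit trail, that are privileged remote access, or that fall outside assumed business hours.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (not from any real system). Format is assumed for this example.
SAMPLE_LOG = """\
2024-03-04T09:12:05Z user=alice role=admin src=onsite action=view_card_batch
2024-03-04T23:47:30Z user=admin role=admin src=remote action=export_cardholder_report
2024-03-05T10:03:11Z user=bob role=clerk src=onsite action=view_transaction
2024-03-05T02:15:44Z user=bob role=clerk src=remote action=delete_audit_log
2024-03-05T11:30:00Z user=shared_pos role=clerk src=onsite action=view_transaction
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")
# Generic account names that cannot be traced to one individual (assumed list).
SHARED_ACCOUNTS = {"admin", "root", "shared_pos"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC, assumed for this example

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def findings_for(rec):
    """Return the review flags for one parsed record, keyed to the 4 W's."""
    flags = []
    if rec["user"] in SHARED_ACCOUNTS:                      # Who: not a unique username
        flags.append("shared_account")
    if rec["action"].startswith("delete_audit"):            # What: tampering with the audit trail
        flags.append("audit_log_deletion")
    if rec["role"] == "admin" and rec["src"] == "remote":   # Where: privileged remote access
        flags.append("remote_admin")
    if rec["ts"].hour not in BUSINESS_HOURS:                # When: outside business hours
        flags.append("off_hours")
    return flags

def review(log_text):
    """Map each flagged line number (1-based) to its flags; clean lines are omitted."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        flags = findings_for(rec)
        if flags:
            results[n] = flags
    return results
```

Calling review(SAMPLE_LOG) flags the off-hours remote export by the generic "admin" account, the off-hours deletion of the audit log, and the use of the shared point-of-sale account, while alice's and bob's ordinary daytime access passes.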
For all the specific details on PCI compliance please visit the PCI Security Standards Council website.
Tracking is worth the effort for two good reasons: Putting a tracking process into your business environment will aid in PCI compliance and might put a new light on how your staff handles their responsibilities.