Appalachia Technologies Blog
PCI - The Credit Card Industry's Answer to Consumer Data Protection
People carry less cash in their wallets than they used to. Even when going to the ice cream stand in the middle of summer, a debit or credit card is swiped instead of cash being tendered. The reason for this is simple - it’s easier to swipe a card than it is to carry a load of cash in your wallet. This has become an extremely convenient option over the years when making purchases. However, as is often the case, convenience comes with risk.
Let’s talk about the credit card you’ve been swiping. Its magnetic stripe holds two tracks of data, Track 1 and Track 2, that carry what the terminal needs to complete a purchase. Track 1 includes the PAN (Primary Account Number), the cardholder name, the expiration date, a service code and a discretionary field; Track 2 carries the PAN, expiration date and service code in a more compact form. When a purchase is made, this data is transmitted to the processor, and some of it (PAN, name, expiration date, service code) may be stored in company databases for future use, provided the PAN is rendered unreadable wherever it is stored. What PCI DSS prohibits storing after authorization is sensitive authentication data: the full contents of either track (the discretionary field carries the stripe’s own card verification value), the card verification code printed on the card (CVV2/CVC2/CID), and PINs or PIN blocks. These are forbidden because anyone who obtains them can produce a counterfeit card or complete a card-not-present transaction; keeping them out of storage protects the consumer from their card being misused.
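As an added example (not part of the original post), the following Python parses the Track 1 and Track 2 layouts described above, separates the fields a merchant may retain from the ones that must be discarded, and then scans constructed log lines for data PCI DSS forbids storing after authorization (full track data, an unmasked Luhn-valid PAN, a logged CVV). The track strings, the log lines and the names in them are constructed; the card numbers are the well-known 4111... and 5555... test numbers, not real accounts.

```python
"""Track data parser plus a log scanner for data PCI DSS says must not be
stored after authorization (full track, CVV/CVC, PIN). Added example; the
track strings, PANs and log lines below are constructed (4111... and 5555...
are well-known test card numbers, not real accounts)."""
import re
from typing import Optional

# ISO 7813 layouts: track 1 starts with '%B', track 2 with ';'.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
# 13-19 digit run with optional space/dash separators, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card verification code logged next to a label such as cvv, cvv2, cvc, cid.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2?)\s*[=:]\s*\d{3,4}\b", re.I)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked display per PCI DSS requirement 3: at most first 6 and last 4 digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track: str) -> Optional[dict]:
    """Return the named fields of a track 1 or track 2 string, or None if neither is present."""
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = rx.search(track)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def retainable(fields: dict) -> dict:
    """Subset a merchant may keep after authorization: PAN rendered unreadable (truncated
    here), cardholder name, expiry and service code. The discretionary field (it carries
    the stripe's CVV/CVC) and the full track are dropped and never written anywhere."""
    kept = {"pan": mask_pan(fields["pan"]), "expiry": fields["exp"], "service_code": fields["svc"]}
    if "name" in fields:  # track 2 has no name field
        kept["name"] = fields["name"]
    return kept


def scan_line(line: str) -> list:
    """Classify prohibited data in one log line: 'track1', 'track2', 'pan' (unmasked and
    Luhn-valid) and 'cvv'. Returns a sorted list of finding kinds; empty means clean."""
    found = set()
    if TRACK1_RE.search(line):
        found.add("track1")
    if TRACK2_RE.search(line):
        found.add("track2")
    for m in PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("pan")
    if CVV_RE.search(line):
        found.add("cvv")
    return sorted(found)


# Constructed samples: test card numbers, a fictitious cardholder, expiry 01/2029.
TRACK1_SAMPLE = "%B4111111111111111^DOE/JANE^29011011234567890?"
LOGS = [
    "2024-05-01 12:00:01 POS01 auth ok pan=411111******1111 amt=4.50",
    "2024-05-01 12:00:02 POS01 debug track1=%B4111111111111111^DOE/JANE^29011011234567890?",
    "2024-05-01 12:00:03 POS02 retry pan=5555555555554444 cvv2=123",
    "2024-05-01 12:00:04 POS02 order=20240501000123456 status=ok",
    "2024-05-01 12:00:05 POS03 dump ;5555555555554444=29011011234567890?",
]

if __name__ == "__main__":
    fields = parse_track(TRACK1_SAMPLE)
    print("parsed:", fields)
    print("retainable:", retainable(fields))
    for line in LOGS:
        print(scan_line(line) or "clean", "|", line)
```

The Luhn check is what keeps the scanner useful: the 17-digit order number on the fourth line matches the digit-run pattern but fails mod-10, so only the debug dump, the retry line with its CVV2, and the raw Track 2 line are flagged. A real deployment would run this over terminal, web server and application logs, since debug logging of raw track or card data is the usual way a merchant ends up storing sensitive authentication data without meaning to.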
When making online purchases, a website will ask for the full card number, expiration date, first and last name, billing address and ZIP code, and the CVV. It is extremely important that the organizations behind these websites have controls in place to protect this information. This is where PCI (Payment Card Industry) comes in.
In 2006, Visa, Mastercard, American Express, Discover and JCB came together and formed a council called the PCI Security Standards Council (PCI SSC) to manage the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS replaced the brands’ separate security programs with a single unified standard. The council drew on experts from around the world to write controls and standards for how merchants and service providers must protect their customers’ card data.
These controls are now known as the PCI DSS requirements, which any business that stores, processes or transmits cardholder data is required to follow.
PCI DSS is organized into 12 main requirements. The wording below is from PCI DSS v3.2.1; v4.0, published in 2022, covers the same 12 areas but rewords them and adds controls.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software and programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
Source: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
These 12 main requirements are also broken down into many sub controls for a total of nearly 300 different controls.
How a business must validate its compliance depends on how many card transactions it processes each year. Each card brand sets its own thresholds; the Visa levels, which the other brands broadly mirror, are:
Level 1 – More than 6 million transactions per year (a brand can also assign Level 1 at its discretion, for example after a breach)
Level 2 – 1 million to 6 million transactions per year
Level 3 – 20,000 to 1 million e-commerce transactions per year
Level 4 – Fewer than 20,000 e-commerce transactions, and up to 1 million total transactions, per year
Level 1 businesses must obtain a yearly RoC (Report on Compliance). This requires a QSA (Qualified Security Assessor), a firm certified by the PCI SSC, to audit the organization against every applicable control and verify the evidence that proper security is in place. This can be a lengthy and expensive process, but because of the number of cards the company is processing, it is required. Levels 2, 3 and 4 are generally not required to have an RoC; they must abide by the same controls and self-validate with the applicable Self-Assessment Questionnaire (SAQ) and Attestation of Compliance, although some brands require a Level 2 SAQ to be completed by a QSA or a trained Internal Security Assessor (ISA). Depending on the SAQ type, merchants at every level also need passing quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Compliance never equals security, but PCI DSS has been a strong driver for organizations to put proper security measures in place, and it remains one of the most prescriptive and demanding frameworks in use. Becoming PCI compliant shows that a company has done its due diligence against a defined baseline for protecting its customers’ card data. Validation is a point in time, though: the controls have to be operated and monitored between assessments for that protection to hold.
It can certainly be hard to understand each PCI control and what it means. If your organization processes credit cards and you want to ensure that you are aligned with the PCI framework, reach out to us at Appalachia Technologies 888-277-8320.
Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.