As identity theft became an increasingly serious issue during the rapid expansion of the digital age, the four major credit card companies realized the need to protect cardholders from misuse of their personal information. Visa, MasterCard, Discover and American Express jointly created the Payment Card Industry (PCI) Data Security Standard (DSS) in 2004 to maximize the security of credit, debit and cash card transactions.
ARMS Inc., while not a direct processor of cardholder data (CD), serves as a downstream entity service provider for retailers and other companies who collect CD. As custodians of documents and data that may contain relevant cardholder data, ARMS plays an important role in protecting this sensitive information. ARMS adheres to the PCI DSS 3.2 SAQ D for Service Providers, a third-party certification designed to ensure physical and network security is in place to safely store and manage critical data.
The 6 Primary Components to PCI Certification
The PCI DSS governing body defines six major objectives that service providers such as ARMS must meet in order to earn and retain PCI certification:
- A secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors. Customers should be able to conveniently and frequently change such data.
- Cardholder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers’ maiden names, Social Security numbers, phone numbers and mailing addresses should be secure against hacking. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit card transactions, but particularly in e-commerce conducted on the internet.
- Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered. Patches offered by software and operating system vendors should be regularly installed to ensure the highest possible level of vulnerability management.
- Access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect themselves and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash.
- Networks must be constantly monitored and regularly tested to ensure all security measures and processes are in place, functioning properly and kept up to date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures. These programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently if not continuously.
- A formal information security policy must be defined, maintained and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for noncompliance may be necessary.
Full-Service Information Management and Destruction Services
ARMS is an industry leader in records and information technology solutions, providing organizations “best practice” consulting in the Green Bay, Wisconsin, area and across the United States. ARMS is an SSAE 16-audited company that meets today’s information regulatory requirements such as HIPAA, HITECH and FACTA. Services include traditional document storage, certified information destruction, data protection and media vaulting, and automated workflow solutions.
ARMS provides a variety of information protection solutions including off-site data and records storage, disaster recovery, document digitization, and secure shredding. To find out how ARMS can help you protect your critical information, please call 877-764-2767 or visit https://arms4rim.com/.
View original article on PCI Certification here.