PCI Hosting Information & Guide

The guide to PCI Compliance and PCI Web Hosting

Unanticipated Changes Could Cost You in Compliance

The business world has always changed quickly, but rapid advances in technology have brought things up to light speed. If you’ve made any recent changes to your business, it’s worth taking a few hours to review whether your PCI compliance services are still keeping you protected. Here are some things to keep an eye on.

Changing Levels

The PCI DSS requirements apply to every merchant, but how you must validate compliance depends on your merchant level, which your acquirer assigns from your annual card transaction volume. If business is booming and you've crossed into a higher level, the validation you did last year may no longer count: a Level 1 merchant, for example, must have an annual on-site assessment and a Report on Compliance from a Qualified Security Assessor instead of a self-assessment. Your PCI compliant web hosting provider's evidence has to keep pace too, so confirm that it can supply a current Attestation of Compliance covering the services it performs for you, and that those services are actually the ones your assessor will be asking about.

Your scope may have changed as well, not in terms of transaction volume but in terms of process. One small change on the IT side, such as letting developers push code changes or query certain tables from home, can move cardholder data out of the secured environment. Any system that stores, processes or transmits cardholder data, or that can connect to one that does, is in scope for the PCI DSS, and remote access into that environment from outside your network must use multi-factor authentication. If a developer's home machine now holds an export of the card database, that machine is in scope, almost certainly fails the requirements, and your business could be found in violation of the PCI DSS.

An easy way to double check your existing PCI DSS requirements and make sure that you're still following them is to compare your current configuration, answer by answer, against your most recent Self-Assessment Questionnaire (SAQ). If every answer is still accurate and applicable, you should be able to keep on doing business as usual. If an answer has changed, or if card data now touches systems it did not touch before, check whether you are still eligible for the same SAQ type: a merchant who fully outsources card handling can use the short SAQ A, but once cardholder data reaches your own systems you fall under a much longer questionnaire such as SAQ D.

Checking Permissions and Verifications

Are you sure who has access to your cardholder data? Is your business small enough that you know exactly who’s been hired or fired since the last time you filled out the SAQ? If you can answer yes to both of those questions, you’re well-positioned to maintain your existing PCI compliance services. If you’re not positive, this is something that definitely needs reviewing.

Employees who have been hired, fired or promoted will all mean re-verifying permissions. The PCI DSS expects access to cardholder data to be limited to the people whose job requires it and revoked immediately when it no longer does: if an employee has left the company, or has moved to a department that no longer needs access to cardholder data, their permissions should already be gone. Check your current permissions list against your HR records, flag any account that has no matching employee, and adjust the access accordingly.
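The review described above, as an added example that is not part of the original guide: it reconciles an HR roster against the list of accounts that can reach cardholder data and reports what must be revoked or re-confirmed. The roster, the access list and the set of roles with a business need for cardholder data are constructed sample data and assumptions for this example; your own access-control policy defines the real ones.

```python
"""Periodic access review for the cardholder data environment (CDE).

Reconciles an HR roster against the accounts that can reach cardholder
data and reports what must be revoked. Roster and access list below are
constructed sample data, not a real organisation's.
"""
from dataclasses import dataclass
from datetime import date

# Roles with a documented business need for cardholder data access.
# Assumption for this example; your access-control policy defines these.
CDE_ROLES = {"payments-ops", "dba"}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    active: bool        # False once HR has processed a termination
    last_change: date   # hire, role change, or termination date


@dataclass(frozen=True)
class Grant:
    user_id: str
    system: str         # e.g. "card-db", "pan-vault"
    privilege: str      # e.g. "read", "admin"


# Constructed HR snapshot and CDE access list.
HR_ROSTER = [
    Person("alice", "payments-ops", True,  date(2021, 3, 1)),
    Person("bob",   "marketing",    True,  date(2024, 6, 15)),  # moved out of ops
    Person("carol", "dba",          False, date(2024, 7, 2)),   # terminated
    Person("dave",  "dba",          True,  date(2022, 1, 10)),
]
CDE_ACCESS = [
    Grant("alice", "card-db", "read"),
    Grant("bob", "card-db", "read"),         # role no longer needs it
    Grant("carol", "pan-vault", "admin"),    # should have gone at termination
    Grant("dave", "card-db", "admin"),
    Grant("svc_legacy", "card-db", "read"),  # no HR record at all (orphan)
]


def review_access(roster, grants, since=None):
    """Return (finding, grant) pairs for every grant that fails the review.

    since: if given, a role change after this date is flagged even when the
    new role still qualifies, so the reviewer re-confirms the need.
    """
    people = {p.user_id: p for p in roster}
    findings = []
    for g in grants:
        p = people.get(g.user_id)
        if p is None:
            findings.append(("orphan account: no HR record", g))
        elif not p.active:
            findings.append(("terminated user still has access", g))
        elif p.role not in CDE_ROLES:
            findings.append(("role has no business need for CDE access", g))
        elif since is not None and p.last_change > since:
            findings.append(("role changed since last review; re-confirm need", g))
    return findings


if __name__ == "__main__":
    for reason, g in review_access(HR_ROSTER, CDE_ACCESS, since=date(2024, 1, 1)):
        print(f"REVOKE/REVIEW {g.user_id:<11} {g.system:<10} {g.privilege:<6} {reason}")
```

Run against the sample data it reports bob (role without a need), carol (terminated) and svc_legacy (no HR record); with `since` set to the date of the last review it also lists anyone whose role changed after that date, which is the cue to re-confirm their need rather than assume it.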

In addition to verifying personnel, you should also verify processes and policies. Part of achieving PCI compliance in the first place should have been writing processes, policies and procedures that line up with the PCI DSS requirements. Yet a policy only protects you while it is followed, and it takes one employee who decides to work around those procedures to make your entire business noncompliant.

Make sure that daily operations are still securely configured, and that all required procedures are being followed consistently. It takes very little to introduce a new vulnerability into the cardholder data environment; regular verification is essential.

Follow Procedure

The PCI DSS requires every entity to review its firewall and router rule sets at least every six months, so make sure you also do so after any hardware change or software upgrade, and that each rule still has a documented business justification. Quarterly external vulnerability scans by an Approved Scanning Vendor and quarterly internal scans are required too, with a rescan after any significant change to the environment, so keeping on top of changes within your company before your assessor or scanning vendor finds them is a good idea.
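The rule set review described above, as an added example that is not part of the original guide: it compares the rule set now running on the CDE boundary firewall against the last approved set and flags the things a Requirement 1 review looks for, namely rules that appeared without a change record, allow rules with no business justification, and rules that let arbitrary or untrusted traffic into the cardholder data environment. Both rule sets and the zone names are constructed for this example.

```python
"""Firewall rule set review after a change, for the CDE boundary.

Diffs the running rule set against the last approved one and flags what a
PCI DSS Requirement 1 review must resolve. Both rule sets below are
constructed sample data.
"""
from dataclasses import dataclass

CDE_ZONES = {"cde"}             # zone names assumed for this example
UNTRUSTED_ZONES = {"internet"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str            # e.g. "tcp/443", or "any"
    action: str             # "allow" or "deny"
    justification: str = ""  # ticket or business reason; empty = undocumented

    def key(self):
        # Identity used for diffing: everything except the free-text reason.
        return (self.src_zone, self.dst_zone, self.service, self.action)


APPROVED = [
    Rule("r1", "internet", "dmz", "tcp/443", "allow", "CHG-101 public web tier"),
    Rule("r2", "dmz", "cde", "tcp/5432", "allow", "CHG-101 app to card DB"),
    Rule("r3", "any", "cde", "any", "deny", "default deny into CDE"),
]
# After a "minor" upgrade someone widened r2 and added r4 and r5.
RUNNING = [
    Rule("r1", "internet", "dmz", "tcp/443", "allow", "CHG-101 public web tier"),
    Rule("r2", "dmz", "cde", "any", "allow", "CHG-101 app to card DB"),
    Rule("r4", "internet", "cde", "tcp/22", "allow", ""),
    Rule("r5", "corp", "cde", "tcp/3389", "allow", "CHG-140 temporary vendor RDP"),
    Rule("r3", "any", "cde", "any", "deny", "default deny into CDE"),
]


def review_rules(approved, running):
    """Return (finding, rule_id) pairs for everything the reviewer must resolve."""
    approved_keys = {r.key() for r in approved}
    findings = []
    for r in running:
        if r.key() not in approved_keys:
            findings.append(("not in approved rule set; needs change record", r.rule_id))
        if r.action == "allow":
            if not r.justification:
                findings.append(("allow rule with no business justification", r.rule_id))
            if r.dst_zone in CDE_ZONES and r.src_zone in UNTRUSTED_ZONES:
                findings.append(("direct inbound from untrusted network into CDE", r.rule_id))
            if r.dst_zone in CDE_ZONES and r.service == "any":
                findings.append(("'any' service permitted into CDE", r.rule_id))
    # Approved rules that vanished matter too: a dropped deny is a silent opening.
    for k in approved_keys - {r.key() for r in running}:
        findings.append(("approved rule no longer present", "/".join(k)))
    return findings


if __name__ == "__main__":
    for reason, rid in review_rules(APPROVED, RUNNING):
        print(f"{rid:<28} {reason}")
```

On the sample data the widened r2 shows up twice (it no longer matches its approved form, and it now permits any service into the CDE), r4 collects three findings, r5 needs a change record, and the original tcp/5432 rule is reported as missing. A rule set identical to the approved one produces no findings, which is the state you want to be able to show an assessor after every change.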

Whether your business has undergone massive restructuring or a few little changes here and there, it’s still a good idea to review your PCI compliance and make sure it’s in good standing. The last thing you want is for an unexpected change to cost you your compliance.