Every week, it seems, yet another company once thought impenetrable is dealing with a major breach of its members' stored data. The protection of consumer credit card data is a serious concern for both buyers and businesses. This is why the PCI Standard was created: to combat the risk associated with paying by debit or credit card. It applies to any merchant or service provider that accepts, stores, processes or transmits cardholder data.
So what exactly does this mean for developers? How can they remain PCI compliant? This article will explain PCI compliance and best practices for testing.
What Is PCI?
PCI is the abbreviated form of the Payment Card Industry Data Security Standard (PCI DSS). All major credit card brands are covered by the standard, including:
This information standard was created to reduce credit card fraud and increase security measures around cardholder data.
Not A One Time Event
Being PCI compliant does not mean a single security measure has been put in place; rather, it is an ongoing process aimed at preventing data theft. The standard requires basic security measures to include:
- Anti-Virus Programs
- End-User Awareness
- Intrusion Detection
- Security Patches
The Growing Concern For Security Measures
Even with PCI Standard security measures in place, cardholder data breaches still happen at an alarming rate. As of August 2015, the Identity Theft Resource Center's report of data breaches ran to over 16 pages and covered industries ranging from major banking institutions to large corporate retail stores. The report can be viewed here.
This information only reinforces how important it is for developers to adhere to the PCI Standard when testing new software for clients. A business' reputation now depends on how well it keeps its customers' information safe.
In addition to the basic obligations outlined above, there are unique elements developers must understand to be PCI Compliant.
- Vendor-supplied default passwords cannot be used for system security or any other security parameter.
- Transmissions across open public networks must be encrypted.
- Developers must maintain secure applications.
- All cardholder data must be restricted to “need-to-know” personnel.
- Each employee must have unique identification if provided computer access.
- Networks must be regularly monitored and tested: all access to network resources and cardholder data must be tracked, and security testing must be regularly scheduled.
Is PCI Compliance a Law?
PCI compliance must be implemented by all merchants that use cardholder data (process, store, or transmit); however, it is not mandatory for all entities. Federal law does not require adherence to PCI Standards, but individual U.S. state laws vary.
An example of such a state-mandated ruling is the 2010 Washington state law, which does not require incorporating the standard, but entities that do are protected from liability should a data breach occur.
It May Not Be The Law, But It Could Cost You Big Time
The two most popular credit card companies, Visa and Mastercard, currently require all merchants to maintain the standard. Small business models are only required to put in place controls but may still be held accountable for liability should fraud occur.
If your company is not in compliance, Visa and Mastercard can issue fines of up to $25,000 a month. In 2006, Visa reported $4.6 million worth of non-compliance fines.
PCI In The Call Center Setting
Front-end collection of data, whether entered manually via a website or by a call center agent, carries a high potential for credit card fraud. More call centers are operating with off-site employees working from home, which poses an even bigger threat, especially if they are working from the cloud.
Cloud Security as a Service (CSaaS) is becoming more popular and has helped cut down some of this risk. To further address these concerns, in 2011 the PCI Council revised its rulings so that companies that previously stored digital recordings could no longer do so if the recordings could not be queried.
PCI Compliant Local Hardware Testing Solutions
Using a local software solution keeps developers compliant when testing software that handles card data. Data is stored in databases, and those databases can be tested remotely, as discussed, or on a local server. When testing is done locally, the hosting occurs on the developer's own computer.
Working from a local server has benefits beyond remaining PCI compliant. Developers do not have to worry about internet connectivity problems or network failures, and the work can be done more efficiently: no files need to be uploaded because they are already on your own computer.
Another advantage of software running on local hardware is that information never leaves the entity's network, so the potential for fraud and data breaches by a third party is severely limited, especially if the company already operates its network to the PCI Standard.
Best Practices for PCI Compliance
The best practice for PCI compliance is continuous testing and improvement. When your company is using a product, such as ours, the opportunity for cross-browser testing, automated capabilities and test automation are all available to run on your own network and be performed in an ongoing fashion.
Any merchant that deals in cardholder data knows the responsibility entrusted upon them. Much can be at stake if a data breach occurs. The guidelines to remain PCI compliant and up to standard can be tricky enough. The testing component of a new project should not be an extra security burden.
An easy solution to this problem is to use testing platforms run locally. This way, cardholder data remains on the merchant’s network and there is a lesser chance of interception.
BrowseEmAll not only helps protect cardholder data by keeping it on the entity's network but also improves the testing job. Testing can be performed on up to 4 unique browsers or mobile devices, and they can run simultaneously. We also offer mobile simulator functionality along with the automation capability mentioned.
No extra encryption is needed, and with BrowseEmAll time is saved. Our optimized testing solutions mean a greater return on investment.