As I wrote on my blog site, www.oversitesentry.com, PCI compliance is a good way to get started if you have not yet set out on the path of building good cybersecurity in your organization.
If you are accepting credit cards, then you _should_ be capable of meeting the PCI compliance standard. That is a lot to take on if you have nothing in place, but it is easier if you do not develop your own code to accept credit cards.
My slightly simplified headings (numbered so the steps can be referred to below):
First, inventory all your systems (software and hardware).
1. Firewall maintenance (set up proper procedures for editing the ACL – Access Control List)
2. Change your default passwords (and create a password policy)
3. Protect stored cardholder data (if you are not developing software or a website that handles cards, this may not be necessary)
4. Encrypt cardholder data in transit – i.e. use devices that encrypt cardholder data (or implement this properly in your own code)
5. Protect all systems against malware (using anti-virus software)
6. Develop and maintain secure applications (only if you are developing software)
7. Restrict access to cardholder data (if developing, authenticate before granting access)
8. Identify and authenticate access to system components
9. Restrict physical access (only qualified people should be able to reach credit card systems)
10. Track and monitor all access to network resources and cardholder data (log systems)
11. Regularly test security systems and procedures
12. Maintain a policy that addresses information security for all personnel
So from this point, one can remove step 6 if no computer code of your own is involved in accepting credit cards.
Step 4 should be handled by the credit card processor's devices.
Steps 3, 7, 8, and 9 are easier with no coding.
Now all you have to focus on are 1, 2, 3, 5, 10, 11, and 12, which you should be doing already; maybe you have no documentation, but it is being done (or should be).
If you ask me, 1, 2, 5, 10, 11, and 12 should be done whether or not you process credit cards. Someone should be accumulating the bits and pieces until you have a proper security policy.
THAT is what we do!! We can help you create a security policy from scratch. Contact Us