How to quickly pass a PCI compliance scan

The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations that businesses need to follow in order to protect sensitive credit card and personal information. It can be hard for small business owners who don’t know how the PCI DSS works, but there are some steps you can take to get compliant quickly and easily. In this blog post, we will discuss what it takes to become compliant with the standards and why you should care about compliance at all!

What is PCI compliance scanning and why is it important for your company?

PCI compliance scanning is the process of checking a company’s computer systems for vulnerabilities that could lead to a data breach. If you are not scanned regularly, your business could be at risk for fines and penalties from credit card companies. In addition, if your company is found to be non-compliant, it could lose its ability to process credit cards.

Compliance with the PCI DSS can take a significant amount of time.

Why should you care about compliance?

Your business’s first priority is to protect sensitive data so it doesn’t fall into the wrong hands and lead to a potential disaster for your company. A small mistake on your part could have enormous consequences, not only for your customers’ privacy but also for your business’s reputation and your standing with the credit card merchants.

In order to become PCI compliant, small businesses need to take the following steps:

How to pass a PCI compliance scan

This can seem like a daunting task, but when you look at what a PCI compliance scan looks for, you can easily prepare for it. Here are the steps you can take right away to ensure you are PCI compliant and your business can pass a PCI compliance scan.

Make sure your firewall is up to date and has proper restrictions

Firewall vulnerabilities are the number one cause of data breaches, so it is critical that your firewall is in good shape and doing its job. Easier said than done, you might think? Well, it’s not that bad actually! Look up the make and model of your firewall.

If you’re not sure, you can contact a local IT support company near you and have them show you where to find this information. Once you have established your make and model, head over to the manufacturer’s website. They will have update files, and you will need to download the file on a computer that is hard wired into the network and connected to the firewall either directly or through a switch.

You will need to log in to the firewall as administrator. This is typically done through the browser: type in the IP address of your firewall, and under settings there will be an update button. Go there and follow the instructions; you will have to upload the update file you downloaded from the manufacturer’s website. This will ensure your firewall has the latest update. If you don’t currently have a firewall and are using the all-in-one modem from your ISP, it’s time to get a real firewall. If you are not sure how to proceed or hook this up, you can find articles online on how to choose a firewall that is right for your business.

No matter what firewall you select, ensure that all inbound traffic is being blocked or minimized to only necessary services.
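The inbound policy described above (block everything, then allow only the services the business needs) can be checked mechanically once you export the firewall's rule list. The script below is an added example, not code from the original post or from any firewall vendor: the three-field rule format, the needed-services list and the sample rules are all constructed for illustration, and you would map your own firewall's export into the same shape before running it.

```python
from dataclasses import dataclass

# Services this (constructed) business actually needs reachable from the internet.
# Anything else that is allowed inbound is reported for review.
NEEDED_SERVICES = {"tcp/443": "HTTPS web shop", "udp/1194": "staff VPN"}


@dataclass(frozen=True)
class Rule:
    """One inbound rule in the simplified format assumed by this example."""
    action: str   # "allow" or "deny"
    source: str   # CIDR block or "any"
    service: str  # "proto/port" or "any"


def is_catch_all_deny(rule: Rule) -> bool:
    return rule.action == "deny" and rule.source == "any" and rule.service == "any"


def audit_inbound(rules: list[Rule]) -> list[str]:
    """Return human-readable findings; an empty list means the rule set
    blocks inbound traffic by default and only exposes needed services."""
    findings = []
    # 1. The last rule must be an explicit catch-all deny; otherwise unmatched
    #    traffic depends on an implicit vendor default you may not control.
    if not rules or not is_catch_all_deny(rules[-1]):
        findings.append("final rule is not 'deny any any'; unmatched traffic may be allowed")
    for n, rule in enumerate(rules, 1):
        # 2. A catch-all deny in the middle makes every later rule unreachable.
        if is_catch_all_deny(rule) and n < len(rules):
            findings.append(f"rule {n}: catch-all deny shadows the {len(rules) - n} rule(s) after it")
        if rule.action != "allow":
            continue
        # 3. Allow rules must name a single service, and that service must be needed.
        if rule.service == "any":
            findings.append(f"rule {n}: allows every service from {rule.source}")
        elif rule.service not in NEEDED_SERVICES:
            findings.append(f"rule {n}: exposes {rule.service}, which is not on the needed-services list")
    return findings


# Constructed sample rule set with two typical problems.
SAMPLE_RULES = [
    Rule("allow", "any", "tcp/443"),          # fine: HTTPS is on the needed list
    Rule("allow", "any", "tcp/3389"),         # remote desktop open to the internet
    Rule("allow", "203.0.113.0/24", "any"),   # one network allowed to reach everything
    Rule("deny", "any", "any"),               # correct catch-all at the bottom
]

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES):
        print(finding)
```

Run against the sample it reports rules 2 and 3; remove those two rules and it reports nothing, which is the state a scan expects to see: a default deny with a short, named list of exceptions.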

Use encryption on all your personal data, including passwords, credit card numbers, and social security numbers

We can think of encryption as a lock on our personal data. It makes it so that if someone unauthorized accesses it, they will not be able to read it without the proper encryption key. This is important because if your company experiences a data breach, the hacker will have all of your encrypted information and will not be able to do anything with it unless they have the key. Same holds true with encrypting devices such as laptops that can be physically stolen or end up in unsuspecting hands.

There are a few different types of encryption algorithms, the most common being AES. This is an open standard that has been vetted by many security experts and is currently used by the US government. You don’t need to be a cryptographer to use it either! Nearly every major operating system has built-in support for AES encryption. BitLocker is the built-in tool on Windows PCs for encrypting the hard drive and all of its data, and it is very effective for mobile devices.

Install Antivirus on every device connected to the internet.

You would be surprised how many businesses don’t have this step in place, and it is one of the easiest things you can do to protect your devices against viruses, malware, ransomware and other types of malicious software that could damage your company data or cause a security breach. Unfortunately, what often happens is that individuals have their own version of AV installed on their computers, and some machines could be out of date.

This can be a huge issue because if you are running different versions of AV, they might have different definitions, and they might not be consistent in how they scan and protect each computer. By installing one centrally managed AV solution on all devices in your company, you will ensure that everyone is using the same protection and that it will be up to date.

Update your Operating System

Operating system (OS) updates are critical for security, and yet many businesses don’t make it a priority to install them. Out-of-date operating systems can be easily exploited by hackers, and updates often include patches for known vulnerabilities. In fact, studies have shown that the majority of cyber-attacks occur because of unpatched vulnerabilities in systems. It’s easy to ensure that you have automatic updates turned on, and this is the best way to make sure all security updates are at least being downloaded.

Ensure you have a strong password policy in place – make them complex enough so they can’t be guessed by brute force attacks or dictionary lists

Don’t use the same password for every account. If you need to keep track of your passwords, then write them down and store them in a secure location – not on your computer or mobile device!
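A password policy is only useful if it is enforced at the point a password is set. The checker below is an added example and not part of the original post: it applies the three properties the text asks for (not guessable by brute force, not on a dictionary list, not reused across accounts). The minimum length, the tiny dictionary, the substitution table and the 60-bit threshold are constructed for illustration; a real deployment would load a full breached-password list in place of COMMON_WORDS.

```python
import hashlib
import math
import string

MIN_LENGTH = 12
# Stand-in for a real breached-password list (constructed for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456", "admin"}
# Substitutions that wordlists already include, so "P@ssw0rd" still counts as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def fingerprint(pw: str) -> str:
    """Hash used only to spot reuse across accounts; a production system
    would use a keyed hash so the fingerprints themselves are not guessable."""
    return hashlib.sha256(pw.encode()).hexdigest()


def brute_force_bits(pw: str) -> float:
    """Size of the brute-force search space in bits, assuming the attacker
    knows which character classes were used."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, used_fingerprints=frozenset()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(any(c in cls for c in pw) for cls in CHAR_CLASSES) < 3:
        problems.append("uses fewer than three character classes")
    # Dictionary check on both the raw lowercase form and the de-leeted form.
    lowered = pw.lower()
    normalised = lowered.translate(LEET)
    hits = sorted(w for w in COMMON_WORDS if w in lowered or w in normalised)
    if hits:
        problems.append(f"contains dictionary word(s): {', '.join(hits)}")
    if brute_force_bits(pw) < 60:
        problems.append("brute-force search space under 60 bits")
    if fingerprint(pw) in used_fingerprints:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "correct-Horse-battery-7Staple"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The reuse check is the part most policies skip: keep a fingerprint of every password already in use for the business's accounts and reject a new one that matches, which is what turns "don't use the same password for every account" from advice into a rule.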

If you are using any cloud storage services like Dropbox or Google Drive that have “sync” features enabled by default, make sure these are turned off.

This is because when your files are “synced” to the cloud, they will also sync down to all other devices that you have logged into with that account, and this can be dangerous if one of those devices falls into the hands of an unauthorized individual. Ensure these features are disabled in your settings or risk exposing sensitive information.

Keep an eye out for suspicious activity like unusual logins or downloads from unknown sources

Hackers will often try to infiltrate your system by doing something as simple as logging in from a different location than the user usually does. They may also try to download files from strange websites that you don’t normally visit. This type of granular view of traffic takes some work, which is why a lot of businesses have IT service providers such as a Managed Services Provider (MSP) that monitor server logs on premises or in the cloud and review account activity in Office 365 and other Microsoft services. Installing a centralized antivirus solution that scans your network and reports all findings back to a single monitored portal is another way to get this visibility.
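The two signals named above, logins from an unusual location and downloads from unknown sources, are simple enough to check in a script before you have a full monitoring service. The detector below is an added example, not code from the original post or from any vendor portal: the log line format, the per-user baseline of expected countries, the list of known file hosts and the sample log are all constructed for illustration, and the three-failures threshold is an assumption you would tune.

```python
import re
from collections import defaultdict

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<fields>.*)$")
FAILURE_THRESHOLD = 3  # consecutive failures before a following success is suspicious

# Constructed sample log: one user's normal day, then an unusual evening session.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z login user=alice ip=198.51.100.10 country=CA result=success
2024-03-01T08:05:40Z login user=bob ip=198.51.100.22 country=CA result=success
2024-03-01T08:10:03Z download user=alice host=sharepoint.example.com file=q1-report.xlsx
2024-03-01T22:41:05Z login user=alice ip=203.0.113.77 country=NL result=failure
2024-03-01T22:41:09Z login user=alice ip=203.0.113.77 country=NL result=failure
2024-03-01T22:41:13Z login user=alice ip=203.0.113.77 country=NL result=failure
2024-03-01T22:41:20Z login user=alice ip=203.0.113.77 country=NL result=success
2024-03-01T22:43:02Z download user=alice host=files.example.net file=setup.exe
"""
# Where each user normally logs in from, and which hosts files normally come from (constructed).
BASELINE = {"alice": {"CA"}, "bob": {"CA"}}
KNOWN_HOSTS = {"sharepoint.example.com", "onedrive.example.com"}


def parse_line(line: str):
    """Split a 'timestamp event key=value ...' line into a dict; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str, baseline: dict, known_hosts: set) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) alerts for the three patterns the post describes."""
    alerts = []
    seen = {user: set(countries) for user, countries in baseline.items()}
    failures = defaultdict(int)  # (user, ip) -> consecutive failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user", "?")
        if rec["event"] == "login":
            country = rec.get("country")
            # Alert once per user and new country, not on every attempt.
            if country not in seen.setdefault(user, set()):
                alerts.append((rec["ts"], user, f"login from new country {country} ({rec.get('ip')})"))
                seen[user].add(country)
            key = (user, rec.get("ip"))
            if rec.get("result") == "failure":
                failures[key] += 1
            else:
                if failures[key] >= FAILURE_THRESHOLD:
                    alerts.append((rec["ts"], user, f"success after {failures[key]} failures from {rec.get('ip')}"))
                failures[key] = 0
        elif rec["event"] == "download":
            host = rec.get("host")
            if host not in known_hosts:
                alerts.append((rec["ts"], user, f"download of {rec.get('file')} from unknown host {host}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG, BASELINE, KNOWN_HOSTS):
        print(ts, user, reason)
```

On the sample this produces three alerts for alice: the first attempt from a country outside her baseline, the success that follows three failures from the same address, and the download from a host not on the known list. Bob's normal login and alice's morning download produce nothing, which is the point of a baseline: the script only speaks up when something departs from it.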

Dmitriy Teplinskiy
I have worked in the IT industry for 15+ years. During this time I have consulted clients in accounting and finance, manufacturing, automotive and boating, retail and everything in between. My background is in Networking and Cybersecurity