Security is no secret sauce, especially for today’s subscription businesses. It is probably the first thing your customers think of when they hand over their payment data. What’s more, that data is often shared with the third-party integrators who implement and manage your subscription management platform. The smart move? Bring in credit card data security solutions from a PCI-DSS compliant IT partner. For instance, if you use Zuora for your subscription management needs, it is smart to seek support from a Zuora implementation partner that is PCI-DSS compliant: the firm handling your payment information is then itself bound by the standard’s controls for secure credit card processing. Keep in mind that a compliant partner does not remove your own PCI-DSS obligations as a merchant; it reduces the scope you have to cover yourself, and the standard still requires you to track which requirements each service provider covers on your behalf.
What does PCI-DSS compliance mean for an IT company working with credit card data?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of stringent global security requirements to ensure the safety of credit card data. Any organization that handles, processes, stores, and/or transmits cardholder data must be PCI-DSS compliant.
PCI-DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), an independent body founded in 2006 by the five major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).
In today’s subscription climate, businesses need an experienced implementer for their subscription management platform. To deliver, that IT partner often needs access to the systems that hold your customers’ credit card data, which places the partner inside your cardholder data environment. This is where a PCI-DSS compliant IT partner becomes key.
What qualifies as tough credit card data security solutions?
PCI-DSS is the single global standard for cardholder data security. An enterprise assessed against it is recognized as a credible provider of credit card data security solutions. Not to forget, this is a payment data security standard mandated by the five major international card brands. Hence, a PCI-DSS compliant IT partner is the sturdiest padlock you can find for your subscription payment data. And in today’s subscription climate, a PCI-DSS compliant Zuora partner might be just what you are looking for.
PCI-DSS is built around twelve requirements, grouped into six control objectives. Organizations that want to process credit card data securely and qualify as PCI-DSS compliant partners must meet all twelve (titles below as in PCI DSS v3.2.1).
What are the twelve steps to becoming a PCI-DSS compliant partner?
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
The ultimate goal of each of these steps is to ensure credit card data security. Here is a brief run-down:
1. Install and maintain a firewall configuration to protect cardholder data – Properly placed firewalls and router rules control traffic into and out of the cardholder data environment (CDE). To be PCI-DSS compliant, partners must document these configurations, restrict inbound and outbound traffic to what the CDE actually needs, and review the rule sets at least every six months.
2. Do not use vendor-supplied defaults for system passwords and other security parameters – Devices such as routers, POS systems, and network appliances ship with vendor-supplied default usernames, passwords, and settings. These defaults are publicly documented and among the first things an attacker tries, so changing every default credential and hardening every system before it enters the cardholder data environment is non-negotiable for secure credit card processing.
3. Protect stored cardholder data – Partners who wish to be PCI-DSS compliant must be clear about the scope, location, and retention period of the cardholder data they store, and must keep that storage to a minimum. Stored primary account numbers (PANs) must be rendered unreadable by truncation, tokenization, one-way hashing, or encryption with strong, well-reviewed algorithms (for example AES-256, with RSA-2048 used for key wrapping rather than bulk encryption), and encryption keys must be managed and stored separately from the data. Sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization, even encrypted. To confirm that PANs are not hiding in logs, databases, or file shares, the partner should regularly run data discovery tools such as PANscan or PIIscan.
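The discovery-and-truncation part of requirement 3, as an added illustration that is not part of the original post and is not the PANscan or PIIscan product: a small Python scanner that finds candidate card numbers in text, uses the Luhn check to discard false positives, and reports or redacts each hit truncated to the first six and last four digits (the most PCI-DSS allows to be displayed). The log excerpt is constructed for the example; the regular expression, the function names and the truncation format are assumptions made here, and a production discovery tool also has to scan databases, file shares, backups and memory rather than plain text.

```python
from __future__ import annotations

import re

# Constructed sample input for this example: an application log in which
# two checkout lines leak full card numbers and one line holds a 16-digit
# value that is NOT a card number (it fails the Luhn check).
SAMPLE_LOG = """\
2024-03-01T10:15:02Z checkout ok order=A1001 card=4111111111111111 amount=49.99
2024-03-01T10:15:09Z checkout ok order=A1002 card=5500 0000 0000 0004 amount=12.00
2024-03-01T10:16:44Z trace id=1234567890123456 session=deadbeef
2024-03-01T10:17:10Z checkout fail order=A1003 card=378282246310005 reason=declined
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run. PAN length is 13-19 digits (ISO/IEC 7812).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS requirement 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits_only(candidate: str) -> str:
    """Strip the space/hyphen separators a candidate match may contain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, truncated_pan) for each Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = _digits_only(match.group())
            if luhn_valid(digits):
                hits.append((lineno, truncate_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its truncated form; leave other digit runs intact."""
    def _sub(match):
        digits = _digits_only(match.group())
        return truncate_pan(digits) if luhn_valid(digits) else match.group()
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: PAN found -> {masked}")
    print(redact(SAMPLE_LOG))
```

Any hit is itself a finding: a log that records full PANs is out of compliance regardless of how it is cleaned up afterwards, so the fix is to stop the application writing them, then redact and rotate the affected files. The Luhn check only trims false positives; it does not prove a number is a live card, so every hit still needs a human look.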
4. Encrypt transmission of cardholder data across open, public networks – Cardholder data is passed to payment gateways and processors for transaction processing, usually over the public internet. Strong transport encryption (current TLS versions, SSH, or IPsec VPNs) protects it from interception in transit and is a precondition for secure credit card processing. SSL and early TLS (1.0) no longer count as strong cryptography under PCI-DSS, and PANs must never be sent unprotected over end-user messaging such as email or chat.
5. Protect all systems against malware and regularly update anti-virus software – An up-to-date anti-malware routine helps keep malware at bay. Anti-virus and anti-malware programs on a PCI-DSS compliant partner’s systems must always be active, kept at current versions and signatures, generating audit logs, and protected so that users cannot disable them.
6. Develop and maintain secure systems and applications – PCI-DSS requires that systems and applications be kept current with security patches, with critical patches applied within a month of release. For secure credit card processing, every component in the PCI-DSS landscape, from browsers to operating systems to POS terminals, must be covered by the patching process, and software developed in-house must follow secure coding practices.
7. Restrict access to cardholder data by business need to know – Role-based access control (RBAC) with a default-deny posture must be in place in the PCI-DSS compliant partner’s ecosystem, so that each role can reach only the cardholder data its job requires. The team members with access to data, along with their respective roles, must be documented.
8. Identify and authenticate access to system components – Every team member with organization-provided system access must have a unique ID, so that actions can be traced to an individual; shared or generic accounts are not permitted. Authentication must use strong passwords or other credentials, and multi-factor authentication is required for all remote network access originating from outside the network and for all non-console administrative access to the cardholder data environment.
9. Restrict physical access to cardholder data – Physical pathways to locations where cardholder data resides must be secured using electronic access controls such as badge readers, backed by video cameras whose recordings are retained and reviewed. A PCI-DSS compliant partner issues visible badges that distinguish authorized employees from visitors and controls physical access to any media and devices that hold cardholder data.
10. Track and monitor all access to network resources and cardholder data – All systems in the PCI-DSS landscape must have audit logging enabled, with clocks synchronized, and must forward their logs to a centralized syslog or SIEM server that the originating systems cannot alter. Logs for critical systems must be reviewed daily to detect and address anomalies, and audit history must be retained for at least a year, with the most recent three months immediately available.
11. Regularly test security systems and processes – Regular testing must be an integral part of the PCI-DSS compliant partner’s security routine: quarterly scans for rogue wireless access points, quarterly external vulnerability scans of internet-facing IPs and domains by a PCI SSC Approved Scanning Vendor (ASV), quarterly internal vulnerability scans, and application and network penetration tests at least annually and after any significant change.
12. Maintain a policy that addresses information security for all personnel – The IT company’s information security policy must be reviewed annually and shared with all stakeholders. This forms the basis for secure credit card processing. Alongside it, there must be an annual risk assessment identifying all critical assets, threats, and vulnerabilities.
Does your credit card data service provider really need PCI-DSS certification?
Yes, it does! Tying up with an IT partner that processes credit card data securely brings numerous benefits to your business. A PCI-DSS compliant partner not only helps you build customer trust, but also lowers the likelihood and impact of data breaches, and with them the fines and losses that follow.
A PCI-DSS compliant Zuora partner that keeps up with the latest developments in payment data security is the right fit. The partner should also understand how credit card data security, and the standard itself, have evolved over the years.
Estuate is the first-ever Zuora partner to receive the PCI-DSS certification
We are the first global system integrator in the Zuora ecosystem to receive PCI-DSS certification. Numerous businesses around the world rely on us for the security and governance of their data, including payment and credit card information. PCI-DSS certification adds a further layer of assurance that credit card data is processed securely.
Ensuring compliance with PCI-DSS is one of the strategic initiatives of our Zuora practice team. Over the past 9+ years, this group of Zuora-certified consultants has driven 400+ successful Zuora implementations worldwide.
PCI-DSS compliance is the latest addition to our portfolio of compliance standards. In 2019, we received ISO 13485:2016 certification (compliance with regulatory requirements for quality management in the medical device industry).
In 2018, we were certified to ISO 27001:2013 (the most widely recognized international standard for information security management). We also hold other compliance certifications, such as EU-U.S. Privacy Shield, SOC 2 Type 2, and the Western Regional Minority Supplier Development Council (WRMSDC) certification.