This is part 3 in our series about compliance requirements under the PCI Data Security Standard (PCI DSS). The PCI standards are technical and operational requirements, set forth by the PCI Security Standards Council, intended to protect cardholder information. We are working through these specific compliance aspects:
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting
The overall goal of PCI DSS compliance is to protect cardholder information from being stolen. When you activate your e-commerce website you will need to hire an outside company to test and certify that your website is free from security holes.
But protecting your website is only a small part of PCI compliance. You might find this surprising, but the computer network inside your store also needs to be compliant. That's #2 on our list above.
2. Protecting internal and wireless networks in your store.
An e-commerce jewelry website is a perfect target for any hacker: the stored payment card information belongs to people who can afford to buy expensive jewelry online. That thought might be enough to make you lose sleep, but your fears should ease once you start testing and certifying your website for PCI compliance.
On the other hand, you really do need to worry about the security of your jewelry store's computer network. Depending on who your internet service provider (ISP) is, you might have huge holes in your network security.
Many, if not most, cable providers now offer high speed internet access, and all telephone companies provide high speed access of some type. Each company will install some kind of box in your store. That box could be a modem or it could be a router. Whatever it is, you still need to install your own router and firewall behind it.
A few years ago we discovered a security hole that one jeweler was completely unaware of. Locally, here in New Jersey, they were using the cable company's high speed modem without any other protection. Using simple Windows networking to view network computers we were able to see dozens of other computers that were not in the jewelry store. They were actually all the computers from other businesses and apartments on the same street!
That situation was completely frightening because each one of those computers could reach the shared folders and printers that the jeweler had. Imagine the devastation if the data on your POS server, shared for the other computers in your store, were exposed to the whole street that way.
A random hacker will not be able to tap into your store's network in this way unless they know how to find you. It's the teenager next door you should worry about, because they might try to hack you just because it's something fun and cool to do.
The other area of concern for your store is your wireless network. You can install a low cost WiFi network in your store for your employees' iPhones, iPads, and other tablets, but make sure you activate the strongest security settings, and don't give general WiFi access to your customers unless you have two separate networks running.
Without strong WiFi security any hacker could park next to your building and hack into your network without ever stepping into your jewelry store.
To protect your network you need a quality firewall for both the WiFi and the wired network. We recommend the Linksys series by Cisco. They are easy to set up and backed by Cisco's years of experience and reputation in network security.
One final note on network security: change all the default usernames and passwords. Choose very long, hard-to-guess passwords and stay away from passwords like "diamond" and "diamond1."
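As an added illustration (not code from the original post), here is a small Python audit of the points above: factory logins, the WiFi security mode, WPS, passphrase strength, and whether the guest network is really separate from the store network. The configuration schema, word lists and sample settings are all constructed for this example.

```python
import re

WEAK_TERMS = ("diamond", "jewel", "gold", "password", "admin")  # constructed word list
FACTORY_ADMIN = {"admin", "password", ""}                        # constructed factory defaults
STRONG_WIFI = ("WPA2-PSK", "WPA3-SAE")                           # "strongest security settings"

def passphrase_issues(passphrase, min_len=20):
    """Explain why a passphrase fails the 'very long, very hard' rule (empty list = passes)."""
    issues = []
    if len(passphrase) < min_len:
        issues.append(f"shorter than {min_len} characters")
    core = re.sub(r"\d+$", "", passphrase.lower())      # "diamond1" -> "diamond"
    if core in WEAK_TERMS:
        issues.append(f"built on the guessable word '{core}'")
    classes = sum(bool(re.search(p, passphrase)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("uses fewer than three character classes")
    return issues

def audit_store(store):
    """Return findings for a router/WiFi description (constructed schema, see samples below)."""
    findings = []
    if store["admin_user"] == "admin" or store["admin_password"] in FACTORY_ADMIN:
        findings.append("router still uses a factory username/password")
    nets = store["networks"]
    for net in nets:
        tag = f"network '{net['ssid']}'"
        if net["security"] not in STRONG_WIFI:
            findings.append(f"{tag}: {net['security']} is not the strongest setting available")
        if net.get("wps", False):
            findings.append(f"{tag}: WPS is enabled")
        for issue in passphrase_issues(net.get("passphrase", "")):
            findings.append(f"{tag}: passphrase {issue}")
    store_vlans = {n["vlan"] for n in nets if n["purpose"] == "store"}  # networks that reach the POS
    for net in nets:
        if net["purpose"] == "guest" and net["vlan"] in store_vlans:
            findings.append(f"guest network '{net['ssid']}' shares a VLAN with the store network")
    return findings

WEAK_STORE = {   # constructed "before" configuration: one flat network, factory login
    "admin_user": "admin", "admin_password": "admin",
    "networks": [
        {"ssid": "Store", "purpose": "store", "security": "WPA2-PSK", "passphrase": "diamond1", "wps": True, "vlan": 1},
        {"ssid": "Guest", "purpose": "guest", "security": "Open", "passphrase": "", "wps": False, "vlan": 1}]}
HARDENED_STORE = {   # constructed "after" configuration: two networks on separate VLANs
    "admin_user": "jeweler-ops", "admin_password": "Tray7!Bezel-Facet_Lapidary93",
    "networks": [
        {"ssid": "Store", "purpose": "store", "security": "WPA3-SAE", "passphrase": "Tourmaline&Sapphire_4Rows!", "wps": False, "vlan": 10},
        {"ssid": "Guest", "purpose": "guest", "security": "WPA2-PSK", "passphrase": "WelcomeToOurShowroom#2024", "wps": False, "vlan": 20}]}
```

Calling `audit_store(WEAK_STORE)` lists the factory login, the WPS setting, the "diamond1" passphrase and the shared VLAN, while `audit_store(HARDENED_STORE)` returns no findings.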