This is part 5 in our 6 part series about compliance requirements with the PCI Data Security Standards (PCI DSS).
Over the last 4 days we've probably frightened you to death with all this security stuff. But that's what we do here at jWAG, we don't sugar coat anything. This PCI Compliance stuff is a necessary evil in understanding what you need to do for website security and jewelry store network security.
Here's our list of topics with links next to the previous day's Nuggets.
Introduction: You will hate PCI compliance too
1. Storing cardholder data on your website
2. Protecting internal and wireless networks in your store
3. Security used in payment card applications
4. Controlling which of your employees has access to cardholder data
5. Frequency of testing and reporting
4. Controlling which of your employees has access to cardholder data.
You may not think your in-store point of sale system is a security risk. Actually, unless your POS software is exposed directly to the internet it probably won't ever need to be directly tested against hacking attacks. However, inside your store it's not hackers that you need to worry about, but rather security relating to your employees or others who might access your computers.
This is where #4 on our list comes into play. Any accounting software you use internally needs to (at least) encrypt the payment card numbers. Only you, your accountant, and bookkeeper should have access to the actual credit card numbers. Employees not involved with financial activities should not have access.
QuickBooks is a popular accounting and POS software package. Inside that software any employee is allowed to type in a payment card number, but as soon as your cursor moves away from the cardnumber field, the number is encrypted. In order to be PCI Compliant, Intuit, makers of QuickBooks, have set up password levels so only authorized employees can see the cardnumbers.
Many retail jewelers use well known industry POS software. Some examples include The EDGE by Abbott Jewelry Systems, JewelMATE by Logitmate, and DiamondCounter by InCom Technical Solutions. Each of these needs to have some type of encryption to protect the cardnumbers just like QuickBooks does. (We don't get a kickback for mentioning those 3 software companies, they just happen to be the first 3 we thought of.)
With regards to your website, you need to make sure your e-commerce software allows different levels of permissions. The employee that's in charge of updating the product catalog and the web page content surly doesn't need access to stored cardholder information.
When you're evaluating an e-commerce platform you need to make sure that the website not only protects from hacking attempts, but also provides login security levels.
Even though you might only have 1 employee helping with your website, you might also have outside consultants helping with online marketing and SEO. These consultants should never have access to stores cardnumbers.
To tie it all together, tomorrow we're going to explain the process of PCI Compliance testing and wrap up this Daily Golden Nugget series after a grueling 6 days.
