PCI Vulnerability Scans
As part of our maintenance contract we are now carrying out regular external vulnerability scanning of our clients' internet connections to ensure that they are secure.
This involves a server outside of your network scanning your internet connection for any known issues. To ensure that these scans meet a formal level, we strive to ensure that clients meet the PCI standard.
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory annual assessment and set of requirements introduced by the five founding members of the PCI Security Standards Council: Visa, MasterCard, American Express, Discover and JCB. It is enforced by all merchant acquirers in order to protect businesses and customers against credit card fraud.
If your business takes credit card payments, being compliant is not just an insurance policy providing you with financial protection if credit card fraud were to occur in your business; it is a necessity (you may have already been contacted by your bank). If you don’t take payments, being compliant is still an excellent standard to achieve in order to feel confident about the security of your network.
Why have we started doing this?
We have been scanning for about a year but made the decision in the light of the EU change in data protection laws coming into place next year (GDPR) that we would scan with a recognised PCI partner to strive to ensure that clients meet an industry standard.
We encourage clients to take additional security steps, following as many of the below guidelines as practical, including:
- Anti-Virus & Malware software is up to date on an hourly basis.
- Monitor live AV issues and talk to users about usage patterns – for example if we get an alert about a specific site being blocked.
- Windows is up to date on a regular basis – every quarter as part of maintenance.
- Users only have user rights on the network – if users have the correct security access then the majority of viruses won’t even run!
- Windows UAC is in place – if a virus does try to run, UAC will prompt the user to confirm whether that is intended.
- Users only have access to data that they require – in order to limit damage if there is an infection.
- An Email and Internet usage policy is in place – so that users are clear that the internet and email should only be used for business purposes.
- Restrictions on internet usage – so that many sites (including social media) are blocked. This helps to reduce the chance of infection from a website, and also blocks many viruses that are started from within an email.
- Disable USB and CDROM access.
- Encrypted drives for mobile devices, including smart phones, tablets and laptops.
- Restrict access to company data to only company owned devices – ensuring secure connections and reducing access by insecure devices, home machines and personal devices.
- Block all emails that contain Macros – many viruses are actually started from a simple Macro contained in an email. By default we block all Macros, as they are rarely required.
- Separate the Wi-Fi - so that this doesn’t give access to the internal network.
- FREE quarterly PCI scans - to ensure that the network is safe from outside attack, PCI compliance is a requirement from many banks and insurance companies.
- FREE training - for all staff to highlight what to look out for
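Several of the guidelines above can be checked locally on a Windows workstation. The following PowerShell script is an added example (not part of this email or the company's tooling) that reads the relevant settings and reports which of the controls are in place: UAC enabled, the current user not being a local administrator, the date of the last Windows update, the age of the Defender antivirus signatures, and whether USB storage is disabled. The cmdlets and registry locations used are the standard Windows ones; the one-day signature threshold and ninety-day update threshold are assumptions chosen for illustration.

```powershell
# Audit a handful of the workstation controls listed in the email.
# Run from an elevated PowerShell prompt on Windows 10 or later.
# Added illustration; thresholds below are assumptions, not PCI requirements.

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is switched on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 1)
}

function Test-CurrentUserIsAdmin {
    # True if the interactive user holds local administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DaysSinceLastUpdate {
    # Most recently installed hotfix, as a rough proxy for patch currency.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return $null }
    return (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
}

function Get-AvSignatureAgeHours {
    # Age of Microsoft Defender signatures; other AV products need their own check.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) { return $null }
    return [math]::Round((New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).TotalHours, 1)
}

function Test-UsbStorageDisabled {
    # Start = 4 disables the USBSTOR driver, blocking USB mass-storage devices.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $val = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    return ($val -eq 4)
}

# Assumed thresholds for the report (illustrative only).
$MaxSignatureAgeHours = 24
$MaxDaysSinceUpdate   = 90

$sigAge  = Get-AvSignatureAgeHours
$updAge  = Get-DaysSinceLastUpdate

$report = [ordered]@{
    'UAC enabled'                 = Test-UacEnabled
    'User is NOT local admin'     = -not (Test-CurrentUserIsAdmin)
    'Windows updated recently'    = ($updAge -ne $null -and $updAge -le $MaxDaysSinceUpdate)
    'AV signatures current'       = ($sigAge -ne $null -and $sigAge -le $MaxSignatureAgeHours)
    'USB storage disabled'        = Test-UsbStorageDisabled
}

foreach ($check in $report.GetEnumerator()) {
    $state = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $check.Key)
}
Write-Output ("Days since last update: {0}; AV signature age (hours): {1}" -f $updAge, $sigAge)
```

The script only reads settings and reports them; it does not change anything. A FAIL line points at which of the email's guidelines to raise with the office, and the update and signature checks are deliberately conservative (a machine with no hotfix history or without Defender reports FAIL rather than OK).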
We are also encouraging clients to work with us so that they can achieve the Government’s Cyber Security Certification (http://jjsys.uk/2s0ZDLY).
If you have any queries regarding any of the points covered in this email please do not hesitate to give the office a call on 01227 371375.