Robert Ramsay, Director and SOC Reporting Practice Leader
Zachary Riggs, Senior Assurance Associate
Kat Jenkins, Marketing Director
February 2021
Kat Jenkins (00:09): Hi, and welcome to Barnes Denning Ask the Experts, I’m Kat Jenkins, marketing director. And today SOC reporting practice leader and director Robert Ramsay talks with senior assurance associate Zachary Riggs about PCI-DSS compliance. Robert and Zachary, thanks for joining us.
Robert Ramsay (00:27): Thank you, Kat. I appreciate you setting this up for us, great to talk with you today. Yeah, we’re excited to talk a little bit about the payment card industry data security standards. There’s a few kind of high level things that it means to our clients. And then a little bit of history. The industry wanted to self-regulate a little bit so that government didn’t come in and impose regulation on them. And so back in 2004, the payment card industry data security standards were born and they gave guidelines and guidance for those processing credit cards.
Robert Ramsay (01:05): And it’s really, throughout the US, it’s become a de minimis kind of baseline for data security in a lot of places. And here in Ohio, there’s actually… Our security laws give small businesses credit for being compliant as if they’re doing reasonable best practices, which is really nice. And it is a baseline for data security. It’s super-thorough, it’s very precise on cardholder data. But in general, for an environment to be protected following these standards is a really great place to start though. Zachary, do you mind talking us through those kinds of goals and requirements that come from PCI?
Zachary Riggs (01:47): Yeah, absolutely. So PCI, it’s one of the more popular data regulation standards, and I thought I would just kind of go over the main six goals of it. It’s pretty robust, but at a high level, the first one is really just building and maintaining a secure network. And this is dealing with firewall management, strong passwords, not using default passwords. The second one is protecting the actual cardholder data. And a lot of this requirement is around encryption and dealing with wireless networks, making sure it’s private, not public. The third one is when you get into your vulnerability management program and that’s dealing with having proper antivirus, not being able to disable it and making sure you’re pushing out the right patches to all the machines on your network.
Zachary Riggs (02:36): The fourth is dealing with access control, and that can be logical access. Logical access in the PCI standards is dealing with user IDs, passwords, making sure no terminated employees still have access or logins. And then the other part of access controls, physical access. If you’re storing any credit card data on pieces of paper in the office. The fifth is dealing with monitoring and testing your network. This gets into any type of logging tools or IDS tools and kind of doing log reviews. The sixth goal is really an information security policy, and that gets into formal documentation and having your standards written out. And for everybody that interacts with cardholder data at your company, that they understand what their responsibilities are.
Robert Ramsay (03:31): Hey, thanks Zachary, that’s a great overview. And that does kind of inform, so it is a broad background or baseline for a lot of security and we use it to help our small business clients. We use it as a data security checkup against the data security standards from PCI. We also help them if they’re accepting credit cards, and this applies to small businesses and a lot of not-for-profits, we help them with their self-assessment questionnaires so we can help them be compliant on the scale where they’re at, given their volume of transactions. We do that quite often and I think it’s very helpful so they can let their owners or their board know that yes, we’re doing best practices, we’re being compliant, we’re dotting our I’s and crossing our T’s. And they come out of that with some data security advice, some really good documentation on their environment and some quality training for their people, occasionally some reduced fees as well for their credit card processing.