PCI Compliance Security in Plain Language: What All IT Managers Need to Know
E-commerce is witnessing unprecedented growth. CreditCards.com reports that a total of $109.3 billion was spent in Q4 2016 alone – an increase of 18 percent from Q4 2015.
Although this surge in online shopping is great for digital retailers and business is booming, there’s a dark side. With such a large number of consumers paying online, there’s been a massive spike in cyber crime. According to CSO Online, damages are expected to reach $6 trillion annually by 2021.
But it runs deeper than just E-commerce. The majority of brick-and-mortar businesses accept credit and debit card payments as well, which fuels the problem even more.
At this point, it has become an epidemic. Cyber criminals can steal sensitive financial and personal information in relative anonymity leaving devastation in their wake.
In order to mitigate cyber crime and payment card data breaches, the Payment Card Industry Data Security Standard (PCI DSS) was released back in 2004.
A Brief Overview
The PCI DSS is defined by TechTarget as “a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.”
It was initially launched by Visa, Mastercard, Discover and American Express. However, Tokyo-based credit card company JCB International is now part of the council as well. The PCI DSS was designed to serve as an information security standard to mitigate the threat of data breaches and protect consumers’ sensitive information.
Although the initial version was released in December 2004, there have been multiple updates over the years with the most recent being in April 2016. As security threats continue to evolve and cyber attackers become increasingly sophisticated, the PCI DSS must evolve as well.
What IT Managers Need to Know
The first thing you’re probably wondering is whether or not this standard applies to your organisation. Is it even something you need to concern yourself with?
It’s simple. If your company accepts, processes, transmits or stores credit card payments from customers, you’re required to comply with the PCI DSS.
Considering the fact that many of today’s businesses accept payment cards in some form, this standard applies to a large percentage of enterprises. You also need to know that the size of a business is irrelevant. Whether small, mid-sized or large, all companies are expected to comply.
It’s not an option. It’s mandatory.
As an IT manager, you don’t necessarily need to understand all of the minute intricacies and details as they’re quite arduous and long-winded. If you’re curious about the specifics, you can view the most current version of the PCI DSS here.
What’s important is that you understand the core elements.
6 Goals and 12 Requirements
The official PCI Security Standards Council website states that there are six goals and 12 specific requirements in place in order to reach those goals.
They are as follows:
Goal #1 – Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
You’ll need to have an effective firewall in place to keep customers’ sensitive financial information secure. When it comes to passwords, they should always be strong and unique. Never keep the default passwords the software vendor shipped with the product, because these create vulnerabilities.
Goal #2 – Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
If you store customers’ data for any length of time, you’ll need to have multiple levels of defence in place to protect it. This can include both digital security, such as authorisation and authentication, as well as physical security, such as guarding servers/equipment and monitoring who can access them.
In terms of encryption, this simply means that plaintext is converted into ciphertext so that it cannot be decoded by unintended parties. Although this doesn’t eliminate threats entirely, it significantly reduces any risks.
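As an added example (not part of the original article, and not code from the PCI Security Standards Council), the following Python shows two ways of keeping a stored primary account number (PAN) from being readable, alongside a check that no full PAN has leaked into places like logs or exports. Masking to the first six and last four digits is the PCI DSS display rule; the keyed one-way hash lets you recognise the same card across records without keeping the PAN. The key, the Luhn filter and the sample values are assumptions constructed for the example; a real key would come from a key-management system, never from source code.

```python
import hashlib
import hmac
import re

# Hypothetical key, constructed for this example only.
# In production the key lives in a key-management system and is rotated.
TOKEN_KEY = b"hypothetical-32-byte-secret-key!"


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-...' compare equal."""
    return re.sub(r"\D", "", pan)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used here only to cut false positives when scanning text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (the PCI DSS masking rule)."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way hash of the full PAN.

    An unkeyed hash would be brute-forceable because the space of valid PANs
    is small, so the key must be protected like an encryption key.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def contains_unprotected_pan(text: str) -> bool:
    """Return True if a string (log line, export row) carries a full, Luhn-valid PAN."""
    for candidate in re.findall(r"(?:\d[ -]?){13,19}", text):
        digits = _digits(candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    sample = "4111 1111 1111 1111"
    print(mask_pan(sample))            # 411111******1111
    print(pan_token(sample)[:16], "...")
    print(contains_unprotected_pan("order 123 card " + sample))    # True
    print(contains_unprotected_pan("order 123 card " + mask_pan(sample)))  # False
```

The scan function is the piece to run over log output and database dumps before they leave the cardholder data environment; a single True result is a finding that needs the same handling as any other unprotected storage.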
Goal #3 – Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Not only must you install effective anti-virus software, it must be regularly updated in order to thwart attacks. You should remember that this isn’t a one-off type of deal. Malware and other attacks become increasingly advanced over time, so maintaining anti-virus best practices is a must.
When it comes to systems and applications, you’re responsible for using a hosting provider who is PCI compliant and for using a system that automatically alerts you whenever threats or vulnerabilities are detected. This way you can act quickly and hopefully prevent a minor issue from escalating into a major one.
Goal #4 – Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
This mainly relates to physical security and restricting who has access to sensitive information. Limiting the number of individuals who have access to cardholder data reduces the chance of an incident occurring.
Providing individuals with a unique ID involves following password best practices like using strong, unique passwords, routinely updating them, etc. As for restricting physical access, this can include taking serious security measures when accessing servers such as implementing biometrics systems (e.g. fingerprint and retinal scanning) as well as surveillance cameras.
Goal #5 – Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
This is pretty straightforward and involves using systems that log whenever someone accesses them and tracking who those individuals are. You’ll also want to get into the habit of routinely testing all aspects of security to ensure that it’s functioning properly.
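To make the logging and access-restriction points above concrete, here is an added Python example (not from the original article or any PCI Council material) that runs three checks over an access log for a cardholder data store: reads by a user who is not on the need-to-know list, reads under a shared account rather than a unique ID, and repeated login failures inside a short window. The log format, the user names, the authorised list and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical format:
# <ISO timestamp> user=<id> action=<login|read|write> resource=<name> result=<ok|fail>
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice action=login resource=cde-db result=ok
2024-03-01T09:02:40Z user=alice action=read resource=cardholder_table result=ok
2024-03-01T09:05:03Z user=bob action=read resource=cardholder_table result=ok
2024-03-01T09:10:00Z user=shared-admin action=read resource=cardholder_table result=ok
2024-03-01T22:14:05Z user=mallory action=login resource=cde-db result=fail
2024-03-01T22:14:09Z user=mallory action=login resource=cde-db result=fail
2024-03-01T22:14:12Z user=mallory action=login resource=cde-db result=fail
2024-03-01T22:14:15Z user=mallory action=login resource=cde-db result=fail
"""

# Hypothetical need-to-know list: who may read each cardholder data resource.
AUTHORISED = {"cardholder_table": {"alice"}}
# Hypothetical generic accounts that should never touch cardholder data.
SHARED_ACCOUNTS = {"shared-admin", "root", "admin"}
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_str, *fields = line.split()
    record = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_alerts(log_text: str) -> list:
    """Return (alert_type, user, resource) tuples for the three checks."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)

        # Successful data access: must be a unique, authorised ID.
        if r["action"] in ("read", "write") and r["result"] == "ok":
            allowed = AUTHORISED.get(r["resource"])
            if r["user"] in SHARED_ACCOUNTS:
                alerts.append(("shared-account-access", r["user"], r["resource"]))
            elif allowed is not None and r["user"] not in allowed:
                alerts.append(("unauthorised-access", r["user"], r["resource"]))

        # Failed logins: alert once when the threshold is reached inside the window.
        if r["action"] == "login" and r["result"] == "fail":
            recent = failures[r["user"]]
            recent.append(r["ts"])
            while recent and r["ts"] - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated-login-failures", r["user"], r["resource"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

On the sample log this reports bob’s read as unauthorised, flags the shared-admin read because it cannot be tied to one person, and raises a single alert for mallory on the third failed login. The same structure scales to real logs: the parser changes, the need-to-know list is loaded from your access-control system, and the alerts feed whatever you use for monitoring.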
Goal #6 – Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
Incorporating information security into your company’s policies will provide both employees and contractors with a detailed set of guidelines to follow. This will highlight which behaviours are and are not acceptable, how to address potential threats, which procedures to follow and so on.
It’s also smart to educate employees and contractors on information security best practices. A Ponemon Institute report found that careless employees accounted for 56 percent of all data breaches. Equipping these individuals with the right knowledge can be a tremendous asset.
Besides the obvious advantage of having more secure payment processors and protecting cardholders’ data, there are some distinct benefits that compliance with the PCI DSS can have for your company. Perhaps the biggest relates to finances.
Noncompliance fines can be steep and range anywhere from $5,000 – $500,000 USD depending on the nature of the penalty and the time and resources required to investigate it. You can find further details on noncompliance fines on this resource from Focus on PCI. By staying compliant, you greatly reduce the odds of your organisation getting hit with costly fines.
It’s also important to note that there are other costs that can stem from a data breach, which can include damages from lawsuits, loss of business and so on.
Research found that 60 percent of small to mid-sized businesses end up closing their doors within six months of a data breach. Being compliant can save you from financial backlash and even factor into your company’s longevity.
This is also critical for gaining the trust of your customers. Shoppers are more wary than ever and want to ensure that their sensitive financial and personal information is being safeguarded.
HubSpot even points out that concerns about transaction security are the number two reason for online shopping cart abandonment. PCI compliance and being diligent about transaction security is a huge selling point and is likely to increase your overall conversion rate.
Finally, there’s the issue of brand equity. Even a minor data breach can quickly sour your organisation’s reputation. Consumers will become sceptical and may choose to go with competitors they trust.
In a world where nothing is secret and negative press can go viral in hours, protecting your brand reputation is essential.
The Bottom Line
Like it or not, cybercrime and data breaches are a new reality for organisations in the 21st century. Although payment cards offer convenience, they can also compromise security. That’s why the PCI DSS was set into place.
It provides a universal standard for protecting cardholder data and gives companies a detailed sequence of steps to follow. Regardless of size, your organisation is required to comply with the PCI DSS if it stores, processes or transmits customer payment card data.
Doing so protects your customers’ sensitive financial and personal information and significantly minimises the threat of a data breach occurring. At the same time, this mitigates risk for your company as well and can potentially mean the difference between its longevity and going out of business.
If you would like further information or guidance on the steps you can take, we’d be happy to hear from you: contact us today.
Has your organisation ever encountered a data breach or similar threats? Please let us know about your experience: