If you are a service provider or retailer who accepts credit or debit card payments, online or in person, you need to comply with the PCI DSS.
Card numbers are among the most sensitive data consumers hand over, and they are a prized commodity for criminals. Attackers will not wait for you to build strong defenses before they strike, so the goal is to make yourself a harder target by tightening your security program now.
Here are the essentials you need to know about PCI DSS and the steps you can take to prepare for achieving compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard for any organization that stores, processes, or transmits cardholder data for the major card brands (Visa, Mastercard, American Express, Discover, JCB). The card brands mandate and enforce compliance; the Payment Card Industry Security Standards Council (PCI SSC), which the brands founded, maintains and publishes the standard itself.
PCI DSS was first released in 2004 to address the growth in card fraud as online payments became widespread. Today any merchant or service provider that handles cardholder data, whether through an e-commerce site or a point-of-sale system in a physical location, must comply.
PCI compliance has four levels, based on how many transactions a company processes every year:
In addition, each card brand publishes its own table of compliance validation requirements per level, and the transaction thresholds and the type of assessment required (an external Qualified Security Assessor versus an internal assessor or self-assessment) differ somewhat between brands, so check the rules of every brand you accept.
The PCI SSC has outlined a series of requirements for handling cardholder data and securing your network. Follow these steps to get started with PCI compliance for your business.
Start by scoping: inventory every system, application, network segment, and third party that receives, processes, stores, or transmits cardholder data (your cardholder data environment, or CDE), and record each item's current compliance status. The PCI SSC publishes lists of approved PIN transaction security (PTS) devices and validated payment software, which help you confirm the status of the hardware and applications you already run.
Map where and how cardholder data flows through your infrastructure and where it comes to rest. Do not rely on interviews alone: primary account numbers (PANs) routinely turn up outside the systems designed to hold them, in debug logs, backups, support tickets, and spreadsheets, so include automated discovery scans in this step. We also recommend a data classification scheme so that data requiring protection is easy to spot.
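A discovery scan of the kind described above, as an added example that is not part of the original article: it finds candidate card numbers in text, discards strings that fail the Luhn checksum or match no known brand prefix, and reports each hit masked to the first six and last four digits (the maximum PCI DSS 3.2.1 permits to be displayed), so the scan report does not itself become a new store of cardholder data. The sample log lines are constructed for the example; the brand prefix table is deliberately simplified.

```python
"""PAN discovery scan with Luhn validation and PCI-style masking.

Added example, not code from the original article. The sample log is
constructed; the brand table covers only the best-known prefix ranges.
"""
import re
from typing import List, NamedTuple, Optional

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash.
# The lookarounds stop us matching a slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_brand(digits: str) -> Optional[str]:
    """Simplified issuer identification by prefix and length (assumption:
    only the common Visa/Mastercard/Amex/Discover ranges are listed)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and (digits[:4] == "6011" or digits[:2] == "65"
                          or 644 <= int(digits[:3]) <= 649):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return masked, validated PAN findings.

    Requiring both a Luhn match and a known brand prefix trades some recall
    for precision: 15-digit IMEIs, for instance, are Luhn-valid but are
    dropped because no brand issues a 15-digit number starting with an 8."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue        # order IDs, timestamps, reference numbers
            brand = identify_brand(digits)
            if brand is None:
                continue
            findings.append(Finding(line_no, brand, mask_pan(digits)))
    return findings


# Constructed sample: an application log where a PAN leaked into debug output.
SAMPLE_LOG = """\
2024-03-01T10:15:02 INFO order=1234567890123 status=paid
2024-03-01T10:15:03 DEBUG card=4111 1111 1111 1111 exp=12/26
2024-03-01T10:15:04 DEBUG card=3782-822463-10005 exp=01/27
2024-03-01T10:15:05 INFO ref=4111111111111112 retry=1
2024-03-01T10:15:06 INFO callback=+1 415 555 0100
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Run against real logs, file shares and database dumps, the same loop turns up the places the data-flow diagram missed; each hit either has to be brought into the CDE and protected, or, better, eliminated at the source so it never lands there again.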
After this, use the information you gathered in step one to perform a gap analysis. Pay attention to potential vulnerabilities, risks, or areas where you’re currently not compliant. The next six steps map onto the PCI DSS framework and will help you address them.
Beyond the security measures you already have in place, PCI DSS puts two requirements on your network (Requirements 1 and 2 of the standard). You must:
We recommend you go beyond these measures and implement a set of strong cybersecurity policies for your entire organization.
Make sure that any cardholder data you store is kept in a secured environment. The simplest way to meet the storage requirements is not to store cardholder data at all: if you never retain the PAN (for example, by letting your payment processor's tokenization or hosted payment fields handle it), most of the storage requirements fall out of scope. Where you must store it, PCI SSC recommends:
PCI DSS also requires a vulnerability management program for systems in the cardholder data environment. Keep anti-malware software current on in-scope systems, and apply security patches to operating systems and applications promptly; a known, unpatched vulnerability is a finding in itself. We recommend that you also consider:
Access control means restricting which users and processes can reach the systems or premises that hold cardholder data, limited to what each role needs to know. Alongside account privileges and unique user IDs, consider physical safeguards for servers, terminals, and media. Make sure that:
Logging and monitoring belong on the front line of any security program. Without them, breaches go undetected for longer, cause more damage, and cannot be reconstructed afterward. PCI DSS requires that merchants log and monitor all access to network resources and cardholder data, and that those logs be protected from tampering and reviewed.
Additionally, test your security controls regularly and review your policies and procedures to keep them current. At a minimum, conduct an annual review plus a review after every documented incident.
Your final step involves consolidating your procedures and policies into a written information security policy. Document the safeguards, roles, responsibilities, and other security obligations that apply to employees and contractors.
Following this, we strongly recommend security awareness training for your staff. It gets everyone on the same page about why the policies exist and what each person's roles and responsibilities are with respect to information security.
Vulnerability scans must be run at least quarterly (every 90 days): internal scans of in-scope systems, plus external scans performed by a PCI SSC Approved Scanning Vendor (ASV). Level 1 merchants must undergo an annual onsite assessment by a Qualified Security Assessor, resulting in a Report on Compliance; Level 2, 3 and 4 merchants generally submit an annual Self-Assessment Questionnaire (SAQ), although some brands require Level 2 merchants to have the SAQ completed by a QSA or a trained Internal Security Assessor. Regardless of your volume, a merchant that has suffered a breach can be escalated to Level 1 by the card brands and required to undergo the annual onsite assessment.
Non-compliance has numerous consequences, including lawsuits and regulatory action. The PCI fines themselves are levied by the card brands on your acquiring bank, which passes them on to you; commonly cited figures range from $5,000 to $100,000 per month until compliance is achieved. Your bank may also raise your transaction fees, and your ability to process payment cards can be revoked until you become compliant.
Every year, roughly 10 million Americans experience identity theft, with a significant number of them finding their credit card numbers stolen. This can and does wreak havoc since credit cards represent such a major aspect of our lives. Make sure you’re protecting your customers’ most sensitive information by working toward PCI DSS compliance now.
You can make it easier with an information security management platform like Securicy. Your business gets a secure foundation when you use purpose-built tools to generate custom policies, review configurations, and manage an effective information security strategy. Don't settle for stop-gap methods and spreadsheets; get the right tools for the job and keep your customer data safe.