There are numerous regulations that companies in different industries have to contend with as a natural part of doing business. One compliance standard that virtually any company that seeks to process payment card data must follow is PCI DSS (The Payment Card Industry Data Security Standard).
What is PCI DSS? Why does it matter for your business? How can you ensure your company meets PCI DSS requirements both now and in the future? Here’s a brief PCI DSS definition and an explanation of some of the compliance requirements for this data security standard.
What Is PCI DSS?
PCI DSS is a data security standard that is administered by the PCI Security Standards Council. It details the 12 controls that organizations processing payment card data (PCD) and cardholder data (CHD) need to have in place.
PCI DSS compliance, as noted in version 3.2.1 of the Data Security Standard document, “applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data” (emphasis from original document).
The standards document undergoes periodic updates and review, with the most recent update being made in May 2018 (at the time of this writing), bringing the standard to version 3.2.1.
What Are the 12 Controls of PCI DSS?
The 12 controls mandated by the PCI DSS requirements document are spread across six categories:
Build and Maintain a Secure Network and Systems
PCI DSS compliance requires organizations to maintain a minimum set of controls to protect payment card data and cardholder data from outside threats:
- Install and Maintain a Firewall Configuration to Protect CHD.
- Avoid Using Vendor-Supplied Defaults for System Passwords (and Other Security Parameters).
Both of these items are crucial for guarding against the most casual outside cyber threats.
Protect Cardholder Data
This category of compliance requirements urges organizations to:
- Protect Stored Cardholder Data.
- Encrypt Transmissions of Cardholder Data when Moving Across Open, Public Networks.
Examples of steps for protecting stored data include encrypting data at rest, minimizing the amount of data stored to the absolute minimum, and never storing authentication data without a strong “business justification.”
Maintain a Vulnerability Management Program
To better protect stored payment card and cardholder data, organizations need to have a robust vulnerability management program to find and fix security gaps. The specific requirements cited in PCI DSS are:
- Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs.
- Develop and Maintain Secure Systems and Applications.
These requirements are broadly worded. However, the first can be largely addressed by establishing and adhering to a rigorous security patch schedule—as well as periodically assessing your cybersecurity tools and checking for better alternatives. The second requires careful management of your network assets and resources to ensure all new additions are secure and don’t create potential vulnerabilities that attackers could exploit.
Implement Strong Access Control Measures
Unauthorized persons should be prevented from being able to access PCD and CHD whenever possible. So, strong account controls are a must. PCI DSS specifically calls for companies to:
- Restrict Access to Cardholder Data by Business Need to Know.
- Identify and Authenticate Access to System Components.
- Restrict Physical Access to Cardholder Data.
Following a policy of least privilege (POLP), wherein users only have access to systems and information they need for their job function, is a good starting point. It’s also important to have a system in place for logging when sensitive data is accessed (and by whom). Finally, physical security for the servers/databases that store sensitive data should prevent unauthorized persons from coming into contact with them (to prevent the copying of data to USB drives or the outright theft of these devices).
Regularly Monitor and Test Networks
PCI DSS calls for companies to have rigorous network monitoring and testing solutions in place to identify potential security breaches (and to verify what, if any, data has been compromised).
- Track and Monitor All Access to Network Resources and Cardholder Data.
- Regularly Test Security Systems and Processes.
Activity on the network needs to be closely monitored to identify potential security breaches (and what specific databases have been compromised) as quickly as possible. Frequent testing, on the other hand, helps to verify the effectiveness of cybersecurity policies, procedures, and tools—and can help identify security gaps so they can be closed.
Maintain an Information Security Policy
There needs to be a documented information security policy in the organization that employees can reference. The standards document says to:
- Maintain a Policy That Addresses Information Security for All Personnel.
If you’ve come across the term “Written Information Security Policy” (WISP) in some of our other articles, the concept is largely the same—just with some specific requirements added in for PCI DSS compliance. In addition to simply having a WISP, PCI DSS requires companies to implement a risk assessment process that is conducted at least annually to identify critical assets, threats, and vulnerabilities.
Why Does Following PCI DSS Matter for Your Company?
The above description heavily abridges the content of the data security standard. There are many specific requirements that could each be the subject of their own dedicated article. Considering the expense and difficulty involved, why should your company follow PCI DSS compliance requirements?
There are a few reasons:
- To Follow Major Credit Card Brand Requirements. As noted by Investopedia, “All companies that process credit card information are required to maintain PCI compliance as directed by their card processing agreements.” If you want to take credit card payments, or issue cards with a logo that businesses will accept, you have to follow the standard.
- To Reduce the Likelihood of Data Breaches. Many of the security standard’s requirements actively help companies protect themselves against data breaches. Following these standards is a good starting point for a cyber risk management program.
- To Minimize the Impact of a Card-Related Data Breach. Stolen payment card and cardholder data can be used to cause enormous harm. Following PCI DSS standards for encrypting data and using monitoring tools helps not only to delay attackers from making use of sensitive data, but also to quickly identify what data was breached so cardholders can be alerted in time to prevent fraud.
- To Avoid Potential Fines and Lawsuits. Even with the best protections in place, there is always a risk of a cyber breach happening. However, what happens after a breach can be very different depending on the security policies and tools you have in place. Companies that do not follow basic data security standards may find themselves faced with additional fines, penalties, and even negligence lawsuits that deepen the cost of the data breach. Companies that put every reasonable cybersecurity precaution in place, on the other hand, may avoid these problems more easily.
- To Earn Customer and Investor Confidence. Customers want to know that their financial data will be protected, and investors need to have confidence that they won’t be exposed to unnecessary risk. Following PCI DSS requirements can help establish the confidence needed to attract both groups by mitigating the risks associated with handling sensitive data.
PCI DSS compliance can be an incredibly complicated task. If you need help meeting compliance requirements like PCI DSS, reach out to the ideaBOX team today. We’re here to help you protect your business and meet your cybersecurity goals!