The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized security standard, one that most security professionals have encountered or worked with, and it applies to every business that processes card payments. PCI DSS is not itself a law, but a breach of card data in an environment that does not meet the standard can trigger obligations and penalties under other regulations (the GDPR, for example), so complying with it is beneficial regardless. The standard sets out the requirements a business must fulfill to maintain a secure environment when accepting, processing, storing or transmitting payment card information.
Let’s consider the requirements to meet this standard and some guidance on how your business can reach compliance.
Why is PCI DSS important
Cybercriminals exploit any security gap. Weaknesses introduced by card payment processing, or an inadequately secured environment where card data is processed or stored, are no different, and cardholder data is a prime target. PCI DSS defines cardholder data as the full primary account number (PAN) at a minimum, plus, where present with the PAN, the cardholder name, expiration date and service code. Sensitive authentication data (full track data from the magnetic stripe or chip, card verification codes such as CVV2/CVC2/CID, and PINs or PIN blocks) must also be protected and may never be stored after authorization, even if encrypted.
Cybercriminals target weak links in the payment chain to steal sensitive personal data (names, addresses, and phone numbers) including card details (account numbers and security codes).
So, whether driven by PCI compliance or by data security in general, it is in the best interest of any business that processes cardholder data to ensure the necessary controls are in place to handle this personal information securely. Alongside the real risk of an external attack, data can be compromised through accidental or intentional employee error, especially where access controls are not effectively managed.
All of these incidents can result in a data breach, with serious implications for other mandatory compliance obligations under which personal data must be protected. The cost of not complying is therefore far greater than the cost of becoming PCI DSS compliant.
Implementing PCI DSS also helps with compliance with other data security and privacy regulations, such as the EU General Data Protection Regulation (GDPR) and the U.S. Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to safeguard sensitive customer data and control how it is shared. More generally, PCI DSS provides a solid security foundation built on established best practices.
Not complying with the PCI DSS standard can have damaging fallout for a business if cardholder data is breached, namely:
- Loss of customer confidence and damage to the business's brand and reputation.
- Monetary losses, including the cost of forensic investigation, card reissuance and remediation.
- Legal and regulatory consequences resulting from the data breach.
- Fines from the card brands and, potentially, loss of the ability to process card transactions.
Consequently, taking the security of payment card data seriously is extremely important, and continuous due diligence is needed to keep the infrastructure that processes this data secure, especially when systems and processes change. Risk assessments and gap assessments are particularly useful at these times to confirm that security remains adequate.
What is PCI DSS
PCI DSS was initiated to provide businesses with a framework to follow to ensure that the card payment process is secure and to reduce opportunities for card-related fraud.
It is a global standard for enforcing controls around card processing including the storage and transmission of cardholder data so that sensitive cardholder data is always protected. As it is a global standard it aims to provide consistency across many countries with its baseline of security controls.
PCI DSS applies whenever you accept a credit or debit card as payment, whether online, over the phone or in person. If you choose not to store card data, compliance still applies, although the risk is reduced and the scope of the assessment is smaller, so compliance is easier to achieve. Using a third-party processor for card transactions may reduce your exposure, but it does not exempt you from compliance: you remain responsible for the parts of the card data flow you control and for ensuring the provider is itself compliant.
The standard is administered by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the major card brands. So, it is not statutory but rather a way for the card brands (Visa, Mastercard, American Express, Discover and JCB) to govern card processing so that whenever a business handles card data it is done safely. By requiring businesses to apply the controls laid out in the standard, the card brands can enforce compliance wherever card payment processing happens, and they can levy penalties for noncompliance, typically passed on through the merchant's acquiring bank.
Together, the SSC and PCI DSS intend to help organizations understand the risks to payment systems and ways to protect payments systems, for example, by implementing effective security technologies and policies for secure payment systems and solutions.
The roadmap to compliance: Six goals and 12 requirements
To follow the standard, a business must have technical and organizational controls in place that address the 12 requirements, which in turn accomplish six goals. By fulfilling the 12 requirements (critical to securing card data), the business meets the six goals and complies. The PCI SSC specifies the goals as follows:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
12 core requirements to achieve these goals
Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
Implement strong access control measures.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly monitor and test networks.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an information security policy.
- Maintain a policy that addresses information security for all personnel (employees and contractors).
All of these are primary data security controls and are good practice regardless of PCI DSS. If you process sensitive data, the likelihood is that you already employ many of the necessary controls even if you have never specifically considered the standard.
These practices should be followed anyway if your business handles personal and sensitive information, to ensure client and customer data security and privacy. Not addressing them is simply negligent on an organization's part.
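Requirement 3 (protect stored cardholder data) is the one most often violated by accident: a debug statement writes a full PAN, or a card verification code, into an application log that is then retained, backed up and shipped to a log aggregator. The script below is an added example, not part of the original article or of any PCI SSC tooling. It scans constructed log lines for Luhn-valid 13 to 19 digit sequences, masks them to the first six and last four digits (the maximum PCI DSS 3.2.1 Requirement 3.3 permits for display), and flags fields that look like sensitive authentication data, which must never be stored at all. The sample log lines, field names and the set of separators recognized are assumptions made for the example.

```python
"""
Find and redact unmasked primary account numbers (PANs) and card
verification codes in application log lines.

Added example; the log lines below are constructed for illustration,
as are the field names (card=, cvv2=, ...) the patterns look for.
"""
import re

# Candidate PANs: 16 digits in groups of four (space or dash separated),
# or an unbroken run of 13 to 19 digits. The Luhn check removes most
# false positives such as order numbers and timestamps.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\b\d{13,19}\b")

# Sensitive authentication data (SAD): verification codes logged next to a
# PAN. PCI DSS forbids storing these after authorization, so they are
# redacted entirely rather than masked.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits (PCI DSS 3.2.1 Req 3.3 maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def is_pan(candidate: str) -> bool:
    """True if the candidate (separators allowed) is a 13-19 digit Luhn-valid number."""
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def redact_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in the line with its masked form.

    Returns the rewritten line and the number of PANs that were masked.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        candidate = m.group(0)
        if not is_pan(candidate):
            return candidate            # digit run that is not a card number
        count += 1
        return mask_pan(re.sub(r"[ -]", "", candidate))

    return PAN_RE.sub(_mask, line), count


def scan_log(lines) -> dict:
    """Redact PANs and SAD in each line; return counts and the cleaned lines."""
    report = {"pan_lines": 0, "sad_lines": 0, "redacted": []}
    for line in lines:
        cleaned, n_pan = redact_line(line)
        cleaned, n_sad = CVV_RE.subn(lambda m: m.group(1) + "=[REDACTED]", cleaned)
        report["pan_lines"] += 1 if n_pan else 0
        report["sad_lines"] += 1 if n_sad else 0
        report["redacted"].append(cleaned)
    return report


# Constructed sample log: one harmless order id (fails Luhn), one line that
# leaks a PAN together with a CVV2, one Amex PAN, one PAN in a reference field.
SAMPLE_LOG = [
    "2019-11-05T12:03:44Z INFO order=1234567890123456 status=created",
    "2019-11-05T12:03:45Z DEBUG auth card=4111 1111 1111 1111 exp=12/22 cvv2=123",
    "2019-11-05T12:03:46Z DEBUG auth card=378282246310005 amount=42.00",
    "2019-11-05T12:03:47Z INFO phone=+1 555 0100 ref=5555555555554444",
]

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print(f"lines with PAN: {result['pan_lines']}, lines with SAD: {result['sad_lines']}")
    for line in result["redacted"]:
        print(line)
```

Run over the constructed sample, the script reports three lines containing a PAN and one containing a verification code; the order id on the first line is left alone because it fails the Luhn check. A check like this belongs in the log pipeline before retention, not only in a periodic scan, and any hit should be treated as an incident that puts the logging system in scope for the assessment.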
Measuring business compliance against the standard
This is where assessments and audits come into play. Businesses must demonstrate compliance with the standard and this can be done in several ways including self-assessments (done internally), external third-party assessments, and audits done by a certified body.
The assessment required is determined by the business's merchant level (anyone that accepts a payment card as a form of payment is a merchant). Depending on that level, a business validates compliance either with a PCI DSS Self-Assessment Questionnaire (SAQ), of which there are several variants matched to how card data is handled, or with an on-site assessment by a PCI SSC Qualified Security Assessor (QSA) resulting in a Report on Compliance.
Often, starting with a gap assessment is useful and can help to facilitate easier future assessments and PCI DSS audits.
Merchant level is established from the annual volume of payment card transactions the business handles and the channels used to take them. Each card brand sets its own level definitions and validation requirements, so it is important to confirm with your acquiring bank which apply. Usually, a business placed at a particular level by one brand is treated the same by the others, but each brand may have minor variations in what it requires, so it is best to check.
Merchant levels exist to tie the required validation effort to the risk. Generally, levels range from 1 to 4. Under Visa's definitions, level 1, the highest, is a merchant processing more than 6 million transactions annually and level 4, the lowest, is a merchant processing fewer than 20,000 e-commerce transactions a year (and up to 1 million transactions in total).
Ultimately, the merchant's acquiring bank is accountable to the card brands for its merchants' compliance, so it will require a merchant to demonstrate compliance with the standard.
Self-assessments may allow gaps to be overlooked, whereas an external assessment, although costlier, is usually stricter and more thorough when undertaken by a qualified professional, so it carries more weight and tends to produce better outcomes.
Ensuring continuous compliance is important. A primary part of maintaining compliance is through ensuring the entire chain is compliant. Any gaps can result in a breach. It’s important to ensure that the entire transaction life cycle is PCI compliant — your business, any third-party processor that you deal with as well as the banks involved.
Implement effective data security procedures within your business and monitor, check, and test that practices are being engaged securely and followed as they should be.
Classify sensitive data and protect it with encryption in transit and at rest and with strong authentication. Properly manage and control access to data: access control is essential, and the least privilege model should always be followed. Monitor user activity and behavior so that anything out of the norm is highlighted and can be dealt with swiftly. Educate users about cybersecurity risks and their own roles and responsibilities in maintaining data protection and compliance.
Protect, monitor, detect, assess, test, audit, report and remediate: all of these are important controls for maintaining compliance.
The standard requires all merchants to check regularly for vulnerabilities. A vulnerability scan checks systems, services and devices for security weaknesses that could be exploited by cybercriminals. Requirement 11.2 calls for internal and external scans at least quarterly and after any significant change, with external scans performed by a PCI SSC Approved Scanning Vendor (ASV); depending on the merchant level and the SAQ that applies, passing ASV scans must be evidenced to maintain compliance.
New version coming late 2020
The current PCI DSS version is 3.2.1; version 4.0 is due for release in late 2020. It is anticipated that the 12 core requirements will remain the same, but the standard will evolve to address advances in technology and risk mitigation techniques as well as changes to the threat landscape.
The new version is still under development, but it aims to keep the standard in step with the payments industry so that it continues to meet the industry's growing needs. It is expected to allow more flexibility by offering additional ways to meet the security objectives, to encourage continuous security rather than point-in-time compliance, and to improve validation processes.
PCI DSS stakeholders worldwide are contributing to the process, and version 4.0 will incorporate their feedback so that all areas of concern are appropriately addressed in the revised standard.