PCI DSS Compliance – Why you need it

Financial data is one of the most sought-after pieces of information on darknet marketplaces. As a result, merchants handling it are prime targets for cyberattacks. To combat this, five major credit card companies outlined a common set of security guidelines.

This is known as PCI DSS, which aims to harden the card-processing ecosystem against a range of vulnerabilities. For organisations looking at how to protect cardholder data, it is an essential document, although at first glance it can be difficult to wrap your head around.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of operational requirements for protecting cardholder data. The standard applies to all entities that store, process, or transmit customer payment card data.

Obtaining this certification can be costly, as it must be renewed yearly. The budget may also need additional lines for staff training, onsite audits, required remediation of hardware and software, and so on.

The primary purpose of PCI DSS is to provide an international framework for establishing secure cardholder data handling mechanisms. These are grouped into six categories:

    1. Building and maintaining a secure network and systems
    2. Cardholder’s data protection
    3. Vulnerability management plan
    4. Access control restrictions
    5. Network monitoring
    6. Information security policy

Each category governs vital security controls for payment data protection. The highest security standard cannot be achieved if even one of the categories is neglected. Each supplements the others, creating a solid foundation for the security of users' financial data.

Who needs PCI DSS compliance?

PCI DSS compliance requirements apply to all companies involved in storing, processing, and transmitting credit card information. For instance, when you shop online, your bank, the merchant's bank, and the website's payment technology provider are all subject to PCI DSS regulation.

PCI DSS covers all merchants, credit card issuing banks, processors, intermediaries, developers, and other involved parties. Its purpose is to make sure that there are no weak links in the system that could be exploited. A rule of thumb: if you come into contact with credit card information in your line of work, you are probably regulated by PCI DSS.

Compliance is enforced by the major payment card brands that established the Payment Card Industry Security Standards Council (PCI SSC):

    • American Express
    • Discover Financial Services
    • JCB International
    • MasterCard
    • Visa Inc.
    • UnionPay (it did not establish the standard, but it supervises banking card services in mainland China)

Risks if you aren’t PCI DSS Compliant

Fines are the primary risk if your organisation is found to be non-compliant with PCI DSS requirements. Depending on the scope and severity of the violation, they can range from $5,000 to $500,000 per month. Fines also accumulate for as long as the non-compliance persists, increasing the total amount.

Each card brand involved in the PCI DSS guidelines has its own separate compliance validation requirements. Compliance for American Express might have different requirements from MasterCard, even though both follow the same PCI DSS guidelines. Non-compliance with a specific brand's rules may incur additional fines. After a data breach, for instance, the merchant is held responsible for covering all card re-issuance and remediation expenses. Even if the merchant survives such a financial blow, it still risks having its card-processing privileges revoked.

The 12 requirements of PCI DSS

The requirements set by the PCI SSC are both operational and technical, and their core focus is always the protection of cardholder data. The 12 requirements of PCI DSS are:

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications
    7. Restrict access to cardholder data by business need to know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
    12. Maintain a policy that addresses information security for all personnel

Benefits of PCI Compliance

Complying with the PCI Security Standards can seem a daunting task, as the standards and the issues they address are a lot to handle for large organisations, let alone smaller companies. However, compliance is becoming more important, and it can be manageable if you have the right tools.

According to the PCI SSC, compliance brings major benefits, especially considering that failure to comply may result in serious and long-term consequences. For example:

    • Meeting PCI Compliance standards means that your systems are secure and your customers can trust you with their sensitive payment card information; trust leads to customer confidence and repeat customers.
    • PCI Compliance improves your reputation with acquirers and payment brands – just the partners your business needs.
    • PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution.
    • As you try to meet PCI Compliance, you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others.
    • PCI Compliance contributes to corporate security strategies (even if only a starting point).
    • PCI Compliance likely leads to improving IT infrastructure efficiency.

Difficulties Posed by PCI Non-Compliance

The PCI SSC also points to the potentially unfortunate results of failing to meet PCI Compliance. After working to build your brand and win customers, don't take a chance with their sensitive information. By meeting PCI Compliance, you protect your customers so they can continue to be your customers. Possible results of PCI non-compliance include:

    • Compromised data that negatively impacts consumers, merchants, and financial institutions.
    • Severely damaging your reputation and your ability to conduct business effectively, not just today, but into the future.
    • Account data breaches that can lead to catastrophic loss of sales, relationships, and community standing; in addition, public companies often see a depressed share price as a result of account data breaches.
    • Lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and government fines.

PCI Compliance, like other regulatory requirements, can pose challenges to organisations that are not prepared to protect critical information. But protecting data is a much more manageable task with the right software and services. Choose data loss prevention software that accurately classifies data and handles it appropriately, so you can rest more easily knowing that your cardholder data is secure.