If your business is responsible for dealing with credit card payments, then PCI DSS compliance is an essential part of protecting customer’s payment card data and protecting your own business from the devastating consequences of a data breach.
The unfortunate reality is that credit card fraud is continuing to rise, and according to the Federal Trade Commission’s Consumer Sentinel Network, reports of credit card fraud rose by 104% between Q1 of 2019 to Q1 of 2020.
Protecting cardholder data has never been more important and PCI DSS lays the foundations for maintaining the strict security measures that are needed to protect this sensitive data. Our guide to PCI DSS compliance helps explain how PCI DSS works, who it applies to, and what steps you need to take to become compliant.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to reduce the risk of credit card fraud and increase payment card data security. It was founded in 2004 by the four major credit card companies; Visa, Mastercard, Discover, and American Express. PCI DSS has evolved over the years and is now regulated by the PCI Security Standards Council (PCI SSC). The PCI SSC defines and manages the standards, whilst compliance is enforced by the individual credit card companies.
Who does PCI DSS affect?
PCI DSS applies to any organisation that stores, processes, or transmits cardholder data. To determine the compliance requirements that apply to individual businesses, the PCI SCC created a four-level system that classifies businesses based on the size of transactions and risk.
Level 1 – Merchants processing over 6 million transactions annually, or those that have had data compromised in the past.
Level 2 – Merchants processing between 1 and 6 million transactions annually.
Level 3 – Merchants processing between 20,000 and 1 million transactions annually.
Level 4 – Merchants processing less than 20,000 transactions annually.
Despite the creation of multiple levels, the requirements remain the same for all merchants and service providers, across all industries.
How could cardholder data be compromised?
To gain access to sensitive cardholder data, cybercriminals will attempt to exploit any security vulnerabilities in your operating systems and devices. This could be through:
- Card readers
- Point of sale system
- Payment system database
- Storage networks
- Online portals
- Wireless network
- Paper records
What are the 12 Requirements of PCI DSS Compliance?
PCI DSS contains 12 requirements that are designed to protect cardholder data and prevent data breaches. These standards not only apply to merchants, but to any other business that stores, processes, or transmits cardholder data.
1. Install and maintain a firewall configuration to protect cardholder data
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to block specific traffic based on a defined set of security rules. It’s your first line of defence against security threats and should be regularly tested, managed, and updated.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Cybercriminals will frequently use default passwords and settings to compromise systems. It’s vital you immediately change any default credentials before introducing new systems into your network.
3. Protect stored cardholder data
Protecting cardholder data, whether it’s in physical or digital format is crucial to complying with PCI DSS. Cybercriminals will frequently target stored cardholder data and then use it to perform fraudulent transactions. Where cardholder data does need to be stored, you should ensure the correct security measures are in place to meet the different legal, regulatory, and compliance requirements.
4. Encrypt transmission of cardholder data across open, public networks
When cardholder data is transmitted across networks that are easily accessible, cybercriminals may attempt to intercept the data. To ensure that data is safe and secure, it must be encrypted with strong cryptography and security protocols such as Secure Shell (SHH), IPSec and Transport Layer Security (TLS).
5. Use and regularly update anti-virus software
Anti-virus software should be installed on all critical business systems to prevent malware from being introduced into your network. This will help protect cardholder data and provide enhanced protection against newly created viruses.
6. Develop and maintain secure systems and applications
Cybercriminals will often exploit any vulnerabilities in your system to gain access to sensitive cardholder data. Network vendors will regularly release patches to address security vulnerabilities so it’s vital you apply these as soon as they are released. Patches are essential in keeping systems up to date, stable, and safe from malware and other threats.
7. Restrict access to cardholder data by business need to know
Access to cardholder data should only be granted on a need-to-know basis. Employee error remains the leading cause of all data breaches, so strong access controls should be in place to ensure that only those staff that need to make transactions are allowed access.
8. Identify and authenticate access to system components
Every staff member that has access to sensitive information should be assigned a unique ID. This will enable you to track who is accessing specific systems and when.
9. Restrict physical access to cardholder data
Physical access to computer systems containing cardholder data should be restricted to authorised members of staff. This will prevent any unauthorised individual from physically accessing systems or making hard copies of sensitive data.
10. Track and monitor all access to network resources and cardholder data
Access to network resources and cardholder data should be closely monitored, and all activity logged. This audit trail can help detect malicious behaviour and identify a breach.
11. Regularly test security systems and processes
New vulnerabilities are emerging all the time so it’s important to regularly test your systems and processes to ensure security is maintained. PCI DSS also recommends regular penetration testing and the use of intrusion detection and prevention systems to ensure the security of cardholder data.
12. Maintain a policy that addresses information security for all personnel
A strong, PCI DSS compliant security policy should be implemented throughout the business. This will help set a standard for what’s expected of your staff and highlight the need for data security within your organisation.
Why is PCI DSS Compliance so important?
Compliance with PCI DSS requirements are critical if you want to be able to process card transactions, protect cardholder data, and reduce the chance of a costly breach. Whilst PCI DSS is not a legal requirement, under the GDPR, credit card data is considered personal data which means you are legally bound to keep this data safe and secure.
What happens if you’re not compliant with PCI DSS?
Non-compliance with PCI DSS can lead to serious security incidents such as the breach or theft of cardholder data. A data breach can cause irreparable damage to your business, and in addition to the crippling fines, your business could face further consequences from being unable to protect sensitive cardholder data. These include:
- Increased risk of payment card data compromise
- Fines and penalties
- Compensation costs
- Loss of consumer confidence
- Damage to brand reputation
- Legal action – costs, settlements, and judgements
- Job losses
- Termination of ability to process payment cards
- Go out of business
Cybercriminals are taking advantage of the rise in digital transactions and exploiting vulnerabilities in systems to gain access to sensitive cardholder data. To combat this fraudulent activity, it’s vital your organisation is PCI DSS compliant and taking all the necessary steps to secure payment transactions and protect customer data.
To help improve Cyber Security awareness within your organisation and reduce the chance of a costly data breach, we’ve created an indispensable resource for implementing a change in behavior and create a culture of cyber awareness.
In this Cyber Security Awareness For Dummies guide, you will learn:
-How to implement a cyber risk awareness campaign.
-How to maintain staff momentum, commitment and attention to cybersecurity threats.
-10 cyber security awareness best practices.
Click here to access your Cyber Security Awareness For Dummies guide.