The Payment Card Industry Data Security Standard (PCI-DSS) is a binding set of requirements for any organization that processes or stores credit card information. We’ll briefly review PCI compliance and its main requirements, and provide a list of easy best practices you can implement in your organization to comply with the PCI standards.
In this article, we aim to cover:
- What is PCI compliance?
- PCI compliance requirements
- PCI compliance checklist
- PCI compliance best practices
What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) applies to any company storing, processing, or transmitting credit card data. It facilitates the comprehensive adoption of consistent data security measures. Web companies must follow the requirements of the PCI DSS, which include a variety of measures, such as hosting the data with a PCI-compliant host. PCI DSS is an organization formed by the major credit card companies, such as Visa, Mastercard, Discover, and American Express.
The main goal of PCI compliance is to reduce the opportunities for attack. This involves using a secure Card Data Environment (CDE), and this applies regardless of whether you use your in-house environment or a third-party secure payment option. This is especially important for e-commerce sites, which rely exclusively on the transfer of payment card data through the internet.
Some of the risks facing e-commerce websites include:
- Credit card fraud—attackers make purchases using stolen credit cards or credit card numbers.
- Identity theft—attackers pretend to be someone else and make purchases using their credentials.
- Credit card hijacking—attackers redirect customers to a fake shopping cart, hijack their session, or use other means to compromise credit card data.
Any e-commerce organization’s security strategy requires a continuous effort to ensure compliance. Compliance with PCI affects not only merchants but also universities, banks, municipalities, or in fact any organization from the public or private sector that handles credit card data. Since early 2019, this includes software developers that design software or web applications that accept credit card payments.
What Happens If You’re Not PCI Compliant?
If a company is found non-compliant with PCI-DSS, the penalties and consequences range from fines to the loss of permission to accept credit card payments.
Some of the penalties include:
- Inability to accept payments by credit card—the most severe penalty for many businesses is the inability to accept payments by credit card at all. This can create massive financial losses, loss of market share, and damage to reputation. An organization suffering this penalty needs to undergo a PCI reassessment by an external Qualified Security Assessor (QSA) to regain permission to process payments.
- Fines—the penalty for a non-PCI compliant website typically ranges from $86,000 to $4 million.
- Mandatory forensic examination—when a data breach is suspected, merchants are required to undergo a mandatory forensic examination, which can cost between $20,000 and $50,000 for a Level 2 merchant (1-6 million annual transactions), and upward of $120,000 for a Level 1 merchant (6+ million annual transactions).
- Liability for fraud charges—following a security breach, a company is exposed to lawsuits, as it is the merchant’s responsibility to keep its customers’ sensitive information safe.
PCI Compliance Requirements
The PCI DSS is composed of six goals and twelve requirements, as follows:
Goal #1: Building and maintaining a secure network
- Maintain a firewall configuration
- Ensure unique, original system passwords
Goal #2: Protect cardholder data
- Protect stored cardholder data
- Encrypt cardholder data transmitted across public networks
Goal #3: Maintain a vulnerability management program
- Use anti-virus software and keep it updated
- Develop secure systems and applications
Goal #4: Implement strong access control measures
- Restrict cardholder data on a need-to-know basis
- Assign a unique ID to each person in the organization with computer access
- Restrict physical access to cardholder data
Goal #5: Monitor and test networks
- Track and monitor any access to cardholder data and relevant network resources
- Regularly test security systems and processes
Goal #6: Maintain an information security policy
- Create an information security policy and enforce it in the organization
PCI Compliance Checklist—Achieving PCI DSS Compliance
To comply with the PCI DSS, an organization should follow three steps:
- Assess—identify the cardholder data, take an inventory of the technology and business processes that touch it, and analyze them for vulnerabilities.
- Remediate—once detected, fix the vulnerabilities and stop storing cardholder data you don’t need.
- Report—document and submit remediation validation reports, as well as compliance reports, to the bank and card brands involved.
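The assess and remediate steps above start with a concrete question: where does cardholder data actually end up? Primary account numbers (PANs) have a habit of leaking into application logs and support tickets, where they count as "stored cardholder data" even though nobody intended to store them. The following script is an added example, not code from the article or from any PCI body: it scans constructed sample log lines for digit runs that pass the Luhn checksum (the check digit scheme used by payment card numbers), reports each hit masked to the first six and last four digits (the most PCI DSS allows to be displayed), and produces a redacted copy of each line. The log format, the `SAMPLE_LOG` lines and the card numbers (public test numbers, not real accounts) are all constructed for the example; a Luhn-valid digit run is only a candidate, and a real assessment would confirm each hit by hand.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate PAN: 13-19 digits, optionally grouped with spaces or hyphens,
# not preceded or followed by another digit. This deliberately over-matches
# (order ids, timestamps); the Luhn check below filters most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line number in the scanned input
    masked: str    # masked PAN, safe to put in an assessment report


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed so the Luhn check sees digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(lines: Iterable[str]) -> List[Finding]:
    """Report every Luhn-valid candidate PAN found in the given lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = _normalize(m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Replace each Luhn-valid candidate PAN in a line with its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalize(m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_sub, line)


def redact(lines: Iterable[str]) -> List[str]:
    return [redact_line(line) for line in lines]


# Constructed sample log lines (hypothetical format). The card numbers are
# publicly documented test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=1234567890123456 status=ok",            # 16-digit order id, fails Luhn
    "2024-05-01 12:00:02 checkout card=4111 1111 1111 1111 amount=19.99",  # Visa test number, grouped
    "2024-05-01 12:00:03 retry card=4111111111111112 amount=19.99",    # mistyped number, fails Luhn
    "2024-05-01 12:00:04 refund pan=378282246310005 amount=5.00",      # 15-digit Amex test number
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: candidate PAN {f.masked}")
    print("\n".join(redact(SAMPLE_LOG)))
```

Running the block against the sample reports two candidates (lines 2 and 4) and leaves the order id and the mistyped number alone. In practice this kind of scan is run over log archives, ticketing exports and database dumps during the assessment, and the redaction step is applied at the logging layer so the data never lands on disk in the first place.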
You can learn more about the steps to achieve PCI DSS Compliance in this YouTube video by Cisco.
PCI Compliance Best Practices
The following best practices can help you improve security measures, to more easily comply with PCI-DSS security requirements.
Use a firewall
Per the first requirement, you’ll need to install a reliable firewall to protect your network and run regular tests to confirm it is working as intended.
Do not use default passwords
To be PCI compliant, you must ensure all devices and user accounts use passwords that are unique and that include lowercase and capital letters, numbers and symbols, to make them more secure.
Use both digital and physical measures to protect cardholder data
The PCI standard requires you to put in place electronic and physical barriers to prevent unauthorized access to passwords. Some of these barriers may include authentication protocols, strong password policies, locked servers and locked cabinets for sensitive physical data. A related measure is restricting access to cardholder data and encrypting the transmission of cardholder information.
Create and enforce a security policy
A security policy should be drafted, supported by management, and made known across the organization, as well as to third-party vendors and customers. You should include a summary of how you protect customer data, explaining password and access requirements.
Establish an incident response process
Have a clear process for detecting, remediating, mitigating and recovering from security incidents.
Keep track of changes
Identify and review changes made to processes or technologies affecting cardholder data. Establish change controls, identifying the impact on compliance for every change.
Keep software patched and install security updates
Many of the world’s biggest security breaches resulted from an exploit of a known software vulnerability. Keeping software up to date, scanning systems for vulnerabilities and remediating them, is a critical defensive measure.
Not complying with PCI standards can result in heavy fines and other consequences, such as loss of business. A Ponemon Institute study showed that more than half of customers lost trust in an organization after it suffered a data breach, and 31 percent terminated their relationship with the organization after a breach.
Complying with PCI DSS standards is critical for the survival and success of any organization, especially those in the e-commerce industry.