PCI DSS: What, why, and do I need to comply?

What is PCI DSS? PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of requirements developed by major payment card industry brands – Visa, MasterCard, American Express, Discover, and JCB. Any organization that accepts, captures, stores, transmits or processes payment card information needs to be compliant with these security standards.

With the evolution of payment cards and the rise of ecommerce, payment frauds began to rise dramatically. Hackers began taking advantage of poorly protected systems to steal payment data, making payment card fraud faster and easier than ever before. Credit card companies faced major losses and this led to the birth of the PCI security standards. All major credit card companies responded to this crisis by coming together to create the PCI Council and all merchants, service providers, and payment processing organizations, big or small, are required to comply with these standards.

It is important for organizations to protect the data of their customers, employees, third parties and everyone else related to their ecosystem. The whole purpose of PCI DSS is to protect data – albeit payment card data. Here are a few potential repercussions of not being PCI complaint.

• Noncompliance Penalties: Organizations might end up paying a heavy noncompliance fines. Credit card institutions may levy fines as a punishment for noncompliance. And remember, even if you outsource to a service provider, compliance is your responsibility. So, if your service provider is non-compliant then you could well be held accountable for failing to take actions for observing compliance.
• Forensic Investigations: The cost of forensic investigations can be very significant. And you will be liable to pay for these costs if evidence of compromise is established.
• Reputational Damage: In the event that your organization’s network has been breached and payment card data has been stolen, unhappy customers will lose confidence in your organization. So, you lose business and could even go out of business eventually with lost sales. Also, a merchant’s acquirer may hold the merchant financially responsible for any resulting fraud loss and other costs.
• Disruption of Operations: Hackers might also compromise non-payment card data on the organization’s network such as financial and human resource records and trade secrets. And this can harm the complete operation of business.
• Lawsuits: And lastly after all these fines and penalties there’s more – that is dealing with lawsuits from customers, third parties and more.

At a high-level, the PCI Data Security Standard is comprised of 12 compliance requirements that were built on foundations of data security best practices. Let’s look them:

1. Protect your cardholder data with firewalls. They are designed to vet inbound and outbound network traffic and block certain types of network traffic and untrusted networks.
2. Change vendor-supplied default passwords and configurations. These defaults are freely published online and available for hackers to misuse as well.
3. Protect cardholder data at rest using strong encryption, hashes, and/or other methods that are part of industry-accepted best practices.
4. Protect cardholder data in motion using strong encryption, trusted keys, and trusted digital certificates.
5. Use anti-virus and anti-malware software to protect all systems. Also ensure that the anti-virus and anti-malware software are fully updated with the latest patches and signatures at all times.
6. Establish a process to identify vulnerabilities in systems and applications so that they can be remediated in an expeditious manner. Also ensure that they have the latest patches and updates installed as these often have fixes to known vulnerabilities that otherwise serve as low-hanging fruit for malicious hackers.
7. Restrict all access to cardholder data by employing the principles of least privilege and “need to know”.
8. Assign a unique ID to each individual with access to systems and applications such that there is complete accountability of access in place.
9. Restrict physical access to cardholder data and cardholder data systems.
10. Establish a logging and monitoring mechanism and process to track access and user activities related to cardholder data and cardholder network resources.
11. Perform periodic penetration tests, vulnerability scans, and comprehensive data security and compliance assessments on the cardholder data environment.
12. Draft, maintain, and disseminate a comprehensive data security policy best suitable for your organizational structure. Review the data security policy annually and update it in accordance with your changing technological and operational environment.

PCI DSS compliance is a moving target. It changes as it moves through levels and versions. But if you focus on strong data security and compliance foundations at your organization then you’ll find that PCI compliance standards are easier to meet and implement.

The business risks and ultimate costs of noncompliance can vastly exceed the costs involved in complying with PCI DSS instead. So, implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.