PCI Compliance for Banks

Why PCI Compliance is Important for Banks

By Dr. Rey LeClerc Sveinsson, ERMProtect

Financial institutions are one of the most heavily regulated industries around, and for good reason. Access to the personal information and funds of customers makes banks a popular target for hackers. Among other breach safeguards, banks must protect customer credit card information if they issue credit cards or process credit card transactions. For these banks, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not only required but a great step forward to protect customers, preserve reputation, and avoid regulatory issues.

Compliance with PCI DSS standards ensures banks have greater control over sensitive credit card information. The requirements are specifically designed to protect against security breaches. The PCI DSS guidelines overlap with many other security frameworks, which gives banks a head start in meeting their other compliance requirements.

PCI DSS is not required by law. Rather, PCI DSS compliance is required by the contracts that govern participation with the major payment card brands. Financial institutions, including issuing banks and acquiring banks, as well as merchants and service providers that process transactions, enter contracts with the five card brands that enable them to process credit card information.

Issuing banks are banks that offer credit cards to consumers. Acquiring banks are financial institutions that hold merchants’ bank accounts, facilitate payment processing through the card processors, and deposit funds on behalf of the merchants. If your organization falls under either of these categories, then PCI DSS compliance will be required of your company under those contracts.

PCI DSS 12 Primary Requirements

  1. Protect all cardholder data with a system of well-maintained firewalls.
  2. Change all passwords from any defaults to unique and secure options.
  3. Protect any stored cardholder data.
  4. Encrypt any cardholder data that is transmitted via open networks.
  5. Use antivirus software and make sure it is up to date.
  6. Ensure your systems and applications are secure.
  7. Permit access to cardholder data only on a need-to-know basis.
  8. Assign a unique ID to any staff members with access to credit card data.
  9. Restrict physical access to cardholder data.
  10. Closely monitor all access from staff to protected data.
  11. Regularly evaluate all security measures.
  12. Maintain consistent and clear information security policies.

Within these 12 main requirements are 281 additional controls, which may or may not apply to your organization based on the size of the bank and how many credit card transactions are processed each year.

Becoming a PCI Compliant Bank

To become PCI DSS compliant, the bank first must determine which standards it needs to meet, then assess the existing program to see where data protection is sufficient and where changes are needed to meet the required security controls. The first step for a bank is to know where cardholder data resides. That sounds easy enough, but banks really need to sit down and assess, identify, and confirm where credit card information resides in the organization, both in hard copy and electronically, before compliance work can get started.

Knowing where cardholder data resides means knowing how the bank captures credit card information. It is critically important to develop a cardholder data flowchart showing the entry/origin, pathway, and exit point(s) of credit card information. When done properly, the bank will be able to readily identify where such cardholder data resides.

After identifying the location of cardholder data, assessing risk is a critical element for any bank trying to minimize threats to the organization. These risks should be identified, prioritized, and addressed based on the level of threats they pose.

Security Awareness Training for Banks

Policies and procedures are a big part of today’s regulatory compliance initiatives – and especially with PCI compliance requirements for banks. Financial institutions already have policies in place, but they must be written to the exact standards of the PCI framework and must be kept current. It is recommended that these be reviewed on an annual basis as technology and risks keep evolving.

One of the best initiatives any business can undertake – especially banks – to protect their organizations from cyberattacks is to put in place comprehensive security awareness training. The world we live in today is radically different from just a few years ago, with threats everywhere. So, any serious effort to protect organizational assets must begin with high-quality, professionally developed security awareness training programs that teach employees how to avoid today’s threats that could result in them accidentally exposing the bank’s confidential information. ERMProtect has a robust Security Awareness Training Program and can assist in this endeavor.

Among other best practices and tools recommended are network segmentation and tokenization. Network segmentation prevents payment card data from interacting with other IT systems, helping to keep the information isolated and less vulnerable. Tokenization, a practice that uses non-sensitive values to replace credit card data, also improves an organization’s security posture.
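As an added illustration (not part of the original article or of any ERMProtect product), here is the tokenization approach described above in Python: a vault that swaps a card number for a random token, masks the number for display, and lets only a named role recover it. The in-memory dictionaries, the role name and the HMAC-keyed lookup index are assumptions standing in for an encrypted, access-controlled vault.

```python
"""Minimal tokenization vault: downstream systems handle a random token instead of
the card number (PAN). Illustrative code; the dicts stand in for an encrypted vault."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: rejects malformed card numbers before they enter the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and screens: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self, index_key: bytes):
        self._index_key = index_key   # HMAC key for the PAN -> token index (assumed secret)
        self._by_token = {}           # token -> PAN: the only place the PAN is kept
        self._by_pan_hmac = {}        # HMAC(PAN) -> token: index holds no raw PANs

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._by_pan_hmac:  # same PAN -> same token, no duplicate vault rows
            return self._by_pan_hmac[idx]
        token = "tok_" + secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._by_token[token] = pan
        self._by_pan_hmac[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the payment-processing role may recover a PAN (need-to-know access)."""
        if role != "payment-processor":  # role name is an assumption for this example
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


if __name__ == "__main__":
    # Constructed sample: 4111111111111111 is a well-known Luhn-valid test number.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    print(vault.tokenize("4111111111111111"), mask_pan("4111111111111111"))
```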

It's important to keep in mind that compliance with PCI requirements does not give banks immunity from being compromised. Banks often share sensitive information with third-party vendors. If a third-party breach occurs, the bank is still responsible for the data loss. So, it’s important to have in place a program that assesses, manages, and reduces risks posed by working with third-party vendors.

PCI Compliance Solutions for Banks with ERMProtect

As you can see, PCI compliance is a 12-month process - an ongoing journey. ERMProtect can help. We employ experienced PCI QSA team members who can certify your organization’s PCI DSS compliance. They have practical experience in application security, information systems security, network security, IT security auditing, and information security risk assessments that will expedite the certification process.

Our QSAs possess one or more industry-recognized professional certifications in Information Security (e.g., Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM)) and/or Security Auditing (e.g., Certified Information Systems Auditor (CISA)). These designations demonstrate a commitment to professional standards and continuing education that keep our staff members at the forefront of an ever-changing security landscape.

For more information about our PCI QSA services, email [email protected] or call 305-447-6750.
