How Can Your Organization Achieve PCI DSS Compliance?
Concerned about your organization’s security posture and whether you are in compliance with the Payment Card Industry Data Security Standard (PCI DSS)?
Delta Risk offers a comprehensive suite of cyber security services to help you achieve PCI DSS compliance, including:
- ActiveInsight – Our advisory services offer multi-faceted assessments options of your current security program to identify security and PCI DSS compliance gaps.
- ActiveEye – ActiveEye managed services and professional services can help you offload day-to-day endpoint protection and security monitoring tasks while aligning with specific PCI DSS requirements.
- ActiveResponse – We take a proactive approach in detecting and hunting network intruders to contain the outbreak of a breach, keeping your organization in accordance with PCI DSS regulations.
PCI DSS Overview
Electronic payment information is now an obvious target for cyber criminals. That was not always the case. In the early 2000's, as fraud and identity theft became more rampant, companies recognized the mounting losses to cyber criminals. After individual company attempts to solve the issue failed, the five major credit card brands (American Express, Discover, JCB, MasterCard, and Visa) came together in 2004 to support the initial formation of PCI DSS.
Since then, the development and management of the various PCI DSSs has evolved substantially. Currently, the PCI Security Standards Council (PCI SSC) handles drafting the standards. The five major credit card companies also formed the PCI SSC, and its members now consist of employees of these payment companies.
The PCI DSS is comprised of many individual and specific requirements, but there are six overarching goals that apply to every organization:
- Build and Maintain a Secure Network
- Protect Stored Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
A major issue for those who must comply with the PCI DSS is the specific requirements are constantly changing. The major payment companies adopted the first version in 2004 with revisions in 2006 and 2008. Version 2.0 debuted in 2010, with the SSC releasing Version 3.0 in 2013. Version 3.2 (the most recent version to date) was released in April 2016.
Unlike the cyber security regulations in other industries, say finance or critical infrastructure, the PCI DSS requirements are not law nor does a government agency enforce them. While the PCI SSC is responsible for managing the standards, it is up to the various payment brand entities to enforce compliance along with those standards.
Update to 2013 E-Commerce Guidance
The PCI SSC released an update to its 2013 e-commerce guidance in February 2017. This update specifies best practices for securing e-commerce, including an added emphasis on data encryption. The new guidance, Best Practices for Securing E-Commerce, replaces the previous guidance.
Who Must Comply with PCI DSS?
The answer seems simple: all entities that process, store, or transmit payment card information.
However, different compliance levels based on the amount of card transactions complicate this general rule. The PCI DSS applies differently to merchants of different transaction volumes per year. As the number of cards processed by a merchant (credit, debit, and prepaid) increases, the level and range of security requirements the merchant must meet also intensifies.
|1||Processes over 6 million transactions|
|2||Processes 1 million to 6 million transactions|
|3||Processes 20,000 to 1 million transactions|
|4||Processes less than 20,000|
The requirements at each level can vary greatly. Level 4 and 3 merchants (least security required), can attain compliance through completing a self-assessment questionnaire, and may be required to run periodic vulnerability scans. Level 2 merchants must have a PCI SSC accredited assessor conduct an annual assessment in addition to periodic network scans, annual penetration tests, and security policy implementation. The requirements for Level 1 merchants are similar to Level 2, but Level 1 requires an accredited assessor to conduct an onsite security assessment.
What Payment Card Information Must You Protect?
There are two general types of information that you must protect if you are subject to PCI DSS. Cardholder data is the entire primary account number (PAN) or the PAN along with the cardholder’s name, the expiration data, or the service code. The other type of information is Sensitive Authentication Data. This refers to magnetic stripe data (or chip data), card validation codes or values, and PINs.
Specific PCI DSS Requirements for Protecting Payment Card Data
The PCI SSC further breaks down the six main goals into 12 standards, with even more specific requirements within each goal. The 12 general standards involve:
- Installing and maintaining a firewall configuration to protect cardholder data
- Not using vendor-supplied defaults for system passwords and other security parameters
- Protecting stored cardholder data
- Encrypting transmission of cardholder data across open, public networks
- Protecting all systems against malware and regularly updating anti-virus software or programs
- Developing and maintaining secure systems and applications
- Restricting access to cardholder data by business need to know
- Identifying and authenticating access to system components
- Restricting physical access to cardholder data
- Tracking and monitoring all access to network resources and cardholder data
- Regularly testing security systems and processes
- Maintaining a policy that addresses information security for all personnel
Consequences of PCI DSS Noncompliance
Given that a government agency does not enforce PCI DSS, if you fall out of compliance, you will have to answer to the major payment card brands. For noncompliance, they may impose fines, increase transactions costs, or end their payment card relationship altogether. The fines can range from $5,000 to $100,000 per month. Fines are not generally publicly available, but they can be catastrophic to small businesses.
If your organization experiences a breach, the PCI SSC may move your organization up to a merchant-compliance level, requiring you to meet stricter security requirements the following year. They may also impose a series of external audits to your security program.
Not maintaining PCI DSS compliance can have serious direct costs. However, you should also be concerned about the greater threat to your reputation for failing compliance standards, or worse, getting hacked. Developing and maintaining a comprehensive cyber security program is the only way to reduce your risk across the board.