Simply put, companies that touch credit card data are required by the Payment Card Industry (PCI) Security Standards Council to adhere to certain data security standards. While this may seem like a hassle, the objective of this independent collaboration of financial institutions is good. Securing credit card data helps protect banks, consumers, and merchants alike.
Merchants that process, store, or transmit cardholder data are required to adopt the security protections (controls) detailed in the Payment Card Industry Data Security Standard (PCI DSS). This rigorous standard includes security policies, procedures, and other ongoing requirements aimed at securing cardholder data throughout its entire lifecycle in the merchant's Cardholder Data Environment (CDE). Depending on annual credit card transaction volumes and the mandates of their acquiring bank, merchants may be required to demonstrate compliance in the form of an annual PCI self-assessment or a third-party audit.
Unfortunately, many businesses struggle to correctly implement and maintain the controls set forth in the PCI DSS. These organizations may find themselves scrambling to prepare for PCI audits and at risk of hefty penalties for failing to prove compliance. Additionally, companies that are breached and are found non-compliant will also face these fines, and risk losing their ability to accept credit card transactions going forward.
Even with an optimal strategy, compliance is not a point-in-time undertaking. Beyond the initial implementation of PCI DSS controls, merchants are expected to maintain compliance by executing a variety of regular recurring processes. They must also be careful to maintain evidence of these activities in order to prove compliance in the event of an audit.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
* Additional compliance requirements apply to software developers and manufacturers of applications and devices used in credit card transactions.
The global standard for cardholder data security, the PCI DSS consists of six overarching goals broken into twelve high-level requirements, which are in turn supported by more than 220 detailed security sub-controls. However, it does not offer guidance on how to implement these controls or how to ensure audit success. As a result, merchants are first faced with the challenge of developing a compliance strategy that is well suited to their business practices and card processing use cases.
A "check-the-box" approach to PCI compliance is risky from both a business and a practical cyber security perspective. By attesting to PCI DSS compliance without confidence in control efficacy, merchants are at a significantly greater risk of suffering a credit-card-related breach. While a cyber breach can wreak havoc of its own, compounding it with fines for breach of compliance can be devastating. A programmatic approach to PCI compliance ensures that people, process, and technology are brought to bear thoughtfully and consistently, delivering meaningful CDE protection and repeatable audit success.
Get the security leadership you need to not only achieve and maintain PCI compliance, but strengthen the overall security of your environment. Our information security experts are capable of guiding and executing all phases of PCI compliance program development, maturation, and management. They work with your team to create and implement a compliance strategy that conforms to your unique environment and operations. Pulling from years of experience and broad expertise, they help incorporate proven best practices into your PCI DSS control implementation. The result is a PCI Compliance Program that keeps you not only better protected, but well prepared to pass annual self-assessments and PCI audits with ease. Contact us for help.