The Payment Card Industry Data Security Standard (PCI DSS) is an international proprietary information security standard developed by the PCI Security Standards Council for organizations that handle cardholder information for the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa. Merchants need to be PCI DSS compliant if they want to accept card payments over the phone, in person, or online.
PCI DSS protects all the information found on a customer’s payment card: their primary account number (PAN), the cardholder’s name, credit card expiration date, and service code. There are 12 core PCI DSS requirements with an associated 250 controls. Both basic measures such as installing and maintaining firewalls and antivirus software and more complex ones that require the development of secure applications and systems are included.
While not legally binding, merchants need to comply with PCI DSS as part of contractual obligations with card companies and financial institutions, including banks. Failure to comply comes with dire consequences: banks can choose to permanently terminate their relationship with an organization and add offenders to the Merchant Alert to Control High-Risk (MATCH) list which would bar them from ever processing card payments again. Non-compliance with PCI DSS can also bring fines of up to $100,000/month and increased transaction fees.
Reaching PCI DSS compliance is daunting, but an inescapable requirement for all companies that want to accept card payments. But what is the best strategy to reach PCI DSS compliance? Here are our tips!
Conduct an internal audit
Before you get started with any PCI DSS compliance efforts, you must first know how cardholder information is being stored and processed and what policies for the handling of sensitive data are already in place. This requires organizations to conduct an internal audit and involve in their input from compliance and privacy executives, IT departments, administrative management, and top-level executives such as CISOs and CIOs.
Tools such as Data Loss Prevention solutions can also be used at this stage to scan company networks to discover exactly where cardholder information is being stored and how it is being used by employees and whether current policies adequately protect that data. By using data at rest scans and monitoring features that allow for cardholder data to be detected and tracked, companies can get a good idea of data flows within company networks.
Organizations can then compare existing policies and practices against PCI DSS requirements and see which areas require improvement. In this way, companies can make informed decisions and build PCI DSS compliance on top of existing policies, without wasting time and resources by starting from scratch.
Secure business processes
To secure business processes, companies must first install and maintain cybersecurity solutions such as firewalls and antivirus software to protect against outside interference. Companies must also protect cardholder information from internal threats and human error.
To effectively do this, they must restrict access to cardholder information by business need-to-know. They can also use DLP tools to monitor, restrict, or block the transfer of cardholder data outside the company network. By tracking the movements of cardholder information, organizations can discover weak links in compliance strategies and identify the employees that may require training to ensure best security practices are being followed.
Any compliance strategy fails if employees are not involved in its application. Companies must ensure that everyone working with cardholder information on a day to day basis is aware of PCI DSS requirements, their importance, and how they can support and ensure compliance.
An informed workforce is less likely to bypass policies. Adequate training, based on situations they encounter daily, can also raise awareness of common errors and lead to a reduction in security incidents caused by negligence.
PCI DSS compliance for remote work
During the COVID-19 pandemic, the PCI Security Standards Council issued special guidance for remote work aimed at helping companies maintain security best practices and protect payment card data while their employees work from home.
From requiring employees to conduct processing operations in private home office spaces to securing devices from unauthorized access, companies must follow to Council’s guidance to ensure ongoing compliance with PCI DSS.
Regularly test systems and processes
Annual penetration testing is a requirement for all companies that need to be PCI DSS compliant. The test needs to be conducted through an Approved Scan Vendor (ASV). But companies should also test the effectiveness of their internal policies. This can be done through monitoring cardholder information, but also regular data at rest scans that can help identify where sensitive data is being stored without authorization.
By regularly testing their security mechanisms, companies can ensure that any potential vulnerabilities are discovered and swiftly dealt with. They can also test the effectiveness of new policies in meeting PCI DSS requirements.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.