Credit card and transaction processing companies, as their very name suggests, work with sensitive credit cardholder information on a daily basis and are subject to strict data security compliance requirements as a consequence. Chief among them is the Payment Card Industry Data Security Standard (PCI DSS), which has been adopted by financial institutions across the world as a general standard to help protect payment systems from breaches, fraud, and theft of cardholder data.
Data compliance requirements
PCI DSS is an international proprietary information security standard developed by the PCI Security Standards Council for organizations that handle cardholder information for the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa. All companies wishing to accept card payments over the phone, in person, or online must be PCI DSS compliant.
Organizations found to be non-compliant with PCI DSS requirements face fines of up to $100,000 per month and increased transaction fees. Their acquiring bank can also terminate the relationship and place them on the Merchant Alert to Control High-Risk (MATCH) list, which makes it extremely difficult to obtain a merchant account from any acquirer for years afterwards.
As such, PCI DSS compliance is paramount for credit card and transaction processing companies, but it is not the only standard they need to comply with. Together with cardholder information, they also collect massive amounts of personally identifiable information (PII), including names, addresses, and phone numbers, which are protected under data protection laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Data security is therefore not a passing concern for credit card and transaction processing companies but a vital aspect of their business. According to IBM and the Ponemon Institute’s 2021 Cost of a Data Breach Report, the financial sector, to which credit card and transaction processing companies belong, has the second-highest data breach costs of any industry: $5.72 million per breach, with lost business as the largest contributing cost factor. So how can credit card and transaction processing companies better protect their data and avoid such losses? Let’s take a closer look.
Address internal threats
Cybersecurity is often equated with protecting company networks against external threats. Safeguarding data and systems from cyberattacks is a major part of any cybersecurity effort, but credit card and transaction processing companies should not neglect another major source of data breaches: their own employees. Whether through negligence or malicious intent, insiders are among the most common root causes of data leaks.
Credit card and transaction processing companies can use Data Loss Prevention (DLP) solutions to protect data from internal threats without negatively impacting employee productivity. DLP solutions identify, monitor and control sensitive data using predefined profiles for data protected under laws and standards such as PCI DSS and GDPR, as well as custom definitions.
Using contextual scanning and content inspection, they can identify cardholder information, PII, and any other type of data defined as sensitive in hundreds of file types, monitor it, and block or limit its transfer. DLP solutions with a high level of granularity, such as Endpoint Protector, allow DLP policies to be applied to particular departments, groups, individuals, or computers, depending on their level of access to sensitive information.
Restrict access to sensitive data
Companies that need to comply with PCI DSS must restrict access to sensitive data on a need-to-know basis. This means that only authorized employees should have access to sensitive information and, even then, should only access it when it is needed to complete tasks.
DLP content discovery scans can help credit card and transaction processing companies to ensure that this requirement is met. Organizations can use DLP tools to search their entire company network for sensitive data stored locally on their employees’ computers and delete or encrypt it when found in unauthorized locations.
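The content inspection described in the previous section and the discovery scan described here rest on the same detection logic: find digit runs that look like primary account numbers (PANs), validate them, classify them by brand, and report where they are stored. The following is an added example written for this article, not Endpoint Protector's own implementation. The brand prefix and length rules are the publicly documented ones for the five brands named above (the Discover ranges are simplified), the scanned file extensions are an assumption, and the sample files, directories and card numbers are constructed (the card numbers are the brands' published test numbers).

```python
"""Added example for this article (not Endpoint Protector's code): DLP-style
content inspection for primary account numbers (PANs) and a content discovery
scan over a directory tree. Brand prefix/length rules are the publicly
documented ones for Visa, MasterCard, American Express, Discover and JCB;
sample files are constructed."""
import os
import re
import shutil
import tempfile

# 13 to 19 digits, optionally separated by single spaces or dashes; the
# look-around excludes runs that are part of a longer digit string.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1): rejects ~90% of random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Map leading digits (IIN) and length to a brand, or None if neither fits."""
    n, two, three, four = len(digits), int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n in (16, 19) and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"          # main Discover ranges only (simplified)
    if n in (16, 19) and 3528 <= four <= 3589:
        return "JCB"
    return None


def mask_pan(digits: str) -> str:
    """Display form allowed by PCI DSS Requirement 3: at most first 6 + last 4."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (brand, masked PAN) for each candidate that is Luhn-valid and
    matches a known brand; everything else is treated as a false positive."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            brand = brand_of(digits)
            if brand:
                hits.append((brand, mask_pan(digits)))
    return hits


def discovery_scan(root: str, exts=(".txt", ".csv", ".log")):
    """Walk `root` and map each file (relative path) to the PANs found in it.
    The extension list is an assumption for the example; real tools inspect
    hundreds of formats, including archives and office documents."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue        # unreadable file: skip, do not abort the scan
            if pans:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = pans
    return findings


def demo():
    """Build a constructed file share, scan it, and return the findings.
    The card numbers are the brands' published test numbers, not real cards."""
    root = tempfile.mkdtemp()
    samples = {
        "finance/refunds.csv": "customer,pan,amount\n"
                               "A. Smith,4111 1111 1111 1111,19.99\n"
                               "B. Jones,3782-822463-10005,250.00\n",
        "hr/phones.txt": "Desk phones: 5551234567, order ref 1234567890123456\n",
        "it/notes.txt": "Test cards: 6011111111111117 and 3530111333300000 (JCB)\n",
    }
    try:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return discovery_scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, pans in demo().items():
        print(path, pans)
```

The Luhn check alone still passes roughly one in ten random digit runs, which is why the brand prefix and length checks matter; production tools add context keywords ("card", "PAN", "expiry") near the match to cut false positives further. The report shows at most the first six and last four digits, the limit PCI DSS sets for displayed PANs, so the scan report itself does not become a new copy of cardholder data. Files found in unauthorized locations would then be deleted or encrypted, as the section describes.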
Block or limit the use of removable devices
Removable devices are another common data exit point. For credit card and transaction processing companies, which collect, process and archive massive amounts of sensitive data, employees’ use of removable devices is a high security risk.
Companies can use DLP solutions to block the use of USB and peripheral ports as well as Bluetooth connections or limit their use to approved devices. In this way, organizations can control the level of security of devices connected to work computers, but also easily identify which employee has used a removable device at what time. Companies can thus identify any potential attempts to steal data by malicious insiders.
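Limiting removable devices to approved ones and attributing each use to an employee comes down to evaluating every device connection against an allowlist and a per-group policy, and keeping the decisions as an audit trail. The following is an added example written for this article, not Endpoint Protector's policy engine or log format; the event format, vendor and product IDs, serial numbers, users and group names are all constructed.

```python
"""Added example for this article (not Endpoint Protector's policy engine or
log format): evaluate removable-device events against a serial-level
allowlist and per-group policy, and keep an audit trail that shows which
employee used which device and when. Vendor/product IDs, serials, users and
groups are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceEvent:
    ts: str        # when the device was connected (ISO 8601, from the agent)
    user: str      # logged-in employee
    host: str      # workstation
    bus: str       # "usb" or "bluetooth"
    vid: str       # USB vendor ID, hex, "" for non-USB
    pid: str       # USB product ID, hex, "" for non-USB
    serial: str    # device serial number, "" if the device reports none


# Approved devices are listed by (vendor, product, serial): matching on the
# serial stops a look-alike stick of the same model from passing the check.
APPROVED = {
    ("0951", "1666", "0C9D92F8A13B"),   # constructed: issued encrypted USB stick
}

# Per-group policy; anything not listed is treated as "block".
GROUP_POLICY = {
    "finance": "approved-only",
    "it-admin": "approved-only",
    "support": "block",
}


def evaluate(ev: DeviceEvent, user_groups: dict) -> tuple:
    """Return (decision, reason) for one event: "allow" or "block"."""
    if ev.bus == "bluetooth":
        return "block", "bluetooth file transfer disabled"
    group = user_groups.get(ev.user, "unknown")
    mode = GROUP_POLICY.get(group, "block")
    if mode == "block":
        return "block", f"group '{group}' may not use removable storage"
    if not ev.serial:
        return "block", "device reports no serial number"
    if (ev.vid.lower(), ev.pid.lower(), ev.serial.upper()) in APPROVED:
        return "allow", "approved device"
    return "block", "device not on allowlist"


def audit(events, user_groups: dict) -> list:
    """Evaluate every event and return one audit record per event."""
    records = []
    for ev in events:
        decision, reason = evaluate(ev, user_groups)
        records.append({
            "ts": ev.ts, "user": ev.user, "host": ev.host,
            "device": f"{ev.bus}:{ev.vid}:{ev.pid}/{ev.serial}",
            "decision": decision, "reason": reason,
        })
    return records


def repeat_offenders(records, threshold: int = 2) -> list:
    """Users with `threshold` or more blocked attempts, sorted by name: a
    starting point for an insider-threat follow-up rather than a verdict."""
    counts = {}
    for r in records:
        if r["decision"] == "block":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample events (not real agent output).
SAMPLE_EVENTS = [
    DeviceEvent("2024-03-04T09:02:11Z", "alice", "fin-ws-07", "usb", "0951", "1666", "0C9D92F8A13B"),
    DeviceEvent("2024-03-04T09:40:52Z", "alice", "fin-ws-07", "usb", "0951", "1666", "DEADBEEF0001"),
    DeviceEvent("2024-03-04T10:15:03Z", "bob", "sup-ws-12", "usb", "0781", "5583", "4C530001"),
    DeviceEvent("2024-03-04T10:16:47Z", "bob", "sup-ws-12", "usb", "0781", "5583", "4C530001"),
    DeviceEvent("2024-03-04T11:01:30Z", "carol", "it-ws-02", "bluetooth", "", "", ""),
    DeviceEvent("2024-03-04T11:30:00Z", "carol", "it-ws-02", "usb", "0951", "1666", "0C9D92F8A13B"),
]
USER_GROUPS = {"alice": "finance", "bob": "support", "carol": "it-admin"}


if __name__ == "__main__":
    recs = audit(SAMPLE_EVENTS, USER_GROUPS)
    for r in recs:
        print(r["ts"], r["user"], r["host"], r["device"], r["decision"], r["reason"])
    print("repeat offenders:", repeat_offenders(recs))
```

Two points from the example carry over to real deployments: allowlisting by serial number, not just by make and model, is what prevents a personal stick of the same model from passing, and a device that reports no serial at all cannot be allowlisted and should be blocked by default. The audit trail answers the "which employee, which device, when" question the section raises, and counting blocked attempts per user gives the starting point for looking into a possible malicious insider.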
Frequently Asked Questions
How is debit and credit card data protected?
Debit and credit card data is protected under the Payment Card Industry Data Security Standard (PCI DSS). It was created to standardize and align the security requirements of the world’s biggest card brands: American Express, Discover, JCB, MasterCard, and Visa. Together, the five companies created the Payment Card Industry Security Standards Council (PCI SSC), which is tasked with overseeing the evolution and development of PCI DSS.
What is PCI compliance?
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements that helps organizations protect their payment systems from breaches, fraud, and theft of cardholder data. While not legally binding, PCI DSS was adopted as a general standard by financial institutions across the world, which means that compliance is contractually required for any organization wishing to accept credit or debit card payments, whether in person, over the phone, or online.
Who needs to comply with PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers. Any organization that stores, processes, or transmits cardholder data and/or sensitive authentication data is in scope. Organizations that outsource their operations to third-party payment processors remain responsible for ensuring that credit card data continues to be protected and that those third parties are PCI DSS compliant.