PCI Compliance – Why It Is a Must
Financial institutions often deal with data breaches due to the huge value financial records hold for external attackers or malicious insiders. A data security incident in financial organizations can have multiple negative ramifications for both the organization and the owners of the leaked data.
Last year a series of data breaches occurred in the financial sector: Citizens Bank, Nationstar Mortgage, Central Bank of Russia, TD Bank, Bangladesh Bank, and many others. One of the major causes was the significant rise of phishing attacks, especially CEO spear phishing, resulting in the breach of confidential data such as PII (dates of birth, home addresses, e-mail addresses), credit card numbers, social security numbers, and more.
What is PCI DSS?
According to pcicomplianceguide.org, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that store, process or transmit cardholder data and/or sensitive authentication data maintain a secure environment.
In 2006 the PCI SSC (Payment Card Industry Security Standards Council) was launched to define and manage the security standards, improving payment account security throughout the transaction process. The council was founded by American Express, MasterCard Worldwide, JCB International, Visa Inc., and Discover Financial Services.
The PCI standards cover everything from the point at which card data enters a system to how that data is processed.
PCI DSS applicability
PCI DSS applies to any organization, regardless of its number of transactions, that stores, processes or transmits any cardholder data for the major debit, credit, prepaid, e-purse, ATM and POS cards. The PCI Security Standards Council includes merchants, processors, acquirers, issuers, and service providers.
Financial services organizations that need to be PCI compliant range from banks, credit card companies, insurance companies, credit unions, investment funds, stock brokerages, accounting companies, consumer finance companies and real estate funds to government-related enterprises and others.
Read our Case Study on how a large risk consultant, insurance and reinsurance broker protects a wide range of confidential data, improving security and compliance with Endpoint Protector 4.
PCI DSS Key Points
PCI DSS divides sensitive data into the following two categories:
- Cardholder data: cardholder name, Primary Account Number (PAN), expiration date and service code
- Sensitive authentication data: CAV2/CVC2/CVV2/CID, PINs/PIN blocks, full track data (magnetic stripe data or equivalent on a chip)
The PCI standards include 12 main requirements. Organizations that fail to comply with the 12 PCI DSS requirements can be fined or lose their credit card processing privileges.
The 12 requirements according to the PCI Requirements and Security Assessment Procedures version 3.2 are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Non-compliance with PCI DSS comes with fines ranging from $5,000 to $100,000 per month, collected by banks and credit card institutions. Even though penalties for non-compliance are neither openly discussed nor widely publicized, they have a negative financial impact on the business concerned.
Which of the 12 PCI requirements are covered by Endpoint Protector DLP?
Endpoint Protector provides predefined PCI policies to audit and block the transfer of documents containing Credit Card Numbers (CCNs), cardholder and other associated data to destinations like cloud storage apps, e-mail applications, instant messaging, web-browsers, social media, removable devices, and others.
It helps satisfy requirement 7.1 – Limit access to system components and cardholder data to only those individuals whose job requires such access – reducing the chances of cardholder data falling into the wrong hands by stopping sensitive data transmissions.
Our Data Loss Prevention also helps meet requirement 3 – Protect stored cardholder data – by offering Enforced Encryption for USB devices, which encrypts confidential data when it is stored on removable devices. Similarly, requirement 9.5 requires all media to be physically secured to prevent unauthorized persons from gaining access to cardholder data on any type of media. With Endpoint Protector 4, organizations can set up Device Control policies to manage portable storage device rights, blocking access for unauthorized individuals and preventing them from copying, viewing or scanning sensitive data.
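To make the cardholder-data categories above and the "audit and block documents containing Credit Card Numbers" policy concrete, here is an added example of the kind of content inspection such a policy relies on. It is illustrative code written for this article, not Endpoint Protector's own implementation or policy engine. It assumes a simple approach: find digit runs of 13 to 19 digits (optionally separated by spaces or hyphens), keep only those that pass the Luhn check so that order numbers and phone numbers are not flagged, and record findings with the PAN masked as PCI DSS requirement 3.3 prescribes (no more than the first six and last four digits visible), so the audit log itself never stores a full PAN. The sample document and the card numbers in it are constructed test values, not real account data.

```python
import re

# Constructed sample "document", not real card data: the two card numbers are
# well-known test PANs that pass the Luhn check but belong to no real account.
SAMPLE_DOCUMENT = """Invoice draft
Customer: J. Doe
Card: 4111 1111 1111 1111 exp 12/25
Phone: 0123456789
Ref: 1234-5678-9012-3456
Backup card 5500-0000-0000-0004
"""

# Candidate PAN: 13 to 19 digits, each optionally followed by one space or hyphen,
# not preceded or followed by another digit (so we do not split longer numbers).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit from the right is doubled; digits above 9 have 9
    subtracted; the PAN is valid when the sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display or logging: first six and last four digits at most."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the masked form of every Luhn-valid PAN candidate found in text."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_document(text: str) -> dict:
    """Policy decision for one document: block if any PAN is present.

    The returned record is safe to write to an audit log because it only
    carries masked PANs and a count, never the full card numbers.
    """
    pans = find_pans(text)
    return {
        "action": "block" if pans else "allow",
        "pan_count": len(pans),
        "masked": pans,
    }


if __name__ == "__main__":
    print(scan_document(SAMPLE_DOCUMENT))
```

Running the block on the constructed sample blocks the document because of the two test PANs, while the phone number and the 16-digit reference number are not flagged: the first is too short and the second fails the Luhn check. Real DLP products add further checks (card-brand prefixes, keyword context, file-type parsing) on top of this basic pattern, which is why a Luhn-only filter should be treated as a starting point, not a complete policy.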
Among all industries, finance is usually the most up to date when it comes to information security implementation. However, financial institutions are also top targets for external attackers and they are subject to greater damages if insiders leak data intentionally or by mistake. PCI DSS is one of the most specific regulations in the industry, with clear requirements, so there is no excuse for organizations to fail in meeting compliance. On top of that, they must consider that a sound data security implementation to protect cardholder and other sensitive data should be complemented by other solutions, processes or technologies, besides the ones mentioned in the PCI regulation.