PCI DSS: Are you taking payment security seriously?
What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is administered by the PCI SSC (Security Standards Council) to reduce payment card fraud and improve the protection of cardholder data wherever it is handled, not only online. Organisations that accept, store, transmit or process cardholder data must comply with the PCI DSS.
If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties comply with the Standard.
If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.
Why is compliance important?
The cardholder data that you store can be stolen from many places:
- Compromised card reader
- Filed paper records
- Cardholder data stored in databases
- Rogue access to your business’s wireless or wired network
- Concealed camera recording the entry of authentication data
If implemented correctly, the PCI DSS can help organisations secure cardholder data. It provides a baseline set of security requirements, which lets organisations know what action they should take. One of the key benefits of the PCI DSS is that it provides a detailed action plan that can be applied to companies of any size or type that use any method of processing or storing payment card data.
To find out more about the PCI DSS and why compliance is important, download our free brochure:
The PCI DSS: Challenge or Opportunity?
Penalties for non-compliance with the PCI DSS
A breach or theft of cardholder data damages consumer confidence and results in lost business. Any merchant that fails to comply with the PCI DSS could face serious consequences, including fines, litigation and reputational damage. The implications can be far-reaching and include:
- Fraud losses
- Loss of customer confidence
- Diminished sales
- Cost of reissuing new payment cards
- Higher subsequent costs of compliance
- Legal costs, settlements and judgments
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs
Payment data – a target for attack
Payment card data is the prime target in attacks against commercial environments.
Indeed, the 2018 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with card-track (magnetic stripe) data making up nearly 23% of events, and CNP (card-not-present) data, which is mostly used in e-commerce transactions, comprising almost 20%.
Criminal hackers want your cardholder data. By obtaining the PAN (primary account number) and sensitive authentication data (full track data, the CVV2/CVC2 card verification code and PIN blocks), an attacker can impersonate the cardholder, use the card, and steal the cardholder’s identity. This is why the PCI DSS prohibits storing sensitive authentication data after authorisation, even in encrypted form. Following guidance in the PCI DSS helps keep your cyber defences primed against attacks aimed at stealing cardholder data.
The PCI DSS requirements
Payment security is important for every merchant, financial institution or other organisation that stores, processes or transmits cardholder data.
The PCI DSS specifies 12 requirements that are organised into six control objectives.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
The 12 requirements apply to every organisation in scope. What varies with the annual number of card transactions your organisation processes is your merchant or service provider level, and with it how you must validate compliance: a self-assessment questionnaire for lower levels, or an onsite assessment by a qualified assessor for the highest level.
To find out more about the PCI DSS requirements, read our information page on the PCI DSS and the 12 requirements >>
For organisations that process more than six million card transactions annually
These Level 1 organisations must have an annual onsite assessment performed by a QSA (Qualified Security Assessor) and submit a RoC (Report on Compliance), together with an AoC (Attestation of Compliance), to their acquiring banks to prove their compliance each year. Your assessor will:
- Validate the scope of the assessment;
- Review all documentation and technical information provided;
- Determine whether the Standard has been met;
- Provide support and guidance during the compliance process;
- Be onsite for the duration of the assessment as required;
- Adhere to the PCI DSS assessment procedures;
- Evaluate compensating controls; and
- Produce the final RoC.
To find out more about external audits for large organisations, download our free green paper:
PCI Audit Success in Nine Essential Steps >>
Discover our range of PCI DSS products and services
IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your cardholder data environment, conduct a risk assessment or test the security of your systems and processes for vulnerabilities, we can help. View our range of products and services to find out more about what we can do.
PCI DSS products and services
Speak to an expert
For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.