The Payment Card Industry (PCI) is a coalition of credit card companies including American Express, Discover, MasterCard and Visa. Non-compliance with the 12 requirements specified in the PCI Data Security Standards (DSS) puts your company at greater risk of a future data breach that comes with a steep financial cost as evidenced by the plethora of well publicized data breaches last year alone. Of the 12 PCI DSS requirements, it was found that 79% of failed PCI Compliance assessments were in non-compliance because of not being able to protect cardholder data via requirement 3. Thats huge.
Category: Compliance Standards
Staying informed about all of the cyber security compliance standards is essential to keeping your company safe from hackers. Read on to learn about the various steps you can take to stay up to date with your industry’s compliance standards.
-
Does a QSA need to be onsite for a PCI DSS assessment?
Keeping cardholder data safe and secure is an important part of your business as well as an agreement with your payment card brands and acquirers in order to accept the credit card based payments. Compromised data has a negative impact on everyone involved. Protecting data can help:
- Improve customer relationships
- Increase overall profitability in any program
- Prevent damage to your business’s reputation
This blog is part of our series of articles that will address frequently asked questions and provide a comprehensive guide on PCI DSS requirements and compliance.
Before we talk about QSA and on site assessment process for PCI compliance, heres a quick recap of the basics on PCI DSS.
-
Restricting physical access to cardholder data (PCI DSS Req. 9)
Credit cards hold a remarkable amount of cardholder data. If that data were to fall into the wrong hands, it could ruin a persons life. Now, imagine your company has a database of millions of credit cards that are unique to their cardholder. If that database were to be remotely breached via a phishing scam or hack, your entire database of payment cards could be stolen in a blink of an eye. In 2012 alone, attackers posing as legitimate service people substituted the payment devices and subsequently compromised three large retailers. It was found that 39% of organizations had been breached through insecure remote access (which was the single largest origin of compromise that organizations encountered).
-
Are you ready for GDPR enforcement?
The European Unions new data protection law, the General Data Protection Regulation (GDPR), went into effect on May 25th, 2018. The GDPR is a broad and substantial regulatory change meant to create uniform standards by which users personally identifiable information (PII) is stored, transmitted, and protected against theft. Many companies may be bound by the GDPR and not realize it. As such, they are at risk of being found non-compliant with the GDPR which can incur significant fines. In this article, well outline who is covered by the GDPR and explore the penalties that businesses can incur by being found non-compliant. The GDPR sets a high bar for compliance, and may require businesses to significantly change what types of data they store and how that data is stored. As such, a GDPR risk assessment or GDPR readiness assessment conducted by a qualified security assessor is essential to identifying areas of non-compliance and creating a comprehensive GDPR compliant data management system going forward.
-
What are GDPR Recitals?
The General Data Protection Regulation (GDPR) was recently adopted in the European Union but has far-reaching consequences for businesses operating around the world. The GDPR was crafted and adopted with the intention of creating a durable body of regulations that protect what personal data can be collected from individuals in the EU, how that data is processed, transmitted, and stored. The rollout of the GDPR has confused many businesses that are based outside of the European Union, who may not realize that they fall under the jurisdictional scope of the GDPR. Also confusing is the structure of the regulation, which has been crafted to adhere to standards consistent with the Court Justice of the European Union. In this article, well work to bring some clarity to the discussion regarding the GDPR. In particular, well outline the basics of what the GDPR is, who is covered by it, and whether your company should consider outsourcing your efforts to achieve GDPR compliance.
-
How to simplify GDPR with this need-to-know checklist
One of the biggest hot-button topics for consumers, businesses, and governments worldwide is data privacy and security. And the discussion has gotten that much more heated as high profile cases continue to hit the news. But things are set to get a lot more interesting with the introduction of the European Unions new General Data Protection Regulation (GDPR), which has just recently taken effect.
-
Does a P2PE validated application also need to be validated against PA-DSS?
There were 1,579 data breaches with over 178 million records exposed in 2017 alone. That averages about four data breaches a day for the entire year of 2017. Let that sink in for a second. That amounts to a nearly 45% overall increase over 2016 figures. Thankfully, there are ways that you can avoid a data breach, but these figures still lend themselves to have a bit of sticker shock. One way that companies can protect themselves from payment card data breaches is protecting their cardholder data environment (CDE) via PCI (Payment Card Industry) DSS (Data Security Standard) compliance. Any organization or merchant that accepts, transmits or stores any cardholder data must comply with PCI DSS.
-
Is VoIP in scope for PCI DSS?
Before we delve into understandingVoice over Internet Protocol (VoIP) and data security on VoIP systems, heres a quick introduction to PCI DSS payment card data security standards.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The PCI security standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm specific Internal Security Assessor (ISA) that creates a Report on Compliance for organizations handling large volumes of credit card payment transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
-
How Does Encrypted Cardholder Data Impact PCI DSS Scope?
Merchants need to protect the cardholder data that they collect and encryption is one of the ways this is accomplished. Encryption by itself is not enough to place data out of scope for PCI DSS. This blog will cover what a cardholder data environment is, how encrypted data is part of that environment, and how encryption fits into the scope of PCI compliance.
-
Types of Data Security Standards
Credit and debit cards have been around since the 1850s, but werent commonplace in American wallets until the 1970s. Why? Because consumers were wary of using them due to the nonexistent security measures and legislative support that was in place at the time. Consumer complaints against this lack of regulation led to the implementation of the Fair Credit Reporting Act of 1970, the Unsolicited Credit Card Act of 1970, the Fair Credit Billing Act of 1974, the Equal Credit Opportunity Act 1974, the Fair Debt Collection Practices Act of 1977. The passing of these acts gave consumers the support and confidence to use their credit and debit cards at a merchant without having to worry about having their data stolen or being discriminated for their transactions.