Staying on top of the latest rules and regulations as a business owner is of paramount importance to the long-term viability of your organization. You know it is, yet you become a deer in the headlights when tasked with becoming compliant for accepting credit card transactions. Where do you start? Do you really need to be compliant? What happens if you're not? Thankfully, this article is your one-stop shop for answers to these questions and a myriad of others you may have about PCI DSS (Payment Card Industry Data Security Standard) compliance. This guide investigates current and future PCI DSS cardholder regulations and requirements, who they apply to, and what you can do to keep your clients' cardholder data safe from the constant threat of data breaches.
Back in December of 2004, the PCI Security Standards Council (the Council for short) enacted the universal security standard known as PCI DSS (Payment Card Industry Data Security Standard). Since 2004, there have been many updates to the security requirements that businesses must adhere to at the digital and physical point of sale (POS) to remain compliant. PCI DSS is a proprietary information security standard that applies to all organizations that store, process and/or transmit consumer credit card data to and from the major card brands such as Visa, MasterCard, American Express, Discover and JCB.
According to Verizon's latest PCI DSS Compliance Report, PCI DSS compliance has increased by 167% since 2012, which means that keeping your company up to date on its PCI DSS compliance is key to remaining competitive with other merchants. If you wish to establish a secure digital payment presence that consumers can trust, your company must implement robust firewalls and authentication PINs that give consumers peace of mind.
But a robust network security solution is just the tip of the cybersecurity iceberg. With the average cost of a data breach totaling more than $3.8 million, it would behoove a business to remain compliant in order to decrease the risk of a future breach and increase consumer confidence in its platform. What consumers want are compliance solutions that give them far more flexibility to update their PINs and security data conveniently and frequently, without delay and without the worry that those data might be compromised at some point in the future. Identifying your company as a PCI DSS compliant entity that continuously updates its card processing security protocol in line with the Council's updates presents a platform that consumers can use for their daily e-commerce transactions without worrying about negative consequences.
What is PCI Compliance?
The main goal of PCI DSS compliance is to protect the privacy and security of sensitive card data by delivering recommendations on how to secure online business. Before the formal security standard was established, different credit card companies had their own set of rules and regulations regarding credit and debit card security with roughly the same aim: to create an additional level of protection for card issuers by ensuring that merchants met minimum levels of security when they store, process and transmit cardholder data.
PCI DSS is not required by federal law in the U.S. (for now); however, Minnesota, Nevada and Washington state have mandated PCI DSS compliance standards that require companies operating within their borders to be PCI DSS compliant in order to protect consumer payment card data. Regardless of these state and federal laws, PCI DSS compliance is required by the major card brands once your business reaches a certain size, with non-PCI-compliant companies facing fines and the threat of an imminent data breach. Your company's need for compliance with these card brands will ultimately depend on how you run your business and the number of in-person or e-commerce transactions you process with each card brand over a calendar year.
PCI DSS Requirements
In a nutshell, PCI DSS compliance is aimed at helping businesses worldwide protect their payment systems from data breaches and cardholder data theft, which hackers have increasingly used as a vehicle for cybercrime in recent years. If your business accepts credit cards, mobile payments or online payments, then you need to be PCI DSS compliant. There's no way around this, unless of course you would rather get stuck with a hefty fine or, worse yet, get hit by a data breach (which aren't as uncommon as you may think).
There are harsh consequences for non-compliant businesses that suffer a hack or data breach, which typically include:
- You will be responsible for repaying issuing banks for all fraudulent charges attributable to the breach.
- You must pay for the forensic investigation that determines the cause of the breach and how many accounts were compromised.
- Banks will fine card issuers thousands of dollars, which the issuers will pass on to you, on top of additional fines from the Council.
- The merchant's time and cost to deploy new, secure technology and processes will increase exponentially.
Levels
Ok, so now you've established that you need to be PCI DSS compliant, but you're not sure what that means and/or how to reach full compliance. Thankfully, the Council has detailed the guidelines below:
To sum up the above chart, if you're a merchant that processes over $20,000 in transactions annually, you will need to be PCI DSS compliant. The difference between Level 4 and Level 1 (other than the obvious transaction volume thresholds) is that companies required to meet Level 4 compliance only have to complete the annual self-assessment, whereas Level 1 certification requires an audit performed by a Qualified Security Assessor (QSA). Be prepared to dig in for the long haul and jump through a few hoops regardless of your level. Every level involves filling in the self-assessment questionnaire, and the whole procedure becomes considerably more involved at the highest level (Level 1).
Data Breaches
The cost of complying with the Council's PCI DSS requirements can range from roughly $1,000 to over $50,000 annually, depending on the size of your business and its corresponding level. On the surface this may seem like quite an investment to some. On the other hand, if you are not compliant, it can put your entire business in jeopardy.
Consumers are growing more wary of the level of card security at merchants, with 85 percent of adults surveyed across the United States, United Kingdom and Australia believing that fraud attempts on debit and credit cards are on the upswing. Loss of revenue and customers in the fallout from a data breach can damage your business's reputation in many ways (more so if you are found not to be following PCI DSS requirements). For one, your business could lose the right to accept payment cards, which in this day of digital reliance could lead your company to an early Chapter 13 bankruptcy filing if you're not careful.
We all witnessed the financial devastation that ensued recently from data breaches affecting many prominent financial institutions:
Securing your network firewall with the strong encryption methods built into PCI DSS compliance will not free your company completely from the threat of a data breach, but it will give you vulnerability management across your network security. The small annual cost of complying with PCI DSS requirements is microscopic compared with the return your company gains once it realizes that becoming compliant means more flexibility and control over the financial data flowing through your company's digital infrastructure.
What does PCI Compliance mean for your business?
PCI compliance applies to any business, regardless of size or transaction volume, that accepts credit cards. Any company that processes, stores or transmits credit card information must be PCI compliant. In the event of a data breach, lack of PCI compliance could result in steep fines by the PCI Security Standards Council. For small businesses, PCI compliance lessens your company's liability if a data breach does compromise your network.
Now, your business doesn't necessarily need to adhere to all levels of compliance, just the levels that are pertinent to your company's operations. If you are not currently PCI compliant and your business gets audited, it could pay up to $100,000 a month in fees depending on its current level. This will probably not sit well with your bank, leaving it with a sour taste in its mouth, which will most likely lead to the deterioration of your relationship or to an increase in the transaction fees you would need to shoulder to remain its client.
Ensuring that your business adheres to all the PCI DSS security standards is the best way to secure card transactions and safeguard your business from a data breach. In turn, you'll also avoid paying steep monthly fines to the Payment Card Industry, which helps protect the longevity of your business. From a consumer standpoint, a company's PCI DSS compliance is a verified stamp of approval that gives them peace of mind that their credit card data is safe from a breach that could cost them their hard-earned money, dock their credit score, or both. With U.S. consumer sentiment increasing at a rapid pace to surpass January 2004 levels, staying continuously PCI DSS compliant allows your company to keep growing with increased consumer demand.
2018 PCI Compliance Checklist
| # | PCI DSS Compliance Requirement |
| --- | --- |
| 1 | Install and maintain a firewall configuration to protect cardholder data. |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| 3 | Protect stored cardholder data. |
| 4 | Encrypt transmission of cardholder data across open, public networks. |
| 5 | Protect all systems against malware and regularly update anti-virus software or programs. |
| 6 | Develop and maintain secure systems and applications. |
| 7 | Restrict access to cardholder data by business need-to-know. |
| 8 | Identify and authenticate access to system components. |
| 9 | Restrict physical access to cardholder data. |
| 10 | Track and monitor all access to network resources and cardholder data. |
| 11 | Regularly test security systems and processes. |
| 12 | Maintain a policy that addresses information security for all personnel. |
- Line items 5, 8, and 12 have been updated to correspond with the latest April 2016 changes to the PCI DSS compliance checklist (v3.2) from The PCI Security Standards Council.
Changes in 2018
With more company financial data breaches than ever before, as hackers use innovative means to gain access to major company networks, PCI DSS compliance is more important than ever. As such, the Council's standards that companies must adhere to for continued PCI DSS compliance have evolved to accommodate new requirements that give consumers and service providers a fighting chance against the continuous threat of a massive data breach. Earlier this year, we detailed some of the higher-level PCI requirement changes for 2018, with major changes implemented by the Council on February 1st and June 30th, 2018.
February 1st, 2018 was the date by which all new requirements introduced by the Council in PCI DSS version 3.2 had to be adopted and included in each company's PCI DSS assessments. June 30th, 2018 is the last date on which a company can use Secure Sockets Layer (SSL) or early versions of Transport Layer Security (TLS) as a security control to meet any PCI DSS requirement, as these versions do not provide strong enough cryptography to be considered PCI DSS compliant.
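One way to check your own systems against the June 30th, 2018 deadline above, as an added example that is not part of the original article or of the Council's material: it flags an nginx-style ssl_protocols directive that still enables SSL or early TLS, and builds a Python client context that cannot negotiate anything below TLS 1.2. Treating TLS 1.0 and 1.1 as "early TLS", the constructed sample configuration and the function names are assumptions of this example.

```python
import re
import ssl

# Versions no longer acceptable as a PCI DSS security control after June 30, 2018:
# every SSL version plus "early TLS". The article does not enumerate the early-TLS
# versions; treating TLS 1.0 and 1.1 as early TLS is an assumption of this example.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample of an nginx-style configuration (not a real server's config).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def weak_protocols_in_directive(line):
    """Return the SSL/early-TLS names enabled by one 'ssl_protocols' directive."""
    m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % line)
    return [p for p in m.group(1).split() if p in WEAK_PROTOCOLS]

def audit_config(text):
    """Map each line number that still enables SSL/early TLS to the offending names."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("ssl_protocols"):
            weak = weak_protocols_in_directive(line)
            if weak:
                findings[lineno] = weak
    return findings

def cardholder_data_tls_context():
    """Client-side context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_meets_deadline(ctx):
    """True when the context cannot fall back to SSL or early TLS."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2

if __name__ == "__main__":
    for lineno, weak in audit_config(SAMPLE_CONFIG).items():
        print("line %d still enables %s" % (lineno, ", ".join(weak)))
    print("hardened client context ok:", context_meets_deadline(cardholder_data_tls_context()))
```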
Future
As the above changes to PCI DSS requirements show, many past methods of encryption have become obsolete with the introduction of new transaction features at the POS. Transaction features such as Card Not Present (CNP) transactions are becoming more prevalent and will require merchants to implement more subtle detection mechanisms, such as payment velocity checks, via tokenization. This kind of Point to Point Encryption (P2PE) is necessary for card merchants and businesses alike to ensure that consumer confidence remains high in the future.
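Requirement 3 of the checklist above (protect stored cardholder data) and the tokenization just mentioned, as an added example that is not part of the original article: it validates a PAN with the Luhn check, masks it for display to at most the first six and last four digits, and swaps it for a random token so that merchant systems never hold the full number. The TokenVault class, the function names and the sample test PAN are assumptions of this example.

```python
import secrets

def luhn_valid(pan):
    """Luhn check-digit test that every card brand's PAN must pass."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Display form permitted by Requirement 3: first six and last four digits at most."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

class TokenVault:
    """Hypothetical tokenization service: merchant systems keep only the token and the
    masked PAN; the full PAN lives solely inside this tightly controlled vault."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        # Deliberately no CVV/CVC parameter: sensitive authentication data is never stored.
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("PAN fails Luhn check")
        if digits in self._token_by_pan:        # same card, same token (needed for velocity checks)
            return self._token_by_pan[digits]
        token = secrets.token_hex(16)           # random, so the PAN cannot be derived from it
        self._token_by_pan[digits] = token
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token):
        """Only the payment flow that must reach the card brand should call this."""
        return self._pan_by_token[token]

# Constructed sample: a widely published test PAN, not a real cardholder's number.
SAMPLE_PAN = "4111 1111 1111 1111"

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("what the merchant stores:", token, mask_pan(SAMPLE_PAN))
```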
Speaking of looking to the future, you shouldn't be stuck working on solutions to problems that make you feel like you're constantly spinning your wheels. Meeting cardholder security standards will ultimately encourage your business to grow, not impede its progress with so-called red tape. Above and beyond complying with PCI DSS requirements, a proactive approach to potential network security woes such as data breaches is the ticket to unlocking your business's potential to grow without imposing roadblocks.
About RSI Security
RSI is the nation's premier information security and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world's leading companies, institutions and governments to ensure the safety of their information and their compliance with applicable regulations. We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI can assist organizations of all sizes in managing IT governance, risk management and compliance (GRC) efforts.