If your organisation stores, processes or transmits card payments, you must comply with the PCI DSS (Payment Card Industry Data Security Standard).
Given the complexity of the Standard’s requirements, it’s natural that you’d have questions about how to proceed. Cyber security expert Alice Turley knows that as well as anyone, as she answered your queries during IT Governance’s PCI DSS – Challenge or Opportunity? webinar.
In this blog, we look at several issues that were raised during that Q&A and provide advice on how to achieve PCI DSS compliance.
1. It’s easier than you think to find out whether a QSA is qualified
Most organisations are aware that, when choosing a QSA (Qualified Security Assessor) to audit their PCI DSS compliance practices, they must pick someone with the appropriate credentials.
If it’s unclear whether a potential QSA is qualified, Turley recommends visiting the PCI SSC (Security Standards Council) website and following the Assessors & Solutions tab to find approved assessors, scanners and certified forensic investigators.
You can search organisations or a specific individual to see whether they are registered with the PCI SSC.
2. Third-party payment processors must be PCI DSS-compliant
When asked about whether there was a difference between an organisation’s compliance requirements and those of third parties, Turley was clear.
“As you are outsourcing some of the process to a third party and sharing some of the cardholder data in order to make the payments, the third party needs to be PCI DSS-compliant as a service provider. Therefore, both parties need to be PCI DSS-compliant,” she explained.
“However, as the merchant, you can offload some of your PCI DSS controls to the third party so that your SAQ (self-assessment questionnaire) will be smaller and the third party will handle the rest of the controls.”
3. You should have evidence that third parties’ practices are compliant
Turley added that it isn’t enough to simply ask a third party to achieve PCI DSS compliance; it should be a binding contractual requirement.
“The payment processor company should be maintaining their service provider PCI DSS compliance, and this should be a requirement within your contractual relationship with this payment processing company,” she said.
She also explained that organisations might choose to seek an Attestation of Compliance report. This is a form used by merchants and service providers that contains the results of the PCI DSS assessment.
4. Card issuers can store payment data only in specific circumstances
One of the biggest misconceptions about the PCI DSS is that achieving certification allows you to store cardholder data as you please.
However, Turley explains that even if an organisation has the appropriate defences in place, it may only store cardholder data where there is a business need to do so.
She adds that organisations must ensure that the full PAN (primary account number) is accessible only to those who need it to complete their job functions. In all other cases, the number should be partially masked, the most common approach being to display only the final four digits.
5. You must remove payment card data that’s not stored appropriately
Data breaches involving cardholder data often occur when an employee enters the information in the wrong field within a database.
Turley confirmed that any information entered incorrectly must be removed, and that organisations should conduct staff awareness training to prevent this error from happening again.
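As an added illustration of points 4 and 5 (example code, not from the webinar or IT Governance), the Python below masks a PAN to its final four digits for display and scans free-text database fields for card numbers that have ended up where they don’t belong, so they can be removed. The table rows and the field name "notes" are constructed sample data.

```python
import re

# Constructed sample table: "pan" is the only field permitted to hold a card
# number; the free-text "notes" field should never contain one (point 5 above).
SAMPLE_ROWS = [
    {"id": 1, "pan": "4111111111111111", "notes": "Customer asked for a refund."},
    {"id": 2, "pan": "5500000000000004", "notes": "Card 5500 0000 0000 0004 declined, retry later"},
    {"id": 3, "pan": "", "notes": "Order ref 1234-5678-9012-3456 is not a card number"},
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy; filters out order refs and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for staff with no need to see the full PAN: last four digits only (point 4)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_misplaced_pans(rows, free_text_fields=("notes",)):
    """Return (row id, field, masked PAN) for Luhn-valid card numbers found in fields that must not hold them."""
    findings = []
    for row in rows:
        for field in free_text_fields:
            for match in PAN_CANDIDATE.finditer(row.get(field, "")):
                digits = re.sub(r"\D", "", match.group())
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append((row["id"], field, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for row_id, field, masked in find_misplaced_pans(SAMPLE_ROWS):
        print(f"row {row_id}: field '{field}' holds card data {masked}; remove it")
```

Findings are reported in masked form so that the clean-up report does not itself become another store of full PANs.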
Looking for more PCI DSS advice?
You can find more of Turley’s advice on how to protect cardholder data by watching PCI DSS – Challenge or Opportunity?
This free webinar is available to download from our website, and provides essential guidance on how to meet your PCI DSS compliance requirements. It contains:
- An overview of the PCI DSS’s 12 compliance requirements;
- Best practices on how to achieve and maintain compliance;
- Advice on how to overcome challenges you’re likely to face; and
- Information on the ways that PCI DSS compliance helps you meet your GDPR (General Data Protection Regulation) requirements.