PCI DSS: Are you taking payment security seriously?
What is the PCI DSS?
All merchants and service providers that store, process or transmit credit or debit card data must comply with the PCI DSS (Payment Card Industry Data Security Standard) to ensure proper security of their customers and their business.
The PCI DSS is designed to fortify cardholder data security and facilitate the broad implementation of consistent data security measures globally. Organisations failing to comply with the Standard are likely to receive less favourable commercial terms (up to and including refusal of service), and those that experience a breach are likely to face substantial fines.
Want to know more?
For advice and guidance on the PCI DSS or to find out more about our cost-effective solutions, get in touch with one of our experts today.
Why is compliance important?
The GDPR (General Data Protection Regulation) introduced stricter rules for processing personal data, with substantial penalties for inadequate security. This makes PCI DSS compliance essential for any merchant or service provider processing cardholder data.
Despite improved PCI DSS compliance rates, research reveals that nearly half of organisations that validate compliance fall out of compliance again within the first 12 months. This could be due to:
- A change to the PCI DSS (the latest version is 3.2), or the interpretation of the PCI DSS
- New software/technology that was not implemented with PCI DSS controls in mind
- A process or policy that is in need of modification
- Organisation, personnel or vendor changes
- A system that was not tested during the previous assessment
The PCI DSS, when implemented correctly, provides a baseline of security requirements, enabling organisations to know what action to take to ensure the security of cardholder data. The Standard provides a detailed action plan that can be applied to all organisations regardless of their size, type or the method used to process cardholder data.
Penalties for non-compliance with the PCI DSS
Any merchant breaching the PCI DSS can face significant consequences, including:
- Fraud losses
- Loss of customer confidence
- Diminished sales
- Cost of reissuing new payment cards
- Higher subsequent costs of compliance
- Legal costs, settlements and judgments
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs
Payment data – a target for attack
Cardholder data is the prime target of attacks in commercial environments. The 2018 Trustwave Global Security Report identified that threat actors primarily targeted payment card data, with nearly 23% of attacks focusing on card-track (magnetic stripe) data and 20% on CNP (card-not-present) data, which is typically used in e-commerce transactions.
Complying with the PCI DSS helps safeguard your cardholder data environment, preventing attackers from obtaining the PAN (primary account number) and sensitive authentication data that they could use to impersonate the cardholder and steal their identity and money.
The PCI DSS
Payment security is important for every merchant, financial institution or other organisation that stores, processes or transmits cardholder data.
The PCI DSS specifies 12 requirements that are organised into six control objectives.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
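As an added example (not part of the original page or IT Governance's material), the following Python check supports the "Protect stored cardholder data" objective and CDE scoping: it scans constructed log lines for Luhn-valid PANs and masks them to the first six and last four digits, the maximum the Standard permits to be displayed. The sample card numbers are well-known payment-brand test values, not real cards.

```python
import re

# Constructed sample log lines; the PANs are standard test numbers, not real cards.
SAMPLE_LOG = """\
2024-01-09 10:01:02 checkout ok pan=4111111111111111 amount=19.99
2024-01-09 10:01:05 refund ok pan=5555 5555 5555 4444 amount=5.00
2024-01-09 10:02:11 order id=1234567890123456 status=shipped
2024-01-09 10:03:00 checkout ok token=tok_7f3a9c status=ok
"""

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render the PAN as first six / last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in text (use to locate data that pulls systems into scope)."""
    return [d for m in CANDIDATE.finditer(text)
            if 13 <= len(d := _normalise(m.group())) <= 19 and luhn_valid(d)]


def redact(text: str) -> str:
    """Replace each valid PAN with its masked form; leave non-PAN digit runs untouched."""
    def repl(m: re.Match) -> str:
        d = _normalise(m.group())
        return mask_pan(d) if 13 <= len(d) <= 19 and luhn_valid(d) else m.group()
    return CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Running the check over application logs before an assessment shows where cardholder data has leaked outside the intended environment; the order id on the third line is correctly left alone because it fails the Luhn check.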
Which PCI DSS compliance requirements you must implement varies according to the annual number of card transactions performed by your organisation.
To find out more about the PCI DSS requirements, read our information page on the PCI DSS and the 12 requirements.
Organisations that process more than 6 million card transactions annually
Large organisations processing more than 6 million card transactions a year must undergo an annual external audit by a QSA (Qualified Security Assessor) and submit a RoC (Report on Compliance) to their acquiring banks to demonstrate their compliance.
Your assessor will:
- Validate the scope of the assessment;
- Review all documentation and technical information provided;
- Determine whether the Standard has been met;
- Provide support and guidance during the compliance process;
- Be onsite for the duration of the assessment as required;
- Adhere to the PCI DSS assessment procedures;
- Evaluate compensating controls; and
- Produce the final RoC.
Organisations that process fewer than 6 million card transactions annually
Smaller merchants are able to use a self-validation tool to evaluate their level of cardholder data security.
With nine different questionnaires to choose from depending on your merchant environment, the SAQ (self-assessment questionnaire) includes a series of yes-no questions for each relevant PCI DSS requirement.
You must perform internal and external network vulnerability scans quarterly and following any significant network change, irrespective of the number of transactions you process.
Discover our range of PCI DSS products and services
Whether you require a gap analysis, need to reduce the scope of your cardholder data environment, want to conduct a risk assessment or need to test your systems for security vulnerabilities, IT Governance provides a range of services to support you in your PCI DSS compliance project.
Speak to an expert
For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.