Rules of PCI DSS Compliance
Data breaches have made news often in the past few years. When credit cardholder data is compromised, merchants face bad publicity, lasting damage to their reputations, lost business and possible fines. The global average cost of a single data-loss incident was $3.43 million in 2009, or $142 per compromised record, according to a report from the Ponemon Institute.
That’s why American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa developed the PCI DSS (Payment Card Industry Data Security Standard). Businesses with merchant identification that takes credit card payments—whether online, over the phone, or using credit card machines or paper forms—need to comply with these standards, even if they use a payment service provider.
Here are some pointers and considerations to make the compliance journey a smoother ride for your organization:
• Don’t think PCI DSS is going away. Nevada, Minnesota and Washington have incorporated all or part of PCI DSS into their laws. These states are forerunners of a movement similar to the one that led to the adoption of data-breach notification laws, which have so far been enacted by 46 states. Additionally, many banks are now asking their merchants to comply; some are even imposing fines for noncompliance.
• Don’t hide behind the fact that your payment service provider is PCI DSS-compliant. Remember that all “actors” in the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable).
• Don’t pick and choose requirements. Merchants need to comply with all the requirements applicable to their credit card payments structure, regardless of any compliance-validation mechanisms they may use. This involves having the appropriate technical and physical security safeguards, policies and procedures in place, and performing quarterly scans of the CHD (cardholder data) environment if it is connected to public networks. Merchants need to train their employees—both when they are hired and again once each year—in matters concerning credit card security. It is also important to be aware that at the highest level, if a merchant makes more than 6 million transactions per year, a qualified security assessor must come on-site to verify compliance.
• Don’t underestimate the time, cost and effort involved in PCI DSS compliance. Get C-level support to make it happen.
Steps to Compliance
• Map out your environment to identify areas, processes and people involved in processing, storing or transmitting credit cardholder data. This is essential for a successful PCI DSS compliance strategy. All assessors start by looking at payment ecosystems and associated documents.
• Segregate credit card processing environment(s) from other production networks. Make sure that any system you use to process, transmit and store CHD is isolated, so that the controls mandated by PCI DSS apply only to this subset of your business.
• To do so, use virtual LANs, install a firewall around your CHD environment and deploy solutions that replace sensitive data with representative token values.
• Use encryption to protect the residual CHD environment. PCI DSS mandates encryption of CHD transmitted over public networks and of devices that may be used to store data elements retained under CHD, but you should go beyond that to encrypt CHD in your network.
• Train your employees: The PCI standard mandates it, and having a prepared staff increases security levels and reduces fraud. A good way to do this is through the use of e-learning, which allows you to see which staff members have been trained, which ones passed their security test and when specific employees need to be retrained.
• Understand the difference between validation programs and compliance readiness. Validation programs tend to include quarterly scans and self-assessment questionnaires but leave out training and policies. Full-readiness programs also include training, policies and procedures.
• Use PCI DSS compliance-management tools, which allow you to achieve compliance the first time by generating remediation plans and security project plans. Take control and proactively manage all PCI DSS tasks, whether it’s updating security systems, revising policies and procedures, or retraining staff. Be sure that you know—and can evaluate—costs for each control and high-level requirement for security ROI.
• Consider the upside of PCI DSS. Continuous compliance with PCI DSS will also reduce the time, effort and cost of complying with personally identifiable information (PII) and data-breach notification laws.
PCI DSS is not going away. If your business is not compliant yet, take action now. Once compliance is achieved, maintain it on an ongoing basis, thus also addressing PII and state laws. Complying with PCI DSS should be regarded as a security and compliance win-win.
Mathieu Gorge is CEO of security consultancy VigiTrust, which is based in Dublin.