If your business uses or processes any credit card information, you are required to comply with Payment Card Industry Data Security Standards (PCI DSS). PCI DSS is considered to be one of the key components of security compliance and refers to regulations developed to ensure that companies who store, process, or transmit credit card information maintain a secure IT environment. Let’s explore how to determine if your business is PCI compliant, and what it takes to get there.
Who Needs to Be PCI Compliant?
Let’s start with the basics. Does your company have a Merchant ID? If it does, guess what? By virtue of that merchant ID, you are required to be PCI DSS compliant. In addition, if you outsource any of your IT needs to a third-party vendor, you must take steps to ensure that the vendors you work with are also PCI DSS compliant. This is especially important as cloud computing becomes a popular business solution, because reliance on the cloud carries its own risks, particularly when it comes to maintaining PCI compliance.
The data security standards are clear, yet businesses struggle to attain compliance, citing confusion about the requirements, uncertainty about what data to monitor and, of course, limited resources. According to the PCI Security Council, “Many organizations treat compliance as a one-time, annual event. But only focusing on an annual compliance assessment can create a false sense of security.”
Bottom line? No matter how limited your resources, how overwhelming the amount of data you need to monitor, or how confusing you find the entire process—you must be in compliance and you must be vigilant and maintain PCI DSS standards year-round. Let’s explore further.
The Components of PCI Compliance
PCI compliance is a continuous process made up of three steps: assessment, remediation, and reporting. In the initial assessment, you need to inventory your company’s IT resources, cardholder data, and payment processing, and then analyze each for any areas of weakness or susceptibility to breach. Once you have identified any areas of vulnerability, you must fix the problems and then submit reports to the required bank and bank card companies.
Critical Considerations for PCI Compliance
To achieve PCI compliance, you must be sure that your business:
- Maintains a secure network. Your hosting provider should have an appropriate firewall to protect cardholder data, as well as complex system passwords for entry into your financial system.
- Takes measures to protect data. Cardholder data must be stored securely and must be encrypted while in transit over public networks.
- Has an auditing process. Not only should you conduct regular audits yourself, you should require all third-party vendors to regularly assess their own vulnerabilities and provide regular audit reports. Assessments, anti-virus software updates, and maintaining secure systems are absolute necessities.
- Implements strong access control measures. Access to the system should be restricted only to those who need the information to complete a task successfully. In addition, each user should have a unique ID to gain access to the system.
- Monitors and tests for flaws frequently. It’s critical to regularly run security checks and monitor all access to cardholder data.
- Has established information security policies. Make sure that information security policies are explicitly written, reviewed often, and regularly updated to reflect changes in the industry and PCI DSS regulations.
The good news? According to the PCI Security Standards Council, PCI DSS will be updated in 2016 to improve guidance for companies working to achieve compliance, with a particular focus on PCI DSS Requirement 10, which addresses log collection and monitoring processes.
The Council has put together a special interest group called “Effective Daily Log Monitoring” tasked with developing an information supplement with instructions on techniques that can be used to meet requirements and improve daily log monitoring. The Information Supplement, targeted for publishing in 2016, will include examples and evidence from daily breaches, as well as a listing of available tools.
Lastly, it’s important to note that while you are required to be in compliance with PCI DSS regulations, PCI compliance doesn’t guarantee you won’t experience a cardholder data breach. According to Experian’s 2016 Data Breach Industry Forecast, the frequency and sophistication of security incidents continue to advance at what seems like breakneck speed. Want a wake-up call? According to the 2015 Cost of Data Breach Study: Global Analysis, published by IBM and the Ponemon Institute, the average total cost of a data breach increased 23 percent over the past two years to $3.79 million.
Additional Safeguards to Ensure PCI Compliance
In addition to meeting or exceeding the PCI DSS regulations, here are two safeguards you should consider implementing in order to achieve PCI compliance:
- Encrypt Everything. One of the critical tactics for avoiding an information breach is to encrypt files at every step in the process. Data should, of course, be encrypted while traveling over public networks, but you must take it a step further and encrypt it locally and over private networks as well.
- Practice Continual Monitoring. Businesses cite continual monitoring as one of the biggest barriers to PCI compliance, but this is probably the most important step you can take to avoid a breach. With so many points of data transmission, IT professionals view monitoring access as a daunting task. But when you practice this, it not only mitigates your risk, it helps ensure compliance.
Maintaining PCI DSS compliance is challenging. With the constant influx of new security threats and vulnerabilities, your company needs to be prepared to respond to and address these risks, and as data breach costs continue to rise, the stakes become even higher. What are the biggest challenges you and your team face when it comes to PCI compliance?