Demystifying data security standards
You hear news about data breaches, fraud, and online security almost every day. You know you need to take steps to keep your customers and your business safe, but you’re far too busy to become a security expert. This article helps demystify data security standards for businesses that accept credit cards.
The Payment Card Industry Data Security Standard (PCI DSS) protects consumer credit card data by reducing the risk of data breaches and payment fraud. Major payment schemes including Visa, Mastercard and American Express established PCI DSS as a security baseline for merchants using their credit card networks.
If your business accepts credit cards, you need to be in compliance with PCI DSS. Failure to comply leaves your business more exposed to a data breach, to the potentially devastating financial impact of fraud, and to the fines and penalties the card brands can assess through your acquiring bank after a breach.
Beyond the requirements, PCI DSS standards represent common sense best practices that reduce security risk and save your business money. This primer will demystify the standards, explain how they protect your business, and offer resources to help you stay in compliance.
Why do we need data security standards?
Credit card fraud that results from data breaches costs businesses and consumers billions each year. Data security standards help to mitigate those losses by shoring up the weakest links in the payments ecosystem.
The PCI DSS is a set of requirements for merchants, service providers, software developers and payment device manufacturers that aims to protect cardholder data and reduce credit card fraud. The standard is developed and maintained by the PCI Security Standards Council (PCI SSC), whose founding members are American Express, Discover, JCB, Mastercard and Visa. The current PCI DSS standard is v3.2.1, released in May 2018.
Before the Council existed, each card scheme had its own security program for network participants, resulting in a patchwork of overlapping and burdensome requirements. The unified PCI DSS makes compliance centralized, consistent, and transparent for businesses that accept credit cards.
What are the PCI DSS standards?
The PCI Security Standards Council has issued 12 PCI DSS requirements and testing procedures spanning six groups:
Build and maintain a secure network and systems
#1. Install and maintain a firewall configuration to protect cardholder data. Firewalls segregate traffic between trusted internal systems and untrusted external networks. The cardholder data environment (the people, processes and systems that store, process or transmit cardholder data) must be isolated from the rest of the network and from the Internet by a firewall, with documented rules that allow only the traffic the business needs.
#2. Don’t use vendor-supplied defaults. Network devices, servers and point-of-sale systems ship with default passwords, default accounts and other default security settings. Defaults are low-hanging fruit for criminals, because they are published in vendor manuals and built into attack tools. Change every vendor default, remove unnecessary default accounts and services, and follow password best practices before a system is connected to the network.
Protect cardholder data
#3. Protect cardholder data at rest. The primary account number (PAN) must be rendered unreadable wherever it is stored, using strong encryption, truncation, masking, one-way hashing, or tokenization, and sensitive authentication data (full magnetic stripe or chip data, the card verification code, and PINs) must never be stored after a transaction is authorized. This requirement also stipulates policies and procedures that minimize retention of cardholder data and govern its storage and secure deletion.
#4. Encrypt cardholder data in transit. Data moving between systems, especially over open, public networks such as the Internet, wireless networks and mobile networks, is a prime target for interception. This requirement calls for strong cryptography (such as current TLS; SSL and early TLS are no longer acceptable) to protect cardholder data whenever it is transmitted.
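Requirement 3 lists several ways to make a stored PAN unreadable without saying what they look like in practice. The following Python script is an added example, written for this article and not taken from the PCI SSC or any vendor; it shows masking, truncation, keyed hashing and a minimal tokenization vault side by side, plus a scrubber that masks PANs that leak into free-text logs. The sample card number is a well-known test PAN, the hashing key is a constructed placeholder, and the vault is an in-memory dictionary standing in for a real, separately protected token store.

```python
"""Rendering a PAN unreadable at rest: masking, truncation, keyed hashing,
tokenization, and scrubbing PANs out of free text.

Added example for this article; not code from the PCI SSC or any vendor.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample input: a well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed placeholder key. In production the key lives in an HSM or a key
# management service, never beside the data it protects.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# PANs are 13 to 19 digits; the Luhn check below weeds out other digit runs.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: distinguishes plausible PANs from other long numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only the last four digits are needed (e.g. receipts)."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash for lookups or de-duplication without storing the PAN.

    An unkeyed SHA-256 of a PAN is not enough: with the six-digit BIN known and
    the Luhn check digit fixed there are only about 10**9 candidates per BIN,
    which is a trivial brute force against a plain hash table.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Minimal tokenization: a random surrogate value stands in for the PAN.

    The token carries no information about the PAN, so systems that only hold
    tokens fall outside the cardholder data environment; the mapping (the
    vault) is what must be protected.
    """

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        token = secrets.token_hex(16)        # 128 random bits, not derived from PAN
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]            # KeyError for unknown tokens


def redact_pans(text: str) -> str:
    """Mask PANs that appear in free text (logs, tickets) before it is stored."""
    def _sub(m: re.Match) -> str:
        s = m.group(0)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN))
    print(hash_pan(SAMPLE_PAN, SAMPLE_KEY))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print(tok, vault.detokenize(tok))
    print(redact_pans("order 42 paid with 4111111111111111 at 12:00"))
```

The distinction worth noticing is between methods that are reversible only with a secret (encryption, the HMAC key, the vault) and methods that destroy information outright (truncation). Masking is a display control, not a storage control: if the full PAN is still in the database behind the masked field, requirement 3 still applies to that database.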
Maintain a vulnerability management program
#5. Protect systems against malware. Malware (malicious software) is a broad class of tools criminals use to gain and keep access to systems that handle credit card data. Anti-virus or anti-malware software must be deployed on commonly affected systems and, critically, kept current, actively running, and generating logs, so that it can actually detect and block current threats.
#6. Develop and maintain secure systems and applications. Vendors continuously release patches to close vulnerabilities that criminals are actively exploiting. This requirement calls for critical security patches to be installed promptly (within one month of release) and for in-house and custom software to be developed using secure coding practices that address common flaws such as injection and broken authentication.
Implement strong access control measures
#7. Restrict access to cardholder data to need-to-know. “Need to know” means access rights are granted to only the least amount of data and the fewest privileges needed to perform a job. This requirement stipulates access control procedures that limit sensitive data to those who require it to do their work, with a default of “deny all” for everyone else.
#8. Identify and authenticate access to system components. Every user and administrator must have a unique ID, with no shared or generic accounts, so that there is a clear record of who did what in systems that hold credit card data. Strong authentication is required, including multi-factor authentication for all non-console administrative access to the cardholder data environment and for all remote access into the network.
#9. Restrict physical access to cardholder data. Even the most secure networks in the virtual world also require security in the physical world. Any networks and systems containing sensitive credit card data should be physically secured with access rights based on authenticated need-to-know.
Regularly monitor and test networks
#10. Track and monitor all access to network resources and cardholder data. Logging all activity in systems that store or come in contact with credit card data, reviewing those logs, and retaining them (at least one year, with the most recent three months immediately available) is essential both for detecting an intrusion and for reconstructing what happened afterwards.
#11. Regularly test security systems and processes. Threats evolve constantly, so the efforts to protect a business and its customers must be just as ongoing. This requirement includes quarterly vulnerability scans (external scans performed by an approved scanning vendor), annual penetration testing and re-testing after significant changes, and intrusion detection and file-integrity monitoring on critical systems.
Maintain an information security policy
#12. Create information security policies for all personnel. Anyone who comes in contact with any systems containing sensitive credit card data should be trained in your security policies. This requirement helps your business stay secure through transparent and meaningful communication.
How do I ensure my business is compliant?
Becoming PCI compliant is a three-step process:
- Assessment. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediation. Fixing vulnerabilities and eliminating the storage of unprotected cardholder data.
- Reporting. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Qualified security assessors and approved scanning vendors can help evaluate your procedures, scan your systems for vulnerabilities, and determine if your business is compliant. The PCI SSC offers a list of approved vendors to get you started.
Another option is to perform a self-evaluation to assess your compliance. The PCI SSC offers a self-assessment questionnaire to help you understand areas where you're compliant and where you might need additional support.
Do I have to validate compliance?
While every merchant that processes, stores or transmits cardholder data must comply with PCI DSS standards, not every merchant has to validate compliance. The credit card brands have their own rules about what “level” of merchants must validate compliance. These four compliance levels are based on the number of annual transactions the merchant processes.
PCI compliance: Where regulations meet best practices
Security systems are only as strong as their weakest link. Fraudsters seeking to steal credit card data often find that weakest link in the computer systems of small merchants. If you own or operate a business that accepts credit cards, you need to protect yourself and your customers.
Many businesses use services offered by their credit card processor or merchant bank to achieve compliance. Vantiv, now Worldpay, offers OmniShield Assure to help businesses of all sizes achieve and maintain PCI DSS compliance. In addition to EMV and tokenization technology, OmniShield Assure also provides financial protection to help cover costs if you do experience a breach.
PCI DSS helps build trust in the credit card ecosystem by establishing a common baseline of security policies and procedures for all participants in the respective networks. As a merchant that accepts credit cards, it’s your responsibility to stay compliant. Doing so instills security best practices and helps protect your business and your bottom line.