06/09/2021 | News release | Distributed by Public on 06/09/2021 06:04
To standardize best security practices and combat credit card fraud, the PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc. The goal of the group, which now includes hundreds of members, was to establish a rigorous set of security practices to protect the entire payment ecosystem from fraud and theft.
That's no mean feat. There are billions of records breached each year. Many include financial and credit card data, because, of course, that's where the money is.
Protecting against identity theft and credit card fraud involves fortifying every step in the chain of custody of financial and transactional data. That's why PCI compliance has become so important not only for merchants and financial services companies, but also for any business that might handle or store this type of data.
What Is PCI Compliance?
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS). As such, PCI compliance is applicable to any company of any size that accepts credit card payments. So any business that takes credit card information, stores it, processes it or transmits it needs to be PCI compliant.
PCI Security Standards comprise mostly technological security practices and solutions intended to protect payment account data throughout the payment lifecycle. The standards include practices for merchants, retailers, service providers and financial services companies as well as requirements for developers and any vendors involved in creating or supporting payment products and solutions. So PCI compliance extends from point-of-sale hardware to online shopping carts, databases, networks and the transmission of any related data.
'The goal, essentially, is to make sure no unauthorized person is able to get that data out,' emphasizes Shane Harris, Mimecast's senior director of product management.
Why Is PCI Compliance Management Important?
Private and personal information breaches can affect not only consumers and major financial services companies, but businesses of any size. Failing to manage PCI compliance can lead to leaks and attacks that result in everything from a loss of business to fines and lawsuits.
Cybersecurity is only as good as the weakest link in the chain, which is why a lack of PCI compliance can hurt a company's reputation and even prevent it from doing business with other companies. Payment processors, for example, may request compliance as part of their required reporting to payment card companies. Potential partners often request confirmation of PCI compliance as a prerequisite to entering into business agreements. And customers of technology platforms that facilitate online transactions may request proof of PCI compliance in order to demonstrate that the platform is handling data in a secure manner.
Moreover, maintaining PCI compliance helps companies prevent other attacks by using best practices for detecting, preventing and remediating data breaches. Adhering to the PCI Data Security Standard also helps companies meet related data security and privacy laws, such as Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Finally, following the PCI Data Security Standard helps protect businesses from attacks that can result in additional legal expenses, settlements, fines, judgments - even the termination of a company's ability to accept payment cards.
The 12 Requirements of PCI Compliance
Here are the dozen top-level requirements, as laid out by the PCI Security Standards Council, with experts' additional input:
How Do I Validate my PCI Compliance?
There are two primary ways to validate PCI compliance. You may be required to conduct quarterly vulnerability scans and fill out an annual self-assessment questionnaire to demonstrate that your company is following the PCI guidelines. Or your business may be required to employ a Qualified Security Assessor (QSA) to conduct annual audits of your company. Which level of validation is required typically depends on the number of transactions a business handles annually, with those under 6 million transactions requiring less scrutiny.
However, acquiring banks (those that process credit and debit card payments) may have additional requirements for merchants or e-commerce sites, since banks and other financial services companies are the ones that stand to lose the most money in the case of fraud. They are also the ones that will be fined by the PCI Security Standards Council (reportedly as much as $10,000 a day) if there's a lack of compliance.
How Do I Maintain my PCI Compliance?
Following PCI validation, companies are required to conduct annual self-assessments and regular reviews to maintain compliance. The PCI council recommends, for example, quarterly vulnerability scans, which include scanning wireless networks for unauthorized devices, testing internal networks for vulnerabilities and checking databases to ensure that all PCI data is encrypted.
Additional reviews of public-facing services and apps are also an integral part of PCI compliance practices, including web application penetration testing. Additional reviews of the settings on firewalls, routers and other equipment are required. And employees should undergo security awareness training on an annual basis.
It should also be noted that the PCI Security Standards Council is continually revising and updating security measures to meet new threats. So just as businesses should stay up to date with current software patches, experts say, they should also follow PCI Security Standards Council advisories and changes.
Penalties for PCI Compliance Violations
When there is a PCI violation, penalties range from changes in agreement terms to severe financial penalties. Some card companies will increase the requirements for compliance, for example, demanding that a company that previously only had to submit to self-assessments now undergo full audits no matter how few transactions are processed annually.
For more serious infractions, a card company may no longer allow a merchant to accept credit card payments. For some businesses, this would in effect shutter the company, a severe penalty indeed.
And while a failure to comply with PCI guidelines doesn't violate any specific law, the acquiring bank may impose fines and penalties on a noncompliant company. While a listing of fine amounts per violation is not publicly available, penalties reportedly range from $5,000 to tens of thousands of dollars per month. These penalties have been imposed to enforce compliance and offset the fraudulent charges that card companies are ultimately responsible for covering.
The Bottom Line
The PCI Data Security Standard was initially developed to protect the credit card payment ecosystem. As such, it initially only directly affected merchants and financial companies. However, as businesses have become more digitally interconnected, PCI compliance has become more relevant to a wider variety of companies. 'Because, if your company has any customer data on premises,' underscores Mimecast's Harris, 'then security is paramount.'